Cryptocompliance 101: The Importance Of Annual Audits And Independent Testing

April 8, 2019

Your AML compliance program is only as good as a third party says it is. Thus, annual AML audits are required of all financial institutions, including businesses in the cryptocurrency space and crypto MSBs.

The four pillars of BSA/AML compliance established by the Bank Secrecy Act (BSA) provide the foundation for cryptocurrency businesses to build robust compliance programs. The pillars include an audit requirement for all AML programs.

Based on the four pillars, every financial institution (including cryptocurrency businesses) must develop a compliance program that features:

  1. Internal policies, procedures, and controls
  2. A designated compliance officer
  3. Ongoing employee training
  4. An independent audit function to test the program

Failure to comply with the Bank Secrecy Act and other anti-money laundering (AML) regulations carries serious consequences, so it’s important not to shrug this one off.

Any way you look at it, understanding how AML compliance audits work is essential to building a stronger business for the long haul. We’ll make sure you know everything you need to know about independent auditing so there’s no guessing.

We’re continuing our series of cryptocompliance 101 posts to help cryptocurrency business owners understand the regulatory landscape, its nuances, and what steps need to be taken to strengthen their compliance.

Today, we’re focusing on annual AML program audits – what they are, who should prepare them, and what to do when the audit is complete.

What Is An Annual AML Compliance Audit And Why Is It Important?


When you hear the word “audit,” do you start to sweat?

Most people do because we usually hear about the negative aspects of the audit process.

But what’s the real story?

AML program audits are conducted to ensure your cryptocurrency compliance policies and processes are working the way they should and keeping your crypto business out of trouble. That’s not a bad thing.

The reality is laws change, and financial criminals devise new ways to infiltrate legitimate financial companies all the time. For that reason, it’s critical that financial institutions constantly test the strength of their compliance policies and protocols and update them as needed.

In cryptocurrency, where regulatory oversight is more reactionary and guidance is more limited and ambiguous, the importance of annual compliance audits cannot be overstated.

An annual AML compliance audit is conducted by an independent, qualified third party with the goal of testing the program, identifying weaknesses, and recommending corrective actions to ensure the program stays in compliance with the Bank Secrecy Act.

The independent auditor will review your compliance program from top to bottom to identify any areas where your crypto business is weak. They’ll search deep and make sure they have sufficient evidence before they draw any conclusions or make any recommendations in a final report.

An AML program audit typically includes:

  • Evaluation of overall adequacy and effectiveness of the AML compliance program, including policies, procedures, and processes
  • Risk-based transaction testing to evaluate the MSB’s adherence to recordkeeping and reporting requirements. This includes things like Suspicious Activity Reports (SARs) and Currency Transaction Reports (CTRs)
  • Evaluation of management’s efforts to resolve compliance violations or deficiencies that were identified in previous audits or regulatory examinations
  • Review of employee compliance training for accuracy and thoroughness
  • Review and assessment of suspicious activity monitoring to ensure its adequacy
  • Review of Know Your Customer/Customer Due Diligence processes
  • Evaluation of automated systems and information technology
  • Review of recordkeeping
  • Adherence of personnel to compliance policies and procedures
  • Delivery of a final report and recommendations for improvement as appropriate

What Should Crypto Companies Do When The Audit Is Completed?

When the independent AML compliance audit is complete, the third-party auditor will provide a report that documents the procedures performed, testing done, and findings. This report will identify any compliance violations, weaknesses, and problems discovered during the audit.

The audit report should be provided to the Board of Directors, which is responsible for tracking identified weaknesses and documenting corrective actions. In addition, the BSA Compliance Officer is responsible for ensuring the problems and weaknesses described in the report are documented, tracked, and corrected.

Ultimately, it’s the BSA Compliance Officer who will determine what corrective actions are needed and create an action plan to address them.

Who Should Prepare The Audit According To Regulators?


The annual AML compliance audit should always be performed by a highly qualified independent auditing company with expertise in cryptocurrency compliance and the relevant cryptocurrency regulators.

Like we said up top: Your AML compliance is only as good as a third party says it is.

In other words, if you want to stay out of trouble, you need to work with a reputable and thorough independent auditing company that understands how to test your AML program, poke holes in it, and improve it.

Working with an independent auditor can be a positive experience. You can benefit significantly from the knowledge transfer that can occur during the audit process and after the report is delivered.

However, you have to be working with an experienced and credible audit consultant to derive maximum benefits. Otherwise, deficiencies in your cryptocurrency compliance program could be missed and you could find yourself in legal trouble.

A poorly conducted audit can give you false peace of mind, so do your due diligence and choose a reputable third-party audit company to conduct your audits each year.

Key Takeaways About Annual AML Program Audits For Your Cryptocurrency Company

Remember, AML program audits are conducted to ensure the policies and processes you have in place to maintain compliance with regulators are adequate and functioning properly to protect your business. Annual audits also confirm that everyone on your team is following a robust compliance program and actually doing what they say they’re doing.

The law requires that MSBs conduct independent audits, and it’s recommended that you have a complete AML program audit done every twelve months or more often depending on your BSA/AML risk profile.

When you hire an independent consultancy firm to complete your compliance program audit, make sure they have access to the information they need so the final report is as comprehensive and accurate as possible. This is the best way to have true peace of mind that your compliance program is as strong as it can be.

Finally, always work with an experienced and qualified independent cryptocompliance auditor to ensure your audit results are reliable and actionable.
