In financial institutions across the United States, there’s a reflex that’s become almost ritual.

When a regulator walks in, or a board member asks whether the AML program is working, the answer is the same: “We just passed audit.” It’s delivered with confidence, sometimes even pride, as if the risk has been neutralized. But passing audit doesn’t mean your program is safe.

It doesn’t mean it’s effective. And in today’s threat landscape, it doesn’t mean much of anything at all.

That’s not an indictment of audit itself. Independent testing has its place. It’s a critical mechanism for confirming whether policies exist, whether procedures were followed, and whether the program’s skeleton is intact.

But that’s all it is: a structural X-ray. It doesn’t tell you if your institution can absorb a hit. It doesn’t simulate real-world stress. And it certainly doesn’t predict whether your controls will hold under the next iteration of typologies.

Yet audit remains the most over-weighted function in AML assurance, while forward-looking risk management, the part that might actually stop the next fine, languishes as an afterthought.

We’ve seen the consequences of this imbalance repeatedly. USAA Federal Savings Bank received clean internal audit ratings in 2016. In 2022, the Treasury’s Office of the Comptroller of the Currency (OCC) and its Financial Crimes Enforcement Network (FinCEN) fined the bank $140 million for widespread AML failures that had been festering all along.


About the Author

Brett Erickson is managing principal of Obsidian Risk Advisors, and an advisory board member at Seton Hall, DePaul University, and Loyola University Chicago School of Law. Erickson previously held AML and risk management roles at JPMorgan, Charles Schwab, Morgan Stanley, and Baird.


The same dynamic unfolded at TD Bank, where auditors confirmed the existence of key controls, only for regulators to later discover that major transaction categories weren’t even being monitored. A $3 billion enforcement action followed in 2024.

These aren’t isolated misfires. They are examples of what happens when institutions conflate “well-documented” with “well-defended.”

Audit is, by design, backward-looking. It reviews the past. It tells you whether you met your own internal expectations, whether your policies were followed, whether your forms were signed. It is valuable for governance.

But it is not predictive. It cannot see around corners. And it certainly cannot prepare your institution for a geopolitical disruption, a jurisdictional realignment, or the next enforcement surge from a regulator with new priorities.

That work belongs to your risk team, your strategy unit, and your front-line compliance staff, the ones who are paid to think forward, not just review backward.

The problem isn’t that audit exists. It’s that we’ve let it define the compliance conversation.

Boards are more comfortable reading audit reports than engaging with threat maps. Executives prefer to anchor to testing cycles rather than to dynamic typologies. And regulators, despite shifting language toward effectiveness, still use audit findings as the primary barometer of program health.

It’s a misalignment of focus. We’ve built comfort around the wrong measure.

When audit becomes the center of gravity, the rest of the program bends around it. Staff prioritize what will pass inspection, not what will prevent exposure. KYC teams paper files with templated language. Monitoring teams tune thresholds to avoid false positives that might raise audit flags.

What emerges is a risk framework optimized for audit clearance, not criminal disruption. In theory, the controls exist. In practice, the threats walk right through them.

Even where regulators are trying to pivot (FinCEN’s effectiveness push, the OCC’s escalation in testing requirements), the underlying cultural inertia persists. Compliance programs continue to prioritize independence over relevance, and procedural validation over outcome-based resilience.

We celebrate clean reports instead of scrutinizing whether those reports reflect any real ability to detect, escalate, or prevent financial crime in motion.

That distinction matters because financial crime doesn’t operate on an audit cycle. Threats aren’t waiting for Q4 to strike. Criminal networks don’t care about documentation. And regulators have made it increasingly clear that passing your last audit will not shield you from scrutiny if your program fails in real time.

They’re not asking whether your policies existed.

They’re asking whether they worked. Whether they caught the thing that mattered. Whether the institution responded in time. And that’s a very different standard than the one most audit teams are scoped to measure.

Some argue that audit is necessary because it provides independence. That’s true, but incomplete.

Independence only matters if what’s being tested is relevant. Reviewing whether a policy exists doesn’t help if the policy itself is obsolete. And in many institutions, audits are scoped to validate form, not function. They check whether monitoring rules exist, not whether those rules actually align with evolving threat typologies.

That’s not independence. That’s detachment.

Others point to audit’s accountability. The findings go to the board, after all. But if those findings are rooted in the wrong scope, they don’t inform. They mislead. They tell senior leadership that the program is sound when, in fact, it may be one emerging corridor or one typology shift away from failure. If we treat those findings as the ceiling of AML performance, rather than the floor, we’re setting ourselves up to be blindsided.

The solution isn’t to discard audit. It’s to recalibrate its weight. It should be part of the equation, not the entirety of it. Forward-looking AML programs integrate scenario testing, typology anticipation, continuous control validation, and proactive intelligence into their daily operations.

They don’t wait for audit to catch a gap; they simulate the gap before it’s exploited. That’s what resilience looks like. That’s what regulators are asking for, whether the industry wants to admit it or not.

AML is no longer a paperwork exercise. It’s a live system, operating in real time, under pressure, with adversaries that adapt faster than most institutions can staff up. If we continue to define our programs by whether they pass last quarter’s audit, we’re not managing risk.

We’re memorializing it.

Audit still has a role to play. But if we’re honest about what actually protects institutions from the next enforcement action, the next reputational implosion, or the next systemic breach, it won’t be the report written six months after the failure. It’ll be the forward-facing mechanisms you had, or didn’t have, in place before it happened.

And if you’re only finding those flaws after the fact, then your audit isn’t a defense.

It’s just a eulogy.