AML/CFT Audit Requirements for VASPS
Anti-Money Laundering (AML)/Combatting the Financing of Terrorism (CFT) audit requirements for Virtual Asset Service Providers (VASPs) are now a core part of how regulators assess whether a Virtual Asset Service Provider is fit to operate.
If a Virtual Asset Service Provider (VASP) cannot demonstrate that its AML/CFT controls are effective in practice, having documented policies alone will not meet regulatory expectations.
What Is an AML/CFT Audit?
An AML/CFT audit is an independent and systemic assessment of a firm's AML/CFT policies, procedures and controls. It is done in a way that meets its regulatory obligations and is effective in identifying, mitigating, and reporting financial crime risk in practice.
An AML/CFT Audit must be independent. This means that it cannot be conducted by the same person or Compliance Officer who built or run the programme. It examines both the design and operation of a VASP’s compliance framework. This means Independent AML/CFT auditors look beyond written policies to determine whether those controls are actually implemented, followed by staff, and effective in managing financial crime risks.
This is different from day-to-day compliance monitoring, which is an internal function focused on ongoing oversight of AML/CFT controls.
An Independent AML/CFT audit is a periodic, independent, and structured review designed to assess whether those controls are properly designed, implemented, and effective. It provides management, the board, and regulators with objective insight into the strength of the VASP’s AML framework.
AML/CFT Audit Requirements for VASPs
The global standard for AML/CFT audit requirements for Vasps comes from Financial Action Task Force (FAFT) recommendation 15.
VASPs must be registered or licensed by competent authorities, and must take preventive measures to ensure AML/CFT compliance including customer due diligence, recordkeeping, and suspicious transaction reporting. They must also avoid sanctions violations, and worldwide collaboration is required to ensure VASPs follow the rules.
In essence, since the entire 5 pillars of an effective compliance program applies to a VASP, VASPs must comply with an Independent AML/CFT Audit. An independent AML/CFT audit is the mandatory fourth pillar of an effective anti-money laundering compliance program that actually tests a VASP’s AML/CFT program. An Independent AML/CFT Audit is not a financial audit.
To prepare for an AML/CFT Audit, a VASP needs to meet the following requirements:
1. A Written, Board-Approved AML/CFT Policy
Your business AML/CFT policy must be written, approved at board level, dated, and actively maintained. Independent AML/CFT auditors check the date of last update and an undated policy is an immediate red flag. During an Independent audit, auditors sample transactions, interview staff, replay alert dispositions, and read training records. An AML/CFT audit is only useful if it evaluates your controls using the same expectations and standards that regulators use. If it does not, it may offer little protection during a regulatory review.
2. Enterprise Wide Risk Assessment
As a VASP, you must conduct and document a formal risk assessment covering your customer base, products, geographies, and transaction channels. This must be reviewed regularly and must feed directly into your KYC, monitoring, and reporting procedures.
3. Customer Due Diligence and KYC
As a VASP, you must identify, verify and risk assess customer identity using reliable documentation, and compliance does not end after onboarding.
Your firm must continuously monitor customer behaviour to identify unusual or suspicious activity.
4. Transaction Monitoring Systems
Your monitoring system must detect suspicious activity in real time, generate alerts, escalate them, and document how each one was resolved. Manual processes that cannot scale will not satisfy an Independent AML/CFT auditor or an examiner. A risk based approach should also applied to ensure that you scale your transaction monitoring systems as your customer base increases.
5. Sanctions and PEP Screening
Every customer on your platform as a VASP must be screened against applicable sanctions lists and Politically Exposed Persons databases at onboarding and on an ongoing basis. Independent AML/CFT Auditors will examine which lists you screen against, how frequently they are updated, and whether your escalation process for matches is clearly defined and consistently followed.
6. Suspicious Transaction Reporting
VASPs are required to promptly report suspicious transactions to the relevant authorities, making both speed and completeness essential elements of an effective AML/CFT framework. AML/CFT audits will verify not only that Suspicious Transaction Reports (STRs) are filed within required timelines, but also that each report is fully supported with accurate and complete documentation showing the basis for suspicion and the decision-making process.
7. Travel Rule Compliance
The Travel Rule dictates that VASPs share originator and beneficiary information during virtual asset transfers, and that implementing the Travel Rule in diverse technological environments is one of the core compliance challenges VASPs face. Independent AML/CFT Auditors will test whether your Travel Rule procedures are in place, technically functional, and properly documented.
8. Record Keeping and Audit Trails
Customer records, transaction histories, and all compliance decisions must be stored for the full retention period required by your regulator for typically five years and must be retrievable on request.
9. Staff Training
Employee AML training is a core compliance obligation for VASPs. Staff must understand their specific roles in the AML framework, and training must be refreshed regularly to keep pace with evolving regulatory expectations. Auditors will check training logs and ask specific questions of staff to test whether training is being absorbed in practice.
10. A Designated Compliance Officer and Independent Audit Function
VASPs are required to appoint a compliance officer at management level and maintain an independent audit function to test their AML/CFT Framework.
These are hard legal obligations. The compliance officer must hold genuine senior management authority.
The Role of Independent AML/CFT Audit in Strengthening Compliance
AML/CFT Audit is important for the compliance team as it helps for finding and fixing weaknesses before a regulator does.
Examiners no longer accept policy documentation as evidence of operational compliance. They sample transactions, interview staff, replay alert dispositions, and read training records. An independent audit tests your programme the same way an examiner would. That means when a regulator does arrive, there are no surprises.
Beyond regulatory readiness, there are 3 practical benefits of AML/CFT Audit. An Independnt AML/CFT Audit:
A good audit will surface weak spots in your transaction monitoring, gaps in your KYC procedures, or inconsistencies in how staff are applying policy. Fixing these internally is far less costly than having a regulator find them first.
Nigerian banks are now permitted to work with licensed VASPs but they still carry out their own due diligence. A documented, independently verified AML programme gives your bank the evidence it needs to maintain your account with confidence.
Whether you are seeking new investors, expanding into new markets, or applying for additional licenses, an up-to-date independent AML audit report signals that your business is run with discipline and built to last
CONCLUSION
AML/CFT audit requirements for VASPs are tightening globally, especially as virtual assets become more integrated into mainstream financial systems and regulators respond to misuse risks like fraud, sanctions evasion, and cross-border laundering.
VASPs that combine strong governance, effective transaction monitoring, and thorough documentation are better positioned to meet regulatory expectations, retain banking access, and grow with confidence.
At A&D Forensics, we help VASPs prepare for and navigate independent AML audits from gap assessments and compliance framework design to transaction monitoring reviews and audit readiness support. If your VASP AML audit is overdue or you are not sure your controls will hold up, speak to our team today.
Contributor: Ademola-Adesola Ifeoluwaposimi
