Compliance Audit Checklist: What Businesses Need to Prepare
Regulatory updates
Risk management

If you work in a regulated industry in the EU, the phrase "compliance audit" probably sits somewhere between a necessary routine and a genuine source of stress. That is completely understandable. The regulatory landscape you are operating in right now is arguably the most demanding it has ever been, with a wave of sweeping legislative changes, a brand-new pan-European supervisory authority, and a clear signal from regulators that the era of minimum-effort compliance is over.
This guide is written for compliance teams, MLROs, and senior managers at regulated businesses in the EU, including payment service providers (PSPs), e-money institutions (EMIs), corporate service providers (CSPs), and iGaming operators. We will walk through what a compliance audit actually involves, what you need to have ready, and how to think about audit-readiness not as a periodic exercise but as an ongoing discipline.
Before we get into the checklist, it helps to understand the regulatory backdrop, because the context shapes everything about how you prepare.
The EU Regulatory Environment in 2026 and 2027
The EU's approach to compliance oversight has changed materially in the last two years. The AML package adopted in May 2024 introduced three interlocking instruments that every regulated business needs to know. Regulation (EU) 2024/1620 established the Anti-Money Laundering Authority (AMLA), a new EU-level supervisor based in Frankfurt. Regulation (EU) 2024/1624 (the AMLR) sets out the substantive AML/CFT obligations for obliged entities across the single market, and Directive (EU) 2024/1640 (the sixth AML Directive) updates the mechanisms Member States must have in place, replacing the fourth Anti-Money Laundering Directive as amended by the fifth.
AMLA commenced operations on 1 July 2025, with full supervisory powers to be phased in by 2028. For financial services firms, this means a shift toward centralised supervision, especially for those operating in multiple EU countries. AMLA will directly supervise the highest-risk financial institutions, issue regulatory technical standards, and coordinate with national supervisors. What this means practically is that your compliance framework is no longer only measured against the standards of your home Member State regulator. It will increasingly be assessed against a harmonised EU-wide benchmark.
The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) has applied across all EU Member States since 17 January 2025. Its purpose is to create a consistent rulebook for how financial entities manage ICT risk and cyber incidents. Firms need a documented ICT risk management framework, must report major ICT-related incidents to their competent authority within hours of classifying them, have to test their systems regularly, and are responsible for overseeing the ICT third-party providers they depend on.
And then there is GDPR, which continues to apply to all personal data processing, NIS2 for cybersecurity obligations across essential and important sectors, and the EU AI Act, portions of which have applied since 2 February 2025, including the AI literacy obligation for staff who use AI systems in their work.
The point is this: a compliance audit today is not simply a check on your AML policies. It spans governance, data protection, operational resilience, technology risk, and increasingly, how you use automated tools in your compliance processes. Preparation needs to match that breadth.
What a Compliance Audit Actually Tests
A compliance audit, whether internal or external, is fundamentally testing whether your documented policies and procedures accurately reflect what your business actually does, and whether both are consistent with applicable law.
EU legislation on internal governance requires that institutions have a clear organisational structure with well-defined, transparent and consistent lines of responsibility, effective risk management processes, and appropriate control mechanisms. The internal governance framework should be proportionate to the nature, scale and complexity of the institution, and the main responsibility for it lies with the management body.
The EBA has emphasised that compliance audits for regulated financial institutions should be independent and conducted by auditors with appropriate expertise. There are two types: internal and external. A full external AML compliance audit typically covers a review of the company's AML compliance program against EU and local laws and regulations, testing of AML policies and procedures, and a review of the controls implemented within the company.
When regulators or external auditors sit across the table from your compliance team, they are looking for evidence. Not intentions, not plans, and not explanations of what you would do in a hypothetical situation. They want documented, dated, traceable records that demonstrate that your controls are real, operational, and proportionate to your actual risk exposure.

The Compliance Audit Checklist
What follows is a structured checklist covering the core pillars of a compliance audit for EU-regulated businesses. You should treat this as a framework rather than a definitive legal specification, and you should always take advice specific to your jurisdiction, sector, and licence type.
1. Governance and Compliance Function
Your governance structure is the foundation. Auditors will want to see that accountability for compliance sits clearly at board or senior management level and that your compliance function is genuinely independent rather than embedded within commercial operations.
Under Regulation (EU) 2024/1624, obliged entities must appoint one member of the management body in its management function who is responsible for ensuring compliance. The business-wide risk assessment must be drawn up by the compliance officer and approved by the management body, and where a supervisory body exists, communicated to it. Internal policies must be approved by the management body, and internal procedures and controls must be approved at least at the level of the compliance manager.
For your audit preparation, you should be able to produce the following:
A clear governance chart showing reporting lines for the compliance function, with the designated compliance officer or MLRO identified by name.
Board or senior management approval of your current AML/CFT policies, with dated signatures or meeting minutes.
A written conflict of interest policy and evidence that it is actively applied.
For EMIs, PSPs, and credit institutions, a documented three-lines-of-defence model as referenced in the EBA's revised internal governance guidelines, which specify requirements for the second line of defence (the risk management and compliance functions) and the third line (internal audit).
If your compliance officer role is outsourced rather than in-house, you also need to have notified your supervisor before the outsourcing arrangement commenced, as Regulation (EU) 2024/1624 requires obliged entities to notify the supervisor of outsourcing before the service provider starts to carry out the outsourced task.
2. Business-Wide Risk Assessment
This is one of the documents auditors will go to first, and it is also one of the documents that most businesses underinvest in. A business-wide risk assessment is not a template you download and fill in with generic text. It is a living document that reflects your actual products, customer types, geographies, delivery channels, and transaction patterns.
Under the new EU framework, your risk assessment needs to be granular, evidence-based, and regularly reviewed. It should cover your inherent risk exposure before controls are applied, the controls you have in place to mitigate each risk category, your residual risk after controls, and the conclusions you have reached about your overall risk profile.
For businesses operating across multiple jurisdictions, you should also demonstrate awareness of country-specific risk. Where customers or transactions involve EU-listed high-risk third countries, you must apply enhanced verification, source-of-funds checks, and increased monitoring, and you must keep an audit trail of the measures taken. The EU's high-risk third country list is maintained and updated by the European Commission through delegated regulations published on EUR-Lex.
3. Customer Due Diligence (CDD) and KYC/KYB Documentation
Customer due diligence is the operational heart of AML compliance, and it is almost always where auditors find the most gaps. The standard expected under Regulation (EU) 2024/1624 is that obliged entities must apply all required CDD measures, which in practice means verifying the identity of the customer and any beneficial owner, understanding the nature and purpose of the business relationship, and conducting ongoing monitoring.
For businesses serving corporate customers specifically, Know Your Business (KYB) verification is a critical component. You need to be able to demonstrate that you have verified the existence and legal standing of the company, identified and verified its beneficial owners (under the AMLR, any natural person holding 25% or more of the shares, voting rights or ownership interest, or exercising control by other means), and obtained and reviewed documentation from authoritative sources rather than relying on self-reported information.
Under the AMLR, the business-wide risk assessment and related internal policies and procedures must be kept up-to-date and enhanced where weaknesses are identified. This applies to your CDD procedures too. If your processes were designed three years ago and have not been reviewed since, that is a gap an auditor will identify.
Prepare for audit by being able to produce a sample of customer files that demonstrate consistent application of your CDD process, with dated records of every verification step. Be prepared to explain how you differentiate between standard, simplified, and enhanced due diligence, and which customer segments trigger which level of scrutiny.
4. Enhanced Due Diligence (EDD) and High-Risk Relationships
Politically Exposed Persons (PEPs), customers from high-risk jurisdictions, and high-value or complex business structures all require enhanced treatment. Your EDD process needs to be documented, consistently applied, and proportionate to the specific risk presented by each relationship.
As set out in Regulation (EU) 2024/1624, where a customer or beneficial owner is a PEP you must obtain senior management approval for the relationship, take adequate measures to establish source of wealth and source of funds, and apply enhanced ongoing monitoring. Where ownership is complex or opaque, source-of-wealth enquiries should be performed where proportionate to the risk. Where the relationship involves correspondent or equivalent higher-risk services, you must perform deeper respondent due diligence and, again, obtain senior management approval.
Auditors will look for evidence that EDD was actually performed and not merely noted as a category on a form. That means documentation of the additional steps taken, the information obtained, who approved the relationship, and how the file is being monitored on an ongoing basis.
5. Sanctions Screening and PEP Checks
Your sanctions screening framework needs to cover customers, beneficial owners, and counterparties, and it needs to be applied both at onboarding and on a continuous basis. The EU maintains restrictive measures through Regulations published in the Official Journal of the European Union, and the asset-freeze and prohibition provisions in those Regulations take direct legal effect on publication, meaning there is no transposition period and no room for a more permissive national reading.
The EBA's guidelines EBA/GL/2024/14 are addressed to all institutions within its supervisory remit and set out the internal policies, procedures and controls financial institutions must have in place to comply with restrictive measures. Weak controls in this area expose financial institutions to legal risks, reputational damage, and significant fines for non-compliance.
For audit purposes, you should be able to demonstrate the data sources your screening tool uses, how frequently the lists are updated, how you handle potential matches including how false positives are managed and documented, and who has authority to clear or escalate a match.

6. Transaction Monitoring and Suspicious Activity Reporting
Your transaction monitoring system, whether automated or manual, needs to be calibrated to your actual risk profile and customer base. A monitoring system that generates thousands of alerts that are routinely dismissed without investigation is not a control. It is noise, and auditors know the difference.
Obliged entities in the EU must report suspicious transactions and activity to their national FIU, respond promptly to requests for information from the FIU and supervisors, and be able to produce a complete audit trail of the decisions behind each alert. These obligations flow directly from Regulation (EU) 2024/1624 and apply to all obliged entities.
You should be ready to show the logic and thresholds behind your monitoring scenarios, records of alerts reviewed and the decisions made, records of Suspicious Activity Reports (SARs) or Suspicious Transaction Reports (STRs) filed with your national Financial Intelligence Unit (FIU), and evidence that staff responsible for reviewing alerts have received appropriate training.
7. Record Retention
Record retention is one of the simpler areas of compliance preparation in principle, but it is frequently where businesses create unnecessary risk by either not retaining records for long enough or not being able to retrieve them efficiently during an audit.
Under Regulation (EU) 2024/1624, the standard retention period is five years from the end of the business relationship or the date of the transaction, though some Member States require longer periods and some categories of data may be subject to different rules under GDPR.
For audit readiness, you should be able to produce any customer file, any transaction record, or any decision document within a reasonable timeframe. If your records are spread across multiple systems that are not interoperable, that is both an operational problem and a compliance risk that an auditor will flag.
8. DORA: Digital and Operational Resilience
If your business is a financial institution subject to DORA, the scope of what an auditor may examine has expanded significantly since January 2025. DORA requires you to have a documented ICT risk management framework, incident classification and reporting procedures (major ICT incidents must be reported to your competent authority within specific timeframes), a programme of regular ICT system testing, and documented oversight of critical third-party ICT providers.
Regulators have indicated that 2025 is a transition year focused on reviewing firms' new frameworks and identifying gaps before moving toward stricter enforcement. Early enforcement action is expected to target firms that have not yet established documented frameworks or have material gaps in their ICT risk governance.
9. Data Protection (GDPR)
Your compliance audit may well include or be accompanied by a review of your data protection practices, particularly as they interact with your AML obligations. There is an inherent tension between the duty to collect and retain customer data for AML purposes and the GDPR principle of data minimisation. That tension needs to be managed through documented data protection impact assessments, clear retention policies, and lawful basis documentation for each category of personal data you process. The authoritative reference here is Regulation (EU) 2016/679, which remains fully in force.
10. Staff Training Records
Regulators want to see that your policies and procedures are not just paper documents but are actually understood by the people responsible for applying them. Training must be consistent, role-specific, and updated as new threats, typologies, and regulatory changes emerge. This obligation is reflected across the EBA's internal governance guidelines and the requirements of Regulation (EU) 2024/1624.
Maintain records of who was trained, on what topics, on what dates, and what the training covered. For new starters, be able to show that AML and compliance training was completed before they were given access to customer accounts or transaction processing. For existing staff, show that refresher training is regular and reflects current regulatory expectations.
Common Gaps Auditors Find
Across regulated sectors in the EU, the same weaknesses tend to surface.
Your business-wide risk assessment is generic rather than specific to your actual product mix and customer base.
Your CDD files are incomplete or inconsistently applied, with some customers having full documentation and others having significant gaps.
Your transaction monitoring alerts are not being reviewed with enough rigour, or the review decisions are not being documented.
Your record of training completion is patchy or the training itself is outdated.
Your sanctions screening covers customers but not beneficial owners or third-party counterparties.
And your governance documentation attributes responsibility for compliance to a role without enough specificity about what that person is actually expected to do.
None of these gaps are unique to any particular type of business. They tend to arise when compliance is treated as something that gets done once and then maintained at minimum effort, rather than as a continuous operational discipline.
Audit-Readiness Is Not a One-Time Project
The most important mindset shift for regulated businesses right now is this: audit-readiness is a state, not an event. An audit that finds no material deficiencies is not the result of a few weeks of intensive preparation. It is the result of compliance being embedded in how the business operates day to day.
That means your risk assessment is reviewed at least annually and whenever a material change occurs in your products, customers, or geographies. Your CDD documentation is complete before a business relationship commences, not retrospectively. Your monitoring alerts are reviewed within defined timeframes. Your staff training is current. Your records are accessible. And your governance is genuinely active rather than nominal.
The years 2025, 2026 and 2027 are pivotal for AML compliance in Europe. As Regulation (EU) 2024/1624 becomes applicable across all Member States from 10 July 2027, businesses can no longer rely on the variance that existed under the previous directive-based framework. For businesses operating across multiple Member States, this is the moment to invest in harmonising your compliance approach rather than managing separate frameworks per jurisdiction.
About SpeedyDD
SpeedyDD exists because the documentation and verification side of compliance is genuinely hard to get right at scale. Our mission is to help complex, regulated businesses maintain the kind of continuous audit-readiness that regulators now expect, without it consuming your entire compliance team's capacity.
SpeedyDD connects with over 3000 corporate registry data sources across more than 200 countries and territories, giving compliance teams direct access to authoritative, primary-source data for KYB verification.
Whether you are onboarding high-risk entities, managing complex ownership structures, or preparing documentation ahead of a regulatory review, SpeedyDD is built to support the practical, day-to-day work of staying audit-ready.
Frequently Asked Questions
What is the difference between an internal compliance audit and an external compliance audit?
An internal compliance audit is conducted by your own compliance or internal audit function, or by someone sufficiently independent within your organisation. An external audit is conducted by an independent third party, typically a specialist firm or an auditor with regulatory expertise. The EBA's internal governance guidelines make clear that for regulated financial institutions, the internal audit function must be independent from operational and risk management functions. External audits carry additional credibility with regulators because they provide an impartial assessment. Many regulated entities conduct both, with internal audits more frequently and external audits at least annually or ahead of regulatory inspections.
How often should a regulated business conduct a compliance audit?
There is no single prescribed frequency that applies across all EU-regulated entities, because requirements vary by sector and licence type. As a general principle, your business-wide risk assessment should be reviewed at least annually and whenever there is a material change to your business model, customer base, or product offering, as reflected in Regulation (EU) 2024/1624. Many businesses conduct a light-touch internal compliance review quarterly and a more comprehensive review annually. External audits are typically annual, though some regulators may require them more or less frequently depending on your risk profile.
What documents should I have ready before a compliance audit?
At minimum, you should have your current AML/CFT policy approved at board or senior management level with a date, your business-wide risk assessment, your CDD procedures including the thresholds and triggers for EDD, your sanctions screening policy and evidence of its application, your transaction monitoring procedures and a sample of recent alert disposals, your staff training records for the past two years, records of any SARs or STRs filed, and your data retention policy. For DORA-obligated entities, add your ICT risk management framework and incident reporting log.
What is AMLA and how does it affect my compliance audit obligations?
AMLA is the new EU-level Authority for Anti-Money Laundering and Countering the Financing of Terrorism, established by Regulation (EU) 2024/1620. It will directly supervise high-risk financial institutions operating across the EU and coordinate with national supervisors for all other regulated entities. For most businesses, the day-to-day supervisory relationship will remain with your national regulator for the time being. However, AMLA is progressively issuing regulatory technical standards and guidelines that will set the EU-wide baseline. Compliance frameworks that were adequate under national standards alone may need to be updated to reflect those harmonised standards as they are published.
What are the most common reasons a compliance audit leads to regulatory action?
The most frequent triggers for regulatory action following a compliance audit are failure to apply CDD proportionate to the actual risk of the customer relationship, inadequate documentation of the decisions made during onboarding and monitoring, a business-wide risk assessment that does not reflect the firm's actual risk exposure, transaction monitoring that is not calibrated to the firm's risk profile or is not genuinely reviewed, inadequate governance accountability at senior management level, and failure to file suspicious activity reports when the threshold for reporting was met. In March 2025, a global neobank was fined €3.5 million by the Bank of Lithuania for deficiencies in its AML procedures, illustrating that enforcement is active and penalties are material even for relatively well-resourced institutions.
Does the EU AML Regulation (AMLR) apply directly to my business, or does it still need to be implemented into national law?
Unlike the previous Anti-Money Laundering Directives, which required national implementation, Regulation (EU) 2024/1624 is a directly applicable EU Regulation. This means it moves substantive AML/CFT obligations out of the directive framework and into a single set of uniform rules that apply across all EU countries without the need for national transposition. This matters because it reduces the scope for inconsistency in how requirements are applied across jurisdictions and means you cannot rely on a more permissive national interpretation if the Regulation itself sets a higher standard.
How should I approach compliance audits if my business operates across multiple EU Member States?
Operating across multiple jurisdictions adds complexity because while the EU AML framework is increasingly harmonised, some national-level requirements still exist, and different national competent authorities may have different supervisory styles and expectations. The practical approach is to build your compliance framework to the highest common denominator, ensuring it satisfies both the EU-level regulatory technical standards being issued by AMLA and the specific requirements of each national supervisor. Maintain a single, centralised compliance governance structure with jurisdiction-specific addenda where required, and ensure your record-keeping is organised in a way that allows you to respond quickly to requests from any of your supervisors.
What role does KYB verification play in a compliance audit for businesses with corporate clients?
KYB is a critical element of your CDD framework if you onboard or serve corporate entities. Auditors will specifically examine whether you have verified the legal existence of corporate customers, identified and verified their beneficial owners using authoritative sources rather than self-certification, understood the nature and purpose of the business relationship, and applied appropriate ongoing monitoring. Gaps in beneficial ownership verification are one of the most common findings in AML audits of businesses serving corporate clients. Using primary-source registry data is both a regulatory expectation under Directive (EU) 2024/1640 and a practical risk management discipline.
