Following on from my recent blog on the evolving role of the MLRO, I realised I overlooked one critical component: the independent AML audit. The more I considered it, the clearer it became that this is not a supporting detail but something that deserves attention in its own right.
Under Regulation 21 of the Money Laundering Regulations 2017, most firms are required to establish an independent AML audit function to assess the adequacy and effectiveness of their AML policies, controls and procedures. For many, this is treated as a regulatory obligation to be satisfied. For an MLRO, it should be seen very differently. Done properly, it becomes both protection and leverage.
At its most basic level, the Reg 21 AML independent audit is a form of defence. An MLRO can be held personally accountable if things go wrong, particularly where there is a failure to demonstrate that all reasonable steps were taken. An independent audit creates evidence. It provides external validation of the firm’s systems and highlights any weaknesses in a way that is difficult to ignore. If those findings are then used to push for change, whether that is more resource, better systems or revised processes, the MLRO builds a clear record of action. That record matters. It shows effort, escalation and intent.
It also addresses a more practical problem. It is extremely difficult to assess your own framework objectively, particularly when you are operating under pressure. Internal reviews, whilst important, often miss what they are too close to see. An independent AML auditor brings distance and specialism. They identify gaps, inconsistencies and blind spots that an internal team, however capable, may overlook. If scrutiny ever comes from the regulator, a recent audit that has either come back clean or been acted upon is powerful evidence that the firm was not operating carelessly.
Beyond protection, the audit plays an important role in shaping behaviour across the firm. One of the most underestimated aspects of a Regulation 21 independent AML audit is the message it sends internally. When an external auditor is brought in to review files and speak to staff, it signals that AML compliance is not optional and not secondary. It is a core part of how the business operates.
This has a direct impact on how fee earners view the MLRO. Requirements that may have been seen as internal friction begin to carry more weight when they are reinforced by external scrutiny. The assessor will interview your fee earners and support staff. The presence of an independent auditor changes the dynamic. It provides a form of accountability that is harder to dismiss and often prompts a level of engagement that internal messaging alone cannot achieve. It also helps shift the culture away from individual blame. A well-run Regulation 21 audit does not focus on catching people out; it looks at systems and patterns. When findings are shared constructively, it encourages openness and reduces the fear that often surrounds compliance.
To get real value from the process, the audit itself needs to be more than a formality. Reviewing a sample of live matters is essential to understand how policies operate in practice, not just on paper. Client matter risk assessment must be reviewed. Speaking directly to staff reveals whether processes are truly understood and embedded, or simply followed at a surface level. Just as importantly, the outcome must reach the board. If there are barriers the MLRO has been unable to resolve, the audit is the mechanism that brings them into view at the highest level.
The independent AML audit also reinforces a broader point about compliance. Just like a strong Client Matter Risk Assessment, it is not enough to reach a conclusion. You have to show your workings and your rationale. That applies at both the file level and the firm level. An audit that captures not only where the risks are, but where the controls are working well, creates a more credible and complete picture. It demonstrates that the firm understands both its vulnerabilities and its strengths.
The Regulation 21 independent AML audit is the bridge between saying you are compliant and being able to evidence it. For the MLRO, it is a safeguard. For the wider firm, it is a signal of seriousness and intent. In a climate of increasing regulatory scrutiny, it should not be viewed as a cost to manage, but as an investment in resilience, credibility and culture.