
What Is an AML Independent Review? BSA Testing Requirements for Fintechs

Anzar Dewani

2 days ago

Independent testing of your AML program is a required BSA pillar — not an optional best practice. Here is what it covers, who can conduct it, how often it must happen, and what the output should look like.

Of the five required pillars of a BSA/AML compliance program, independent testing is the one most commonly delayed, underfunded, and deprioritized — particularly at early-stage fintechs managing competing operational demands.

It is treated as something to get to later, after more immediately pressing priorities are addressed. This approach creates real and serious compliance risk.

Independent testing is a formal BSA requirement, not an optional program enhancement. And beyond the regulatory obligation, it serves a critical practical purpose — it is how you find out whether your compliance program is actually working before a regulator, a sponsor bank, or a law enforcement inquiry finds out it is not.

This article explains what an AML independent review is, what it must cover, who can conduct it, how often it must occur, and what examination-ready output looks like.

What Is AML Independent Testing?

AML independent testing — also called an AML audit or BSA independent review — is a periodic assessment of your AML compliance program conducted by someone who is independent of the function being tested.

The objective is to evaluate whether your AML program is designed appropriately for your specific risk profile, implemented consistently and completely in practice, actually effective at detecting and reporting suspicious activity, and compliant with applicable BSA requirements and regulatory expectations.

Independent testing is specifically designed to surface gaps that internal teams may not identify — either because of proximity to the operations, because the gaps exist in areas with the least internal oversight, or because findings require organizational escalation that would not occur through self-assessment.

Why Independent Testing Is a BSA Requirement

The BSA requires covered financial institutions to conduct independent testing as one of the four original core pillars of a compliant AML program. FinCEN examination guidance requires that testing be conducted by qualified personnel who are independent of the BSA/AML compliance function.

The requirement exists because AML programs that evaluate only themselves have an inherent and unavoidable blind spot. External or functionally independent review provides the objectivity needed to identify real program gaps — not just the gaps the program manager is aware of and willing to acknowledge.

Sponsor banks take independent testing seriously as well. A fintech that cannot produce an independent review report — or whose most recent review is more than 18 months old — will face sponsor bank scrutiny regardless of how the program looks on paper.

Who Can Conduct an Independent Review?

The independence requirement is the critical constraint. The reviewer cannot be the same person — or directly supervised by the same person — who is responsible for the AML program being reviewed. The reviewer must be able to reach findings that are contrary to management's preferences without organizational constraint.

In practice, independent review is conducted by one of three parties.

  1. External compliance consultants or specialized audit firms — the most common approach for fintechs and smaller MSBs. An external firm with demonstrated AML expertise reviews the program and produces a written findings report. This is the clearest demonstration of independence and is typically what sponsor banks and FinCEN examiners expect to see for non-bank financial institutions.
  2. Internal audit function — for larger organizations with a dedicated internal audit team that reports independently to the board's audit committee rather than to compliance or operations management, the internal audit department can conduct the AML review. Organizational independence from the compliance function must be genuine and clearly documented.
  3. Qualified independent internal personnel — in smaller organizations without a dedicated audit function, another senior employee with sufficient AML knowledge who has no responsibility for any element of the program under review may conduct the assessment. This approach is the most difficult to defend to examiners because independence is less clearly established.

For most early-stage and growth-stage fintechs, external review by a qualified compliance consultant is the most straightforward, defensible, and examination-ready approach.

How Often Must Independent Testing Occur?

FinCEN does not specify a fixed frequency requirement but establishes that testing must occur at a frequency commensurate with the institution's risk profile. Examination guidance and industry practice have established clear norms.

Annual testing is the standard expectation for most fintech businesses with moderate risk profiles. This means at least one comprehensive independent review of the complete AML program every 12 months.

More frequent testing — semi-annual or even quarterly — is appropriate for higher-risk businesses, businesses that have undergone rapid growth, businesses that have recently launched new high-risk products, and businesses that have had recent examination findings or identified program gaps requiring closer monitoring.

Post-significant-change reviews are appropriate when a fintech launches a new product, enters a new geographic market, significantly changes its customer base, or undergoes a merger or acquisition. Material changes to the business warrant an independent assessment of the affected program areas.

The minimum defensible position is a comprehensive independent review at least once every 12 to 18 months. Going beyond 18 months without any independent review is a significant program gap that examiners treat as a standalone finding.

What the Review Must Cover

A comprehensive AML independent review covers the complete program across all required pillars.

  • Program Governance and Documentation — is the AML policy written, current, approved by senior management, and specific to the business? Is the BSA Officer designation current, with documented authority and access? Does the program accurately reflect the current state of the business?
  • Risk Assessment — was the risk assessment conducted within the past 12 months? Does it accurately reflect current products, customers, and geographies? Are controls demonstrably calibrated to the risk levels identified?
  • Customer Identification Program — are CIP procedures being followed consistently for every customer? Is identity verification actually occurring — not just information collection? Are CIP records complete and retained?
  • Customer Due Diligence — are risk ratings applied consistently using defined criteria? Is EDD being applied for all customers that meet defined EDD triggers? Is ongoing monitoring connected to CDD? Are periodic reviews occurring on schedule?
  • Transaction Monitoring — are monitoring rules appropriate for the risk profile? Are alerts being reviewed within defined SLA timelines? Is alert documentation complete and specific? Are false positive rates at manageable levels? Is rule tuning occurring regularly?
  • SAR Filing — are SARs being filed accurately and within the 30-day deadline? Is investigation documentation complete? Is the SAR confidentiality rule understood and consistently followed?
  • Sanctions Screening — is OFAC screening occurring at onboarding and for ongoing transactions? Are hits being reviewed and documented appropriately? Is the SDN List being re-screened when updated?
  • Employee Training — is AML training being conducted at minimum annually? Is training role-specific and documented? Are new hires trained before performing compliance-relevant functions?
  • Recordkeeping — are required BSA records being retained for the required minimum period? Are records retrievable on reasonable notice?

What the Output Must Look Like

The independent review must produce a written report. A verbal summary or informal feedback is not an acceptable examination deliverable.

The written report must include:

  • Scope and methodology: what was assessed, how, and over what time period.
  • A summary assessment of the overall adequacy of the AML program.
  • Specific findings organized by program area, with each finding clearly described.
  • A risk rating for each finding, typically expressed as high, medium, or low, based on the potential regulatory exposure or harm created by the gap.
  • Specific recommendations for remediating each finding.
  • The date the review was completed and the name of the reviewing firm or individual.

The report must be presented to senior management. Evidence that senior management reviewed the findings, acknowledged them, and directed remediation is something FinCEN examiners specifically look for. A report that was produced and filed without senior management engagement is nearly as problematic as not having conducted the review.

What Happens After the Review

Each finding in the independent review report requires a formal management response identifying the specific remediation steps to be taken, the individual responsible for each remediation item, and the target completion date. Findings must be tracked to resolution and verified as actually remediated — not just marked complete on a tracking document.

Patterns of findings that are identified in multiple consecutive reviews without genuine remediation are a serious examination risk. They demonstrate that the independent testing function is not driving meaningful program improvement — which undermines the entire purpose of the requirement.

Frequently Asked Questions

Can a fintech's external legal counsel conduct the AML independent review?

Legal counsel can provide compliance advisory support but conducting the AML independent review requires operational AML expertise — the ability to assess whether monitoring rules are calibrated correctly, whether SAR narratives meet FinCEN standards, whether alert documentation is examination-ready, and whether training content is adequate. Legal counsel without specific AML examination experience is generally not well-suited to conduct a comprehensive BSA independent review. Specialized compliance consultants or audit firms with AML examination backgrounds are better positioned.

What is the difference between an AML independent review and a regulatory examination?

An AML independent review is conducted proactively by the institution — or by a firm it engages — to identify and remediate program gaps before regulators find them. A regulatory examination is conducted by FinCEN, a prudential regulator, or a sponsor bank to assess the institution's compliance. Independent review findings that are identified and remediated before examination significantly strengthen your examination position.

How long does an AML independent review take?

The duration depends on the size and complexity of the institution and the depth of the review. For early-stage fintechs with relatively straightforward programs, a comprehensive independent review can typically be completed in 2 to 4 weeks including document review, testing, and report preparation. More complex programs or programs with significant gaps that require deeper investigation take longer.

Does a fintech need to make independent review findings available to its sponsor bank?

Sponsor banks frequently request independent review reports as part of their ongoing oversight of fintech partners. Whether a fintech is contractually obligated to provide the report depends on the terms of the sponsor bank agreement. Regardless of contractual obligation, providing independent review reports to your sponsor bank — including the findings and remediation status — is generally good practice that demonstrates the maturity of your compliance program and builds trust in the relationship.

How ComplyOne Helps

ComplyOne provides AML independent review services for fintechs and money services businesses — conducting comprehensive program assessments, producing written examination-ready findings reports, presenting findings to senior management, and supporting companies through the remediation process. Whether through our advisory team, our compliance technology platform, or both, we help you identify gaps before regulators do.

Talk to the ComplyOne team to schedule your independent review.

The information in this article is for general educational purposes and does not constitute legal or regulatory advice. Consult a qualified compliance professional for guidance specific to your situation.
