The 80/20 Gap: Why Most AML/CFT Audits Miss the Mark and How to Join the Effective Few
The Illusion of Compliance
Imagine the following: Your organization has a seemingly perfect AML/CFT audit program. Everything is meticulously documented, reports are delivered on time, and the regulator leaves after the latest inspection with a reassuring verdict. On paper, everything is correct.
And yet—one year later—a multi-million dollar fine follows. Or worse: your organization hits the headlines due to involvement in a money laundering scandal that went unnoticed for years.
What (most likely) went wrong?
The uncomfortable truth is that it is rarely a lack of rules, processes, or even expertise. The problem lies in the fundamental approach. Our market observation shows that approximately 80% of audit functions have, without realizing it, come to rely on a false sense of security: they treat compliance as an administrative end goal rather than treating risk management as a continuous process. The result? Audit programs that revolve around checkmarks and tickets, but fail to detect real risks and deviant behavior.
In this article, we unravel:
- Why audits often remain superficial (and how to pierce through that surface).
- The three biggest pitfalls for audit teams.
- How to make the shift to the 20% of organizations that actually add value.
1. False Security: “We Are Compliant”
In practice, an AML/CFT audit is still too often viewed as a mandatory “check-the-box” exercise. This mindset leads to audits that primarily prove that processes exist, but not whether they hold up under pressure.
Reports are filled with confirmations that policies are in place, controls are set up, and procedures are followed. But the question that is rarely truly answered is: does it actually work in practice? Furthermore, audits often focus on the “low-hanging fruit,” such as the administrative completeness of customer onboarding. More complex subjects—such as the effectiveness of advanced transaction monitoring or the integrity of decision-making regarding abnormal behavioral patterns—often remain underexposed.
The 20% who make an impact shift the focus from process compliance to effectiveness compliance. An effective program is not about checking off rules; it’s about exposing vulnerabilities before a criminal finds them.
2. The Three Biggest Pitfalls in AML/CFT Audits
I. Tunnel Vision: Looking at What You Already Know
Auditors often focus on known risks and existing checklists. This provides a sense of security but creates significant blind spots. New threats—such as complex fraud structures, crypto-related risks, or advanced laundering methods—remain out of sight. When an audit concludes with “no significant findings,” it is often not a sign that everything is in order, but a signal that the audit did not look deep enough.
How to tackle this:
- Steer toward ‘Event-driven’ scopes: Stop auditing just “because it’s on the annual plan.” Focus on areas where the market or the organization is changing (e.g., new product-market combinations).
- Use technology as a mirror: Use data analytics to discover patterns that manual sampling misses, but remain critical of data quality.
- Broaden the perspective: Involve external specialists (e.g., SIRA or sanctions experts) to challenge your own assumptions.
II. Paper Compliance: The Gap Between Policy and Practice
Many organizations have excellently documented processes. On paper, it all adds up. But in practice, deviations occur. Employees skip steps because processes are too cumbersome; monitoring tools generate so many alerts that real signals get lost in the noise; training is completed but does not lead to a change in behavior.
How to tackle this:
- Mystery Shopping / Walk-through tests: Test the process by guiding a fictitious, high-risk customer through onboarding. How easily do they slip through?
- Measure ‘Output Quality’: Don’t just look at whether an alert was handled, but whether the handling actually mitigated the risk.
- Feasibility Check: If a rule is not followed, the employee is often not the problem—the process is. Dare to name this.
III. The “Audit as End Point” Pitfall
An audit report is delivered, discussed, and then filed away. Recommendations fade into the background, follow-up is lacking, and the organization returns to business as usual. In such an environment, audit is seen as a control mechanism rather than an improvement tool.
How to tackle this:
- Make audit findings SMART: Specific, Measurable, Achievable, Relevant, and Time-bound.
- Involve the business in the solution: Let those who execute the process help think of improvements. Additionally, appoint someone responsible for the solution.
- Communicate results: Show that audit is not just about “checking” but also about adding value.
3. How to Reach the 20%: Practical Steps for an Effective Audit
Step 1: Prioritize Impact, Not Completeness
Not every risk deserves the same attention. Effective audit teams make sharp choices. They focus on the areas where probability and impact are highest: high-risk customers, complex or abnormal transactions, and behavior within the organization that puts rules under pressure. This requires daring to abandon standard checklists.
Step 2: Use Data to Discover Blind Spots
Many audits confirm what is already known. The real value lies in discovering blind spots. By actively using data analysis, patterns can become visible that otherwise remain hidden—such as unusual transaction flows or structural exceptions in processes.
Step 3: Make Audit a Continuous Process, Not a One-time Check
Risks change constantly, but audits often only take place periodically. By continuously monitoring critical processes and conducting shorter, thematic ‘deep dives,’ audit becomes an integral part of risk management rather than an annual exam.
- Tip: Create an ‘audit roadmap’ with priorities and deadlines, and communicate this to management.
Step 4: Measure the Impact of Your Audit
Ultimately, it is not about delivering reports, but about realizing improvement. Ask: Are risks identified faster? Do signals lead to action? Does behavior within the organization actually change?
4. Conclusion: From Superficiality to True Risk Awareness
In this approach, audit shifts from a monitoring function to a strategic partner in risk management. Most AML/CFT audits fail because they only check boxes, focus on paper rather than behavior, and result in no action being taken.
The solution? An audit program that:
- Truly exposes risks (not just checking if they are “documented”).
- Uses technology and data to find blind spots.
- Stimulates business engagement and enforces action.
Invitation for Consultation
We can imagine that after reading this article, you may have questions or wish to exchange thoughts on specific topics or a concrete case. We invite you to contact us without obligation. Our contact details can be found on our website.
Preview of the Next Article:
In the next article, we dive deeper into the three biggest ‘blind spots’ that even the sharpest AML/CFT auditor can overlook: culture, data, and human behavior. How is it that organizations think they are compliant while criminals find their greatest opportunities right here? Prepare for an honest check: which blind spot do you recognize in your team?
Get in touch
Dennis van der Meer | +31618948848 | dennis.van.der.meer@compliancechamps.com
Boy Custers | +31649935735 | boy.custers@compliancechamps.com