The Three Biggest Blind Spots in AML/CFT Audits (and How They Can Ruin Your Organisation)

Introduction: Why Your AML/CFT Audit May Fall Short 

The AML/CFT audit is complete. The report looks good. Compliance has finished its annual reviews, and collectively the conclusion is: we’re in control. 

And yet… several clients turn out to be part of a money laundering network worth hundreds of millions of euros. Your monitoring tool missed transactions that a competitor did flag. An employee has been approving PEP transactions for years without any enhanced due diligence measures in place. 

How is that possible? 

In practice, AML/CFT audits are frequently vulnerable to a number of fundamental blind spots: organizational culture, human behaviour under pressure, and the way data is used and interpreted. 

In this article we unpack: 

  • Blind spot 1 – Culture: Why a “compliance tick-box culture” masks real risk. 
  • Blind spot 2 – People: The psychology behind ignoring red flags. 
  • Blind spot 3 – Data: Why your monitoring tools miss more than they catch. 

 

Blind Spot 1: The “Compliance Tick-Box Culture” – Why Your Organization Thinks It’s Compliant When It Isn’t 

In many organizations, AML/CFT compliance has gradually shifted from a risk-driven discipline to an administrative process. What was once designed to make risks visible and manageable has in practice often been reduced to following steps and ticking checklists. Employees do what is asked of them but rarely pause to consider what it means — for risks, for the organization, or for overall effectiveness. The result? 

  • Reports full of confirmations that processes exist and have been implemented, but with little concrete evidence that they work. 
  • Audits that focus on the “easy” components (such as client onboarding and policy checks), while complex risks (such as transaction monitoring and culture) are ignored. 
  • A false sense of security: “We’re compliant because we follow the rules.” 

Real-world example:

In 2025, de Volksbank was fined €20 million by the DNB because their compliance system was not up to date and risks were not being effectively mitigated. The problem? The bank had processes in place, but they were never critically assessed for effectiveness. Employees followed the rules but didn’t understand why — and so they missed signals that pointed to potential money laundering.

 

Why is this a blind spot?

Culture determines the depth of compliance

In organizations where compliance is seen as an obligation, a minimal approach quickly takes hold: “do just enough to get through the check.” Employees follow processes but don’t feel responsible for the underlying goal. Identifying risks requires curiosity, ownership, and often courage. When those elements are absent, deviations go unnoticed — not because they don’t exist, but because no one is actively looking, raising concerns, or speaking up. 

No personal accountability

When compliance is positioned as a separate department, an implicit divide emerges: “they handle the rules, we handle the business.” In theory, everyone remains responsible, but in practice that accountability erodes. Risk management becomes something you can pass along rather than something that is an integral part of daily work. The result is that signals get lost between teams or simply aren’t acted on because no one truly feels ownership. 

Fear of conflict

Asking critical questions about clients, transactions, or internal processes requires space and psychological safety. In many organizations, employees feel that space is limited. Those who push back with questions are sometimes seen as difficult, as causing delays, or as “not commercial enough.” In high-pressure environments with a strong focus on targets, this effect can be amplified. The rational choice then becomes to stay within the lines and avoid discussion — even when there is doubt.

How to address this: 

✔ Make compliance everyone’s responsibility: Explain why rules exist and why they matter to the organization (e.g. “This prevents us from being used for money laundering”) and what each person’s role should be. In your next audit, examine the sense of accountability across different teams.

✔ Create a compliance KPI: Encourage employees to report red flags, even when it’s uncomfortable. Compliance training is essential to help them recognize those flags. As an auditor, it is also important to investigate how compliance is incentivized.

✔ Test the culture: Run anonymous employee surveys: Do employees feel comfortable voicing criticism? Do they feel safe reporting irregularities?

✔ Let senior management set the tone: If management ignores compliance, the rest will too. As an auditor, be willing to address the impact of management’s tone. 

 

Blind Spot 2: Human Behavior – The Psychology Behind Ignoring Red Flags

We are not rational — including in compliance. Even if systems and processes are perfect, people make mistakes. And those mistakes are often caused by psychological pitfalls: 

 

Psychological bias | How it works | Example
Confirmation bias | We seek information that confirms our existing beliefs. | An auditor sees that a client looks fine “on paper” and ignores signals that suggest otherwise.
Overconfidence bias | We overestimate our own ability to recognise risks. | “We know our clients, so we know which transactions are safe.”
Groupthink | Group pressure suppresses dissenting opinions. | A team ignores a red flag because “everyone agrees there’s no risk here.”
Alert fatigue | Too many false alarms lead to all signals being ignored. | Employees automatically click “safe” because 99% of alerts turn out to be nothing.
Authority bias | We blindly trust authority figures (e.g. senior management). | An employee doubts a transaction but does nothing because the manager says: “This is fine.”

This vulnerability — these biases — doesn’t reside in systems or procedures, but in human behavior. And that is precisely what makes it so persistent. 

People are not machines

Even the most experienced auditors and compliance officers are constantly making judgements based on incomplete information. Unconscious assumptions and cognitive biases play a larger role than is often acknowledged — think of confirmation bias, but also “normalization of deviance” (deviations that occur often enough start to feel normal). In an audit context, this means signals that don’t immediately fit the expected pattern are more likely to be filtered out or rationalized away. 

Culture amplifies biases

This natural tendency is reinforced by the environment in which people work. Culture — the first blind spot — is a key factor here. In organizations where mistakes are primarily seen as something to be punished, hesitancy sets in. Employees become more cautious about asking critical questions or escalating uncertain cases. Not because they don’t see the risks, but because the personal or organizational cost of “being difficult” feels higher than the potential benefit. The result is that risks may be noticed but not always voiced. 

Pressure to deliver results

On top of this, incentives within organizations are not always aligned with risk management. When speed, commercial targets, or customer satisfaction carry more weight in assessments and rewards, tension arises. Employees who are evaluated on throughput times or volumes will — consciously or unconsciously — tend to be less rigorous in their assessments. Not necessarily out of bad intent, but because the system nudges them in that direction. A compliance KPI could help to rebalance this.

Together, these factors create an environment where risks don’t necessarily disappear but do become less visible. And that makes this one of the most insidious blind spots: everyone is doing their job, and yet a structural underestimation of what is really happening emerges. 

 

How to address this: 

✔ Train on behavior, not just rules: Teach employees to think critically and challenge assumptions. When auditing, review training materials with this theme in mind.

✔ Use red teaming: Have a team deliberately try to circumvent your systems. What works? Where do they hit obstacles? As an auditor, explore how an organization can guard against biases.

✔ Reward reporting mistakes: Build a culture where reporting errors is rewarded, not punished. Always worth probing this in interviews and walkthroughs.

✔ Automate where possible: Replace human judgement with objective criteria where feasible (e.g. “If a transaction has characteristics X, Y, and Z, always escalate”).

✔ Measure the quality of decisions: Analyze retrospectively how often human assessments were wrong and learn from them. 

 

Question for you:

What psychological pitfalls do you recognize in your own team? And how do you ensure that employees feel comfortable expressing their doubts?

 

Blind Spot 3: Data – Why Your Monitoring Tools Miss More Than They Find

Organizations rely on sophisticated monitoring tools to detect suspicious transactions. But what if those tools are not calibrated to the actual risks of your organization? Or if the data fed into the system is incomplete, outdated, or even misinterpreted? 

Real-world examples:

  • Bunq (Dutch neobank) was fined €2.6 million by the DNB in 2025 because their AML controls repeatedly fell short. One of the problems: monitoring tools missed patterns that were suspicious because they had not been calibrated to the specific risks of a fintech.
  • De Volksbank was unable to properly monitor customer activity between 2020 and 2023 because their systems did not keep pace with new money laundering methods (for example, structuring via small amounts).

On paper, data-driven monitoring appears to be one of the strongest lines of defense in AML/CFT. In practice, this is precisely where a fundamental vulnerability lies — not because there is too little data, but because the way we use that data has limitations that are often underestimated. 

 

False Negatives

A first problem lies in what is not seen: so-called false negatives. Monitoring tools are by definition based on models, scenarios, and historical patterns. They recognize what has previously been identified as a risk. But money laundering and fraud evolve constantly. New methods often fall outside existing parameters and therefore remain invisible. The system generates no alert, even though something is genuinely happening. And because “no alert” is often interpreted as “no risk,” a dangerous form of false assurance emerges. 

False Positives

On the other side is the opposite problem: false positives. Many systems generate large volumes of alerts, a considerable portion of which ultimately prove irrelevant. This creates an operational reality where employees must assess enormous volumes daily. Inevitably, alert fatigue sets in. Signals that were initially investigated carefully are increasingly dismissed as “probably nothing again.” Not out of negligence, but out of efficiency. The risk is clear: the one genuine signal can get lost in the noise. 

Data Silos

On top of this, data rarely forms a coherent whole. In many organizations, information is spread across different systems: client data in one platform, transaction data in another, risk assessments somewhere else. These silos make it difficult to connect the dots. A transaction may appear harmless on its own, as may a client profile. But in combination — across time and systems — a pattern may well become visible. If those puzzle pieces never come together, the bigger picture remains hidden. 

 

How to address this: 

✔ Validate your data: Ensure your monitoring tools detect the risks that are relevant to your organization. Test regularly with realistic scenarios. In an audit, dig deeper into how the rules (and their associated scenarios) were developed.

✔ Combine humans and machines: AI and data analysis are powerful, but human judgement is needed to add context (e.g. “This director is a PEP, but their assets are unrelated to the client organization”).

✔ Monitor effectiveness: Measure how many real risks your tool identifies and how many it misses. As an auditor, examine the monitoring tool’s statistics.

✔ Integrate data: Ensure that client data, transaction data, and risk data are connected, so that patterns can surface. Include data types in your audit scope.
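The following is an added example, not code from the article or from any institution named in it, showing in Python what the three data problems and the “monitor effectiveness” check look like in practice. A simple structuring rule aggregates sub-threshold cash deposits per client over a rolling window (one false-negative pattern from the article: deposits spread beyond the window stay invisible), joins transaction data with client risk data from a second “silo” (PEP status lowers the alert bar), and then scores the rule against investigator outcomes as hits, noise and misses. All clients, transactions and outcomes are constructed; the €10,000 threshold, 7-day window and PEP factor are assumptions. The rule also stands in for the “characteristics X, Y and Z, always escalate” automation suggested under Blind Spot 2.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data standing in for two silos: a client platform and a transaction ledger.
CLIENTS = {"C1": {"pep": False}, "C2": {"pep": True}, "C3": {"pep": False}, "C4": {"pep": False}}
TXNS = [  # (client, booking date, amount in EUR, cash deposit?) -- all constructed
    ("C1", date(2025, 3, 1), 9500, True), ("C1", date(2025, 3, 3), 9800, True), ("C1", date(2025, 3, 5), 9700, True),
    ("C2", date(2025, 3, 2), 4000, True), ("C2", date(2025, 3, 4), 4500, True), ("C2", date(2025, 3, 6), 4200, True),
    ("C3", date(2025, 3, 1), 9900, True), ("C3", date(2025, 3, 20), 9900, True), ("C3", date(2025, 4, 10), 9900, True),
    ("C4", date(2025, 3, 7), 15000, False),
]
# Constructed investigator outcomes (ground truth): which clients really were laundering.
TRUTH = {"C1": True, "C2": False, "C3": True, "C4": False}


def structuring_alerts(txns, clients, threshold=10000, window_days=7, pep_factor=0.5):
    """Rule (assumed parameters): cash deposits each below `threshold` whose sum within a rolling
    window reaches the bar trigger an alert. PEP clients (from the client silo) get a lower bar."""
    by_client = defaultdict(list)
    for client, day, amount, cash in txns:
        if cash and amount < threshold:          # only sub-threshold cash is in scope for this rule
            by_client[client].append((day, amount))
    alerts = set()
    for client, deposits in by_client.items():
        deposits.sort()
        bar = threshold * pep_factor if clients[client]["pep"] else threshold
        for i, (start, _) in enumerate(deposits):
            # aggregate every deposit from `start` forward that falls inside the window
            total = sum(a for d, a in deposits[i:] if d - start < timedelta(days=window_days))
            if total >= bar:
                alerts.add(client)
                break
    return alerts


def effectiveness(alerts, truth):
    """Score the rule the way the 'monitor effectiveness' check asks: hits, noise and misses."""
    tp = sum(1 for c, bad in truth.items() if bad and c in alerts)         # real risk, alerted
    fp = sum(1 for c, bad in truth.items() if not bad and c in alerts)     # noise feeding alert fatigue
    fn = sum(1 for c, bad in truth.items() if bad and c not in alerts)     # "no alert" read as "no risk"
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "precision": precision, "recall": recall}


if __name__ == "__main__":
    found = structuring_alerts(TXNS, CLIENTS)
    print("alerts:", sorted(found), "metrics:", effectiveness(found, TRUTH))
```

With the 7-day window the rule flags C1 and C2 but misses C3, whose deposits are spread weeks apart; widening the window to 45 days catches C3, which is the kind of recalibration the scenario testing above is meant to surface.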

 

Conclusion: From Blind Spots to Clear Vision

The three blind spots — culture, human behavior, and data — do not exist in isolation. They reinforce each other. An organization with a tick-box culture will be less critical about the effectiveness of its monitoring. People under pressure or driven by speed will be quicker to trust systems without questioning them. And systems that don’t work effectively but are still used in turn feed the conviction that “everything is under control.” This creates a closed loop of false assurance.

The uncomfortable reality is that many audits do not break this dynamic. They confirm that processes exist, that controls have been performed, and that reporting is accurate. But they rarely ask the sharp question: Does this system actually work when it really matters? 

An effective AML/CFT audit therefore looks not only at what has been set up, but above all at how it functions in practice — under pressure, when in doubt, and at the moments when it counts. That demands something different from auditors: 

  • Not just testing, but asking deeper questions 
  • Not just checking, but understanding 
  • Not just reporting, but also confronting 

Because ultimately the difference does not lie in even better policies or even more data. It lies in the willingness to see what you’d rather not see. The question, therefore, is not whether your organization has blind spots. 

The question is: do you dare to truly make them visible?

If you ignore these blind spots, you remain reactive rather than proactive. Your organization is not badly protected — but it is vulnerable in places where you least expect it. The 20% that truly makes an impact understands that a good AML/CFT audit is not about ticking regulatory boxes, but about exposing vulnerabilities before they can be exploited. 

 

Invitation to Consult

If this article has raised questions or prompted topics you would like to discuss further — or if you have a specific case you would like to explore — we welcome you to reach out for an informal introductory conversation. Our contact details can be found on our website.

 

Next Article

In the next article, we examine an uncomfortable truth: Internal Audit versus Business. Why audit teams are so often seen as a brake on progress — and how to change that. 

 

Get in touch

Dennis van der Meer | +31618948848 | dennis.van.der.meer@compliancechamps.com

Boy Custers | +31649935735 | boy.custers@compliancechamps.com