Every quarter, my team and I close out a fresh batch of independent AML audits across fintechs, money service businesses, crypto platforms, sweepstakes and social-gaming operators, payroll processors, and BaaS clients. The faces and product stacks change. The findings, increasingly, do not.
In 2026, federal and state examiners are no longer rewarding good intentions or impressive policy binders. They are rewarding evidence — reproducible, time-stamped, decision-grade evidence — that an AML program actually runs the way it is written. Where that evidence is missing, what would have been a quiet Matter Requiring Attention in 2022 is, in 2026, a public consent order, a civil money penalty, or a banking-relationship exit notice.
Here are the top recurring findings I am citing in independent AML audit reports this year, why they are showing up, and how to remediate them before an examiner or sponsor bank does it for you.
1. The risk assessment that no one believes
The first thing every examiner asks for is the enterprise-wide BSA/AML risk assessment. The first thing they usually find is a document that bears no relationship to the actual business.
Common gaps we cite: the customer-risk taxonomy was last calibrated when the company served 5,000 users, not 500,000; high-risk geographies are pulled from a 2022 list and do not reflect current FATF grey-list changes or recent OFAC designations; product risk treats stablecoin on-ramps, prepaid disbursements, and instant ACH the same as a vanilla checking deposit; and inherent-versus-residual scoring is calculated with weights no one in the second line can explain.
Fix: Refresh the risk assessment at least annually, and immediately upon any material change — new product, new geography, new partner, new typology. Tie every inherent-risk rating to a documented control and a tested mitigant. If you cannot defend the math in a one-page memo, your examiner will not defend it either.
2. Transaction monitoring tuned for a different company
In nearly every 2026 audit, transaction-monitoring scenarios are still inherited — from the vendor’s out-of-the-box library, from the sponsor bank’s template, or from the prior CCO’s instincts. Thresholds were set during a soft launch, never revisited at scale, and now generate either a flood of low-quality alerts or, worse, a deceptive quiet.
Examiners are zeroing in on three things. First, model documentation: every rule needs a stated typology, a risk rationale, a parameter history, and an owner. Second, above-the-line and below-the-line testing: have you sampled what the model does not catch, not just what it catches? Third, productivity: a 95 percent false-positive rate is no longer acceptable when AI-assisted tuning has been commercially available for three years.
Fix: Run a formal monitoring effectiveness review at least annually. Document every threshold change with a before/after impact analysis. If you are layering in machine-learning or agentic-AI components, you also need model risk management documentation — development, validation, ongoing performance, and human override logs.
3. Customer Due Diligence that stops at onboarding
Onboarding KYC is usually solid. Ongoing CDD is where programs fall apart. Examiners want to see continuous, risk-based reassessment — not a tick-box refresh every two years.
Findings we are writing this year: high-risk customers who have not been re-reviewed inside the stated cycle; beneficial-ownership information that was collected at onboarding but never re-verified after corporate restructurings or sanctions designations of related parties; expected-activity profiles captured at signup that bear no relation to two years of actual flows; and PEP and adverse-media screening that runs only at onboarding rather than continuously.
Fix: Move to event-driven CDD. Trigger a refresh on negative news, sanctions-list deltas, threshold breaches, product upgrades, and beneficial-ownership changes — not just on a calendar. Document the trigger logic and prove it fires.
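An added illustration, not part of the original post or FinCheck's own methodology: event-driven CDD trigger logic in Python that emits an evidence record naming every trigger that fired (and the inputs behind it), with the calendar cycle kept only as a backstop. The customer, events, flows, review-cycle lengths and breach multiplier are constructed assumptions.

```python
from datetime import date, timedelta

# Calendar backstop (days) per risk tier; constructed values, not a regulatory standard.
REVIEW_CYCLE_DAYS = {"low": 1095, "medium": 730, "high": 365}
# Event types that trigger an immediate refresh.
EVENT_TRIGGERS = {"adverse_media", "sanctions_list_delta", "product_upgrade",
                  "beneficial_ownership_change"}

def cdd_refresh_decision(customer, events, recent_flows, today):
    """Evaluate one customer and return an evidence record listing every trigger
    that fired, so the refresh (or its absence) can be replayed by an auditor."""
    fired = []
    # Only events after the last completed review count; earlier ones were handled then.
    for ev in events:
        if ev["type"] in EVENT_TRIGGERS and ev["date"] > customer["last_review"]:
            fired.append({"trigger": ev["type"], "event_id": ev["id"]})
    # Threshold breach: actual 30-day flows against the expected-activity
    # profile captured at signup, instead of trusting the signup number forever.
    actual = sum(f["amount"] for f in recent_flows if today - f["date"] <= timedelta(days=30))
    expected = customer["expected_monthly_volume"]
    if actual > expected * customer["breach_multiplier"]:
        fired.append({"trigger": "threshold_breach", "actual_30d": actual, "expected": expected})
    # Calendar cycle is the backstop, not the primary trigger.
    due = customer["last_review"] + timedelta(days=REVIEW_CYCLE_DAYS[customer["risk_tier"]])
    if today > due:
        fired.append({"trigger": "cycle_overdue", "due": due.isoformat()})
    return {"customer_id": customer["id"], "as_of": today.isoformat(),
            "refresh_required": bool(fired), "triggers": fired}

# Constructed sample data: a high-risk customer reviewed on 2025-09-01.
CUSTOMER = {"id": "C-1001", "risk_tier": "high", "last_review": date(2025, 9, 1),
            "expected_monthly_volume": 20_000, "breach_multiplier": 2.0}
EVENTS = [{"id": "E-1", "type": "login", "date": date(2026, 1, 3)},               # not a trigger
          {"id": "E-2", "type": "beneficial_ownership_change", "date": date(2026, 1, 10)},
          {"id": "E-3", "type": "adverse_media", "date": date(2025, 8, 1)}]       # before last review
FLOWS = [{"amount": 15_000, "date": date(2026, 1, 5)},
         {"amount": 30_000, "date": date(2026, 1, 20)},
         {"amount": 50_000, "date": date(2025, 11, 1)}]                            # outside 30-day window

def sample_decision(today_iso="2026-02-01", quiet=False):
    """Run the sample customer; quiet=True evaluates with no events or flows."""
    today = date.fromisoformat(today_iso)
    if quiet:
        return cdd_refresh_decision(CUSTOMER, [], [], today)
    return cdd_refresh_decision(CUSTOMER, EVENTS, FLOWS, today)
```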
4. Sanctions screening you cannot reproduce
Sanctions findings are the most dangerous because the strict-liability exposure is real and the dollar penalties are public. The most common gap is not a missed match — it is the inability to reconstruct, on demand, exactly which list, fuzzy-matching algorithm, threshold, and whitelist were in effect on a given historical date.
Add to that: secondary-sanctions risk under recent OFAC advisories that most mid-size programs have not internalized; the OFAC 50 Percent Rule applied inconsistently to complex beneficial-ownership chains; and screening that covers customers but skips counterparties on outbound transactions, related parties, and vendors.
Fix: Version-control your screening configuration. Every list update, every algorithm change, every threshold tweak should produce an auditable record. Test fuzzy-match performance with a documented test deck quarterly. And screen the full ecosystem — not just account holders.
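As an added example (not FinCheck's code or any vendor's tooling), here is a minimal version-controlled screening configuration in Python: a hash-chained, append-only ledger of list, threshold and whitelist changes, plus a screen function that reconstructs exactly the configuration in force on a historical date. The list entries, dates, actors and names are constructed, and difflib's SequenceMatcher stands in for whatever fuzzy-matching algorithm a real platform uses.

```python
import hashlib, json
from difflib import SequenceMatcher

# Append-only ledger of screening-configuration changes: effective date (ISO),
# actor, reason, full config snapshot and a SHA-256 chained to the previous entry,
# so a silent edit to history breaks the chain. All data below is constructed.
LEDGER = []

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def record_change(effective, actor, reason, config):
    """Append a configuration version; the returned hash goes on the change ticket."""
    body = {"effective": effective, "actor": actor, "reason": reason, "config": config,
            "prev": LEDGER[-1]["hash"] if LEDGER else "genesis"}
    LEDGER.append({**body, "hash": _digest(body)})
    return LEDGER[-1]["hash"]

def config_as_of(when):
    """Return the ledger entry in force on a historical ISO date."""
    live = [e for e in LEDGER if e["effective"] <= when]
    if not live:
        raise LookupError(f"no screening configuration in force on {when}")
    return live[-1]

def verify_ledger():
    """Recompute the hash chain; False means an entry was altered after the fact."""
    prev = "genesis"
    for e in LEDGER:
        body = {k: e[k] for k in ("effective", "actor", "reason", "config")}
        if _digest({**body, "prev": prev}) != e["hash"]:
            return False
        prev = e["hash"]
    return True

def screen(name, when):
    """Screen a name with exactly the list, matcher, threshold and whitelist of that date."""
    entry = config_as_of(when)
    cfg = entry["config"]
    base = {"name": name, "as_of": when, "config_hash": entry["hash"],
            "list_version": cfg["list_version"], "threshold": cfg["threshold"]}
    if name.lower() in (w.lower() for w in cfg["whitelist"]):
        return {**base, "hit": False, "reason": "whitelisted"}
    score, target = max((SequenceMatcher(None, name.lower(), t.lower()).ratio(), t) for t in cfg["list"])
    return {**base, "hit": score >= cfg["threshold"], "match": target, "score": round(score, 3)}
# Constructed history: go-live, then a tightened threshold plus one cleared false positive.
record_change("2025-01-01", "cco", "initial go-live", {"list_version": "LIST-2025-01",
              "list": ["Ivan Petrov", "Acme Trading Ltd"], "threshold": 0.85, "whitelist": []})
record_change("2025-06-01", "screening-ops", "tuning review; FP cleared for Acme Trading Ltd",
              {"list_version": "LIST-2025-05", "list": ["Ivan Petrov", "Acme Trading Ltd",
               "Petrova Holdings"], "threshold": 0.95, "whitelist": ["Acme Trading Ltd"]})
```

The same name screened against two historical dates returns different, fully attributed outcomes, which is the reconstruction an examiner will ask for.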
5. SAR narratives that do not explain the suspicion
SAR quality is now an explicit examination focus, and it is the single finding most likely to follow a CCO into their next job. Examiners are pulling SAR samples and reading them line by line. The recurring weaknesses we cite: narratives that summarize the alert without describing the underlying suspicion; missing the five essential elements (who, what, when, where, why); typology language pulled verbatim from a FinCEN advisory without explaining how the customer’s behavior fits; and decisions to file or not file that are not tied to the documented investigation work.
Fix: Build a SAR narrative template that forces the five elements. Implement second-line QA on a sample of every analyst’s SARs every month. And remember: a well-written SAR is an asset to law enforcement and a defense for your program; a thin one is the opposite.
6. Governance gaps the board cannot defend
Examiners increasingly want to see that the board and senior management have genuinely engaged with AML risk — not just rubber-stamped a packet. Findings we are seeing: board minutes that record AML reporting as a single line item with no substantive discussion; missing or stale BSA Officer designation letters; training that does not differentiate by role or risk; and three-lines-of-defense models that exist on paper but collapse under pressure because the second line lacks independence or resources.
Fix: Upgrade the AML reporting package the board receives. Include trend analytics, residual risk movement, open issues with owners and due dates, and a candid view of regulatory exposure. Make sure the BSA/AML Officer has direct access to the board and protection from retaliation, in writing.
FinCheck’s perspective and way forward
The pattern across all six findings is the same: programs that look fine on paper but cannot prove operation in practice. The fix is not more policy. The fix is evidence — build the program around the artifacts an examiner will eventually request.
For our clients, that means three commitments. First, every control we design produces a logged, retrievable artifact. If a rule fires, a SAR is filed, an alert is closed, a high-risk customer is approved, or a sanctions hit is cleared, the why is captured at the moment of decision and stored in a way an auditor can reconstruct two years later. Second, we audit ourselves before the regulator does — our independent AML audit work for clients is built to flag these six categories first, because they are the most expensive to remediate after an exam. Third, we pair the audit with a clear management action plan that prioritizes remediation by regulatory risk and business impact, not by ease.
Looking ahead through 2026, three forces will compound the pressure: the maturing FinCEN AML/CFT program reform expectations, increased state-level scrutiny from CSBS and individual money-transmitter regulators, and sponsor banks pushing higher control standards down to their fintech and BaaS partners. The programs that thrive will not be the ones with the thickest binders. They will be the ones whose evidence holds up under questioning.
Where FinCheck comes in
FinCheck LLC provides independent AML audits, BSA/AML risk assessments, fractional Chief Compliance Officer services, AML program design and remediation, transaction-monitoring tuning, and policy and procedure development for fintechs, MSBs, crypto platforms, sweepstakes and social-gaming operators, payroll processors, BaaS programs, and e-commerce businesses across 30+ jurisdictions.
If your program has not been independently audited in the last twelve months — or if your last audit produced findings you have not yet closed — the time to act is before your next examination cycle, not during it.