Preparing for an Independent Review of a Money Services Business’s (MSB) AML Program

Originally published October 21, 2022

Money services businesses (“MSBs”) are required to conduct independent reviews to ensure their anti-money-laundering (“AML”) programs comply with Bank Secrecy Act (“BSA”) requirements. Under the BSA, MSBs must develop programs that identify and assess AML risks associated with their products, services, customers, and geographic locations and must take reasonable steps to manage them. Longstanding FinCEN guidance makes clear that the purpose of the reviews is to monitor the adequacy of these programs, especially in light of the recent expansion of BSA regulatory obligations under the Anti-Money Laundering Act of 2020. In this article, Bates offers tips to guide MSB firms in preparing for a review, including key review elements, timing, and selecting the right reviewer.

What are the key elements for an independent review?

Independent reviews are concerned with assessing whether anti-money laundering risks for MSBs are being addressed. Policies, procedures, internal controls, recordkeeping, reporting, and training are all elements of an independent review. The reviewer must conduct tests to ensure that internal controls and transactional systems are working as intended and to identify weaknesses and potential fixes. To be thorough, the review must cover all actions taken by the compliance team on AML-related risk, on each of the above elements, and also on supervision of program controls and transactional systems.

When should independent reviews take place?

As formalized risk assessments are not required for MSBs, there is no mandated frequency for conducting independent reviews, but they must be periodic and appropriate to the level of risk. As these assessments change, the review period might change. “Given the changes to FinCEN regulations, MSBs should be proactively working on their programs and putting in place the oversight necessary to ensure compliance,” recommends Brandi Reynolds, Bates AML & Compliance Managing Director and head of Bates Group’s MSB, Fintech and Virtual Asset practice.

Who should conduct the independent review?

The independent review must include an unbiased assessment of each element of an MSB’s AML program. Under current guidance, a formal audit by a certified public accountant or third-party consultant is not necessarily required, but independence and thoroughness are key. (Remember, an internal assessment cannot be performed by an AML compliance officer, nor can it be someone who reports to the compliance officer.) Brandi points out that “the need for independence and the increasing complexity of AML regulatory obligations means that persons with the requisite knowledge and experience must oversee or conduct these reviews, in order for them to be considered adequate.”


Independent reviews on AML risk are becoming more important, not only to ensure compliance with current regulation and the documentation of all efforts undertaken, but also to uncover systemic weaknesses and to provide corrective recommendations for management. “In a changing AML regulatory environment, MSBs should be ensuring that their independent review framework is up to the task. These reviews are a critical tool in the regulator’s examinations,” said Brandi.