The Gap Between Having Controls and Passing an Audit
There is a common misconception in Nigerian fintech compliance circles that having an AML program means you are ready for an audit. Most fintechs that fail their first AML audit are not failing because they have no controls. They are failing because the controls they have are not documented, not tested, not consistently applied, or not calibrated to their actual risk profile. The gap between existence and effectiveness is where most audit failures live.
The CBN and NFIU conduct AML examinations that are increasingly sophisticated. Examiners know what good looks like and they know the shortcuts that institutions take. Understanding what they look for, and preparing accordingly, is the difference between a clean examination and a remediation order.
Reason 1: The Risk Assessment Is Generic or Outdated
The AML risk assessment is the foundation of every compliance program. It documents the institution's exposure to money laundering risk across its products, customer segments, geographies, and delivery channels. Most Nigerian fintechs either do not have a risk assessment, have one that was written at launch and never updated, or have one that was copied from a template without being customized to the institution's actual business.
Examiners read risk assessments carefully. A risk assessment that does not mention the specific fraud typologies prevalent in the institution's market, or that fails to address the risks of the institution's specific products and channels, is a red flag that the program is not embedded in the business.
Reason 2: The Monitoring System Has Never Been Validated
Transaction monitoring systems are not set-and-forget. Rules that made sense when the product was launched may no longer be appropriate as the customer base grows and product usage evolves. Most institutions cannot demonstrate that their monitoring scenarios are calibrated to detect the specific risks they have assessed. This disconnect between risk assessment and monitoring is one of the most common audit findings, as we have described in our analysis of continuous risk monitoring.
Reason 3: STR Filing Records Are Incomplete
Examiners will request a sample of STR filings and compare them to the institution's alert records to verify that the triage process is working correctly. Institutions that cannot show a clear trail from alert to investigation to disposition to filing decision will receive findings, even if the filings themselves are accurate.
Complete records mean: every alert is documented, every investigation is recorded with a rationale, every filing decision is signed off by an authorized officer, and every filed report is retained with confirmation of submission.
Reason 4: Training Records Are Missing
All staff in AML-relevant roles must receive documented training at least annually. Examiners request training records for compliance staff, relationship managers, and customer-facing staff. Remllo's compliance platform helps institutions maintain training records, track certification renewals, and document ongoing compliance obligations.
How to Prepare for Your First Audit
The preparation process should start at least six months before an expected examination. Conduct an internal mock examination using the CBN's published examination checklist as a guide. Identify gaps in documentation, testing records, and training. Remediate the gaps and re-test before the actual examination.
Work with your compliance officer to ensure that every component of the AML program can be demonstrated on demand. An examiner who asks to see your monitoring scenarios should be able to see them immediately, not be told that someone needs a week to compile the documentation.



