Cryptoassets: The Importance of Internal Audit for FCA AML/CFT Compliance

The Financial Conduct Authority (“FCA”) recently published a memo related to companies dealing in cryptoassets. The update sets out requirements as part of the wider rules and guidance for cryptoasset businesses.  For firms where appropriate for the size and nature of the business, an independent internal audit function must be established. This is a new obligation for cryptoasset firms to ensure compliance with Anti-Money Laundering and Counter Terrorist Financing (“AML/CFT”) regulations. The function will have the responsibility for examining and evaluating the adequacy and effectiveness of policies, controls and procedures, making recommendations, as well as monitoring the controls of the business.

With cryptoasset firms being subject to the AML/CFT rules, this memo also serves as a reminder to other financial services firms regulated by the FCA that they must also establish appropriate AML/CFT controls proportional to their risks.

FCA Requirements for Internal Audit

The FCA Handbook states that an internal audit function must be separate and independent from other functions, with responsibilities that include:

  1. To establish, implement and maintain an audit plan to examine and evaluate the adequacy and effectiveness of the firm’systems, internal control mechanisms and arrangements;
  2. to issue recommendations based on the result of work carried out in accordance with (1);
  3. to verify compliance with those recommendations;
  4. to report in relation to internal audit matters to senior management (this only applies to firms subject to the Senior Management Arrangements, Systems and Controls (SYSC)).

The internal audit function should operate on a risk-based approach and examine areas such as client due diligence, transaction monitoring, record keeping, staff training, and compliance with legal requirements.

Importance of Independent Internal Audit

An independent internal audit provides assurance to senior management and the board that AML/CFT systems and controls are operating effectively. As a third line of defence, internal audit plays a vital role in assessing and improving compliance frameworks.

Key areas where independent audit adds value include:

  • Evaluating risk assessments and mitigation measures;
  • assessing effectiveness of client due diligence and enhanced due diligence;
  • testing reliability of transaction monitoring systems;
  • checking data quality and record keeping;
  • reviewing staff screening and training, and
  • assessing compliance culture company-wide.

By identifying control weaknesses and potential gaps, internal audit helps financial services firms including cryptoasset firms continually improve AML/CFT defences and avoid significant regulatory penalties.

How Complyport Can Help

Conducting robust internal audits requires a deep knowledge of the regulatory expectations as set out by the FCA. Firms can leverage Complyport’s extensive experience through Section 166 work as part of our appointment on FCA’s Skilled Persons Panel, as well as a significant number of Internal Audit assignments and engagements within our Group. This places Complyport as a provider of choice when it comes to the provision of Internal Audit services to FCA-regulated firms

Complyport helps firms meet internal audit requirements through:

  • Risk-based Audit Planning: We analyse your operations, controls, and risk profile to develop customised annual audit plans focusing on key risk areas.
  • Compliance Control Testing: We thoroughly evaluate your AML/CFT compliance program, including due diligence, transaction monitoring, record keeping, staff training, and overall governance.
  • Detailed Reporting: Audit reports provide comprehensive reviews, testing results, control ratings, risk assessments, and practical recommendations to enhance compliance.
  • Ad-hoc Engagements: We conduct rapid response reviews to address emergent issues and regulatory requests. Our experience includes investigative audits.
  • Compliance Training: We provide tailored training to boards, management, and staff on regulations, risks, audit techniques, and industry best practices.

With over 22 years of regulatory excellence and a deep understanding of the crypto industry, Complyport is well-positioned to deliver high-quality internal audits that provide assurance to firms, regulators and stakeholders. A proactive internal audit program can help crypto businesses continue building trust and maturity in a rapidly evolving space.

Get In touch now

Don’t navigate the complex world of FCA regulations alone, contact us to see how the regulation may apply to your firm. Email Thomas Salmon in our Regulatory Solutions team at to book a free consultation.

About Complyport

Complyport is a market-leading consulting firm supporting the UK financial services industry for over 22 years. We specialise in providing Governance, Risk and Compliance services to support the regulated financial services industry to raise standards and thrive.

Complyport can assist with the preparation of a GAP analysis and impact assessment on the investment firm’s capital adequacy and risk management framework of the Company under the regulatory framework.

We specialise in supporting the UK financial services industry with compliance guidance, advice and best practice.

  • Financial Crime support and Forensics
  • Compliance managed services and resourcing compliance personnel
  • Skilled Person Reviews and Regulatory Investigation
  • Prudential support, IFPR, ICARA and financial resilience advice
  • Consumer Duty implementation advice
  • Operational resilience & Cybersecurity advice
  • Financial Promotions guidance, support, and management software solutions
  • CASS advice and protections of client assets
  • Comprehensive compliance work-flow management software

Contact Thomas Salmon in our Regulatory Solutions team via email at: to book a free consultation.





COntact us for assistance

Please fill our free consultation form and a member of our team will get in contact with you.