Every firm subject to anti-money laundering obligations needs assurance that its controls actually work. That assurance is the job of the third line of defence, usually called internal audit. A recurring question I hear from compliance leaders is whether that work should sit with an in-house internal audit function or be carried out by an independent external party. It is a fair question, and the honest answer is that both models can be effective. What matters is not the badge on the auditor's pass, but whether the assurance is genuinely independent, objective and competent.
This post sets out the principles at stake, where each model tends to add value, what supervisors expect, and how smaller firms can meet the same standard through co-sourcing or outsourcing. The aim is to help you reason about the choice, not to push one answer.
What the third line is, and why independence matters
The three lines model is a simple way of allocating responsibility for risk. The first line owns and manages risk in the business and operations. The second line, typically compliance and the money laundering reporting officer, sets policy, advises and monitors. The third line provides independent assurance that the first two lines are designed well and operating effectively. AML audit is third-line work: it tests whether the framework actually controls financial crime risk, rather than simply confirming that procedures exist on paper.
Two qualities make third-line assurance worth having:
- Independence. The assurance provider must be free from the activities it reviews and from any pressure to soften its conclusions. An auditor who helped build a control, or who reports to the person responsible for it, cannot credibly assure it.
- Objectivity. The work must be evidence-based and free from bias. Findings should follow the testing, not the politics of the organisation.
If either quality is missing, the audit is really just another layer of self-assessment, and it will not stand up to a supervisor's scrutiny.
When an in-house internal audit function is sufficient
For many larger institutions, a permanent internal audit function is the natural home for AML assurance. It works well when several conditions hold:
- Scale justifies it. The firm is large enough to keep an audit team busy across the year, with a methodology, a risk-based audit plan and quality assurance over its own work.
- Independence is structurally protected. The function reports functionally to the board or its audit committee, not to the executives whose areas it audits, and the head of audit can raise findings without fear for their position.
- The team has financial crime depth. AML is a specialism. In-house auditors who genuinely understand sanctions, transaction monitoring, customer due diligence and suspicious activity reporting (or, in the Netherlands, unusual activity reporting) can provide assurance that is both rigorous and commercially grounded.
The advantages are continuity, institutional knowledge and the ability to follow issues over time. An in-house team lives with the business, sees how remediation actually lands, and can build a multi-year view of whether the control environment is improving or drifting.
When external independence adds value
External or independent AML audit earns its place in a few recognisable situations. In my experience the case is strongest where:
- Capacity is the constraint. A smaller firm, or one with a lean audit team, may simply not have the hours or the seniority to cover financial crime to the required depth alongside everything else on the audit plan.
- Specialist skills are needed. Some reviews demand niche expertise, for example model validation of a monitoring system, sanctions screening calibration, or readiness for the EU AML package. Buying that expertise for a defined piece of work is often more sensible than hiring it permanently.
- Freedom from internal conflicts matters. Where the topic is politically sensitive, where senior management itself is in scope, or where a regulator or board wants a fresh and visibly impartial view, an external party carries a credibility that an internal team, however good, can struggle to match.
The trade-off is that an external reviewer starts with less context and must invest time to understand the business. Good independent work closes that gap quickly; poor independent work produces generic findings that the firm has heard before.
What regulators expect on independence and objectivity
Supervisors are far more interested in the substance of independent assurance than in its label. Across the EBA's guidelines and the expectations of national supervisors such as De Nederlandsche Bank, several themes are consistent:
- There must be an independent audit of the AML framework, proportionate to the nature, scale and complexity of the firm.
- The function performing it must be operationally independent of the areas it reviews and have direct access to the management body.
- The work must be risk-based, covering the business-wide risk assessment (the SIRA in the Netherlands), policies, controls and their practical effectiveness, not just their existence.
- Findings must be reported, tracked and remediated, with the board or audit committee sighted on the results.
The EU AML package reinforces this direction. The AMLR builds a single rulebook of obligations applying from 10 July 2027, and from 2028 the new EU authority, AMLA, begins directly supervising selected high-risk cross-border firms. Independent, evidence-led assurance over the AML framework is exactly what such supervision rewards, whoever delivers it.
Co-sourcing and outsourcing for smaller firms
Smaller firms often feel caught between an obligation they cannot avoid and resources they do not have. There are two practical middle paths:
- Co-sourcing. The firm keeps ownership of the audit plan and runs the function, but brings in external specialists for the parts that need depth or extra hands. This blends institutional knowledge with niche expertise and tends to transfer skills into the team over time.
- Outsourcing. The whole third-line AML review is delegated to an external provider. This can be the only realistic route for very small firms, but it does not transfer accountability. The board still owns the risk, must approve the scope, and must act on what the review finds.
Whichever route you take, the independence test is unchanged. The provider must not audit work it helped design, must report objectively, and must be free to disagree with management. A useful discipline is to document, before the work begins, how independence is preserved and to whom the findings will be reported.
The principle that survives the choice
Internal and external AML audit are not rivals so much as different ways of meeting the same standard. A well-resourced, structurally independent in-house function and a competent, conflict-free external reviewer can each give a board genuine assurance. The model that fails is the one that looks like assurance but is not: a review by people too close to the controls, too junior to challenge them, or too constrained to report what they find. Get the independence, objectivity and expertise right, and the question of internal versus independent becomes a matter of resourcing rather than credibility.
Key takeaways
- The third line provides independent assurance over the AML framework; its value depends on genuine independence and objectivity, not on whether the auditor is internal or external.
- An in-house internal audit function works well at scale, with structural independence from the areas it reviews and real financial crime expertise.
- External independence adds value where capacity is short, specialist skills are needed, or freedom from internal conflicts matters.
- Co-sourcing blends in-house ownership with external specialists; outsourcing suits very small firms but never transfers the board's accountability.
- Regulators, including the EBA, DNB and the incoming AMLA regime, expect risk-based, operationally independent assurance with direct access to the management body.