FINANCE AND BANKING / by Miguel Gallardo Guerra
In practice, it is common for financial institutions to confuse Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) auditing with supervision by the authority. Although both are related to regulatory compliance, they are not equivalent. They fulfill different functions and generate different consequences.
Understanding this distinction is critical to correctly sizing regulatory risks and the importance of a well-executed audit.
The AML/CFT audit: an obligation of the Regulated Entity
The annual AML/CFT audit is a periodic obligation of the regulated entity itself. Its purpose is to evaluate, from an independent and technical perspective, the degree of compliance with the applicable provisions and the real effectiveness of the prevention system implemented by the entity.
Some of its main characteristics are:
- It is annual and mandatory.
- It must be carried out by an internal auditor or a duly certified independent third party.
- It is based on prior planning, a work program and a risk analysis.
- It concludes with an Audit Report, which must be submitted to the authority within the regulatory deadline.
- It includes findings, recommendations and corrective actions aimed at strengthening the AML/CFT system.
The audit, therefore, is not of a sanctioning nature. Its logic is essentially preventive and corrective, making it possible to identify weaknesses before they translate into relevant non-compliance.
Supervision by the CNBV: a power of the authority
AML/CFT supervision is an exclusive power of the authority, exercised by the National Banking and Securities Commission.
Such supervision includes, among other functions:
- Off-site surveillance, through the analysis of information, regulatory reports and audit reports.
- On-site inspection, through ordinary, special or investigative visits.
- Formal requests for information and documentation.
- Issuance of observations, recommendations and corrective measures.
- Follow-up of detected non-compliances and, if necessary, the initiation of sanctioning procedures.
Unlike auditing, supervision can lead to direct regulatory consequences, such as fines, mandatory corrective measures or a higher level of scrutiny by the authority.
The connecting point: the Audit Report
The AML/CFT Audit Report is, in practice, a relevant input for supervision.
A deficient, incomplete or poorly substantiated audit can:
- Reveal structural weaknesses in the AML/CFT system.
- Trigger alerts in off-site surveillance processes.
- Increase the probability of inspection visits or specific requirements.
Conversely, a well-planned audit, with clear findings and timely corrective actions, significantly reduces the risk of intensive follow-up by the authority.
Conclusions
AML/CFT auditing and CNBV supervision are not the same thing, but they are closely linked. The former is a tool for self-monitoring and improvement; the latter, a mechanism for monitoring and correction by the authority.
In this context, a robust audit not only fulfills a formal obligation, but also becomes a key line of defense against major regulatory risks.
If your entity has not yet initiated the 2026 AML/CFT audit, doing so in a timely manner anticipates risks and reduces the likelihood of intensive supervision.
Let’s keep in contact!

For more information write to us at:
mgallardo@bgbg.mx