AML compliance audit for domiciliation centers: methodology, scope, deliverable
Full AML audit methodology for Belgian domiciliation centers: mandatory annual scope, 8 domains to cover, test plan, file sampling, deliverable template, action plan and remediation tracking.
In brief
The annual AML audit is a legal obligation under the Act of 18 September 2017 for all Belgian domiciliation centers. It covers 8 mandatory domains, relies on a representative file sample, and must produce a documented report with a tracked action plan. It is the governance mechanism that demonstrates management actively supervises its AML framework.
Why audit your AML framework
The annual audit of the AML framework is required by the Act of 18 September 2017 (Article 16). It is:
- Internal for structures up to 10 staff
- External beyond (or on SPF Economie demand)
- Annual at minimum, or immediately after a major change (new obligation, sanction)
The audit is not optional: it is a governance mechanism demonstrating management has verified the framework's effectiveness. See also our 2026 checklist.
Mandatory scope (8 domains)
A compliant AML audit covers 8 domains:
1. Governance
- AMLCO appointed, trained, direct management access
- AML policy written, dated, signed, current
- Up-to-date risk assessment
- Coherent written procedures
2. Risk assessment
- Methodology in place on the 4 dimensions
- Risk grade per file
- Consistency of grades with real profile
3. Initial KYC
- File sample: completeness (6 sections)
- Comparison with SPF Economie requirements
4. UBO
- UBO cascade documented over 3 levels
- Comparison with Belgian register
- See UBO article
5. Sanctions and PEPs
- Screening done, dated, archived
- Continuous or annual re-screening
- See PEP verification
6. Ongoing monitoring
- Rules and scenarios in place
- Alerts generated and analyzed
7. CTIF reporting
- Written procedure
- Log of reports and non-reports
- See CTIF guide
8. Training and retention
- Training program applied
- See AML/KYC training
- 10-year timestamped archiving
- See data retention
Test plan template
Pre-audit (1-2 days)
- Document collection (policy, risk assessment, file sample)
- Interview with AMLCO
- Process mapping
File tests (3-5 days for 5-20 files)
- Sampling: minimum 10 files, of which at least 50 % high risk
- Completeness check: each file passes the 6-section checklist
- Cross-check with external sources (BCE, UBO register)
- Decision test: is the assigned risk grade coherent?
- Alert test: if generated, correctly handled?
Procedure tests (1-2 days)
- Verify written procedures match practice
- Interview 2-3 staff to test knowledge
- Verification of reasoned non-reports (often deficient)
Synthesis and restitution (1-2 days)
- Report drafting
- Management presentation
- Action plan
Deliverable template
A compliant AML audit report comprises:
File sampling
The sample must be representative:
- 60 % active files
- 20 % recently refused files
- 10 % older files (renewed)
- 10 % high-risk files (intentional over-representation)
For a practice with 200 active files: annual audit on 15-20 files is sufficient.
Grading criteria
A template grid:
| Domain | Compliant | Partial | Non-compliant |
|---|---|---|---|
| Governance | All in place, current | 1-2 minor gaps | Structural gap |
| KYC | 95-100 % files OK | 70-94 % | < 70 % |
| UBO | Full cascade, register compared | Cascade level 2 missing | No cascade |
| PEP/sanctions | Screening dated < 12 months | Old screenings | No screening |
| Monitoring | Rules + scenarios | Rules only | No surveillance |
| CTIF | Procedure + reasoned non-reports | Procedure only | No log |
| Training | Annual + assessment + traces | Annual without traces | No training |
| Retention | 10 years + timestamping | < 10 years | Missing |
Overall score: ≥ 90 % compliant, 70-89 % partial, < 70 % non-compliant.
Frequent audit mistakes
How Company Belgium facilitates audit
Company Belgium's audit module provides:
- AMLCO dashboard with real-time compliance indicators
- KYC file export in one click for the auditor
- Statistics: completeness rate, risk files, alerts generated/reported
- Audit report templates compliant with SPF Economie format
- Integrated action plan with remediation tracking
- Audit history with scores and trends
- Monthly automated pre-audit flagging risk files
See our RegTech landscape and the dedicated Company Belgium support module.
Bottom line
The annual AML audit is not another inspection — it is the internal governance mechanism proving management supervises its framework. Mandatory 8-domain scope, representative sampling, documented report, tracked action plan.
The right reflex: schedule the audit annually at a fixed date (ideally Q4 to prepare next year), with a structured deliverable and monthly remediation tracking. It is also the best preparation for an SPF Economie inspection.
Frequently asked questions
Is the annual AML audit mandatory for a Belgian domiciliation center?
Yes, Article 16 of the Act of 18 September 2017 requires all regulated professions, including domiciliation centers, to conduct an annual audit of their full AML framework. The audit may be internal for structures with fewer than 10 staff, or external beyond that threshold. Failure to audit exposes the entity to an administrative sanction from SPF Economie.
What are the 8 mandatory domains of an AML audit for a domiciliation center?
A compliant AML audit covers: governance (AML policy, AMLCO), risk assessment, initial KYC, UBO verification, PEP and sanctions screening, continuous transaction monitoring, CTIF reporting and data retention. Each domain receives a compliant, partial or non-compliant score.
How many files must be reviewed in an AML audit of a domiciliation center?
The sample must be representative: at least 10 files for a small practice, up to 15-20 for a portfolio of 200 active clients. It must include at least 50 % high-risk files, 20 % recently refused files and 10 % older files. Over-representation of high-risk files is intentional to test the most complex cases.
What are the sanctions if an AML audit reveals uncorrected deficiencies?
If an audit is conducted but recommendations are not followed by a documented action plan, SPF Economie may impose administrative fines up to 5 million euros and publish the sanction. An audit without a remediation plan is insufficient in the eyes of the authorities: it demonstrates the problem exists without any willingness to correct it.
Comments
Related articles

Notaries: verifying beneficial owners before an authentic act
Notaries are on the front line to block money-laundering setups via companies. Incorporation, merger, share transfer, real estate sale: every act demands enhanced UBO due diligence. Here is the complete checklist to secure an authentic act without burdening practice.

The Belgian trial period is back: what the Clarinval reform changes for SMEs from day one
On 21 May 2026, the Belgian Chamber voted to reinstate a trial regime covering the first six months of the employment contract. Notice cut to one week, written reasoning, scope limited to new contracts: what employers need to grasp before publication in the Moniteur belge.

Branch in Belgium and the UBO register: what the foreign company must do
A foreign company opening a branch in Belgium is not a Belgian company: the branch has no separate legal personality. That changes everything for the UBO register. Find out who must declare what, and why a Belgian SRL subsidiary offers a cleaner compliance footprint.
