Not every AML consulting firm delivers what it promises. Some sell templates as custom programs. Some lack the industry-specific expertise your business actually needs. And some will leave you more exposed than you were before you hired them. These are the questions that separate the firms worth hiring from the ones worth avoiding.
Hiring an AML compliance firm is not like hiring a vendor for a commodity service. The quality of the work directly determines whether your business is protected or exposed when a regulator examines your program. A well-chosen firm builds a program that holds up under scrutiny. A poorly chosen one delivers a document that looks like compliance but fails the moment an examiner asks a specific question about your business. The difference between those two outcomes often comes down to the questions you ask before you sign anything.
The AML consulting market is not well-regulated. Anyone can call themselves a BSA compliance consultant. There is no licensing requirement, no mandatory certification, and no industry body that sets enforceable standards for the quality of work delivered. This means the burden of due diligence falls entirely on you. The questions in this guide are designed to help you do that due diligence systematically, so you can evaluate firms on the dimensions that actually matter for the quality of the compliance program you will receive.
The first question to ask is: what does your risk assessment process look like, and what does it produce? This is the single most important question on this list. A legitimate AML program must be risk-based, meaning every element of the program - the internal controls, the monitoring thresholds, the customer due diligence procedures - must be calibrated to the specific risks your business faces. That calibration is only possible if the firm conducts a genuine risk assessment of your business before writing a single policy. Ask the firm to describe their methodology in specific terms: what dimensions do they analyze, what documentation do they review, what interviews do they conduct, and what does the written output look like? A firm that cannot answer this question in detail, or that treats the risk assessment as a brief intake form, is telling you that they build from templates. That is not a risk-based program.
The second question is: have you worked with businesses in my specific industry, and can you describe how your approach differs for my industry versus others? AML compliance is not one-size-fits-all. The regulatory framework for a non-bank mortgage lender is different from the framework for a money services business, which is different from the framework for a title company or a casino. The examination priorities, the specific red flags, the transaction monitoring thresholds, and the customer due diligence requirements all vary by industry. A firm that has never worked with a business like yours will apply a generic framework to your specific situation - and generic frameworks fail industry-specific examinations. Ask for examples of work they have done in your industry. Ask what the most common examination findings are for businesses like yours. If they cannot answer with specificity, they do not have the industry depth your program requires.
The third question is: who will actually be doing the work on my engagement, and what are their qualifications? Many compliance consulting firms sell engagements at the senior level and deliver them at the junior level. The partner or principal who impresses you in the sales conversation may have minimal involvement in the actual program build. Ask specifically who will be assigned to your engagement, what their background is, and how much direct experience they have with businesses in your industry. Ask whether the person who conducts your risk assessment is the same person who writes your policy. Continuity matters - a risk assessment conducted by one person and a policy written by another creates gaps that neither person owns.
The fourth question is: what does your deliverable actually include, and what format does it take? A compliant AML program requires specific written outputs: a risk assessment document, a written AML policy covering all five BSA program elements, customer identification procedures, transaction monitoring procedures, and a training curriculum. Ask the firm to describe exactly what documents you will receive at the end of the engagement. Ask whether the policy is a custom document built from your risk assessment or a template with your name inserted. Ask whether the training curriculum is role-specific or generic. Ask whether the deliverables include a written findings report or just a policy document. The answers will tell you a great deal about the quality of the work you are buying.
The fifth question is: how do you handle independent testing, and is that included in this engagement? Independent testing is one of the five mandatory elements of a BSA-compliant AML program. It is also the element most commonly missing from programs built by lower-quality firms, because it requires a separate review of the program after it is built - which means additional professional time that template mills do not want to invest. Ask whether the firm offers independent testing as part of the engagement or as a separate service. Ask how frequently they recommend testing and what the testing scope covers. A firm that does not have a clear answer to this question, or that treats independent testing as optional, does not understand the regulatory standard they are supposed to be helping you meet.
The sixth question is: what happens after delivery? An AML program is not a one-time project. It requires ongoing maintenance: annual risk assessment updates, refreshed training, updated policies when regulations change, and periodic independent testing. Ask the firm whether they offer ongoing support after the initial program build, what that support looks like, and what it costs. Ask how they communicate regulatory changes to clients and whether they proactively update programs when FinCEN issues new guidance. A firm that delivers a program and disappears is not a compliance partner - they are a document vendor. The regulatory environment changes, and your program must change with it.
The seventh question is: can you provide references from clients in my industry who have been through a regulatory examination? This is the ultimate test of a firm's work quality. A program that looks good on paper is not the same as a program that holds up under examination. Ask for references from clients who have been examined by FinCEN, the IRS, state regulators, or banking examiners after working with the firm. Ask those references specifically whether the program the firm built was examined, what the findings were, and whether the firm's work was cited as a strength or a weakness. Firms that have consistently delivered examination-ready programs will have references who can speak to this directly. Firms that have not will deflect the question.
The eighth question is: what is your pricing structure, and what does it reflect? Price is not the most important factor in choosing a compliance firm, but it is a meaningful signal. A genuine risk assessment and custom program build requires substantial professional time - typically multiple days of interviews, document review, analysis, and writing. A program priced at a few hundred dollars cannot reflect that investment. It reflects template customization. That does not mean the most expensive firm is the best choice, but it does mean that a price that seems too low for the scope of work described should prompt follow-up questions about what is actually being delivered.
The ninth question is: how do you stay current with regulatory changes, and how does that affect the programs you build? The AML regulatory environment is not static. FinCEN issues new guidance, enforcement actions establish new precedents, and examination priorities shift. A firm that built programs to 2020 standards and has not updated its approach is delivering programs that may not satisfy 2026 examination standards. Ask the firm how they track regulatory developments, what their process is for updating client programs when guidance changes, and whether they can point to specific recent changes they have incorporated into their work. A firm that cannot answer this question with specificity is not keeping pace with the regulatory environment.
The tenth question - and the one most business owners forget to ask - is: what are the limits of what you can do for me? A good compliance firm is honest about what it can and cannot deliver. It will tell you if your situation requires legal counsel rather than consulting advice. It will tell you if your examination risk is severe enough that you need a formal remediation plan rather than a program build. It will tell you if the timeline you are proposing is not realistic for the quality of work required. A firm that promises everything you want to hear without qualification is not being honest with you. Compliance is a field where overconfidence is dangerous, and a firm that acknowledges the limits of its work is more trustworthy than one that does not.
Taken together, these questions give you a framework for evaluating any AML compliance firm before you commit to an engagement. The goal is not to find a firm that answers every question perfectly - it is to find a firm that answers them honestly, specifically, and in a way that demonstrates genuine expertise in your industry and your regulatory environment. That firm exists. The questions in this guide will help you find it.
BSA/AML Principal Consultant · Soflo Consulting
Elena Vargas is a BSA/AML Principal Consultant at Soflo Consulting with over a decade of experience building and auditing compliance programs for regulated businesses across the United States. She specializes in enforcement action remediation, risk assessment development, and examination preparation for money services businesses, mortgage lenders, and fintech companies.
Key Takeaways
1. Ask for a detailed description of the risk assessment methodology before anything else - this is the single most important quality signal
2. Confirm the firm has direct experience in your specific industry and can describe industry-specific examination priorities
3. Find out who will actually do the work - not just who sells the engagement
4. Ask for a complete list of deliverables and confirm whether the policy is custom-built or template-based
5. Independent testing is a mandatory BSA element - confirm whether it is included and how the firm approaches it
6. Ask for references from clients who have been through a regulatory examination after working with the firm
7. Price is a signal: a program priced too low for the scope described almost certainly reflects template work, not original analysis
8. A firm that is honest about the limits of what it can deliver is more trustworthy than one that promises everything
