How to Get Ready for an FIAU Visit

March 16, 2026

An FIAU compliance visit rarely becomes difficult because a firm has no policies at all. More often, the pressure comes from a gap between what the business says it does and what can actually be evidenced on the day.

That is why the right preparation is not about assembling a tidy folder the night before. It is about proving that your AML framework is active, risk-based and understood across the business. For compliance officers, MLROs and operational leaders, the real task is to make sure governance, customer files, monitoring controls and internal reporting all tell the same story.

How to prepare for an FIAU compliance visit without scrambling

The strongest firms prepare as if the visit will test three things at once – design, implementation and oversight. A policy may be technically sound, but if onboarding files do not reflect the stated risk methodology, or if senior management cannot explain how AML risks are governed, that weakness will be visible quickly.

Start by reviewing the scope of your control environment as a regulator would. Look at your business risk assessment, customer risk assessment model, CDD procedures, transaction monitoring approach, sanctions screening, suspicious activity reporting processes, record keeping, training records and governance reporting. The question is not whether each document exists. The question is whether each element is current, coherent and evidenced in practice.

This is where many firms lose time. They prepare in silos. Compliance updates policies, operations gathers customer files, and management expects the visit to go well because each team has done its part. But an FIAU visit tests the links between these areas. If your written procedures say enhanced due diligence is mandatory for higher-risk relationships, sampled files must show that this happens consistently and with adequate rationale.

Start with your risk assessment framework

If you are considering how to prepare for an FIAU compliance visit, begin with the risk assessment architecture because it underpins almost every other control. Your business risk assessment should clearly identify the AML and CFT risks arising from your products, services, delivery channels, customer types and jurisdictions. It should also explain the controls used to mitigate those risks and the basis for any residual risk ratings.

A common weakness is treating the BRA as a static document rather than a management tool. If the business has expanded into new markets, changed onboarding channels, introduced new payment flows or taken on different customer profiles, the BRA should reflect that. If it does not, the regulator may reasonably question whether your wider compliance programme is aligned to the actual business model.

The same applies to customer risk assessments. Check that risk scoring criteria are clear, applied consistently and capable of producing different outcomes where appropriate. An assessment model that labels nearly every customer as standard risk may look efficient operationally, but it raises questions about whether the methodology is truly risk-based.

Test whether your files support your procedures

A compliance visit often moves quickly from policy review to file testing. That means your customer records must do more than contain documents. They need to show a defensible onboarding decision.

Review a sample of files across risk categories, customer types and jurisdictions. For each file, ask whether the identification and verification evidence is complete, whether beneficial ownership has been established properly, whether source of funds or source of wealth has been obtained where required, whether screening results have been reviewed, and whether the final risk rating is supported by the information on file.

Pay close attention to higher-risk files. These tend to reveal whether enhanced due diligence is meaningful or simply described that way. If a file is rated high risk, the rationale should be clear, the additional documentation should be proportionate to the risk, and the approval route should match your internal rules. Weak escalation trails, unclear management sign-off and generic EDD notes are all avoidable problems.

It also helps to assess whether periodic reviews are happening when they should. A well-written onboarding framework is not enough if legacy files have gone untouched beyond the review cycle set out in policy.

Governance matters as much as documentation

Firms sometimes assume the visit will focus almost entirely on frontline CDD. In practice, governance is often just as revealing. Regulators want to see who owns AML risk, how decisions are challenged, and whether senior management receives useful oversight information.

Board and committee minutes should show that AML issues are discussed with appropriate seriousness. Management information should be relevant and substantive rather than cosmetic. Reporting that simply states all controls are operating effectively, without metrics, incidents, backlogs or remediation updates, can appear superficial.

Your MLRO and compliance function should also be prepared to explain how concerns are escalated and resolved. That includes internal reporting lines, decision-making around suspicious activity reports, and the process for remediating identified control weaknesses. If previous internal audits, monitoring reviews or external assessments identified gaps, be ready to show what changed afterwards. A firm is not expected to be perfect. It is expected to identify weaknesses and deal with them properly.

Make sure staff can explain what they do

An FIAU compliance visit is not only a document exercise. Staff interviews can quickly show whether procedures are embedded or merely circulated.

Relevant employees should understand the practical parts of the framework that apply to their role. Onboarding teams should be able to explain how they identify risk flags and when they escalate. Relationship managers should understand why commercial pressure cannot override CDD standards. Senior management should be able to describe the firm’s material AML risks and how these are monitored.

Training records matter, but they are only part of the picture. Generic annual training with no role-specific relevance may satisfy an internal schedule while still leaving operational gaps. It is far more credible when training content reflects the business model, the jurisdictional exposure and the actual control challenges staff face.

Prepare your evidence, not just your answers

Good preparation means assembling documents in a way that supports a clear narrative. Policies, procedures, risk assessments, file samples, training logs, monitoring reports, internal audit findings and governance papers should be easy to retrieve and internally consistent.

That does not mean producing volume for its own sake. Excess material can be just as unhelpful as missing material if it creates contradictions or slows response times. A more disciplined approach is to prepare a structured document pack and map key evidence to core obligations. This allows the business to respond accurately rather than reactively.

It is also wise to run a pre-visit review. This can include mock file testing, walkthroughs of onboarding and monitoring controls, and challenge sessions with key staff. The aim is not theatre. It is to identify where explanations are vague, evidence is incomplete or controls rely too heavily on informal practice. Where firms use an experienced adviser such as Complipal, the benefit is often not additional paperwork but sharper visibility over what a regulator is likely to probe.

Address remediation before the visit if you can

If you already know there are gaps, do not try to hide them behind polished documents. It is usually better to assess the issue, define the root cause, record the remediation plan and show progress. Regulators tend to distinguish between unmanaged weaknesses and issues that have been recognised, escalated and actively addressed.

The trade-off, of course, is timing. Not every deficiency can be fixed immediately, and rushed remediation can create new inconsistencies. If a policy update is underway but staff have not yet been trained on it, be candid about the transition and clear about interim controls. Credibility matters.

A sensible final check is to ask whether an independent reviewer, with no background knowledge of the business, could understand your AML control environment from the documents and evidence available. If the answer is no, the visit may expose confusion that has gone unnoticed internally.

The firms that come through FIAU visits most confidently are rarely those with the largest compliance manuals. They are the ones with a risk-based framework that works in practice, records that support decision-making, and governance that shows accountability rather than assumption. Preparation is not about appearing compliant for a day. It is about being able to demonstrate, calmly and clearly, that your controls can withstand scrutiny when it matters most.