A client says the money came from "business income". Another provides a bank statement showing a recent transfer from a personal account. On paper, both may look acceptable at first glance. Under regulatory scrutiny, neither explanation is
A weak risk assessment usually shows up long before a regulator points it out. It appears in inconsistent onboarding decisions, repeated false positives, over-escalated low-risk cases, and high-risk relationships that pass through with limited challenge. That is
A weak AML risk assessment rarely fails in theory. It fails when onboarding teams override alerts without a clear rationale, when business lines rate clients differently for the same fact pattern, or when a regulator asks why
An FIAU compliance visit rarely becomes difficult because a firm has no policies at all. More often, the pressure comes from a gap between what the business says it does and what can actually be evidenced on
A client who looked low risk at onboarding can become a very different proposition six months later. Ownership structures change, transaction patterns shift, sanctions lists update, and adverse media can surface without warning. If your due diligence
A KYC file that was accurate at onboarding can become unreliable far sooner than many firms expect. Directors change, ownership structures shift, transaction behaviour drifts, sanctions risks move, and documents expire quietly in the background. By the
A transaction does not need to be proven criminal before it becomes reportable. That is where many firms come unstuck. The suspicious transaction report process sits at the centre of an effective AML control framework because it
A regulator rarely tells you something you do not already suspect. By the time weaknesses surface in an inspection, a file review or a remediation exercise, the real issue is usually older and deeper - inconsistent control
A corporate client can look perfectly ordinary on paper: a registered company, an active bank account, a familiar line of business. Then you open the ownership tree and find three layers of entities, a nominee shareholder, and
A player deposits £20, cashes out £2,000 two days later, and explains it as a “lucky streak”. Your payments team sees nothing unusual. Your CRM flags a different device. Your VIP manager recognises the name from a
A regulator rarely criticises a firm for having a transaction monitoring system (TMS). They criticise it for how it fails in practice: missing obvious typologies, generating unmanageable alert volumes, or producing no defensible rationale for
A regulator rarely criticises you for having a risk-based approach. They criticise you for applying it inconsistently. That is exactly where customer risk rating falls apart: two analysts reach different outcomes on the same file, a “medium”
A regulator rarely criticises you for moving too slowly on onboarding. They criticise you for letting the wrong customer in, not spotting a red flag, or being unable to evidence how you reached a decision. That is
Most onboarding failures are not caused by a lack of policy. They happen in the gaps between teams: Sales promises a timeline, Operations chase documents, Compliance reviews too late, and the business ends up either onboarding a
An AML remediation programme rarely fails because people do not understand the rules. It fails because the work is treated like a document exercise, the scope keeps moving, and evidence is gathered too late to be credible.
Most AML programmes do not fail because a policy is missing. They fail because nobody can clearly show how obligations flow into day-to-day controls, who owns them, and what evidence proves they operate. That is exactly what
Corporate onboarding rarely fails because a firm missed a document. It fails because teams accepted a story that did not match the evidence - and no one stopped the onboarding long enough to test the gaps. The
Fintech onboarding rarely fails because teams do not care about compliance. It fails because the controls are not designed for speed, product complexity, and messy real-world customers - then nobody can evidence why a client was accepted
A regulator asks a simple question after a thematic review: “How do you know your controls work?” If your answer relies on a monthly checklist and a few case notes, you may be exposed. If your answer
A periodic review is where good onboarding decisions either stay good or quietly become liabilities. Most audit findings we see are not because a firm failed to collect an ID document in year one. They happen because