A regulator rarely asks whether you have “a system”. They ask whether your controls actually catch the risks your business creates - and whether you can evidence the decisions you made when something looked wrong. That is
When an AML programme fails, it is rarely because a policy was missing. It fails because controls were assumed to work - and no-one could prove they did. The uncomfortable moment usually arrives in an audit, a
Most compliance monitoring programmes fail quietly. Not because the firm does nothing, but because the work is disconnected: a test plan that does not match the Business Risk Assessment, QA checks that never reach the first line,
The call usually comes at a predictable moment - a regulator has asked for evidence, the board wants assurance, or a spike in alerts is exposing how much of the MLRO function depends on one person keeping
Most KYC failures are not caused by a missing passport scan. They happen because a file tells an inconsistent story - the risk rating does not match the client profile, the source of wealth narrative is thin,
A regulator rarely needs to allege intentional wrongdoing to create a serious problem. In fintech, a weak control can be enough: inconsistent onboarding decisions, thin rationale for accepting higher-risk customers, alerts that are closed without defensible evidence,
A regulator rarely asks whether you have a policy. They ask whether it works. That difference is where most programmes come unstuck. On paper, the organisation has an AML policy, a CDD procedure, an escalation route, an
A regulator rarely asks whether you have AML policies and procedures. They ask whether your programme actually works - in files, in decisions, and under pressure. That is why an AML policies and procedures review should feel
A regulator or internal audit report rarely hurts because it’s surprising. It hurts because it exposes gaps you already suspected, then forces you to prove - quickly - that you can control your risk. An effective remediation
The first sign you are not ready for an AML audit is rarely a missing policy. It is the pause in a meeting when someone asks, “Where is the evidence for that decision?” If your AML framework
A regulator rarely asks whether you meant to do the right thing. They ask what you did, when you did it, why you judged the risk acceptable, and what evidence you retained. That is why third-party risk
When a prospective client looks commercially attractive but trips your high-risk flags, the real question is not whether you can onboard them. It is whether you can defend the decision six months later - to your auditor,
A regulator rarely asks for your policies first. They ask how you decided what mattered most - and whether your decisions are consistent. That is why a Business Risk Assessment (BRA) is not a document you “complete”.
A regulator rarely asks for your business risk assessment (BRA) because they are curious. They ask because something has already made them doubt whether your controls match your real-world exposure - your customer base, your delivery channels,
When onboarding is working, you barely notice it. When it is not, you see it everywhere: inconsistent go/no-go decisions, long queues for approval, missing files right before an audit, and a creeping sense that the business is
A regulator does not assess your intent - they assess your evidence. If your onboarding files are inconsistent, your risk ratings cannot be explained, or your controls testing is informal, you can be exposed even when your
A regulator rarely asks for your AML policy because they are curious about the wording. They ask because they want to know whether your controls actually work - on a real file, on a real day, under
A regulator rarely criticises you for a single missed document. They criticise you for the decision your firm made on a client, and whether your records show a clear, risk-based rationale for that decision. That is the
A regulator rarely criticises you for not having a policy document. They criticise you for inconsistent decisions, weak evidence, and controls that exist on paper but fail in practice. If you are onboarding clients at pace, operating