A regulator rarely asks for your business risk assessment (BRA) because they are curious. They ask because something has already made them doubt whether your controls match your real-world exposure - your customer base, your delivery channels,

When onboarding is working, you barely notice it. When it is not, you see it everywhere: inconsistent go/no-go decisions, long queues for approval, missing files right before an audit, and a creeping sense that the business is

A regulator does not assess your intent - they assess your evidence. If your onboarding files are inconsistent, your risk ratings cannot be explained, or your controls testing is informal, you can be exposed even when your

A regulator rarely asks for your AML policy because they are curious about the wording. They ask because they want to know whether your controls actually work - on a real file, on a real day, under

A regulator rarely criticises you for a single missed document. They criticise you for the decision your firm made on a client, and whether your records show a clear, risk-based rationale for that decision. That is the

A regulator rarely criticises you for not having a policy document. They criticise you for inconsistent decisions, weak evidence, and controls that exist on paper but fail in practice. If you are onboarding clients at pace, operating