Receiving notice of a visit or supervisory inspection from a Regulator can be a daunting prospect, particularly with financial crime and fraud prevention sitting high on the Regulator’s priority list. However, there are some simple steps you can take to make sure you, and your firm, put your best foot forward and may help prevent you scoring any avoidable own goals.
It’s important to be positive – whilst firms don’t necessarily welcome such visits, they are nevertheless a great opportunity to reassure the Regulator that you take financial crime risk seriously, and that you have an appropriate and robust framework of policies and procedures to manage the risks to your firm, your customers and to the Regulator’s objectives.
With an impending visit, first and foremost, you will need to be able to demonstrate that you know your business and its financial crime risk profile.
As a starting point, think about refreshing your knowledge on the areas of higher financial crime risk in your business - whether these are operations or clients in higher risk countries, higher risk products or services such as prepaid cards or correspondent services, or outsourcing arrangements.
You should be able to articulate where the pockets of increased risk sit within your business. The Regulator will want comfort that you know what it is about your business, and your clients, that may present inherently higher financial crime risks, and what you do to manage these.
It’s a good idea to make sure you’re familiar with the stats and data relating to the firm’s risk profile, such as percentage of high-risk customers, number of PEPs and any particularly high-profile PEP relationships. For example, it may raise concerns if the MLRO can’t remember if a particularly high-profile PEP was onboarded or not.
Have a look at your most recent REPCRIM and APP fraud reporting. If your firm has had other recent interactions with the Regulator (such as breaches of SYSC in the financial crime space), then be prepared to talk about these including the current status of any follow up action.
Be able to articulate the 3LOD model deployed in your business and know the size of your compliance function, and resources deployed on financial crime matters
When it comes to ongoing change – tactical and strategic - you should be able to describe, at a high level, any planned change or remediation activity, including main objectives, when it is due to complete and whether it is currently on track.
So, to recap:
- Firstly, Do your homework – read up on the MLRO report, REPCRIM and fraud data returns, latest status reports of remediation and change activity
- Secondly, Prep interviewees – mock interviews can be an excellent tool to ensure senior management are up to speed and know what to expect. You can also ensure that all those interacting with the Regulator during the visit can provide consistent positions on the key issues
- Thirdly, Be transparent – if you don’t know something, say you will check and confirm to them later. It isn’t about trying to show you are perfect but being open and honest about where you are and what your direction of travel is
- And finally, Post-visit follow-up – Debrief internally, document key takeaways, respond to any Regulator requests, begin remediation where needed, and share lessons learned to strengthen future readiness.
Preparing for a Regulator visit on financial crime doesn’t need to be overwhelming. With the right groundwork: knowing your risk profile, being familiar with your data, and ensuring key stakeholders are well-prepped, you can approach the visit with confidence and transparency.
If you’d like help to prepare for a visit, get in touch, we’re here to support.
