Perspectives
Perspective 002Governance

Five questions every Board should ask about its financial crime controls.

Simple questions that move a board conversation from policy compliance to genuine oversight, and reveal whether the framework holds together under scrutiny.

By Everett MorganSummer 20266 min read
A modern European executive boardroom at dusk
Executive brief

Reading time · 9 minutes  ·  Primary audience · Non-Executive Directors, Chairs, Audit and Risk Committees, MLROs

Why this matters

Recent European enforcement actions, from Starling Bank in the UK to ING Spain and Banca March, share a common feature. In each case the Board had approved the policies, received the packs and signed the minutes. What the Board could not later evidence was that it had genuinely understood, challenged and directed the financial crime framework it was responsible for. Supervisors are now testing that distinction directly.

Key findings
  1. 01European supervisors are moving from documentary review to evidence-based testing of Board effectiveness. The existence of an approval trail is no longer sufficient.
  2. 02Recurring findings include Boards that could not describe the firm's principal financial crime exposures, minutes recording acknowledgement rather than challenge, and management information that reported activity rather than risk.
  3. 03The most useful indicator of Board effectiveness is not the volume of MI received. It is the number of decisions the Board has changed as a result of a financial crime discussion.
  4. 04Firms that answer these questions well tend to prepare for supervisory engagement over years. Firms that answer poorly tend to prepare in the weeks after receiving the letter.
Questions Boards should ask
  1. 01Can each director, without notes, describe the three highest financial crime exposures currently carried by the firm?
  2. 02When was the last Board or committee meeting at which a financial crime discussion changed a business decision?
  3. 03If a supervisor asked to see the evidence that our framework works, what would we show them, and would it be enough?

Why these five questions

Perspective 001 examined recent Spanish enforcement and set out the direction European supervision is now taking: from the review of documents to the evidencing of outcomes. That shift changes what a Board actually needs to be able to do. It is no longer sufficient to approve a policy suite once a year and receive a quarterly MLRO report. Supervisors now expect Boards to demonstrate active oversight, informed challenge and documented judgement.

The questions that follow are the ones I have found most useful during Board effectiveness reviews and pre-inspection readiness work. Each one is straightforward. Each one is difficult to answer well. Taken together they will tell a Board, quickly, whether the framework it oversees is holding together.

01. Can we describe our financial crime risk in plain terms?

This is the question I ask first. Not because it tests technical expertise, but because it tests whether the Board has genuinely absorbed the Business-Wide Risk Assessment, or whether the BWRA has become a document maintained by the second line and approved once a year by the first.

A Board that has absorbed the BWRA can describe, in its own language, which products carry the most exposure, which customer segments draw the most attention from the MLRO team, which jurisdictions the firm would rather not be exposed to, and where the residual risk is trending. The Chair should be able to give that answer to a supervisor without opening the pack.

Where that answer is hesitant or generic, the diagnosis is rarely that the Board is uninterested. It is usually that the BWRA has become a technical artefact rather than a governance tool. It contains the right analysis, but it is not written for, or discussed with, the people who need to act on it.

02. How do we know the controls are working, not just running?

Most firms can produce a management information pack showing alerts raised, cases closed, files reviewed and training completed. Very few can produce management information showing whether the controls those numbers describe actually worked.

The distinction matters because supervisors have now made it explicit. SEPBLAC's 2025 Annual Report was direct on the point: packs that count activity are treated as productivity reporting, not as assurance. Useful MI answers a different question. It shows whether higher-risk files were reviewed to the standard the policy requires, whether alert closure rationales evidenced genuine analytical judgement, and whether the issues raised last quarter were resolved in substance or only in status.

This is where independent challenge, examined in Perspective 003, becomes practically important. It is difficult for a function to grade its own homework. It is harder still for a Board to receive that grade and know how far to trust it.

03. Where are we weakest, and who is willing to say so?

Every framework has weak points. The question is whether the Board can see them before the supervisor does, and whether anyone in the room feels safe enough to name them.

Supervisors do not expect perfection. They expect the firm to know its own gaps, to have an honest view of materiality and to be closing them at a sensible pace. That is a very different position from a firm that presents an implausibly green dashboard and is later found, on inspection, to have known about material weaknesses for some time.

The way to test this at Board level is to watch how the MLRO answers the question in front of the Chair. A direct answer, even an uncomfortable one, is usually a good sign. A polished one rarely is.

04. If a supervisor asked, could we explain why?

The hardest questions in an inspection are not about what the firm did. They are about why.

Why was this customer accepted at onboarding. Why was that relationship kept when the risk rating moved to high. Why was the monitoring scenario adjusted last summer. Why did the Committee decide, in October, that the SAR backlog was acceptable. Eighteen months later, the only surviving evidence is the paper trail: Board papers, committee minutes, the MI relied upon and the challenge recorded against it.

This is not an exercise in defensive documentation. It is an exercise in the discipline of decision-making. Boards that write clearly about why they decided something also tend to decide it more carefully.

05. Are we ready for what is already coming?

AMLR, AMLD6 and AMLA are no longer future events. The text is settled and the implementation dates are fixed. The firms that will manage the transition comfortably are the ones already strengthening governance, customer due diligence and management information now, in the two years before AMLA becomes operational.

Most of the work required has very little to do with the technical standards still to be published. It is the work of tightening legacy files, sharpening risk assessments, rebuilding management information around risk rather than activity, and ensuring the second line has the standing to challenge the first. That work takes time to do well, and it takes longer if it has to be done under supervisory pressure.

How Claritas approaches these questions

When a Board asks us to help, we do not begin by proposing new policies. We begin by testing how well the framework already answers the five questions above.

That work typically has three phases. First, a short evidence review: the BWRA, the last four Board packs, the MLRO reports, the second-line QA output and internal audit findings, read against each other rather than in isolation. Second, a small number of structured conversations with the Chair, the CEO, the MLRO, the Head of Risk and internal audit, focused on the same five questions. Third, a short findings note written for the Board, distinguishing between issues that require a decision and issues that require a change in practice.

The output is intentionally short. Boards rarely need more paper. What they need is a document that is honest about where the framework stands and specific about what to do about it.

What success looks like
  • 01Every director can describe, in plain terms, the firm's principal financial crime exposures and how they have changed in the last year.
  • 02Management information tells the Board whether the controls worked, not only that the team was busy. Trend and outlier data are more prominent than volumes.
  • 03The Board knows where the framework is weakest and can describe what is being done about it, on what timeline, and by whom.
  • 04Material financial crime decisions are minuted with sufficient specificity that a supervisor could reconstruct them eighteen months later without help.
  • 05Preparation for AMLR, AMLD6 and AMLA is under way, sequenced by materiality, with clear owners and a realistic timeline.
References
About the author
Everett Morgan
Founder & Principal Adviser, Claritas Risk Advisory

Everett has more than twenty years' experience in financial crime, AML governance, regulatory compliance and operational risk gained within Deutsche Bank, Morgan Stanley and BNP Paribas. He established Claritas Risk Advisory to provide smaller regulated financial institutions with experienced independent judgement, practical insight and proportionate recommendations.

Need an independent perspective?

Preparing for regulatory change starts with understanding where your organisation stands today.

If you would like to discuss your financial crime framework or explore how Claritas Risk Advisory can help, I would be pleased to arrange a confidential conversation.

Let's start with a conversation