The gap that policy review does not close
A policy review is a test of what the framework says it does. It checks that documents exist, that they reflect current regulation, that responsibilities are clearly allocated and that procedures cover the material scenarios. It is a necessary exercise and, done well, a useful one.
What a policy review will not tell a Board is whether the framework works. It will not tell the Board whether risk ratings were assigned correctly on the last hundred onboarded customers. It will not test whether the alert closure rationales in transaction monitoring reflect genuine analytical judgement or template language. It will not answer whether the escalations recorded on paper produced any change in the underlying decisions.
Perspective 002 set out five questions a Board should be able to answer about its financial crime framework. The uncomfortable truth is that policy review, on its own, cannot help a Board answer any of them. Only file-level, operational and governance-level challenge can do that.
What independent challenge actually means
The term is used loosely, sometimes to describe a peer review, sometimes an audit, sometimes an external consultant reading a policy suite. It is worth being precise about what supervisors now mean by it.
Independent challenge is the exercise of professional judgement against evidence, by someone who is neither responsible for producing that evidence nor accountable for the outcome being tested. The core of the exercise is not documentary. It is sampling files, sitting in the meetings where decisions are taken, testing the analytical reasoning that produced them, and forming a view of the framework from the outside in.
Three characteristics distinguish it from other second-line activity:
Internal audit provides part of this discipline, but rarely all of it. Audit typically operates on a three-year cycle, applies a structured methodology and reports at a level of generality that supports risk-rating conclusions. Independent challenge is faster, more granular and more specific. The two functions are complementary. Neither substitutes for the other.
Why firms resist genuine challenge
In the abstract, no Board resists challenge. In practice, resistance is common and rarely conscious. It usually takes one of three forms.
The first is scope compression. An initial engagement to test file quality becomes, by degrees, a policy readback with a file-sampling appendix. The change is presented as pragmatic; its effect is to preserve the framework's self-image.
The second is finding softening. Draft findings are shared for factual accuracy and returned with adjustments that dull the language, split composite findings into smaller items and re-classify significance. The published report reads as a measured contribution rather than a call to change.
The third is action-plan absorption. Findings are accepted and translated into a remediation plan of such breadth that individual accountability disappears into a portfolio owned by a project manager. Progress is reported in RAG status; the underlying weakness quietly persists.
How Boards should use independent challenge
Independent challenge is most useful when it is deployed deliberately, on a defined question, with a clear route into governance. The following practical actions consistently produce useful engagements.
How Claritas approaches independent challenge
Our starting point is that the value of a challenge engagement is measured by whether it changes the way the firm operates, not by the length of the report it produces. That has three practical consequences for how we work.
First, we scope narrowly. A single well-defined question answered against real evidence is worth more than a broad framework review that closes with a list of themes. Second, we sample. Interviews and document review inform the work, but the conclusions rest on files, meetings and MI reviewed in detail. Third, we report to the Board in the language the Board uses. Where a finding requires a decision, we say so. Where it requires a change in practice, we identify the change, the owner and the evidence that would demonstrate improvement.
The engagements that produce the most durable change tend to be short, focused and repeated. Boards find them more useful than either an annual audit cycle or a periodic comprehensive review, because they map cleanly onto the questions the Board is actually being asked to answer.
- 01Independent challenge is a scheduled feature of the Board's assurance calendar, not an ad hoc response to a supervisory event.
- 02The second line has documented standing to overrule the first line, and that standing has visibly been used in the last twelve months.
- 03Challenge engagements are scoped against specific hypotheses tied to the Business-Wide Risk Assessment, not against generic themes.
- 04Findings translate into a small number of named-owner actions tracked directly by the Audit or Risk Committee.
- 05The firm can point to at least one material financial crime decision in the last year that changed as a result of independent challenge.
- Financial Conduct Authority, Final Notice: Starling Bank Limited (October 2024). www.fca.org.uk/publication/final-notices/starling-bank-limited-2024.pdf
- Bank of Lithuania, supervisory action against Revolut Bank UAB (2025). www.lb.lt/en/news/the-bank-of-lithuania-imposes-a-fine-on-revolut-bank-uab
- National Bank of Belgium, enforcement action against ING Belgium (2024).
- European Banking Authority, Guidelines on Internal Governance (EBA/GL/2021/05).
- Basel Committee on Banking Supervision, Sound Management of Risks related to Money Laundering and Financing of Terrorism. www.bis.org/bcbs/publ/d505.pdf


