Perspectives
Perspective 014Inspection Readiness

Read your own files cold before the regulator does.

A practitioner's note on the most productive single hour in the week before an inspection: ten high-risk files, open on the screen, with the people who own them and no preparation time.

By Everett MorganSummer 20268 min read
An empty meeting room set up for an inspection, files and a laptop on the table
Executive summary

The most productive hour in the week before an inspection is not spent in the data room. It is spent in front of ten files, open on the screen, with the people who own them, and no preparation time.

This is a companion note to Guide 006, Preparing for an AML Inspection. The guide covers the full inspection cycle. This piece sits on the one hour in the four-week preparation that, in my experience, most often decides the supervisory tone.

Key takeaways
  1. 01

    The most productive single hour in the week before an inspection is not spent in the data room. It is spent in front of ten high-risk files, opened cold, with the relationship manager and the analyst, asking three questions per file and then staying quiet.

  2. 02

    What people say about their controls and what their files actually show are almost never identical. Sometimes the gap is small and explainable. Often it is large enough that, if the inspector found it first, it would be cited as a control weakness rather than a documentation gap.

  3. 03

    The instinct in the firm is to edit. The instinct is wrong. Files are dated, supervisors can see when notes were added, and an edit made the week of the notice letter is a worse finding than the gap it tried to cover.

  4. 04

    The right answer is a dated, contemporaneous note added today, acknowledging what the file does not yet show, why, and what the firm is doing about it. That note becomes part of the evidence and changes how the gap is read.

  5. 05

    Inspections do not create gaps. They reveal the ones the firm had stopped looking at because nothing recently had forced it to. The pre-inspection file walk forces the firm to look again.

  6. 06

    The person with the most useful information about what the inspector will find is usually two desks away from the MLRO, has been for years, and has very rarely been asked the right question in the right way. Ask it now, with the file open.

The week a notice letter lands, most firms head straight for the data room. There is a request list to triage, an evidence tracker to stand up, an interview list to confirm. All of that work matters. None of it is the most productive hour in the week.

The most productive hour is the one in which I sit down with the relationship manager and the AML analyst for one of the firm's high-risk customer segments, ask them to open ten files at random on the screen, and walk me through each one cold. Three questions per file. What is the customer's purpose. What triggered the last periodic review. What would you escalate if you saw it tomorrow. Then I stop talking.

What the hour usually finds

What people say about their controls and what the files actually show are almost never identical. That is not because anyone has been dishonest. It is because the description of how the work is done has been written and rewritten in policy, training and MI for so long that it has detached, gently, from the day-to-day reality of how it is actually being done.

A periodic review that the policy says is annual turns out, on five of ten files, to have been more than fourteen months ago, because the system queue depends on a date field that has been inconsistently maintained. The relationship manager knows the customer well and has spoken to them twice in the period; the file does not record either call. The analyst can describe the EDD process clearly; the EDD note on file is two lines, dated eighteen months ago, and references a source of wealth document that is not in the folder.

None of these are scandals. Each is the kind of finding a supervisor will cite in a draft letter and which, if a firm sees it for the first time in writing from a regulator, will read very differently than if the firm has named it openly beforehand.

Why the instinct to edit is the wrong instinct

The temptation, once the hour is over, is to fix the files. To add the missing call note. To complete the EDD record. To update the source of wealth document. Sometimes the temptation extends, quietly, to back-dating the entry so that it sits naturally in the chronology of the file.

Do not edit. Supervisors can see when notes were added. Files are dated. A clean entry made the week of a notice letter is not a clean entry; it is evidence of an attempt to look better than the firm was. It is a worse finding than the gap it tried to cover, and it is the finding most likely to escalate from documentation weakness to conduct concern.

The right answer is a dated, contemporaneous note added today. "On [today's date], in preparation for the inspection notified on [date], a file review identified that the EDD record on file is two lines and references a source of wealth document not currently in the folder. The relationship has been operating within risk appetite. The firm is sourcing the document and will update the file accordingly. This note has been added in the open, not retrospectively." That note becomes part of the evidence the supervisor sees, and it changes how the gap is read.

Themes, not files

Record what the hour finds by theme, not by file. The supervisor will report by theme. If three of ten files show stale periodic reviews on the same segment, the supervisor will cite "periodic review timeliness in segment X", not "file 12345". The firm's note should match that lens, so the conversation with the supervisor is about the same population and the same remedy, not about whether one file is or is not in scope.

For each theme, decide three things. What is addressable now, today, without altering any file. What needs to be acknowledged openly to the supervisor, in writing or at the opening meeting. What is too late to fix in time and will need to be lived with, for this cycle, with a credible plan for the next.

Inspections do not create gaps. They reveal the ones the firm had stopped looking at because nothing recently had forced it to.

The harder lesson is for the management layer above

The people who walked me through those ten files knew, before I asked, where the soft spots were. They had not been asked. The QA cycle had not asked. The second-line review had not asked. The MLRO's MI pack had not asked. The pre-inspection file walk had asked, in the only way that ever reliably surfaces this kind of information: open the file, ask the operator, and stay quiet long enough for the operator to give a real answer.

The work that follows the hour, in the four weeks before the inspectors arrive, is operationally significant. But the hour itself is the one that, more than any other piece of preparation I have seen, changes the supervisory tone. Firms that walk into the opening meeting able to name two or three themes they have already found and are already addressing are inspected differently from firms that wait to be told.

What I would do this week, if I were you

If you have a notice letter on your desk, find an hour tomorrow. Pick the segment most likely to be sampled. Sit with the relationship manager and the analyst. Open ten files at random. Ask three questions per file. Write down what you hear by theme. Decide which themes to disclose at the opening meeting, in writing, in the firm's own words.

If you do not have a notice letter, do it anyway. The same hour, run twice a year, is the most effective piece of self-assessment I know of, and it costs the firm one afternoon. It will also, almost certainly, tell you something your formal MI pack has not, about the population it claims to describe.

Guide 006 sets out the full inspection cycle, from the first 72 hours after the notice letter to closing the loop on findings in the months that follow. Download the full guide and use the four-week preparation schedule in the appendix before the next supervisory cycle begins.

About the author
Everett Morgan
Founder & Principal Adviser, Claritas Risk Advisory

Everett has more than twenty years' experience in financial crime, AML governance, regulatory compliance and operational risk gained within Deutsche Bank, Morgan Stanley and BNP Paribas. He established Claritas Risk Advisory to provide smaller regulated financial institutions with experienced independent judgement, practical insight and proportionate recommendations.

Need an independent perspective?

Preparing for regulatory change starts with understanding where your organisation stands today.

If you would like to discuss your financial crime framework or explore how Claritas Risk Advisory can help, I would be pleased to arrange a confidential conversation.

Let's start with a conversation