The MLRO's guide to surviving a regulatory inspection


By Stuart Watkins, CEO, Zenoo

Last year, we spoke to 23 MLROs across UK and EU financial institutions after they had been through a regulatory inspection. The pattern was striking. Almost all of them said the same thing: "We thought we were ready. We were not."

The gap between thinking your compliance programme is solid and proving it to a regulator in real time is enormous. And it is a gap that costs firms millions in fines, remediation costs, and lost business relationships every year.

This guide is not a theoretical overview of MLRO responsibilities. You can find those anywhere. This is practical, hard-won advice from people who have sat across the table from regulators and lived to tell the story.

They are not testing your policy. They are testing your people.

The single biggest misconception we hear from MLROs preparing for inspections is that regulators want to see well-written policies. They do, of course. But that is the baseline. What they actually want to understand is whether your team knows how to apply those policies in practice.

An experienced MLRO at a UK payments firm told us about their FCA visit:

"They asked one of our junior analysts to walk them through a recent SAR filing from start to finish. Not the MLRO. Not the compliance director. The analyst. They wanted to see whether the process actually worked at the operational level, not just in the procedures manual."

This is a pattern we see repeated across jurisdictions. Regulators will ask to speak with front-line staff, not just senior compliance personnel. They want to understand whether training has actually landed, whether people know what a suspicious transaction looks like, and whether escalation routes work in practice.

Practical step: Before any inspection, run unannounced scenario tests with your team. Give an analyst a hypothetical transaction pattern and ask them to walk through their response. Time it. Document it. If they hesitate or reach for the manual, that is your gap.

The audit trail is everything

We cannot overstate this. The quality of your audit trail will determine the outcome of your inspection more than almost any other factor. Regulators are not asking "did you make the right decision?" They are asking "can you show me how you made the decision, what information you had at the time, and why you concluded what you concluded?"

This means every risk assessment, every customer review, every screening alert disposition needs a documented rationale. Not a tick in a box. A written explanation that another person could read and understand.

The firms that struggle most in inspections are the ones where decisions exist in people's heads rather than in systems. An analyst who reviewed a screening alert and decided it was a false positive may have been entirely correct. But if the only record is "cleared" with no supporting rationale, the regulator will treat it as a failure.

Practical step: Pull 20 random case files from the last six months. For each one, ask: could a new joiner, with no context, understand why each decision was made? If the answer is no for more than two or three, your documentation standards need work.

Know your numbers before they ask

Regulators have become increasingly data-driven in their approach. They will ask for statistics on SAR volumes, screening alert volumes, false positive rates, average time to disposition, and customer risk distribution. If you cannot produce these numbers quickly, it signals a lack of management oversight.

More importantly, they will probe the numbers for internal consistency. If you report a 2% SAR filing rate but your screening system generates alerts on 15% of transactions, they will want to understand the funnel between those two numbers. If you cannot explain it, they will assume the worst.

"The regulator asked us for our false positive rate by screening provider. We had the overall number, but we had never broken it down by provider. That single question led to a three-month remediation programme because it turned out one of our providers was generating 94% false positives, and we had never noticed."

Practical step: Build a compliance dashboard that tracks the metrics regulators care about. Update it monthly at minimum. Review it in your board reporting. The act of tracking these numbers regularly means you will spot problems long before a regulator does.
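As an added illustration (not Zenoo's code or any MLRO's reporting system): the funnel and provider breakdown described above, computed from constructed alert-disposition records so that the overall false positive rate and the per-provider figures come from the same data and cannot drift apart. The record layout, the disposition values and the provider names are assumptions made for the example.

```python
"""Screening-metrics reconciliation: alert funnel and false positive rate
by provider, computed from one set of per-alert records. Added example;
record fields, disposition values and provider names are constructed."""
from collections import Counter

# Assumed disposition values: "false_positive" (cleared by an analyst),
# "escalated" (referred to the MLRO, no report made), "sar_filed".
def _batch(provider, false_positives, escalated, sars):
    """Build constructed alert records for one screening provider."""
    counts = (("false_positive", false_positives), ("escalated", escalated),
              ("sar_filed", sars))
    return [{"provider": provider, "disposition": d} for d, n in counts for _ in range(n)]

# Constructed sample: 100 alerts, one provider clearing almost everything.
ALERTS = _batch("provider_a", 30, 15, 5) + _batch("provider_b", 47, 2, 1)
TRANSACTIONS_SCREENED = 1000  # constructed denominator for the funnel

def funnel(alerts, screened):
    """Alerts -> escalations -> SARs, with the rates a regulator asks for."""
    n_alerts = len(alerts)
    n_escalated = sum(a["disposition"] in ("escalated", "sar_filed") for a in alerts)
    n_sars = sum(a["disposition"] == "sar_filed" for a in alerts)
    # Internal consistency the inspector will probe: each stage is a subset of the last.
    assert n_sars <= n_escalated <= n_alerts <= screened
    return {"screened": screened, "alerts": n_alerts, "escalated": n_escalated,
            "sars": n_sars, "alert_rate": n_alerts / screened, "sar_rate": n_sars / screened}

def false_positive_rates(alerts):
    """Return (overall false positive rate, {provider: false positive rate})."""
    totals, false_positives = Counter(), Counter()
    for a in alerts:
        totals[a["provider"]] += 1
        if a["disposition"] == "false_positive":
            false_positives[a["provider"]] += 1
    by_provider = {p: false_positives[p] / totals[p] for p in totals}
    return sum(false_positives.values()) / len(alerts), by_provider

def outliers(by_provider, threshold=0.9):
    """Providers whose false positive rate exceeds the threshold (assumed 90%)."""
    return sorted(p for p, rate in by_provider.items() if rate > threshold)

if __name__ == "__main__":
    print(funnel(ALERTS, TRANSACTIONS_SCREENED))
    overall, by_provider = false_positive_rates(ALERTS)
    # The overall rate (77%) hides a provider running at 94%.
    print(overall, by_provider, outliers(by_provider))
```

The overall rate alone looks like a single tuning problem; only the per-provider view reveals that one feed is generating almost nothing but noise, which is the breakdown the quoted MLRO had never produced.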

Customer risk assessments: depth matters more than breadth

Every firm has a customer risk assessment model. Most of them are not good enough. The common failure is treating risk assessment as a scoring exercise: assign points for jurisdiction, product type, and transaction volume, produce a score, put the customer in a bucket. Regulators see through this immediately.

What they want is evidence of genuine risk reasoning. Why is this customer medium-risk rather than high-risk? What specific factors did you consider? Did you look beyond the obvious indicators? For corporate customers, did you actually trace the ownership structure, or did you accept the information at face value?

The firms that impress regulators are the ones that can demonstrate they have thought critically about their customer base, not just processed it through an algorithm. That does not mean every assessment needs to be a dissertation. It means the rationale needs to be proportionate to the risk.

Practical step: Take your ten highest-risk customers and review their assessments as if you were a regulator. Are the risk factors clearly identified? Is the rationale for the risk rating documented? Is the enhanced due diligence proportionate to the specific risks, or is it a generic checklist applied uniformly?

Governance is not a committee. It is a decision-making framework.

Inspectors will review your governance arrangements, and they are looking for something specific: evidence that senior management is genuinely engaged in compliance oversight, not just receiving quarterly reports and signing them off.

Board minutes that say "the compliance report was noted" are a red flag. Board minutes that record questions asked, challenges raised, and decisions made are evidence of active governance. Regulators can tell the difference between a board that interrogates its compliance data and one that rubber-stamps it.

The MLRO's relationship with the board matters enormously. If the MLRO has direct access to the board and uses it, that is a strong signal. If the MLRO reports through two layers of management and the board only sees sanitised summaries, that is a weakness regulators will probe.

"The inspector asked our chairman a direct question: 'When was the last time you disagreed with the MLRO's recommendation?' Our chairman had a good answer, because it had happened three months earlier and was documented. That exchange probably saved us more than any policy document in our compliance library."

Common traps and how to avoid them

Based on conversations with MLROs who have been through inspections in the past 18 months, here are the five most common traps.

The legacy customer trap. Regulators love asking about long-standing customers who were onboarded under older, less rigorous processes. If you have customers who were onboarded five or ten years ago and have never been re-assessed against current standards, you have a problem. Prioritise a remediation programme for legacy customers before the inspector finds them.

The policies vs practice gap. Your AML policy says you review high-risk customers annually. Can you prove you actually did? For every single one? In the required timeframe? If there are gaps, it is better to have identified them yourself and documented a remediation plan than to have the regulator discover them.

The training records gap. Regulators will check training records. Not just that training happened, but what it covered, who attended, and how you assessed comprehension. A sign-in sheet is not enough. Evidence of scenario-based training with documented outcomes is the standard.

The third-party reliance trap. If you rely on third parties for any part of your AML framework (screening providers, data vendors, outsourced monitoring), regulators will want to see evidence that you have conducted due diligence on those providers and that you actively monitor their performance. "We trust our vendor" is not a compliance position.

The SAR quality trap. Filing SARs is not enough. Regulators review SAR quality. If your SARs are vague, lack supporting evidence, or read like template fill-ins, it undermines your entire compliance programme. Quality over quantity, always.

The 30-day preparation plan

If you know an inspection is coming, or even if you want to be ready for one that is not yet scheduled, here is a practical 30-day preparation plan.

Days 1 to 10: Conduct a self-assessment. Pull sample case files, review documentation quality, test your team's knowledge, and produce the statistics a regulator would ask for. Document every gap you find.

Days 11 to 20: Close the gaps. Update incomplete case files, refresh training records, fix any documentation that falls below standard. If there are systemic issues (like a backlog of overdue customer reviews), document a remediation plan with clear milestones.

Days 21 to 30: Run a mock inspection. Have someone outside your compliance team (internal audit, external consultant, or even a trusted colleague from another firm) conduct a simulated inspection. Treat it as real. The discomfort of a mock inspection is vastly preferable to the discomfort of failing a real one.

Regulatory inspections are not designed to catch you out. They are designed to assess whether your compliance programme works in practice, not just on paper. The MLROs who navigate them successfully are the ones who treat every day as preparation, not just the 30 days before the inspector arrives.

If your compliance infrastructure makes it difficult to produce audit trails, track metrics, or demonstrate decision-making rationale, the problem is not the inspection. It is the infrastructure. We built Zenoo to make this part easier. Talk to us if you want to see how. 30 minutes. Your data. No slides.


About the author

Stuart Watkins

CEO & Founder

Stuart founded Zenoo in 2017 after spending 15 years in financial services technology. He leads the company's mission to make compliance faster, smarter, and less painful for regulated businesses worldwide.
