The most common finding in CSP regulatory examinations is not a single catastrophic failure — it is a cluster of smaller deficiencies that, taken together, indicate that the firm's compliance infrastructure is not keeping pace with its business or with evolving regulatory expectations. Isolated issues can be explained and remediated; systematic gaps in programme design or implementation suggest a culture or resource problem that regulators treat more seriously.
This checklist is designed for corporate service provider (CSP) compliance officers and senior management to use as a structured self-assessment tool, whether in preparation for an anticipated regulatory examination, as part of an annual compliance review, or when onboarding new personnel who need to understand the firm's compliance obligations. It covers the key areas that regulators across the major CSP jurisdictions consistently examine. It is not a substitute for jurisdiction-specific legal advice or for the firm's own compliance programme documentation.
1. AML/CFT Programme Foundations
The compliance programme foundation is the area regulators assess first. It establishes whether the firm has the structural prerequisites for compliant operation.
- Written AML/CFT policies and procedures: Are they current (reviewed within the last 12 months or following a material regulatory change)? Do they cover all the services the firm provides? Are they accessible to all relevant staff?
- MLRO appointment: Is the MLRO (and deputy where required) properly appointed, with a documented appointment and evidence of the board's or senior management's approval? Is the MLRO suitably qualified and experienced for the role?
- Business-wide risk assessment: Is there a current (within 12 months) written business-wide risk assessment covering the firm's client base, jurisdictions, services, delivery channels, and identified vulnerabilities? Does it inform the firm's CDD standards and resource allocation?
- AML/CFT training: Is there a training programme covering all relevant staff, with records of completion? Is training role-specific (different content for front-line onboarding staff vs. operations vs. board)? Has training been delivered within the last 12 months?
- SAR procedures: Are there documented procedures for staff to report suspicions internally, for the MLRO to review and determine whether to file an external SAR, and for managing tipping-off risk during SAR investigations?
2. Customer Due Diligence Standards
CDD is the area where examination deficiencies most frequently cluster. The volume of files to review, the variability of documentation across different client types, and the challenge of maintaining current information across a large portfolio create structural risk.
- Onboarding CDD completeness: Sample 20-30 client files (across risk categories) and assess whether identification, verification, UBO documentation, and risk assessment are complete and documented to the current standard. Any file where CDD was completed more than 3 years ago and has not been refreshed should be assessed against the applicable refresh policy.
- Beneficial ownership documentation: For corporate clients, is beneficial ownership identified and verified to the applicable threshold? For trust clients, are settlor, trustee, protector, and beneficiary CDD requirements met? Is UBO documentation current?
- Source of wealth documentation: For high-risk clients and significant transactions, is source of wealth documented with supporting evidence (not just client-declared assertions)?
- PEP identification and EDD: Are there documented processes for identifying PEPs at onboarding and through ongoing monitoring? Are PEP files subject to EDD, documented with senior management approval?
- Ongoing monitoring and refresh: Is there a documented refresh cycle by risk tier? Is there a systematic process to identify files where refresh is due and to track completion?
"The test that regulators apply is not 'did you collect a passport and a utility bill?' — it is 'can you demonstrate that you understand who this client is, where their wealth came from, and why they need this particular structure?' That is a much higher bar, and it requires narrative and analysis in the client file, not just documents."
— Former regulator, now CSP compliance consultant
3. Entity Administration and Statutory Compliance
Beyond AML, regulators examine whether CSPs are meeting their entity administration obligations — the core of the service they are licensed to provide.
4. Governance and Senior Management Obligations
Regulators assess whether senior management is genuinely engaged in compliance oversight — not whether the MLRO produces good reports, but whether the board and senior management read them, ask questions, and take appropriate action.
- Board/senior management compliance reporting: Is there a regular (at least quarterly) compliance report from the MLRO to the board or senior management? Are those reports documented with evidence that they were received, discussed, and any actions tracked?
- Key person fit and proper: Are all key persons (directors, MLRO, senior managers in regulated roles) properly approved by the regulator where required? Are there documented processes for notifying the regulator of changes to key persons?
- Conflicts of interest: Is there a documented conflicts of interest policy? Are conflicts identified and managed — including where the firm provides director services and those directors may face conflicts between their duties to the entity and the interests of other parties?
- Complaints handling: Is there a documented complaints procedure? Are complaints recorded and tracked? Are complaint trends reported to senior management?
5. Technology and Data Controls
Technology controls are an increasing focus of regulatory examinations across CSP jurisdictions, reflecting the growing dependence of CSP operations on technology systems and the risks associated with data security failures.
- Screening systems: Is sanctions screening conducted against all relevant lists (OFAC, UN, EU, HMT, and jurisdiction-specific lists) for all clients at onboarding and again on an ongoing basis, either continuously or on a defined cycle, so that list updates are applied to the existing client book? Is there a documented false positive management process, with each discounted hit recorded together with the reviewer, the reason and the date, so that the same decision is not silently repeated when the list entry changes?
- Data security: Is client and entity data held securely, with access controls granted on a least-privilege basis, encryption at rest and in transit, and audit logs that record who accessed or changed client records? Is there a data breach response procedure? Has it been tested, for example through a tabletop exercise, rather than only written down?
- Business continuity: Is there a documented business continuity and disaster recovery plan? Has it been tested within the last 12 months? Does it cover the firm's critical technology systems?
- Data retention: Are there documented data retention periods for different document categories? Are records being retained for the required period (typically 5-7 years from the end of the relationship, depending on jurisdiction)?
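The screening and false-positive items above ask whether the control exists and whether its decisions are documented. The following is an added example, not code from the original checklist or from any screening vendor, of the two mechanics behind those questions: fuzzy name matching against a list, and a disposition log that suppresses a reviewed false positive only while the list entry it was reviewed against stays unchanged. The list entries, client names, reviewer and reasons are constructed, and Python's difflib stands in for the Jaro-Winkler or phonetic matcher a production system would use.

```python
"""Sanctions-name screening with a false-positive disposition log.

Added illustration, not the page's own tooling: the list entries, client
names, reviewer and reasons below are constructed, and difflib stands in for
the fuzzy matcher a real screening system would use.
"""
import hashlib
import re
import unicodedata
from dataclasses import dataclass
from difflib import SequenceMatcher

# Constructed list entries (no real sanctions data). Real consolidated lists
# (OFAC SDN, UN, EU, HMT/OFSI) carry aliases in the same way.
SANCTIONS_LIST = [
    {"id": "EX-0001", "names": ["Jonathan Exampleson", "Exampleson, Jon"]},
    {"id": "EX-0002", "names": ["Alpha Beta Holdings Ltd", "Alpha-Beta Holdings"]},
    {"id": "EX-0003", "names": ["Carla Dummyworth"]},
]

# Constructed client book, keyed by client ID, holding the CDD-recorded name.
CLIENTS = {
    "C100": "Jon Exampleson",              # true hit via an alias
    "C200": "Alphabeta Holdings Limited",  # near-miss on a corporate name
    "C300": "Jonathan Sampleton",          # look-alike that should stay clear
    "C400": "Delta Gamma Trust",
}

CORPORATE_SUFFIXES = {"ltd", "limited", "llc", "inc", "plc", "corp", "corporation", "sa"}
THRESHOLD = 0.85  # tuning choice: lower catches more at the cost of more false positives


def normalize(name: str) -> str:
    """Fold accents and case, strip punctuation and corporate suffixes,
    and token-sort so 'Exampleson, Jon' and 'Jon Exampleson' compare equal."""
    folded = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(c for c in folded if not unicodedata.combining(c)).lower()
    tokens = re.sub(r"[^a-z0-9]+", " ", ascii_only).split()
    return " ".join(sorted(t for t in tokens if t not in CORPORATE_SUFFIXES))


def similarity(a: str, b: str) -> float:
    """Similarity of two normalized names in [0, 1]; empty names never match."""
    if not a or not b:
        return 0.0
    return SequenceMatcher(None, a, b).ratio()


def entry_fingerprint(entry: dict) -> str:
    """Hash of the entry's normalized names. A disposition is tied to this, so a
    cleared alert re-opens if the list provider later changes the entry."""
    joined = "|".join(sorted(normalize(n) for n in entry["names"]))
    return hashlib.sha256(joined.encode()).hexdigest()[:16]


@dataclass(frozen=True)
class Hit:
    client_id: str
    entry_id: str
    matched_name: str
    score: float
    fingerprint: str


@dataclass(frozen=True)
class Disposition:
    reviewer: str
    reason: str
    decided_on: str  # ISO date


class DispositionLog:
    """Documented false-positive decisions keyed by client, entry and entry fingerprint."""

    def __init__(self) -> None:
        self._decisions: dict[tuple[str, str, str], Disposition] = {}

    def record_false_positive(self, hit: Hit, reviewer: str, reason: str, decided_on: str) -> None:
        # An undocumented discount is exactly what an examiner will pick up on.
        if not reason.strip():
            raise ValueError("a false-positive disposition needs a documented reason")
        key = (hit.client_id, hit.entry_id, hit.fingerprint)
        self._decisions[key] = Disposition(reviewer, reason, decided_on)

    def is_cleared(self, hit: Hit) -> bool:
        return (hit.client_id, hit.entry_id, hit.fingerprint) in self._decisions


def screen(clients: dict, sanctions_list: list, log: DispositionLog,
           threshold: float = THRESHOLD) -> tuple[list[Hit], list[Hit]]:
    """Return (open alerts, suppressed hits): one hit per client/entry pair at its
    best-scoring name, suppressed only if a disposition covers that entry version."""
    open_alerts, suppressed = [], []
    for client_id, client_name in clients.items():
        norm_client = normalize(client_name)
        for entry in sanctions_list:
            score, name = max((similarity(norm_client, normalize(n)), n) for n in entry["names"])
            if score < threshold:
                continue
            hit = Hit(client_id, entry["id"], name, round(score, 3), entry_fingerprint(entry))
            (suppressed if log.is_cleared(hit) else open_alerts).append(hit)
    return open_alerts, suppressed


if __name__ == "__main__":
    log = DispositionLog()
    first, _ = screen(CLIENTS, SANCTIONS_LIST, log)
    print("initial alerts:", [(h.client_id, h.entry_id, h.score) for h in first])
    c200 = next(h for h in first if h.client_id == "C200")
    log.record_false_positive(c200, "mlro", "Different UBOs and incorporation date; see file note", "2024-02-01")
    rerun, cleared = screen(CLIENTS, SANCTIONS_LIST, log)
    print("after disposition:", [h.client_id for h in rerun], "suppressed:", [h.client_id for h in cleared])
```

Two design points carry over to any real system: a false-positive decision is stored against a fingerprint of the list entry rather than the entry ID alone, so an amended alias re-opens the alert instead of inheriting an old clearance, and a clearance without a reason is refused outright, since the audit trail is the evidence the examiner asks for.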
6. Inspection Readiness
Inspection readiness is not about coaching staff to give the right answers — it is about having the documentation and systems that make a good answer demonstrable. Regulators are sophisticated; they know when they are seeing performance rather than practice.
Key inspection preparation steps:
- Pre-examination file review: Conduct a file review to identify and remediate obvious gaps before the examiner does.
- Records organised and retrievable: Ensure MLRO reports, board minutes, training records, and compliance monitoring records are organised and can be produced promptly on request.
- Senior management briefing: Brief senior management on their expected role in the examination, including availability, engagement with examiner questions, and willingness to discuss compliance challenges honestly.
- Document request protocol: Ensure the compliance team has a clear point of contact and a protocol for logging, tracking, and responding to document requests during the examination.