What regulators really look for in compliance systems

There is a particular type of corporate optimism that surfaces whenever a regulator announces an inspection.

Executives who normally can’t agree on the location of the biscuit tin suddenly achieve perfect consensus: the compliance programme is, they insist, absolutely world-class. The documentation is thorough. The training is comprehensive. The culture is impeccable. It is, in short, fine.

Regulators have heard this before. They have, in fact, heard it so many times that they’ve developed a rather sophisticated set of instincts for distinguishing organisations that genuinely mean it from those who have simply had a productive long weekend with a document editor.

This article sets out — with perhaps more frankness than is customary — what regulators actually look for when they arrive at your door. Not what your compliance consultant told you they look for. Not what the framework guidance suggests they should look for. What they actually look for.

A compliance programme that exists only on paper is, technically, a very expensive form of fiction.

Evidence of Life

The first and most fundamental question a regulator asks is deceptively simple: does this compliance programme actually exist in practice, or has someone merely described the compliance programme they wished they had?

Policies and procedures are easy to produce. Any reasonably competent person with access to a printer and a willingness to use the word ‘robust’ seventeen times per page can generate an impressively thick compliance manual over a bank holiday weekend. This, regulators have noticed, is precisely what some organisations do.

What they look for instead is evidence of operationalisation — the slightly ungainly term for ‘things actually happening’. This includes:

  • Meeting minutes that reflect genuine discussion of compliance risks, rather than the traditional corporate exercise of rubber-stamping whatever was decided before the meeting.
  • Escalation logs showing that concerns were raised through proper channels and that someone, somewhere, actually did something about them.
  • Training completion records that suggest employees received training, rather than records suggesting someone pressed ‘complete’ on behalf of their entire department on a Friday afternoon.
  • Evidence of policy reviews that go beyond updating the date in the header.

The absence of any documented failures is, counterintuitively, itself a red flag. An organisation with no compliance breaches, no near-misses, and no uncomfortable conversations is either extraordinarily lucky or — and regulators tend to suspect this — not looking very hard.

The Tone at the Top (And Whether It Actually Reached the Middle)

Much has been written about ‘tone at the top’. The Chief Executive is photographed at the compliance conference. The Chair signs off on the annual ethics statement. The Board minutes note that compliance was discussed with ‘appropriate rigour’. Everyone agrees, in public, that doing the right thing is rather important.

This is all well and good. Regulators are, however, considerably more interested in what might be called ‘tone in the middle’ — the behaviour of line managers, team leaders, and the sort of people who actually decide whether compliance guidance is followed on a Tuesday morning when everyone is slightly too busy.

Tone at the top means very little if it evaporates somewhere around the third floor.

Indicators that tone has successfully penetrated beyond the executive floor include:

  • Middle managers who can articulate compliance expectations without consulting a laminated card.
  • Performance management processes that do not, in practice, reward those who hit their numbers by cutting compliance corners.
  • A speak-up culture that extends beyond the theoretical — meaning people have actually spoken up, and something constructive happened as a result.
  • Evidence that compliance considerations feature in business decisions before they are made, rather than as a post-hoc exercise in rationalisation.

An organisation where senior leaders give beautifully articulate answers about compliance culture whilst the operational staff below them have never heard of the relevant policy is not, in the regulatory view, a well-run compliance programme. It is a well-rehearsed executive team.

Risk Assessment: The Genuine Article

Every organisation of any size has a risk assessment. This is not especially impressive. What is impressive — and considerably rarer — is a risk assessment that bears any meaningful relationship to the actual risks the organisation faces.

Regulators have developed a keen eye for the generic risk assessment: the document that lists every conceivable risk category, assigns each a medium rating, and concludes that controls are adequate. It is thorough, internally consistent, and almost entirely useless as a management tool.

A credible risk assessment demonstrates:

  • Genuine prioritisation — some risks are genuinely higher than others, and the document should reflect this uncomfortable fact rather than treating bribery and stationery theft with equivalent levels of concern.
  • Clear ownership — someone specific is responsible for each material risk, and that person is aware of this responsibility.
  • Regular refresh — the assessment has been updated in response to actual changes in the business, the regulatory environment, or the risk landscape, rather than simply being re-approved annually with minor cosmetic changes.
  • Honest acknowledgement of control gaps — a risk assessment with no gaps is not a rigorous risk assessment. It is wishful thinking formatted as a spreadsheet.

Due Diligence: Going Through the Motions vs. Actually Looking

Third-party due diligence occupies a curious position in many compliance programmes. Organisations invest considerable resources in elaborate due diligence frameworks, detailed questionnaires, and multi-stage approval processes. They then proceed to approve approximately everyone who completes the paperwork, regardless of what the paperwork says.

Regulators are not unfamiliar with this phenomenon. They tend to look for evidence that due diligence outputs actually influence decisions — that enhanced due diligence triggers enhanced scrutiny, that red flags result in follow-up enquiries, and that the occasional relationship is declined or exited on compliance grounds.

A due diligence process that has never resulted in a declined relationship is, statistically speaking, probably not working.

Similarly, periodic reviews of existing relationships should ideally reflect current risk profiles rather than simply confirming that the original due diligence file still exists. The world changes. Business relationships evolve. Regulators are mildly interested in whether anyone noticed.

Monitoring, Testing, and the Willingness to Find Things

Compliance monitoring exists, in principle, to identify weaknesses in the control environment so that they can be addressed. In practice, it sometimes exists to confirm that everything is fine — a subtle but significant distinction.

Regulators look for monitoring programmes that are genuinely designed to find problems. This means:

  • Testing that is sufficiently deep and targeted to identify real issues, rather than sufficiently superficial to guarantee clean results.
  • Findings that are reported honestly, including upwards to the Board and relevant committees.
  • Remediation that is tracked to completion, with evidence that the root cause was addressed rather than simply the symptom.
  • A willingness to commission deeper investigations when monitoring suggests something may be amiss — as opposed to an institutional tendency to consider the initial finding ‘isolated’.

An organisation that has been monitoring its compliance controls for several years without ever identifying a significant finding is, once again, either extremely fortunate or measuring the wrong things. Regulators tend to lean toward the latter hypothesis.

The Response to Failure

Every organisation fails, occasionally, to meet its compliance obligations. Regulators understand this. What they are considerably less understanding about is an organisation that responds to failure by minimising, delaying, or — the classic move — commissioning a review whose conclusions somehow align with whatever the organisation wanted to hear.

The response to compliance failures is, in many respects, the most revealing indicator of genuine compliance culture. Organisations with strong programmes tend to:

  • Identify failures promptly, rather than allowing them to compound over months or years before someone notices.
  • Conduct root cause analysis that goes beyond ‘the individual concerned made a mistake’ and examines whether systemic factors contributed.
  • Implement remediation that is proportionate and sustainable, rather than producing an impressive action plan that is quietly abandoned after the inspection concludes.
  • Self-report to regulators where appropriate, without needing to be discovered first.

That final point bears some emphasis. Regulators treat voluntary disclosure of failures very differently from failures that come to light through external investigation. The difference in outcome can be quite material. This is, one might suggest, a rather strong incentive for the genuinely committed compliance professional.

Independence and Resources

The compliance function cannot effectively oversee the business if it is structurally subordinate to the business, resourced at the level of a minor irritant, or led by someone whose primary qualification is their unavailability for more senior roles.

Regulators assess whether the compliance function has:

  • Genuine independence — including reporting lines that allow concerns to be escalated without passing through the very people being scrutinised.
  • Adequate resources — sufficient staff, budget, and access to systems to perform their functions meaningfully, rather than performing a creditable impression of performing their functions.
  • Appropriate seniority and access — the Chief Compliance Officer should be able to access the Chief Executive and the Board directly, and should not require prior written application.
  • A voice in material decisions — compliance input that arrives after the commercial decision has been made is, technically, better than no compliance input, but only marginally.

A compliance function that cannot say no to the business is, functionally, a very politely worded rubber stamp.

Culture: The Part That Cannot Be Faked Indefinitely

Compliance culture is, admittedly, difficult to define and harder still to measure. It is also — and this is the part that keeps compliance professionals modestly employed — the thing that determines whether everything else works.

An organisation can have impeccable documentation, well-funded technology systems, and a compliance team of conspicuous intelligence and good intentions. If the prevailing culture treats compliance as a constraint to be managed rather than a standard to be upheld, the programme will underperform. Possibly quite dramatically.

Regulators probe culture through a variety of mechanisms: interviews with staff at multiple levels, review of internal communications (where available), examination of how actual decisions were made in practice, and the general conversational tenor of their engagement with the organisation. Experienced examiners develop a reasonable sense, over a fairly short period, of whether they are speaking with people who genuinely believe in what they are saying.

This is not, it should be said, infallible. Some organisations are very good at presenting a coherent cultural narrative. But sustained inconsistency between the narrative and the evidence tends, over the course of an examination, to become apparent.

Wrap up

The organisations that fare best in regulatory examinations are not necessarily those with the most elaborate compliance programmes. They are those whose compliance programmes reflect genuine commitment — where the documentation describes real processes, where the training changes real behaviours, where the risk assessments acknowledge real risks, and where failures are met with honest enquiry rather than defensive manoeuvring.

This is, in principle, not particularly complicated. In practice, it requires sustained organisational will, appropriate resources, and a leadership team that views compliance as something other than an overhead to be minimised.

The good news is that getting this right is both achievable and, in the long run, considerably less expensive than the alternative.

After all, a regulator’s second visit is rarely more pleasant than the first — and they do tend to remember who wasted their time.