Case study
FCA Thematic Review — Audit Defence & Control Narrative
Situation
The institution received notice of an FCA thematic review focused on transaction-monitoring effectiveness and SAR quality — and had no documented, defensible control framework to put in front of the regulator.
Risk exposure
Without documented control narratives, calibration evidence or governance records, an otherwise functioning team risked an adverse finding simply because it could not evidence or explain the controls it operated.
Before & after — the numbers
A thematic review does not fail institutions for having weak controls so much as for being unable to evidence and explain the controls they have. This FCA-regulated payments institution was a textbook case: a competent first line and a diligent MLRO, but no documented, defensible framework — no control narratives, no calibration evidence, no governance trail — to put in front of a regulator examining transaction-monitoring effectiveness and SAR quality.
With notice given and the clock running, the risk was an adverse finding earned not through bad controls but through silent ones.
Triage by supervisory risk
Notice periods are short and the gap list is always longer than the calendar. CCL sequenced the work by supervisory risk: the transaction-monitoring and SAR-quality issues most likely to drive a finding were addressed first, with a credible, owned plan documented for the remainder. A ranked, honest roadmap is itself part of the defence — regulators respond very differently to an institution that knows exactly where it stands.
Twelve weeks, end to end
The readiness sprint ran for 12 weeks and covered the full scope of the review:
- Transaction-monitoring calibration — documenting how rules and thresholds were set against the institution’s risk profile, and the rationale behind them.
- SAR quality standards — rebuilding the standard from alert triage to disclosure narrative, so SARs were timely, complete and defensible.
- MLRO procedures — documenting escalation pathways and decision-making so the process held up under questioning.
- Governance documentation — assembling the control narratives and evidence into a response pack mapped to the regulator’s likely lines of enquiry.
We also prepared the people: mock challenge sessions ensured the story the documents told was the story the MLRO and control owners told in the room.
The outcome
The thematic review closed with zero adverse findings. The controls had largely been there; what the institution had lacked was the ability to evidence and defend them — and that is exactly what a regulatory readiness and audit-defence engagement builds. Where the underlying monitoring needed deeper tuning, the path led naturally into transaction-monitoring optimisation.
Regulator-facing outputs
- Documented transaction-monitoring calibration and rationale
- SAR quality standards and templates
- MLRO procedures and escalation documentation
- Governance pack and regulator response narrative
Capabilities involved
The services behind this work
Regulatory Readiness & Audit Defence
Pre-audit gap analysis, control narratives, response packs and stakeholder coaching for FCA, ECB, GFSC or CBN reviews — before the regulator arrives.
Transaction Monitoring & Model Optimisation
Tuning and optimisation of transaction-monitoring rules, thresholds and models — cutting false positives while closing genuine detection gaps, with documented rationale.
Speak to the practice
Before it becomes a regulatory finding, make it a closed action.
A short, confidential advisory call to pressure-test where your KYC, AML, sanctions or risk-classification framework is exposed — and what a defensible fix looks like.