
The Independent QA of Remediation: Why Marking Your Own Homework Fails

Most remediation QA is performed by the team that did the work — or the vendor being paid for throughput. That is a conflict, not a control. Genuine second-line challenge requires structural independence.

Quality assurance is the control institutions are most confident they have and most often do not. Ask whether a remediation programme is being quality-checked and the answer is invariably yes. Ask who is doing the checking, and the answer reveals the problem: the delivery team itself, or the vendor whose payment depends on throughput. That is not quality assurance. It is marking your own homework, and it fails for exactly the reason it sounds like it would.

The conflict at the centre of most QA

The value of QA depends entirely on the independence of the checker. The moment the person assuring the work has a stake in it passing, the assurance is compromised — not because anyone is dishonest, but because incentives bend judgement in ways no one intends.

A first line checking its own files is under pressure to hit completion targets; a marginal file gets waved through because flagging it slows the queue. A delivery vendor assuring its own output is paid for volume; rigorous QA that sends files back reduces the throughput it is being measured on. In both cases the checker is structurally inclined to pass, and over a large programme that inclination compounds into a quietly inflated quality picture. The dashboard says 95% pass; the regulator’s sample says otherwise.

This is why the three-lines-of-defence model exists at all. The first line owns and does the work; the second line challenges it independently; the third provides assurance over the whole. Collapse the second line into the first — let the doers assure themselves — and you have removed the challenge that makes the model a control rather than an org chart.

Completeness is not correctness

Even where QA is performed by a separate team, much of it tests the wrong thing. It checks completeness — were the fields filled in, are the documents attached, is the file closed — because completeness is easy to check at speed. But a complete file is not a correct file.

Genuine second-line QA tests judgement. Was the customer’s risk correctly identified? Was the enhanced due diligence (EDD) sufficient for that level of risk? Was the escalation decision sound? Was the beneficial ownership actually resolved, or merely recorded? These questions require expertise to ask and answer, and they are exactly the questions a regulator will ask of a sampled file. A QA function that confirms files are complete but never tests whether they are right gives false comfort: it certifies that the work looks done without establishing that the risk was addressed.

What independent QA actually involves

Independent QA done properly has a few non-negotiable features.

Structural independence. The QA function sits outside the first line and outside the delivery team — with no stake in throughput. This is what makes the challenge credible to a supervisor, and it is why institutions increasingly bring in an external party for the QA layer over a large programme: independence is easiest to evidence when the assurer has nothing to gain from a pass.

A documented, risk-weighted sampling methodology. Sampling has to be defensible: weighted to risk rather than convenience, with sample sizes and selection logic that withstand scrutiny, and recorded in enough detail (the population sampled from, the per-tier sizes and why, the seed or equivalent used to draw) that a reviewer can reproduce the draw rather than take it on trust. A QA approach that cannot explain why it sampled what it sampled is itself a finding.
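The paragraph above says what a defensible sampling methodology must have but not what one looks like in practice. The following is an added example, not the page's own method nor anything CCL or Cognitive Compliance publishes: a stratified, seeded sample selection in Python that over-samples higher-risk tiers, floors each tier at a minimum, fingerprints the population it was drawn from, and writes a selection record a reviewer can re-derive. The per-tier rates, the minimum-per-tier floor, the constructed file population and the names `FileRecord`, `select_sample` and `reproduce` are all assumptions made for illustration.

```python
"""Risk-weighted, reproducible QA sample selection.

Added example, not from the original page. Sampling rates, the per-tier
floor and the file population below are constructed assumptions.
"""
import hashlib
import random
from collections import Counter
from dataclasses import dataclass

# Assumed per-tier sampling rates, in percent. Higher-risk tiers are sampled
# more heavily. Illustrative values, not a regulatory standard.
SAMPLING_RATES_PCT = {"high": 50, "medium": 20, "low": 5}
MIN_PER_TIER = 3  # floor so a small tier is never left untested


@dataclass(frozen=True)
class FileRecord:
    file_id: str
    risk_tier: str  # "high", "medium" or "low"
    analyst: str


def population_fingerprint(files):
    """SHA-256 over sorted file IDs: ties the sample to the exact population
    it was drawn from. Adding or dropping a file later changes the hash."""
    h = hashlib.sha256()
    for f in sorted(files, key=lambda x: x.file_id):
        h.update(f.file_id.encode("utf-8") + b"\n")
    return h.hexdigest()


def plan_sample(files, rates_pct=SAMPLING_RATES_PCT, minimum=MIN_PER_TIER):
    """Per-tier sample sizes: ceil(n * rate), floored at `minimum`, capped at n.
    Integer arithmetic keeps the plan exactly reproducible."""
    counts = Counter(f.risk_tier for f in files)
    plan = {}
    for tier, n in counts.items():
        target = (n * rates_pct[tier] + 99) // 100  # integer ceiling
        plan[tier] = min(n, max(minimum, target))
    return plan


def select_sample(files, seed, rates_pct=SAMPLING_RATES_PCT, minimum=MIN_PER_TIER):
    """Stratified draw, deterministic for a given seed and population.
    Returns the chosen files and a selection record that documents why
    each tier was sampled at the size it was."""
    plan = plan_sample(files, rates_pct, minimum)
    rng = random.Random(seed)
    chosen = []
    for tier in sorted(plan):  # fixed tier order keeps the draw reproducible
        pool = sorted((f for f in files if f.risk_tier == tier),
                      key=lambda x: x.file_id)
        chosen.extend(rng.sample(pool, plan[tier]))
    record = {
        "seed": seed,
        "population_sha256": population_fingerprint(files),
        "population_by_tier": dict(Counter(f.risk_tier for f in files)),
        "rates_pct": dict(rates_pct),
        "minimum_per_tier": minimum,
        "plan": plan,
        "selected": [f.file_id for f in chosen],
    }
    return chosen, record


def reproduce(files, record):
    """Independent re-derivation: a reviewer holding the population and the
    record must obtain the same sample, or the sampling is not defensible."""
    if population_fingerprint(files) != record["population_sha256"]:
        return False  # population changed since the sample was drawn
    _, again = select_sample(files, record["seed"],
                             record["rates_pct"], record["minimum_per_tier"])
    return again["selected"] == record["selected"]


def constructed_population():
    """Constructed sample data: 8 high-, 20 medium- and 40 low-risk files."""
    files = []
    for i in range(8):
        files.append(FileRecord(f"H-{i:03d}", "high", f"analyst-{i % 3}"))
    for i in range(20):
        files.append(FileRecord(f"M-{i:03d}", "medium", f"analyst-{i % 5}"))
    for i in range(40):
        files.append(FileRecord(f"L-{i:03d}", "low", f"analyst-{i % 7}"))
    return files


if __name__ == "__main__":
    population = constructed_population()
    sample, rec = select_sample(population, seed=20240601)
    print("plan by tier:", rec["plan"])
    print("sampled:", rec["selected"])
    print("reproducible:", reproduce(population, rec))
```

The selection record, not the sample itself, is what makes the methodology defensible: it states the population hash, the rates, the floor and the seed, so a second line or a supervisor can rerun `reproduce` and get the same files. A low-risk tier of 40 files at 5% would yield only two files, so the floor lifts it to three; a high-risk tier is sampled at half its size. The floor and rates are the knobs to justify in the written methodology.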

Testing of decisions, not just forms. As above: the risk rating, the EDD sufficiency, the escalation call. QA challenges the judgement embedded in the file.

A feedback loop into the standard. QA findings are not a scorecard; they are intelligence. Error themes feed back into the file standard and analyst guidance, so the same mistakes stop recurring. QA that only scores, without closing the loop, leaves the root causes in place.

QA over programmes you did not deliver

One of the most valuable applications of independent QA is over a programme delivered by someone else — an internal team or another vendor. Here the independence is at its most useful: the institution gets a conflict-free view of whether the volume being produced actually meets the standard it claims, and the Board and the regulator get assurance that does not rely on the deliverer’s own marking.

This matters especially in blended delivery models, where high-volume execution is performed by delivery partners. The right structure is to separate the delivery from the assurance: the partner executes, an independent function assures. CCL’s delivery model is built on exactly this separation — specialist-led design and independent QA over scaled execution — which is why the independent QA and second-line challenge capability is distinct from the remediation delivery it assures.

Why the regulator cares so much about this

When a supervisor tests a remediation programme, they are really testing whether the institution’s own assurance can be trusted. If the QA was independent, rigorous and decision-focused, the regulator’s sample will broadly confirm what the institution already knew. If the QA was the delivery team marking its own homework, the regulator’s sample will diverge from the dashboard — and that divergence is among the most damaging findings a programme can attract, because it tells the supervisor that the institution did not actually know the state of its own book.

The lesson is simple and uncomfortable. QA you can trust is QA performed by someone with no reason to pass the work. Anything else is a number on a dashboard, and the regulator has learned not to believe it.


Cognitive Compliance provides independent QA and second-line challenge over remediation, onboarding and control frameworks — including programmes delivered by other firms. To add a conflict-free assurance layer, book an advisory call.

