Core advisory
Regulatory Readiness & Audit Defence
Pre-audit gap analysis, control narratives, response packs and stakeholder coaching for FCA, ECB, GFSC or CBN reviews — before the regulator arrives.
The problem
A thematic review, section 166 skilled-person notice or Dear CEO letter does not fail institutions because their controls are absent. It fails them because their controls are undocumented, inconsistently applied, or cannot be explained under challenge. Readiness is won before the regulator walks in.
When a regulator gives notice — a thematic review, a s166 requirement, a Dear CEO letter — the instinct is to start fixing controls. That is the wrong first move. The institutions that come through reviews cleanly are not the ones with flawless frameworks; they are the ones who can evidence and explain the framework they have, and who have closed the genuinely material gaps before the review begins.
Audit defence is, at its core, the discipline of being able to answer three questions under pressure: what is the risk, what control addresses it, and how do you know the control works? CCL builds the documentation, the evidence and the people's readiness to answer all three consistently, from the analyst to the Senior Management Function (SMF) holder.
Readiness is a triage problem
Notice periods are short and the gap list is always longer than the calendar. The differentiator is sequencing by supervisory risk: addressing the issues most likely to drive a finding first, and documenting a credible, owned plan for the rest. A ranked, defensible roadmap is itself part of the defence — regulators respond very differently to an institution that knows exactly where its weaknesses are and has a plan, versus one that is surprised by its own gaps.
The control narrative is the centrepiece
For each key control we build a narrative the regulator can read in isolation and trust: purpose, ownership, operation, testing, and the management information (MI) that proves it runs. Assembled across the framework, these narratives become the response pack, cross-referenced to the regulator's lines of enquiry so nothing has to be hunted for in the room.
Prepare the people, not just the paper
A perfect document set fails if the control owner contradicts it under questioning. We run mock challenge sessions with the Money Laundering Reporting Officer (MLRO), senior managers and control owners so the framework's story is told consistently by the documents and the people. Pair this with independent QA and second-line challenge to stress-test the framework before the regulator does.
The CCL approach
01. Gap analysis against the actual standard
We assess the framework against the specific regulatory expectation in play (FCA SYSC, JMLSG, the relevant thematic findings), not a generic checklist, and rank gaps by supervisory risk.
02. Build the control narrative
Every key control gets a clear, evidenced narrative: what it does, who owns it, how it is tested, and what the MI shows. This is the document the regulator reads first.
03. Assemble the response pack
A structured, cross-referenced evidence pack (policies, procedures, MI, sampling and remediation status) mapped to the regulator's lines of enquiry.
04. Coach the people in the room
We prepare the MLRO, control owners and senior managers to answer with precision and consistency, so the story the documents tell is the story the people tell.
Frequently asked questions
We've had notice of an FCA thematic review. Is 12 weeks enough?
In most cases, yes. We have run focused 12-week readiness sprints covering transaction monitoring calibration, suspicious activity report (SAR) quality standards, MLRO procedures and governance documentation, closing the review with no adverse findings. The key is triaging by supervisory risk immediately rather than attempting to fix everything at once.
What is the difference between this and an internal audit?
Internal audit tells you where you stand. Readiness and audit defence prepares you to withstand external challenge: it builds the control narratives, the evidence pack and the people's ability to defend the framework under questioning. It is adversarial preparation, not assurance.
Do you handle s166 and Dear CEO responses?
Yes. These are the highest-stakes engagements we take. We help scope the skilled-person work, build the response, and ensure the remediation that follows is genuine and evidenced, not a paper exercise that fails the next review.
Which regulators do you cover?
Primarily FCA, with experience across GFSC (Guernsey), ECB-supervised contexts and CBN (Nigeria) frameworks. The methodology is regulator-agnostic; the evidence and narrative are tailored to the specific supervisory expectation.
Related case studies
See it in practice
FCA Thematic Review — Audit Defence & Control Narrative
FCA-Regulated Payments Institution
Notice of an FCA thematic review on transaction monitoring and SAR quality, with no defensible documented framework. A 12-week readiness sprint closed the review with zero adverse findings.
SDD Eligibility Verification via GFSC-Regulated Prescribed Business
Guernsey Finance / Trust Administration
A trust administrator could not evidence its Simplified Due Diligence eligibility claim. CCL verified GFSC Prescribed Business status and built a fully documented rationale with 100% audit trail.
Related insights
Read the thinking
Why KYC Is Broken in Most Banks (And Everyone Pretends Otherwise)
KYC failure is rarely a people problem. It is a design problem — flat effort, drifting standards, and MI that cannot answer the regulator's question. Here is what actually breaks, and how it gets fixed.
The Independent QA of Remediation: Why Marking Your Own Homework Fails
Most remediation QA is performed by the team that did the work — or the vendor being paid for throughput. That is a conflict, not a control. Genuine second-line challenge requires structural independence.
Speak to the practice
Before it becomes a regulatory finding, make it a closed action.
A short, confidential advisory call to pressure-test where your KYC, AML, sanctions or risk-classification framework is exposed — and what a defensible fix looks like.