Aaron Bedra (updated annually, publicly available) While addressed to CTO practitioners, this checklist provides a useful framework for the technical due diligence questions that compliance teams should ask of SaaS vendors, covering data security architecture, incident response, and sub-processor ma → Chapter 36: Further Reading — Vendor Selection, Due Diligence, and Implementation Management
For each of the three system types (KYC verification, credit decisioning, fraud monitoring), specify: (i) which fairness metrics are most appropriate and why; (ii) the trigger thresholds you would set; and (iii) the frequency of assessment. → Exercises — Chapter 29: Algorithmic Fairness and Bias in Compliance Systems
(b) Reporting Obligations
Specify VantageDecision's reporting obligations, including: frequency; the demographic attributes for which disaggregated performance must be reported; the specific metrics that must be included; and the format in which data must be delivered. → Exercises — Chapter 29: Algorithmic Fairness and Bias in Compliance Systems
Specify Meridian's rights in the event of: (i) a four-fifths violation that persists for more than 12 months; (ii) VantageDecision's failure to provide required disaggregated reporting on time; (iii) discovery that VantageDecision provided materially inaccurate disaggregated performance data. → Exercises — Chapter 29: Algorithmic Fairness and Bias in Compliance Systems
SR 11-7's three pillars are conceptual soundness, ongoing monitoring, and outcomes analysis. The other options include elements of good governance but do not represent SR 11-7's three-pillar framework. → Chapter 26: Quiz — Explainable AI (XAI) and Model Governance
Legal owner: the person or entity whose name appears on the share register or title - Beneficial owner: the natural person who ultimately enjoys the economic benefit and/or exercises control - Nominee shareholders hold legal title on behalf of beneficial owners — creating a structural gap that compl → Key Takeaways
1. Multiple Regimes, Multiple Lists
OFAC (US): SDN List, Consolidated Sanctions List, FSE List, SSI List - OFSI/HM Treasury (UK): UK Consolidated List — independent from EU post-Brexit - EU: Consolidated Financial Sanctions List - UN Security Council: Multilateral regimes (DPRK, Al-Qaida, Taliban) implemented through domestic law - Ex → Key Takeaways
1. Risk Rating Drives Proportionality
Low risk → standard CDD; longer review cycles (24–36 months); standard transaction monitoring thresholds - High risk → Enhanced Due Diligence (EDD); shorter review cycles (6 months); tighter transaction monitoring - The regulatory principle: KYC measures must be proportionate to the money laundering → Key Takeaways
1. The Basel Definition and Capital Framework
Operational risk = loss from inadequate/failed internal processes, people, systems, OR external events - Excludes strategic risk and reputational risk (though these often result from operational events) - Basel IV / SMA: Business Indicator × loss multipliers derived from historical loss data - Repla → Key Takeaways
1. The Legal Filing Standard
US: "knows, suspects, or has reason to suspect" — a relatively low bar; covers objective indicators of suspicion, not just subjective certainty - UK: "knows or suspects" — POCA 2002; personal liability for individuals who know or suspect and fail to report - EU: "knows, suspects or has reasonable gr → Key Takeaways
Shadow models are models that are in production and influencing decisions but have never been registered in the firm's model inventory. They cannot be subject to validation, monitoring, or review if the governance function does not know they exist. → Chapter 26: Quiz — Explainable AI (XAI) and Model Governance
11. B
Counterfactual explanations are actionable: they tell the applicant what would need to change (lower debt-to-income ratio, longer account age) for the outcome to be different. SHAP waterfall plots tell the applicant what features drove the decision, which is informative but not necessarily actionabl → Chapter 26: Quiz — Explainable AI (XAI) and Model Governance
11. C
FCA notification prior to completion is required for material outsourcing of a critical or important function. Not all cloud migrations are material — a collaboration tool migration is not — but core compliance systems (AML, sanctions, regulatory reporting) typically qualify. → Chapter 27: Quiz — Cloud Compliance: Regulatory Requirements for Cloud Adoption
12. B
Independence under SR 11-7 means genuine organizational separation from the development team — separate reporting lines, no shared project accountability, and professional obligation to find problems rather than to approve. External consultancy is not required; internal teams with genuine independen → Chapter 26: Quiz — Explainable AI (XAI) and Model Governance
12. C
Counterfactual fairness asks whether a specific individual would have received a different decision if their protected characteristic had been different, with all other characteristics held constant. It is the closest algorithmic analogue to the legal concept of direct discrimination. → Quiz — Chapter 29: Algorithmic Fairness and Bias in Compliance Systems
13. B
A PDP showing that predicted approval probability falls as income rises above a threshold is anomalous and inconsistent with basic credit economics. This should be flagged as a potential spurious correlation learned from training data — perhaps income correlates with some other variable in the train → Chapter 26: Quiz — Explainable AI (XAI) and Model Governance
13. C
The FCA and other financial regulators do not transfer regulatory responsibility to vendors. The financial firm bears full responsibility for the customer outcomes produced by any system it deploys, regardless of whether the system was developed by a third party. The firm cannot rely on vendor valid → Quiz — Chapter 29: Algorithmic Fairness and Bias in Compliance Systems
14. B
Under PaaS, AWS manages the runtime and underlying infrastructure. The firm retains responsibility for its application code (including any security vulnerabilities in the Lambda function), the data it processes, access controls, IAM configurations, and environment configuration. "Writing the code" m → Chapter 27: Quiz — Cloud Compliance: Regulatory Requirements for Cloud Adoption
14. C
The EU AI Act requires human oversight measures but explicitly does not require replacement of human decision-makers. Indeed, the human oversight requirement is designed to ensure that AI supports rather than supplants human judgment in high-risk contexts. All other options accurately describe EU AI → Chapter 26: Quiz — Explainable AI (XAI) and Model Governance
162.8 ≈ 163 alerts closed at triage
Escalated for full investigation: 185 × 12% = **22.2 ≈ 22 full investigations per week** - SAR decisions required: 22 reviews per week (all escalated cases reach the SAR decision stage) - SARs filed per week: 18 SARs/month ÷ 4.33 weeks/month = **4.16 SARs per week** → Answers to Selected Exercises
1d assessment notes:
ORD-0341: 13.2 bps arrival slippage. Within the ±15 bps tolerance band — no exception. - ORD-0342: For a sell order, the client wants as high a price as possible; executing below the arrival mid is a cost. The sign inversion reflects that a lower execution price vs. mid is adverse for the seller, ju → Chapter 18 Exercises: MiFID II, MiFIR, and Best Execution Compliance
2. C
PSI above 0.25 is a critical breach requiring immediate action: suspension from high-stakes decisions and initiation of a retraining investigation. There is no acceptable practice of simply adjusting the decision threshold to compensate for population drift; a shifted input distribution means the model's learned relationships may no longer ap → Chapter 26: Quiz — Explainable AI (XAI) and Model Governance
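The drift check behind this answer, as an added worked example (not code from the textbook): PSI is computed on bins taken from the development sample's deciles, and the two bands below the page's 0.25 critical line (0.10 as the "monitor" boundary) are the common industry convention, assumed here rather than stated by the page. The empty-bin floor `eps` is an assumption too; it matters because a bin that has gone completely empty is exactly the kind of drift PSI exists to catch, and it must not be skipped or allowed to produce ln(0). The three score samples are constructed.

```python
import math
from bisect import bisect_right

# Thresholds: the page sets > 0.25 as critical; the 0.10 "monitor" boundary below it
# is the usual industry convention and an assumption here, not something the page states.
PSI_MONITOR, PSI_CRITICAL = 0.10, 0.25


def quantile_edges(expected, bins=10):
    """Interior bin edges taken from the development (expected) sample's quantiles,
    so each bin holds roughly 1/bins of the development population."""
    s = sorted(expected)
    n = len(s)
    return [s[int(k * n / bins)] for k in range(1, bins)]


def bin_proportions(values, edges):
    counts = [0] * (len(edges) + 1)
    for v in values:
        counts[bisect_right(edges, v)] += 1
    n = len(values)
    return [c / n for c in counts]


def psi(expected, actual, bins=10, eps=1e-4):
    """Population Stability Index between a development sample and a production sample.
    Bins with zero mass are floored at eps (assumed value): without the floor ln(0)
    blows up, and silently dropping the bin would hide the very drift we are measuring."""
    edges = quantile_edges(expected, bins)
    e = bin_proportions(expected, edges)
    a = bin_proportions(actual, edges)
    total = 0.0
    for ei, ai in zip(e, a):
        ei, ai = max(ei, eps), max(ai, eps)
        total += (ai - ei) * math.log(ai / ei)
    return total


def classify(value):
    if value > PSI_CRITICAL:
        return "critical"   # suspend from high-stakes use, open a retraining investigation
    if value > PSI_MONITOR:
        return "monitor"
    return "stable"


# Constructed data: 1,000 evenly spaced development scores in [0, 1), a production sample
# with a small upward shift, and one where every score has moved up by 0.15.
EXPECTED = [i / 1000 for i in range(1000)]
MILD_SHIFT = [min(x + 0.02, 0.999) for x in EXPECTED]
LARGE_SHIFT = [min(x + 0.15, 0.999) for x in EXPECTED]


def drift_report():
    """PSI value and verdict for each constructed production sample."""
    report = {}
    for name, sample in [("dev vs dev", EXPECTED), ("mild", MILD_SHIFT), ("large", LARGE_SHIFT)]:
        value = psi(EXPECTED, sample)
        report[name] = (round(value, 4), classify(value))
    return report


if __name__ == "__main__":
    for name, (value, verdict) in drift_report().items():
        print(f"{name:12s} PSI={value:.4f} -> {verdict}")
```

The large shift empties the lowest decile entirely; the floored term for that bin alone contributes more than the whole 0.25 budget, which is the numerical reason a threshold tweak cannot "fix" the model: the population the model sees no longer resembles the one it was fitted on.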
2. Rules-Based Systems: Transparent but Limited
A scenario is a combination of rules defining a suspicious pattern: conditions applied to transaction data that, when met, generate an alert - Rules are transparent, auditable, and directly linked to regulatory typologies — valuable for regulatory examination - The tuning challenge is fundamental: e → Key Takeaways
US CDD Rule, EU AMLD5, UK MLRs: **25% ownership** threshold for identifying BO by equity stake - Second prong: any individual with significant **managerial control** regardless of ownership % - OFAC 50% Rule: entities **50%+ owned** by sanctioned persons are sanctioned — creating a separate sanction → Key Takeaways
2. The Three-Factor Framework
**Customer factors**: entity type, PEP status, adverse media, industry/occupation - **Geographic factors**: country of domicile, countries of operations, counterparty jurisdictions - **Product/service factors**: products and services used, transaction volume/value profile, account complexity - Overa → Key Takeaways
2. The Tipping-Off Prohibition
Institutions that file a SAR are prohibited from disclosing the SAR's existence to the subject - This prohibition is absolute — not disclosure to the subject, not hints that a SAR was filed - Even exiting a relationship immediately after filing (if obvious it's SAR-related) can constitute tipping of → Key Takeaways
27% of total lending
a concentration significantly above the UK banking sector average of approximately 15%. The PRA's analysis indicated that Cornerstone's CRE portfolio was skewed toward secondary office and retail assets — sectors that had already seen structural demand shifts (remote working, online retail) that mad → Case Study 16.1: Cornerstone's ICAAP Under Scrutiny — The PRA's Deep Dive
3. B
Article 22 of the GDPR creates the right not to be subject to solely automated decisions with legal or similarly significant effects, and the right to obtain human intervention and to challenge the decision. It does not prohibit automated decisions but requires that meaningful explanations be availa → Chapter 26: Quiz — Explainable AI (XAI) and Model Governance
3. C
Article 30 does not require that the cloud provider maintain ISO 27001 certification. ISO 27001 is a common due diligence assessment criterion but is not mandated as a contractual provision. The required provisions include audit rights, exit assistance, sub-outsourcing notification, and incident not → Chapter 27: Quiz — Cloud Compliance: Regulatory Requirements for Cloud Adoption
3. Corporate Opacity Mechanisms
Nominee shareholders: legal title holder obscures actual owner - Bearer shares: largely eliminated by FATF pressure but legacy structures persist - Trust structures: separate legal ownership (trustees) from economic benefit (beneficiaries) - Layered corporate structures: multiple companies in multip → Key Takeaways
3. DORA: The EU Technology Risk Standard
Five pillars: ICT risk management, ICT incident reporting, resilience testing, third-party risk, information sharing - Effective January 17, 2025 — the most comprehensive regulatory technology risk framework to date - Applies to financial institutions AND critical ICT third-party providers - Materia → Key Takeaways
3. Name Matching Is the Core Technical Challenge
Exact matching: appropriate for document IDs; insufficient for names - Levenshtein/edit distance: good for typos; poor for transliterations - Phonetic (Soundex, Metaphone): good for English phonetics; limited for non-Latin names - ML-based matching: can learn language-specific similarity patterns wi → Key Takeaways
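To make the trade-offs in this list concrete, here is an added example (not the textbook's code) that screens a candidate name against a constructed, fictitious watchlist with the three comparison methods the page contrasts, in cheapest-first order: exact match on a normalised, order-independent key; Levenshtein distance; and American Soundex. The `max_edit` tolerance of 1 and the choice of token-sorted keys are assumptions.

```python
import unicodedata


def normalize(name):
    """Casefold, strip diacritics (NFKD), and treat every non-letter as a separator,
    so 'Al-Rashid' and 'AL RASHID' both become 'al rashid'."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    spaced = "".join(ch if ch.isalpha() else " " for ch in stripped.casefold())
    return " ".join(spaced.split())


def name_key(name):
    """Order-independent key: 'Al Rashid, Mohammed' and 'Mohammed Al-Rashid' agree."""
    return " ".join(sorted(normalize(name).split()))


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute cost 1), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


_SOUNDEX = {c: d for d, letters in (("1", "bfpv"), ("2", "cgjkqsxz"), ("3", "dt"),
                                     ("4", "l"), ("5", "mn"), ("6", "r")) for c in letters}


def soundex(token):
    """American Soundex. Adjacent letters with the same code are coded once, also when
    separated by h/w; a vowel between them separates them. Only meaningful for
    Latin-script tokens: a Cyrillic or Arabic token gets no digits at all."""
    t = "".join(ch for ch in token.casefold() if ch.isalpha())
    if not t:
        return ""
    out, last = t[0].upper(), _SOUNDEX.get(t[0], "")
    for ch in t[1:]:
        if ch in "hw":
            continue
        code = _SOUNDEX.get(ch, "")
        if code and code != last:
            out += code
        last = code
    return (out + "000")[:4]


def phonetic_key(name):
    return " ".join(sorted(soundex(tok) for tok in normalize(name).split()))


def screen(candidate, watchlist, max_edit=1):
    """Return (entry, method) for each watchlist entry the candidate matches,
    recording the cheapest method that produced the hit."""
    hits = []
    c_key, c_phon = name_key(candidate), phonetic_key(candidate)
    for entry in watchlist:
        e_key = name_key(entry)
        if c_key == e_key:
            hits.append((entry, "exact"))
        elif levenshtein(c_key, e_key) <= max_edit:
            hits.append((entry, "edit_distance"))
        elif c_phon == phonetic_key(entry):
            hits.append((entry, "phonetic"))
    return hits


# Constructed, fictitious watchlist entries.
WATCHLIST = ["Mohammed Al-Rashid", "Sergey Ivanov", "Jean-Pierre Dupont"]

if __name__ == "__main__":
    for cand in ["MUHAMMAD AL RASHID", "Sergei Ivanov", "Dupont, Jean-Pierre", "Jon Smith"]:
        print(f"{cand!r:24} -> {screen(cand, WATCHLIST)}")
```

The Arabic transliteration pair is the instructive case: "Muhammad" is two edits from "Mohammed", so an edit-distance tolerance tight enough to keep false positives down misses it, while both collapse to Soundex M530. The reverse limitation is just as real: Soundex is built for English spelling, so for names that are not Latin-script the phonetic branch contributes nothing and a script-specific or learned similarity is needed.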
3. SAR Quality Is as Important as SAR Volume
The annual global SAR volume has grown to millions — not all are actionable - A high-quality SAR narrative: who (specific identifiers), what (precise transactions/amounts/dates), why suspicious (specific typology indicators), context (how this deviates from declared purpose/history), prior contact - → Key Takeaways
How will you measure the relevant mid-price at the time of cluster placement and at the time of cancellation? - What minimum price movement (in basis points) should be required to confirm Phase 2? Justify this threshold relative to the typical bid-ask spread and normal price volatility for your chos → Chapter 22 Exercises: Trade Surveillance — Spoofing, Layering, and Front-Running Detection
SHAP applies Shapley values from cooperative game theory. Option A describes LIME. Option B describes gradient-based attribution methods. Option D describes counterfactual explanation methods. → Chapter 26: Quiz — Explainable AI (XAI) and Model Governance
4. EDD Elements Beyond Standard CDD
**Source of wealth**: how the customer accumulated their overall wealth — requires corroborated documentation (not just customer declaration) - **Source of funds**: where specific transaction funds originated — bank statements, wire confirmations, completion statements - **Business purpose**: stated → Key Takeaways
4. False Positive Rates Are Systematically High
Common names from populations frequently represented on sanctions lists (e.g., Arabic, Persian, Russian names) generate disproportionate false positive rates - Watchlists contain multiple aliases and transliterations per entry — each is a false positive opportunity - Regulatory pressure toward maxim → Key Takeaways
4. Hybrid Architecture: The Practical Solution
Most sophisticated programs use a layered approach: - Rules-based layer: known typologies, regulatory-required scenarios (structuring, CTR-adjacent patterns) - ML layer: novel patterns, risk scoring, alert prioritization - Priority-weighted queue: highest-risk alerts reviewed first regardless of det → Key Takeaways
4. The context
What do we know about the customer that makes this activity inconsistent? What was their declared business purpose? What does their historical transaction pattern look like compared to the current activity? → Chapter 11: Suspicious Activity Reporting and Case Management
4. The Global Registry Gap
No single global corporate registry exists - Registry quality varies dramatically: UK Companies House (high quality, free, public) vs. BVI Financial Services Commission (beneficial owner data not publicly accessible) - US CTA/BOI regime (2024): significant improvement — FinCEN now collects BO data f → Key Takeaways
4. The ORM Framework Components
**RCSA**: Business units identify and assess risks in their processes; inherent vs. residual risk; control documentation - **Loss data collection**: Internal events database + ORX external data for low-frequency, high-severity risks - **Scenario analysis**: For tail risks not in historical data — ex → Key Takeaways
several variations of the same typology, accumulated over years as new scenarios had been added without retiring old ones - **Alert composition**: reviewing a sample of 80 backlogged alerts, he estimated 3 genuine suspicious activity indicators. The rest were legitimate transactions tripping thresho → Case Study 7.1: From Alert Chaos to Priority Queue — Meridian Capital's AML Transformation
5. B
Regulation B requires specific, meaningful reasons that reflect the actual factors driving the adverse decision. Generic statements are insufficient. The other options describe practices that are not required by Regulation B. → Chapter 26: Quiz — Explainable AI (XAI) and Model Governance
SOF: where did this money come from? (transaction-level) - SOW: how did this customer build their wealth? (customer-level) - Both required for high-risk customers; missing either creates a regulatory gap → Key Takeaways
5. The False Positive Problem Is a Compliance Risk
False positive rates of 90–98% are common in rule-based programs — meaning most analyst time is spent on legitimate transactions - High false positive rates create their own compliance risk: analysts overwhelmed by false positives review each alert less carefully, increasing the probability of missi → Key Takeaways
5. Third-Party Risk Is Now a Primary Risk Category
US: 2023 Interagency Guidance covers the full third-party relationship lifecycle - DORA: Register of all ICT arrangements; contractual requirements; exit strategies - UK: Cloud concentration risk is a specific regulatory concern - Due diligence: financial health, SOC 2, business continuity, sub-cont → Key Takeaways
5.4%
still above the 4.5% regulatory minimum but with a substantially reduced buffer - The Capital Planning Buffer required to ensure CET1 remains above 4.5% throughout the stress horizon, given the more severe loss path, was assessed at **3.3%** rather than the originally submitted **2.1%** - This 1.2 p → Case Study 16.1: Cornerstone's ICAAP Under Scrutiny — The PRA's Deep Dive
CloudWatch logs for an AML system are likely to contain personal data (customer account identifiers, transaction references). Routing those logs to a US region transfers personal data outside the UK without a confirmed legal mechanism under UK GDPR. The primary application data location does not det → Chapter 27: Quiz — Cloud Compliance: Regulatory Requirements for Cloud Adoption
6. C
SHAP is the appropriate choice for regulatory documentation due to its theoretical stability and exact attribution properties. LIME's instability — where different runs can produce different explanations — makes it unsuitable for documents that may be reviewed by regulators or challenged in legal pr → Chapter 26: Quiz — Explainable AI (XAI) and Model Governance
6. Model Risk Management (SR 11-7)
All models require: model inventory entry, conceptual soundness assessment, independent validation, ongoing monitoring - SR 11-7 scope now effectively extends to ML-based compliance systems (transaction monitoring, fraud, KYC) - Model governance: a Model Risk Committee or equivalent with appropriate → Key Takeaways
6. Real-Time vs. Batch Have Different Requirements
Payment screening must be integrated before transaction execution — milliseconds to seconds - SWIFT MT103/MT202 fields (originator, beneficiary, intermediary) must be screened - Customer screening uses periodic batch processing supplemented by designation-triggered re-screening - New OFAC designatio → Key Takeaways
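The field-level screening this point calls for, as an added example rather than the textbook's own code: a parser for the MT text block (block 4) that pulls every party field (50 originator, 52 ordering institution, 56 intermediary, 57 account-with institution, 59 beneficiary) and checks the name lines against a constructed watchlist. The message, BICs, accounts and names are all fictitious, and the match here is deliberately exact-after-normalisation only; fuzzy and phonetic comparison belong to the screening engine, not the parser.

```python
import re

BLOCK4 = re.compile(r"\{4:\s*(.*?)\n-\}", re.S)
TAG_LINE = re.compile(r"^:(\d{2}[A-Z]?):(.*)$")

# Party fields whose names must be screened before the payment is released.
PARTY_TAGS = {"50A", "50F", "50K", "52A", "52D", "56A", "56C", "56D",
              "57A", "57B", "57C", "57D", "59", "59A", "59F"}


def parse_block4(message):
    """Split the text block into tag -> list of lines, attaching continuation lines
    (name and address lines carry no tag of their own) to the preceding tag."""
    m = BLOCK4.search(message)
    if not m:
        raise ValueError("message has no text block (block 4)")
    fields, current = {}, None
    for line in m.group(1).splitlines():
        t = TAG_LINE.match(line)
        if t:
            current = t.group(1)
            fields.setdefault(current, []).append(t.group(2))
        elif current is not None:
            fields[current].append(line)
    return fields


def party_names(fields):
    """Yield (tag, text) for every party-field line that is not a bare account line."""
    for tag in sorted(PARTY_TAGS.intersection(fields)):
        for line in fields[tag]:
            if line.startswith("/"):            # account line, e.g. /DE89...
                continue
            line = re.sub(r"^\d/", "", line)    # option F lines are numbered: "1/NAME"
            if line.strip():
                yield tag, line.strip()


def tokens(text):
    return tuple(sorted(re.findall(r"[a-z]+", text.casefold())))


def screen_message(message, watchlist):
    """(tag, message text, watchlist entry) for each party line whose normalised tokens
    equal a watchlist entry's. Every line is checked, not only the first, because the
    name can legitimately spill onto a second line."""
    listed = {tokens(n): n for n in watchlist}
    hits = []
    for tag, text in party_names(parse_block4(message)):
        entry = listed.get(tokens(text))
        if entry:
            hits.append((tag, text, entry))
    return hits


# Constructed sample MT103; BICs, accounts and names are fictitious.
SAMPLE_MT103 = (
    "{1:F01BANKBEBBAXXX0000000000}{2:I103BANKDEFFXXXXN}{4:\n"
    ":20:REF20240305001\n"
    ":23B:CRED\n"
    ":32A:240305EUR12500,00\n"
    ":50K:/BE71096123456769\n"
    "NORDWIND HANDELS GMBH\n"
    "HAFENSTRASSE 12\n"
    "HAMBURG\n"
    ":56A:INTLGB2LXXX\n"
    ":59:/DE89370400440532013000\n"
    "ACME TRADING LTD\n"
    "12 HIGH STREET\n"
    "LONDON\n"
    ":70:INVOICE 4471\n"
    ":71A:SHA\n"
    "-}"
)
WATCHLIST = ["Acme Trading Ltd", "Zenith Shipping Co"]   # constructed, fictitious

if __name__ == "__main__":
    print(screen_message(SAMPLE_MT103, WATCHLIST))
```

Because the check runs on the parsed party fields rather than on the raw message text, a sanctioned name that straddles an account line or a free-text field 70 is handled on purpose rather than by accident, and the latency budget stays in the milliseconds the page quotes: the parse is linear in message size and the lookup is a dictionary hit.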
6. Trust Structures Are the Hardest Case
Settlor (creates trust), trustees (legal title, management control), beneficiaries (economic benefit), protectors (override powers) — all may be relevant BO - Discretionary trusts: trustees have discretion over distributions — no fixed 25%+ beneficiaries to identify; must identify the class and appl → Key Takeaways
7. AI-Assisted SAR Drafting
Appropriate for: data synthesis (extracting transactions from case data), pattern description, typology matching, template completion - Not appropriate for: the judgment of suspicion itself; legal characterization; novel typology recognition - The model: AI drafts the data-synthesis component; train → Key Takeaways
7. B
The critical deficiency is that the exit strategy has not been tested and the 14-day timeline has not been validated against the firm's RTO. Regulators expect exit strategies to be exercised, not merely documented. Manual data export is not prohibited — but its feasibility and timeline must be demon → Chapter 27: Quiz — Cloud Compliance: Regulatory Requirements for Cloud Adoption
7. C
A credit scoring system determining creditworthiness for retail loan applicants is explicitly listed in Annex III of the EU AI Act as a high-risk AI application. The other options describe systems that do not involve consequential determinations about individuals' access to financial resources. → Chapter 26: Quiz — Explainable AI (XAI) and Model Governance
7. Cybersecurity Risk Has Its Own Reporting Regime
US SEC: Material cyber incidents disclosed on Form 8-K within 4 business days of the materiality determination - DORA: initial notification of a major ICT incident within 4 hours of classifying it as major, and no later than 24 hours from becoming aware of it - UK: FCA notification "as soon as reasonably practicable" - NIST CSF 2.0 (2024): Identify, Protect, Detect, Respond, Recover, Govern — the US refere → Key Takeaways
7. The SAR Filing Obligation Is the Central Output
The entire monitoring system exists to generate qualified referrals for SAR (US) or STR (international) filing - FATF Recommendation 20: countries must ensure financial institutions report suspicious transactions to the FIU - SAR filing is not the end of the process: effective AML programs track SAR → Key Takeaways
8. B
Indirect discrimination under the Equality Act occurs when a neutral provision, criterion, or practice has disproportionate adverse effects on people sharing a protected characteristic. Discriminatory intent is not required. Option A describes direct discrimination. → Quiz — Chapter 29: Algorithmic Fairness and Bias in Compliance Systems
8. C
This is a well-established mathematical result in the algorithmic fairness literature. Demographic parity and equalized odds cannot both hold when base rates differ across groups, which is nearly always the case in real-world applications; the only exceptions are degenerate classifiers (a perfect predictor, or one whose output is independent of the features). The incompatibility is a mathematical constraint, n → Chapter 26: Quiz — Explainable AI (XAI) and Model Governance
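An added example, not the textbook's code, that makes both this quiz answer and the four-fifths trigger in the Chapter 29 contract exercise concrete: the records are constructed so that one classifier satisfies equalized odds exactly (TPR 0.80, FPR 0.10 in both groups) while the groups' base rates differ (40% vs 20%); the selection-rate ratio then falls below 0.8 by arithmetic alone. Group labels, sizes and rates are assumptions chosen for the illustration.

```python
import math
from collections import defaultdict


def rates_by_group(records):
    """records: iterable of (group, y_true, y_pred) with 0/1 labels.
    Returns per-group base rate, selection rate, TPR and FPR."""
    agg = defaultdict(lambda: {"n": 0, "sel": 0, "pos": 0, "tp": 0, "neg": 0, "fp": 0})
    for g, y, yhat in records:
        a = agg[g]
        a["n"] += 1
        a["sel"] += yhat
        if y:
            a["pos"] += 1
            a["tp"] += yhat
        else:
            a["neg"] += 1
            a["fp"] += yhat
    return {g: {"base_rate": a["pos"] / a["n"],
                "selection_rate": a["sel"] / a["n"],
                "tpr": a["tp"] / a["pos"],
                "fpr": a["fp"] / a["neg"]} for g, a in agg.items()}


def four_fifths_ratio(rates):
    """Adverse-impact ratio: lowest group selection rate over the highest.
    Below 0.8 is a four-fifths violation."""
    sel = [r["selection_rate"] for r in rates.values()]
    return min(sel) / max(sel)


def equalized_odds_gap(rates):
    """Largest cross-group difference in TPR and in FPR; (0, 0) means equalized odds holds."""
    tprs = [r["tpr"] for r in rates.values()]
    fprs = [r["fpr"] for r in rates.values()]
    return max(tprs) - min(tprs), max(fprs) - min(fprs)


def fairness_summary(records):
    rates = rates_by_group(records)
    ratio = four_fifths_ratio(rates)
    tpr_gap, fpr_gap = equalized_odds_gap(rates)
    return {"rates": rates, "four_fifths_ratio": ratio,
            "four_fifths_violation": ratio < 0.8,
            "tpr_gap": tpr_gap, "fpr_gap": fpr_gap}


def synth_group(group, n, base_rate, tpr, fpr):
    """Constructed decisions for one group, with exact counts so the rates are hit precisely."""
    pos = round(n * base_rate)
    neg = n - pos
    tp = round(pos * tpr)
    fp = round(neg * fpr)
    return ([(group, 1, 1)] * tp + [(group, 1, 0)] * (pos - tp)
            + [(group, 0, 1)] * fp + [(group, 0, 0)] * (neg - fp))


# Same TPR/FPR in both groups (equalized odds holds); base rates 40% vs 20%.
RECORDS = synth_group("A", 1000, 0.40, 0.80, 0.10) + synth_group("B", 1000, 0.20, 0.80, 0.10)

if __name__ == "__main__":
    s = fairness_summary(RECORDS)
    for g, r in s["rates"].items():
        print(g, {k: round(v, 3) for k, v in r.items()})
    print("four-fifths ratio:", round(s["four_fifths_ratio"], 3), "violation:", s["four_fifths_violation"])
    print("equalized-odds gaps:", s["tpr_gap"], s["fpr_gap"])
```

The selection rate of each group is TPR × base rate + FPR × (1 − base rate), so with equal TPR and FPR the rates can only coincide when TPR = FPR, i.e. a classifier that ignores the features. That is why a contract cannot demand both metrics without saying which one yields, and why a persistent four-fifths shortfall on an equalized-odds model is a design consequence to be escalated, not a tuning slip.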
9. B
Sustained performance degradation below acceptable thresholds, combined with a material change in business purpose, are both named triggers for model retirement under governance best practice. Retirement requires documentation, a replacement plan, and a transition plan. → Chapter 26: Quiz — Explainable AI (XAI) and Model Governance
9. C
The UK Equality Act 2010 identifies nine protected characteristics: age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, religion or belief, sex, and sexual orientation. → Quiz — Chapter 29: Algorithmic Fairness and Bias in Compliance Systems
The client master is maintained in the CRM system. The Head of Compliance estimates that approximately 30% of client records are missing one or more required fields (primarily source of wealth documentation references and beneficial ownership confirmations for entities). These gaps are known but hav → Chapter 35 Exercises — Building a RegTech Program: Strategy, Governance, and Roadmapping
About monitoring:
The firm has no real-time compliance monitoring. The monthly transaction monitoring review is the only systematic monitoring activity. - The Head of Compliance meets weekly with each relationship manager team to discuss any compliance questions. These meetings are not structured; issues are raised i → Chapter 35 Exercises — Building a RegTech Program: Strategy, Governance, and Roadmapping
About reporting:
The last MiFID II transaction report contained three errors identified by the FCA's data quality report. The errors were corrected on resubmission. No formal root cause analysis was conducted. - Board compliance reporting consists of a monthly one-page narrative written by the Head of Compliance. No → Chapter 35 Exercises — Building a RegTech Program: Strategy, Governance, and Roadmapping
About the firm's compliance technology:
Client onboarding documentation is collected through a third-party document portal, but risk ratings are assigned manually by relationship managers using a PDF checklist. The checklist was last updated in 2019. - AML transaction monitoring is performed by the compliance team using a monthly data ext → Chapter 35 Exercises — Building a RegTech Program: Strategy, Governance, and Roadmapping
ACAMS CGSS (Certified Global Sanctions Specialist)
The primary professional certification focused on sanctions compliance. acams.org. → Further Reading
The market mid-price at 09:00:12 was 133.505. At 09:00:16, it was 133.498. - The market mid-price at 09:15:33 was 133.485. At 09:15:37, it was 133.478. - The market mid-price at 09:31:05 was 133.445. At 09:31:08, it was 133.430. - Orders ORD-005, ORD-009, and ORD-014 are genuine buy executions (note → Chapter 22 Exercises: Trade Surveillance — Spoofing, Layering, and Front-Running Detection
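One way to turn the Chapter 22 exercise questions (how to measure the mid at cluster placement and cancellation, and what minimum move in basis points confirms the second phase) into a runnable detector, as an added example that is not the textbook's code and does not reuse its order data: order and mid-price events below are constructed, and the parameter defaults (cluster of at least 3 orders of 500+ lots, cancelled within 10 s, opposite-side fill inside the cluster's life, mid move of at least 0.5 bps in the direction the fill wanted) are assumptions to be calibrated per instrument.

```python
from bisect import bisect_right
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class Order:
    order_id: str
    side: str                      # "BUY" or "SELL"
    qty: int
    placed: datetime
    cancelled: Optional[datetime] = None
    filled_qty: int = 0


def mid_at(mids, ts):
    """Last observed mid-price at or before ts; mids is a time-sorted list of (time, mid)."""
    i = bisect_right([t for t, _ in mids], ts) - 1
    if i < 0:
        raise ValueError(f"no mid-price observed before {ts}")
    return mids[i][1]


def bps_move(p0, p1):
    return (p1 - p0) / p0 * 1e4


def detect_spoofing(orders, mids, *, min_cluster=3, min_qty=500, max_life_s=10,
                    window_s=15, min_move_bps=0.5):
    """Flag clusters of large, quickly cancelled, unfilled orders on one side that coincide
    with an execution on the other side and a mid move in the direction that fill wanted."""
    candidates = sorted(
        (o for o in orders if o.qty >= min_qty and o.filled_qty == 0 and o.cancelled is not None
         and (o.cancelled - o.placed).total_seconds() <= max_life_s),
        key=lambda o: o.placed)
    fills = [o for o in orders if o.filled_qty > 0]
    used, alerts = set(), []
    for i, first in enumerate(candidates):
        if first.order_id in used:
            continue
        cluster = [o for o in candidates[i:]
                   if o.side == first.side and o.order_id not in used
                   and (o.placed - first.placed).total_seconds() <= window_s]
        if len(cluster) < min_cluster:
            continue
        used.update(o.order_id for o in cluster)
        t0 = min(o.placed for o in cluster)           # cluster placement
        t1 = max(o.cancelled for o in cluster)        # cluster cancellation
        genuine_side = "BUY" if first.side == "SELL" else "SELL"
        genuine = [f for f in fills if f.side == genuine_side and t0 <= f.placed <= t1]
        if not genuine:
            continue
        move = bps_move(mid_at(mids, t0), mid_at(mids, t1))
        favourable = -move if genuine_side == "BUY" else move   # fake sells should push the mid down
        if favourable >= min_move_bps:
            alerts.append({"cluster": [o.order_id for o in cluster],
                           "genuine_fills": [f.order_id for f in genuine],
                           "move_bps": round(move, 2)})
    return alerts


def T(hms):
    return datetime.fromisoformat("2024-03-05T" + hms)


# Constructed mid-price observations and order events.
MIDS = [(T("09:00:00"), 133.505), (T("09:00:12"), 133.500), (T("09:00:14"), 133.495),
        (T("09:00:20"), 133.500), (T("09:10:00"), 133.520),
        (T("09:30:00"), 133.520), (T("09:30:04"), 133.530)]
ORDERS = [
    # pattern: three large sells, mid falls, small genuine buy, sells cancelled
    Order("ORD-001", "SELL", 1500, T("09:00:10"), cancelled=T("09:00:16")),
    Order("ORD-002", "SELL", 1500, T("09:00:10"), cancelled=T("09:00:16")),
    Order("ORD-003", "SELL", 2000, T("09:00:11"), cancelled=T("09:00:17")),
    Order("ORD-004", "BUY", 200, T("09:00:15"), filled_qty=200),
    # control: a single cancelled order is not a cluster
    Order("ORD-010", "BUY", 1000, T("09:10:00"), cancelled=T("09:10:05")),
    # control: a cluster with no opposite-side execution
    Order("ORD-011", "BUY", 1000, T("09:20:00"), cancelled=T("09:20:04")),
    Order("ORD-012", "BUY", 1000, T("09:20:01"), cancelled=T("09:20:04")),
    Order("ORD-013", "BUY", 1000, T("09:20:02"), cancelled=T("09:20:05")),
    # control: cluster plus opposite fill, but the mid moved the wrong way
    Order("ORD-021", "SELL", 1000, T("09:30:01"), cancelled=T("09:30:06")),
    Order("ORD-022", "SELL", 1000, T("09:30:01"), cancelled=T("09:30:06")),
    Order("ORD-023", "SELL", 1000, T("09:30:02"), cancelled=T("09:30:06")),
    Order("ORD-024", "BUY", 300, T("09:30:05"), filled_qty=300),
]

if __name__ == "__main__":
    for alert in detect_spoofing(ORDERS, MIDS):
        print(alert)
```

The mid at placement is the last quote observed at or before the first order of the cluster, and the mid at cancellation is the last quote at or before the final cancel, so the measurement does not peek at quotes that arrived after the behaviour ended. The 0.5 bps default is only defensible relative to the instrument: at a price of 133.5 a 0.005 tick is about 0.37 bps, so the threshold is a bit more than one tick, and it should be backtested against the normal spread and quote volatility of the contract being surveilled before going live.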
Adoption metrics:
74% of reports submitted through new system (target: 90%) - 26% of reports still produced manually (team lead for the derivatives reporting team has continued manual production, citing "data quality concerns") - New users onboarded since go-live: 4 (none received formal training) → Chapter 37 Exercises
the use of computer programs to generate, route, and execute trading orders based on predefined rules or models — now accounts for an estimated 60–70% of trading volume in major equity markets, 30–40% in fixed income, and 80%+ in foreign exchange markets. The transition happened fast: in the early 2 → Chapter 21: Algorithmic Trading Controls and Kill Switches
stablecoins backed by a basket of assets, currencies, or commodities — face the most stringent requirements, including capital requirements, reserve management standards, and for "significant" ARTs (those exceeding thresholds of holders or transaction volume), additional supervisory oversight by the → Chapter 24: Blockchain, Smart Contracts, and Immutable Audit Trails
At Go-Live:
[ ] Management visibly present on go-live day - [ ] Escalation path for technical issues clear and tested - [ ] First-day issues captured and triaged in real time → Key Takeaways
Attitude survey (conducted at 60 days, n=18):
"I feel competent using the system for my regular reporting tasks": 71% agree - "I trust the system's outputs for regulatory submissions": 58% agree - "My team lead supports using the new system": 44% agree → Chapter 37 Exercises
[ ] All procedure documentation updated (old system references removed) - [ ] Super-users designated and given advanced training - [ ] Training environment available for at least 2 weeks prior - [ ] Competence assessments completed for all user roles - [ ] Rollback plan documented and communicated - → Key Takeaways
Bloomberg's APA operates across EU and UK jurisdictions. - **ICE Data Services** — ICE's APA covers a wide range of asset classes. - **LSEG (London Stock Exchange Group)** — provides APA services through its post-trade division. - **MarkitSERV / IHS Markit** — a major APA for OTC derivatives. → Chapter 20: Pre-Trade and Post-Trade Transparency Requirements
Board/Senior Management
[ ] Model risk appetite approved by the board - [ ] Quarterly model risk report presented to ALCO/Risk Committee - [ ] Model risk material to ICAAP Pillar 2 assessment - [ ] Head of Model Risk (or equivalent) has direct access to CRO/board → Chapter 15: Key Takeaways — Credit Risk Modelling and Model Risk Management
Borrow
meaning adopt open-source libraries, participate in industry consortia, or access shared regulatory infrastructure (such as the FCA's Digital Sandbox or industry-maintained reference data) — when: the capability involves reference data or common frameworks that are not competitive differentiators; p → Chapter 35: Building a RegTech Program — Strategy, Governance, and Roadmapping
Business Case
[ ] Cost-of-status-quo analysis completed with time-and-motion data where available - [ ] Four value categories assessed (cost efficiency, risk reduction, regulatory relationship, speed to market) - [ ] ROI case built and sensitivity-tested against key assumptions - [ ] Budget approved by CFO and pr → Chapter 35 Key Takeaways — Building a RegTech Program: Strategy, Governance, and Roadmapping
Business Purpose and Expected Activity
[ ] Signed customer statement describing expected account use and anticipated transaction volumes/values - [ ] Plausibility assessment: is the stated use consistent with the customer's profile? - [ ] Transaction profile documented in KYC file for ongoing monitoring calibration → Chapter 10: Customer Risk Rating and Enhanced Due Diligence
specialist capability; regulated context; no value in building | | Electronic Identity Verification (eIDV) | Database cross-check of identity data | **Buy** — credit bureau / electoral roll access requires data licence | | Watchlist Screening | Sanctions, PEP, adverse media | **Buy** — list maintena → Capstone Project 01: Design a KYC/AML RegTech Program for a Fintech Startup
C
Categories:
**SAFE WITH CONTROLS:** LLM assistance is appropriate, but specific controls must be in place. Identify what those controls are. - **UNSAFE:** LLM assistance is not appropriate for this task in its described form. Explain why. - **CONDITIONAL:** Appropriateness depends on factors not specified. Iden → Chapter 39: Exercises — The Future of RegTech
CDMP (Certified Data Management Professional)
DAMA International's professional certification for data management practitioners. Relevant for compliance data architects. → Further Reading
CFTC Enforcement Actions Database
Searchable database of all CFTC enforcement actions, including civil monetary penalties and administrative proceedings - Filter by "Spoofing" or "Manipulation" in the violation type - Available at: [https://www.cftc.gov/LawRegulation/EnforcementActions/index.htm](https://www.cftc.gov/LawRegulation/E → Chapter 22: Further Reading — Trade Surveillance: Spoofing, Layering, and Front-Running Detection
[ ] Process redesign completed for all processes that the technology will change - [ ] Affected roles identified and change impact assessed - [ ] Change management plan drafted with communication timeline, training plan, and transition support - [ ] Success metrics baselined (current state measureme → Chapter 35 Key Takeaways — Building a RegTech Program: Strategy, Governance, and Roadmapping
Check 4: Referential Integrity
Verify that every `account_id` in the transactions table corresponds to a valid `customer_id` in the customers table. (Generate synthetic data where some transactions reference non-existent customer IDs.) → Chapter 5 Exercises
Check 5: Date Logic Validation
Verify that `kyc_verified_date` is always before or on the account opening date. (Generate synthetic data where some KYC dates come after account opening — a logical impossibility that indicates data error.) → Chapter 5 Exercises
CIPM (Certified Information Privacy Manager)
IAPP certification focused on privacy program management. Relevant for privacy-compliance intersection roles. → Further Reading
CISA (Certified Information Systems Auditor)
ISACA certification with data governance components. Relevant for compliance technology audit roles. → Further Reading
Claude Code Textbook Series
*For the compliance professionals, technologists, and policy thinkers building the systems that will govern finance for decades to come.* → Regulatory Technology (RegTech)
Compliance Week
Industry publication; good for current practitioner news and enforcement updates. → Further Reading
Implementation of enhanced surveillance controls for the Rates Structured Trading desk within six months, including real-time alerts on cross-instrument order book anomalies - Independent audit of the new surveillance arrangements by an FCA-approved skilled person within 12 months - Written undertak → Case Study 1: The Interest Rate Futures Layering Investigation at Cornerstone Financial Group
Cornerstone Bank NA
a mid-size US retail and commercial bank, OCC-regulated - **Cornerstone Capital Markets** — a UK-regulated investment management subsidiary - **Cornerstone Securities** — a US broker-dealer, SEC/FINRA regulated - **Cornerstone Asset Management (Europe)** — an EU-regulated fund manager based in Dubli → Chapter 1: What Is RegTech? History, Definitions, and the Compliance Crisis
Cost efficiency metrics:
FTE hours per KYC review completed (versus baseline) - False positive rate in transaction monitoring (versus baseline) - Rework rate for compliance outputs (versus baseline) - Cost per SAR filed (versus baseline) - Regulatory report production time per report (versus baseline) → Chapter 38: RegTech ROI — Measuring and Communicating Compliance Efficiency
Costs
All expenses incurred by the client that are directly related to the execution of the order, including execution venue fees, clearing and settlement fees, and any other fees paid to third parties involved in the execution of the order. → Chapter 18: MiFID II, MiFIR, and Best Execution Compliance
Field 1: Reporting firm's LEI - Field 2: Executing entity's LEI (if different) - Field 3: Investment decision maker's ID (LEI or NCA identifier) - Field 4: Executing trader's ID - Field 7: Buyer's LEI (or concatenated code for individuals) - Field 8: Buyer's date of birth (for natural persons) - Fie → Chapter 18: MiFID II, MiFIR, and Best Execution Compliance
Coverage confirmation
Travel Rule compliance requires the *receiving* VASP also to support the protocol. The exchange should be able to confirm what percentage of its transaction volume (by counterparty) is covered by Travel Rule-compliant exchanges, and how it handles transfers to/from non-compliant VASPs (typically eit → Chapter 24: Quiz — Blockchain, Smart Contracts, and Immutable Audit Trails
Current data flows:
KYC exports a weekly CSV to Transaction Monitoring containing customer risk classifications - Sanctions Screening has no connection to any other system - Case Management receives alerts from Transaction Monitoring only - Management reports are produced manually by the CCO's assistant each month usin → Chapter 40 Exercises
Current state (baseline, documented):
The current process requires 4.2 FTE of analyst time allocated to regulatory reporting activities, at a fully-loaded cost of £68,000 per FTE per year - External consultant is engaged for two regulatory filing cycles per year (COREP-related reviews): £85,000 per year - Resubmission and error correcti → Chapter 38: Exercises — RegTech ROI: Measuring and Communicating Compliance Efficiency
[ ] Data requirements identified for all planned capabilities - [ ] Data quality assessment completed for all required data sources - [ ] Golden source strategy documented for critical reference data - [ ] Data remediation work scoped and scheduled before dependent capability builds - [ ] Data linea → Chapter 35 Key Takeaways — Building a RegTech Program: Strategy, Governance, and Roadmapping
Engage a specialist KYC remediation firm to run an intensive 60-day program using their digital verification platform. Cost: £180,000. This would close the backlog before the FCA deadline. Simultaneously, select and implement a permanent eIDV solution for ongoing KYC. → Case Study 1.1: Verdant Bank's Compliance Reckoning
Decision 2: Transaction Monitoring
Do not replace the monitoring platform immediately (too disruptive during the FCA remediation period). Instead, engage a specialized firm to review and update the monitoring scenarios to reflect the current product range and customer base, reducing the alert rate while improving alert quality. Defer → Case Study 1.1: Verdant Bank's Compliance Reckoning
Decision 3: Regulatory Reporting
Prioritize documentation of the current manual process (to reduce key-person risk), then evaluate and procure an automated regulatory reporting solution within six months. → Case Study 1.1: Verdant Bank's Compliance Reckoning
Decision 4: Team
Hire two additional senior compliance analysts immediately (within the existing budget by redeploying funds from a lower-priority project). Begin building the business case for a compliance technology specialist role — someone who could own the ongoing technology stack. → Case Study 1.1: Verdant Bank's Compliance Reckoning
Decision 5: FCA Communication
Proactively update the FCA on the remediation plan within 30 days. Maya's experience as a former FCA supervisor told her that regulators prefer transparency and proactive communication to surprises. → Case Study 1.1: Verdant Bank's Compliance Reckoning
For Activity 1: Does the absence of fully automated decision-making eliminate the DPIA requirement? What is the ICO's position on profiling with human review? - For Activity 3: Under what circumstances does a cloud migration require a DPIA? Is there a change in risk profile? - For Activity 4: What i → Chapter 17 Exercises: Data Privacy, GDPR, and Cross-Border Data Compliance
Customer or jurisdiction appears on FATF blacklist/greylist - PEP or immediate family member - Non-face-to-face business - Business sectors with elevated ML risk (cash-intensive, gambling, dealers in precious metals) → Appendix E: Quick Reference Cards
In the past two years, the firm has had two instances of suspicious activity identified by external parties (a counterparty bank's correspondent banking review) that the firm's own monitoring had not flagged. In each case, the firm conducted an internal look-back review. Average cost of a look-back → Chapter 35 Exercises — Building a RegTech Program: Strategy, Governance, and Roadmapping
EU database of high-risk AI systems
a publicly accessible register maintained by the European Commission. Public registration means civil society organizations, journalists, regulators, and affected individuals can identify which high-risk AI systems are deployed by which organizations. This creates reputational and political accounta → Key Takeaways — Chapter 30: The EU AI Act and Algorithmic Accountability
EU Declaration of Conformity
a formal document signed by an authorized representative attesting that the system meets the Act's requirements; - Register the AI system in the **EU database of high-risk AI systems** — a publicly accessible database maintained by the European Commission, enabling public scrutiny of which high-risk → Chapter 30: The EU AI Act and Algorithmic Accountability
European Union
European Banking Authority: eba.europa.eu — Guidelines, ITS, RTS, Q&As - European Securities and Markets Authority: esma.europa.eu — MiFID II/MiFIR technical standards, MAR guidelines - European Insurance and Occupational Pensions Authority: eiopa.europa.eu — Solvency II guidance - European Central → Bibliography
Annual probability of material AML enforcement: 7% - Expected fine magnitude: £2.5M - Annual expected cost without technology: 0.07 × £2,500,000 = £175,000 - Technology reduces probability by 45%: new probability = 3.85% - Annual expected cost with technology: 0.0385 × £2,500,000 = £96,250 - **Annua → Chapter 38: Key Takeaways — RegTech ROI: Measuring and Communicating Compliance Efficiency
Executive Summary
A two-paragraph summary of the finding and the immediate steps taken 2. **Description of the Issue** — The nature of the 3.8× differential, how it was identified, and its regulatory significance under the Consumer Duty and Equality Act 2010 3. **Root Cause Hypothesis** — Your current working hypothe → Exercises — Chapter 29: Algorithmic Fairness and Bias in Compliance Systems
Expected post-implementation state:
Platform will handle automated generation for approximately 75% of regulatory filings (reducing human review to 20 minutes per filing for automated reports, versus the current average of 5.2 hours per filing) - Remaining 25% of filings (complex, judgment-intensive reports) will still require signifi → Chapter 38: Exercises — RegTech ROI: Measuring and Communicating Compliance Efficiency
Externalities
costs imposed on uninvolved parties — are particularly acute in financial markets because financial institutions are interconnected. When Lehman Brothers failed in 2008, the costs were not borne only by Lehman's shareholders and creditors. They were transmitted across the global financial system thr → Chapter 2: The Regulatory Landscape: Financial Regulation and Its Architecture
F
FATF Virtual Assets Contact Group publications
Guidance on KYC for crypto asset service providers (CASPs) — relevant as crypto regulation expands. → Further Reading
Regular publications addressing surveillance expectations, observed market behaviours, and thematic concerns - Particularly relevant issues: MW43 (algorithmic trading and automated order cancellations), MW67 (market abuse and the COVID-19 environment), MW72 (algorithmic order book manipulation) - Av → Chapter 22: Further Reading — Trade Surveillance: Spoofing, Layering, and Front-Running Detection
FinCEN's own compliance guide for small companies subject to CTA reporting. Useful as a practitioner reference for client-facing conversations. Free at fincen.gov. → Further Reading
FinCEN Exchange
US public-private information sharing program facilitating dialogue between financial institutions and law enforcement on AML typologies. Participation provides access to current suspicious activity intelligence. → Further Reading
Finextra
Trade publication covering financial services technology broadly, with RegTech as a regular theme. → Further Reading
Pre-technology false positive rate: 91% - Post-technology false positive rate: 74% - Weekly alert volume: 400 alerts - Average time to investigate a false positive: 20 minutes - Fully-loaded analyst cost: £60,000 per year (assuming 1,600 productive hours per year) - Annual probability of material re → Chapter 38: Quiz — RegTech ROI: Measuring and Communicating Compliance Efficiency
Global Relay's Annual State of Compliance Report
Industry survey on compliance trends and challenges. → Further Reading
Global Relay's Compliance Blog
Practitioner-oriented coverage of communications compliance, surveillance, and RegTech. → Further Reading
Glossary
200+ RegTech terms defined - **Answers to Selected Exercises** — Worked solutions and discussion guides - **Bibliography** — Annotated references and primary sources - **Appendix A: Python RegTech Reference** — Function and library guide - **Appendix B: Regulatory Frameworks Guide** — Key frameworks → Regulatory Technology (RegTech): Complete Table of Contents
Govern, Map, Measure, Manage
provide a structured methodology for AI risk management adopted as a reference by the federal financial regulators. Critically, the AI RMF is **voluntary guidance**, not a regulation. US financial institutions bear no legal obligation to adopt it, though adoption is strongly encouraged by supervisor → Key Takeaways — Chapter 30: The EU AI Act and Algorithmic Accountability
Governance
[ ] Governance structure selected and documented - [ ] Program sponsor named with clear authority and accountability - [ ] Steering committee constituted with terms of reference - [ ] Program director appointed (internal or external) - [ ] PMO established if program meets complexity threshold - [ ] → Chapter 35 Key Takeaways — Building a RegTech Program: Strategy, Governance, and Roadmapping
Guidance notes:
For `flag_exceptions`, the `exception_reasons` column should contain a Python list of strings (e.g., `["slippage_exceeded", "fill_rate_below_threshold"]`) - For `monthly_venue_ranking`, filter executions by `execution_time.month` and `execution_time.year` - For `implementation_shortfall_time_series` → Chapter 18 Exercises: MiFID II, MiFIR, and Best Execution Compliance
PEP status (no PEP indicators): Low - Adverse media (no results, but absence is noted): Low - Country risk (BVI incorporation, Azerbaijani BO, Dubai residence, international wire transfers): **High** (multiple high-risk jurisdiction indicators) - Industry ("real estate investment" — classic layering → Answers to Selected Exercises
budget constrained; approved for one additional hire (not enough) 2. **Implement a full ML replacement system** — capital-intensive, long implementation, significant regulatory documentation burden 3. **Deploy an ML triage layer** — a scoring model that prioritizes the existing alert queue without r → Case Study 7.1: From Alert Chaos to Priority Queue — Meridian Capital's AML Transformation
[ ] Certified copy of unexpired government-issued photo ID (passport preferred) - [ ] Independent verification against registry, credit bureau, or biometric liveness check - [ ] PEP database check: current status, role description, jurisdiction, family/associates listed → Chapter 10: Customer Risk Rating and Enhanced Due Diligence
If DORA Major Incident:
Initial notification: within 4 hours of classification - Intermediate report: within 72 hours of classification - Final report: within 30 days of classification → Appendix D: Templates and Checklists
Immediate
no delay between activation and order cancellation 2. **Comprehensive** — cancels orders on all trading venues simultaneously 3. **Tested** — tested at least annually (quarterly best practice) 4. **Automated trigger** — activates automatically on intraday loss limit breach 5. **Audit trail** — every → Key Takeaways — Chapter 21: Algorithmic Trading Controls and Kill Switches
Implications for Farida:
Post-trade APA publication for OTC trades in this bond: end of trading day (standard illiquid deferral) for most trade sizes; 48-hour deferral if notional exceeds EUR 50 million. - No continuous SI quote obligation applies if Farida is an SI in this instrument (illiquid non-equity SI obligations are → Case Study 2: Finding Gaps in the Bond Tape
Inline snippets
Short excerpts illustrating a specific concept, embedded in the chapter text. 2. **Full examples** — Complete, runnable scripts in `code/example-XX-{name}.py` within each chapter folder. 3. **Case study code** — Longer implementations tied to the chapter case studies, in `code/case-study-code.py`. → How to Use This Book
Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (Regulation S-K, S-1, 10-K): Final rule, adopted 26 July 2023 (effective 5 September 2023; compliance dates from December 2023) - Cybersecurity Risk Management Rules for Broker-Dealers, Clearing Agencies, Investment Compani → Appendix B: Major Regulatory Frameworks Reference Guide
internal conformity assessment
no mandatory third-party auditor is required. The provider must follow a defined conformity assessment procedure, prepare technical documentation, implement a quality management system, and draw up an EU Declaration of Conformity. → Chapter 30: The EU AI Act and Algorithmic Accountability
*CFTC v. Navinder Singh Sarao* (2015/2016): Foundational spoofing case; see the complaint and settlement order for detailed behavioral analysis - *CFTC v. JPMorgan Chase & Co.* (2020): $920M settlement involving precious metals futures spoofing; notable for the institutional scale and the communicat → Chapter 22: Further Reading — Trade Surveillance: Spoofing, Layering, and Front-Running Detection
Key changes in CSF 2.0
**Govern function:** Elevates governance and supply chain risk to a top-level function, reflecting that cybersecurity requires board-level engagement and extends through the supply chain. - **Supply chain risk management (GV.SC):** Strengthened subcategory with expanded guidance on third-party risk → Appendix B: Major Regulatory Frameworks Reference Guide
Key Distinctions
**Legal compliance vs. ethical practice**: compliance is the floor; ethics asks what is right above that floor - **Aggregate performance vs. distributional impact**: a system can perform well overall while causing disproportionate harm to specific groups - **Technical explainability vs. meaningful e → Key Takeaways
Key distinctions:
EL is what the bank expects to lose on average — it is priced into loan rates and covered by provisions. - Unexpected Loss (UL) is the deviation from expectation — covered by regulatory capital. - Capital requirements under Basel target a 99.9% confidence interval for UL. → Chapter 15: Key Takeaways — Credit Risk Modelling and Model Risk Management
Key DORA Concepts:
**Classification trigger**: Date of detection, not date of recovery - **Major incident criteria**: Defined in Commission Delegated Regulation (thresholds for affected users, duration, geographic spread, economic impact) - **Management body**: Must be "adequately trained" on ICT risk (Article 5) → Appendix E: Quick Reference Cards
Key FCA Manipulation Cases
*FCA v. Swift Trade Inc.* (2013): £8M penalty; first significant UK layering enforcement action; the FCA's final notice describes the order book pattern in detail and is essential reading for surveillance professionals - *FCA v. Rameshkumar Goenka* (2020): £1.48M penalty; marking the close in single → Chapter 22: Further Reading — Trade Surveillance: Spoofing, Layering, and Front-Running Detection
DPA 2018 Schedule 2, paragraph 14: crime and taxation exemption from data subject rights - POCA 2002 section 333A: tipping-off prohibition - MLR 2017 regulation 40: five-year AML retention obligation - GDPR Article 17(3)(b): legal obligation exception to erasure → Chapter 17 Key Takeaways: Data Privacy, GDPR, and Cross-Border Data Compliance
Key people in this case:
**Oliver Hartley**: Cornerstone's Chief Risk Officer, responsible for overall ICAAP ownership - **Fernanda Câmara**: Head of Capital Adequacy, author of the ICAAP - **James Ng**: PRA Lead Supervisor for Cornerstone - **Dr. Mei Xiu**: PRA Senior Specialist, Stress Testing and Capital Analysis - **Raf → Case Study 16.1: Cornerstone's ICAAP Under Scrutiny — The PRA's Deep Dive
Key principles for RegTech
**Principle 3 (Accuracy and Integrity):** Risk data must be accurate and reliable. Reconciliation between risk systems and source systems. - **Principle 4 (Completeness):** Must capture all material risk data across all business lines and geographies. - **Principle 5 (Timeliness):** Must be able to → Appendix B: Major Regulatory Frameworks Reference Guide
Key RegTech relevance
Transaction reporting accuracy is a key area of FCA/ESMA supervisory focus; systematic errors attract significant fines - LEI data quality is critical — transactions with missing or invalid LEIs cannot be reported - Algorithmic trading surveillance: firms must monitor for wash trades, spoofing, laye → Appendix B: Major Regulatory Frameworks Reference Guide
Key Screening Lists:
**OFAC SDN List** (US): US-mandated for US persons and dollar transactions globally - **HM Treasury Consolidated List** (UK): Post-Brexit UK sanctions - **EU Consolidated Sanctions List**: EU persons and entities - **UN Security Council Consolidated List**: Binding on all UN members - **OFAC Sectora → Appendix E: Quick Reference Cards
Key SR 11-7 concepts:
**Model risk**: Potential adverse consequences from decisions based on incorrect or misused models - **Model inventory**: Required for all models; must include model purpose, use, owner, validation status - **Ongoing monitoring**: Not just at deployment; performance must be monitored in production - → Appendix E: Quick Reference Cards
The platform replaces a legacy in-house system that has been in operation for nine years - There are approximately 280,000 historical data records that must be migrated to establish the platform's lookback period for regulatory calculations - The platform requires integration with three existing sys → Chapter 36 Exercises — Vendor Selection, Due Diligence, and Implementation Management
KYC Program:
KYC-current rate: target > 99%; <95% is a material gap - High-risk customer review on schedule: 100% → Key Takeaways
L
Lead with outcomes, not activities
the Board cares what happened, not what the compliance team did 2. **Three key messages, not ten** — the constraint forces you to identify what actually matters 3. **Every metric must translate** — if you cannot explain what it means in business terms, cut it 4. **State the recommendation explicitly → Chapter 38: Key Takeaways — RegTech ROI: Measuring and Communicating Compliance Efficiency
The probability that the order will be filled in full, at an acceptable price, and that the resulting transaction will settle without fail. This factor is particularly important for illiquid instruments where there is genuine risk that an order cannot be filled. → Chapter 18: MiFID II, MiFIR, and Best Execution Compliance
Particularly for natural person identification (concatenated code format errors) and for legal entities whose LEIs have lapsed 2. **Stale best execution policies** — Not updated to reflect new venues, new instruments, or post-Brexit regulatory divergence 3. **Late RTS 28 publication** — Consistently → Chapter 18: Key Takeaways — MiFID II, MiFIR, and Best Execution Compliance
Model Development
[ ] Development documentation complete before model goes into production - [ ] Training/test/validation samples clearly defined and segregated - [ ] Data sources documented; data quality assessment completed - [ ] Variable selection methodology documented with IV/statistical rationale - [ ] Model li → Chapter 15: Key Takeaways — Credit Risk Modelling and Model Risk Management
Model Governance:
Population Stability Index (PSI): >0.25 requires recalibration assessment - Validation: all models validated annually at minimum - Model inventory: all production models documented with owner, purpose, validation date → Key Takeaways
Model Inventory
[ ] All models formally registered with unique ID, owner, purpose, materiality tier - [ ] Inventory updated within 30 days of any model change - [ ] Vendor models included in the inventory - [ ] Retired models documented and de-registered → Chapter 15: Key Takeaways — Credit Risk Modelling and Model Risk Management
[ ] Override policy documented: when overrides are permitted, who approves, and how they are recorded - [ ] Model cannot be applied outside its documented scope without validation committee approval - [ ] Relevant staff trained on model limitations and appropriate use - [ ] Model outputs reviewed by → Chapter 15: Key Takeaways — Credit Risk Modelling and Model Risk Management
Model Validation (Independence)
[ ] Validator(s) independent of development team - [ ] Validation scope covers conceptual soundness, methodology, and implementation - [ ] Out-of-time or out-of-sample testing performed - [ ] Validation findings documented with severity ratings - [ ] All open findings tracked to remediation with tar → Chapter 15: Key Takeaways — Credit Risk Modelling and Model Risk Management
False positive rate: target < 20%; >30% requires recalibration - Overdue alerts (>5 days): zero tolerance; 10+ requires escalation - SAR filing on time: 100% required; any breach is a regulatory event → Key Takeaways
N
NCA Financial Intelligence (UK)
The NCA's financial intelligence team provides engagement and feedback mechanisms for major filing institutions. Engagement with NCA financial intelligence improves SAR quality and law enforcement utility. → Further Reading
Notes for Solution Guidance
Gini of 0.47 on hold-out: passes (above 0.30). A drop of 0.06 from dev to test is within typical degradation (<10 Gini points). Not a failure, but should be monitored. - PSI of 0.19 on live population: in the "monitor" zone (0.10–0.25) — not a failure yet, but warrants a 6-month monitoring trigger a → Chapter 15 Exercises: Credit Risk Modelling and Model Risk Management
ofac.treas.gov — The authoritative source for all US sanctions compliance practitioners, including updated SDN List, enforcement actions database, and guidance documents. → Further Reading
[ ] Enhanced transaction monitoring parameters applied (tighter thresholds) - [ ] Next review date set: 6 months (high risk) - [ ] Trigger events documented: what would prompt an off-cycle review? → Chapter 10: Customer Risk Rating and Enhanced Due Diligence
Operational metrics:
System uptime and availability - Processing speed per transaction (for time-sensitive processes) - Integration error rate (failures in data feeds to/from the platform) - User adoption rate (proportion of eligible processes using the technology versus manual workarounds) → Chapter 38: RegTech ROI — Measuring and Communicating Compliance Efficiency
Annual expected cost before technology: 9% × £2,000,000 = £180,000 - Technology reduces enforcement probability by 50%: new probability = 4.5% - Annual expected cost after technology: 4.5% × £2,000,000 = £90,000 - **Annual risk reduction value: £180,000 − £90,000 = £90,000** → Chapter 38: Quiz — RegTech ROI: Measuring and Communicating Compliance Efficiency
Part a) Scheduled reviews per year:
High Risk (5% of 15,000 = 750): semi-annual review = 750 × 2 = **1,500 reviews/year** - Medium Risk (20% of 15,000 = 3,000): annual review = **3,000 reviews/year** - Low Risk (75% of 15,000 = 11,250): triennial review = 11,250 / 3 = **3,750 reviews/year** → Answers to Selected Exercises
Part B: Surveillance Threshold Assessment
Cancel ratio (0.875 = 87.5%): exceeds the 0.85 threshold. - Size asymmetry ratio (5.15): exceeds the 5.0 threshold. - Directional asymmetry: 6/6 buy cancellations followed by sell executions within 20 seconds = 100%, well above the 60% trigger. → Answers to Selected Exercises
Part c) Compliant kill switch design:
**Activation authority:** Single authorized individual (Head of Compliance, Head of Risk, or designated deputy) can activate without requiring a second authorization. A log of activations is maintained. - **Coverage:** All 12 algorithms across all 5 venues. Legacy algorithms must be included within → Answers to Selected Exercises
Bitcoin, Ethereum, and most public cryptocurrencies — are open networks. Anyone can participate as a node, submit transactions, or (for PoW chains) attempt to mine blocks. Participants are identified only by cryptographic key pairs: public addresses that look like strings of random characters and re → Chapter 24: Blockchain, Smart Contracts, and Immutable Audit Trails
a UCITS fund distributed across the EU and UK - **Pinnacle Global Alternative Fund** — an AIFMD-regulated fund, primarily institutional EU investors - **Pinnacle UK Opportunities Fund** — a UK-only retail fund, distributed under UK NURS rules → Case Study 2.2: Brexit Divergence — When Two Regulatory Regimes Separate
Platform cost:
Annual software license: £210,000 in Year 1, with 3% annual escalation - Implementation (one-time): £380,000 - Data migration and mapping (one-time): £85,000 - IT integration work (internal cost, one-time): £55,000 - User training: £28,000 in Year 0; £9,000 per year thereafter - Ongoing vendor suppo → Chapter 38: Exercises — RegTech ROI: Measuring and Communicating Compliance Efficiency
POCA 2002 (Proceeds of Crime Act 2002)
Sections 327–335, 330–332. The UK statutory basis for money laundering offences and SAR reporting obligations for the regulated sector. Free at legislation.gov.uk. → Further Reading
Portfolio management and trading
active management of client portfolios; order generation and execution via prime brokerage. 2. **Client reporting** — quarterly performance reports, monthly factsheets, and ad hoc client correspondence. 3. **Trade execution and settlement** — submission of orders to brokers, confirmation matching, T → Exercises
Post Go-Live (Hypercare Period):
[ ] Adoption metrics reviewed daily for first 30 days - [ ] Second training wave scheduled (2-4 weeks post go-live) - [ ] Reversion indicators monitored (old system access logs) - [ ] Super-user feedback collected weekly - [ ] Formal hypercare closure review at 90 days → Key Takeaways
pre-trade transparency waivers
exemptions from the obligation to publish pre-trade data — under specific, narrowly defined conditions. MiFIR Article 4 establishes the waiver categories for equities; MiFIR Article 9 establishes them for non-equities. → Chapter 20: Pre-Trade and Post-Trade Transparency Requirements
License grant (SaaS, multi-tenant deployment) - License fees: £220,000 per year, with "annual adjustments in line with RPI" - Uptime guarantee: 99.2% with monthly service credits of 5% per hour of downtime below threshold - IP ownership: vendor retains all IP; customer receives usage license - Suppo → Chapter 36 Exercises — Vendor Selection, Due Diligence, and Implementation Management
PSI Interpretation:
**< 0.10**: Stable — no action required - **0.10–0.25**: Minor shift — increase monitoring frequency - **> 0.25**: Major shift — recalibrate model → Appendix E: Quick Reference Cards
Q
Quality metrics:
Error rate in system-generated reports: 1.8% (target: <1%) - Error rate in manual reports: 3.4% - 2 regulatory submissions required corrections (both from manual reports) → Chapter 37 Exercises
**Compliance Practitioner:** Parts 1→2→3→7, then selective chapters from Parts 4–6 as relevant - **Technology Professional:** Parts 1→5→4→6, then Parts 2–3 for domain grounding - **Executive / Strategic Reader:** Ch. 1, 3, 35, 38, 39, Part 8 capstone - **Student / Sequential Reader:** Chapters 1–40 → Regulatory Technology (RegTech)
Recommended tools:
**VS Code** with the Python extension — free, widely used, excellent for beginners - **Jupyter notebooks** — good for exploratory work - **PyCharm** — more full-featured IDE for those who prefer it → Prerequisites
Red Flags by Stage:
**Awareness**: "I don't understand why we're changing" / repeated basic questions - **Desire**: "I'd rather keep the old system" / working around the new tool - **Knowledge**: "I don't know how to do X in the new system" - **Ability**: High error rates in production; excessive escalations; long comp → Appendix E: Quick Reference Cards
Credit risk models and scoring engines: likely high-risk (Annex III.5(b)) — full regime applies - AML transaction monitoring models: assessment needed; law enforcement use triggers high-risk classification - Customer service chatbots: general AI transparency obligations under Article 50 - Explainabi → Appendix B: Major Regulatory Frameworks Reference Guide
On-time submission rate: target > 99% - Rejected submissions: should be zero; investigate root cause for any occurrence → Key Takeaways
Regulatory update lag
if EMIR reporting requirements change (new fields, new thresholds, format changes), the smart contract logic must be updated. If the update process is slow or requires multi-party governance approval, the firm could find itself mis-reporting during the transition period, with the mis-reporting poten → Chapter 24: Quiz — Blockchain, Smart Contracts, and Immutable Audit Trails
European Commission adequacy decisions page (ec.europa.eu) - noyb.eu announcements and legal submissions (noyb.eu) - EDPB opinion on the EU-US DPF - CJEU case tracker for any pending proceedings - FT, Reuters, and specialist privacy law blogs (IAPP, Bird & Bird Data Protection, Linklaters Data Prote → Chapter 17 Exercises: Data Privacy, GDPR, and Cross-Border Data Compliance
Risk metrics:
Alert accuracy rate (proportion of alerts that lead to escalation or SAR filing) - Regulatory finding rate in supervisory examinations - SAR filing timelines (proportion of SARs filed within the regulatory deadline) - Internal audit finding rate for compliance processes → Chapter 38: RegTech ROI — Measuring and Communicating Compliance Efficiency
[ ] Three-horizon roadmap constructed with dependency mapping - [ ] Prioritization scoring completed using risk-weighted, value/effort, and dependency criteria - [ ] Horizon 1 scope agreed and deliverables confirmed achievable within six months - [ ] Horizon 2 work scoped with clear entry criteria ( → Chapter 35 Key Takeaways — Building a RegTech Program: Strategy, Governance, and Roadmapping
RoPA maintenance:
[ ] Annual review of all entries; more frequent review after system changes - [ ] Owner assigned for each processing activity - [ ] New processing activities added before commencement - [ ] Available for supervisory authority inspection on request → Chapter 17 Key Takeaways: Data Privacy, GDPR, and Cross-Border Data Compliance
RoPA must capture for each processing activity:
[ ] Activity name and description - [ ] Purpose(s) of processing - [ ] Categories of data subjects - [ ] Categories of personal data processed - [ ] Lawful basis (and Article 9(2) condition if special category data) - [ ] Categories of recipients (including processors and sub-processors) - [ ] Trans → Chapter 17 Key Takeaways: Data Privacy, GDPR, and Cross-Border Data Compliance
Route:
Start: Chapters 1, 2, 3 (context and ecosystem) - Core: Your domain chapters from Parts 2, 3, or 4 - Technology grounding: Chapter 4, then relevant chapters from Part 5 - Strategy: Part 7 (Chapters 35–39) - Ethics and governance: Selected chapters from Part 6 → How to Use This Book
S
Sanctions screening:
False positive rate: reduced from 94% to 82% - Weekly screening volume: 12,400 items (unchanged) - False positive investigation time: 8 minutes per item - Analyst fully-loaded cost: £72,000 / year (1,600 hrs) - One OFAC near-miss averted (documented internally): estimated exposure £350K–£2.5M based → Chapter 38: Exercises — RegTech ROI: Measuring and Communicating Compliance Efficiency
Sarah Okonjo
Chief Risk Officer (CRO): Has direct accountability for Solvency II Pillar III reporting. Is sponsoring the programme. Has a history of successful technology implementations but is known to be protective of her team's independence. - **James Whitfield** — Chief Compliance Officer (CCO): Owns Consume → Chapter 35 Exercises — Building a RegTech Program: Strategy, Governance, and Roadmapping
Section 1: Purpose and Ownership
What is the ICAAP and who owns it? - How does it differ from a regulatory reporting obligation? - What does PRA SS31/15 say about the relationship between the ICAAP and the management body? → Chapter 16 Exercises: Stress Testing and Scenario Analysis
the team can only review approximately 49% of the expected alert volume. This is a material capacity deficiency. Options: (i) hire additional analyst(s); (ii) reduce scenario library scope; (iii) raise alert thresholds to reduce volume; (iv) implement ML triage (see Part e). → Answers to Selected Exercises
Signature of layering:
Multiple orders placed within a short time window on the same side (e.g., buy side) at different but progressively lower price levels - These orders collectively account for a significant fraction of the visible order book depth - All orders are cancelled within a defined window (e.g., 30 seconds) - → Chapter 19 Exercises: Market Surveillance: Detecting Manipulation and Abuse
[ ] Bank statements showing origin of funds to be deposited - [ ] Wire transfer confirmations identifying source account and originating bank - [ ] For property proceeds: completion statement from conveyancer - [ ] For business sale: purchase agreement summary or completion statement → Chapter 10: Customer Risk Rating and Enhanced Due Diligence
Source of wealth
Client narrative: written career summary and wealth accumulation history - Documentary corroboration: - For business sale: signed purchase agreement or completion summary - For investment returns: audited fund statements or custodian reports - For employment income: tax returns (last 3 years) or com → Case Study 10.2: EDD in Practice — Rafael's High-Risk Client Onboarding Checklist in Action
Speed
The time taken to execute the order from receipt to completion. Speed may be critical for certain clients and instruments; for others, it may be less important than price or certainty of execution. → Chapter 18: MiFID II, MiFIR, and Best Execution Compliance
Staff costs:
The monitoring team consists of 6 analysts (average fully-loaded cost: £62,000 per year) and one lead (£78,000 per year) - Each analyst processes approximately 45 alerts per day; the lead spends approximately 40% of their time on alert review - The team estimates that genuine suspicious activity acc → Chapter 35 Exercises — Building a RegTech Program: Strategy, Governance, and Roadmapping
Standard Risk Factors:
Customer type (natural person / legal entity / PEP / high-risk business) - Country of origin / country of transaction (FATF greylist / blacklist) - Product/service used (high-value, cash-intensive, anonymous) - Delivery channel (non-face-to-face, correspondent) - Transaction patterns (unusual amount → Appendix E: Quick Reference Cards
Start with Harris (2003)
Chapters 14–16 — to understand market microstructure and price discovery before engaging with manipulation. 2. **Read MAR Article 12 and Delegated Regulation 2016/522** — the regulatory foundation. 3. **Review the FCA's Swift Trade final notice (2013)** — the most detailed regulatory description of → Chapter 22: Further Reading — Trade Surveillance: Spoofing, Layering, and Front-Running Detection
Step 2 — Venue-level dark percentages:
XLON Dark: 3,800,000 / 86,690,000 = **4.38%** — **BREACH (>4%)** - BATD: 2,100,000 / 86,690,000 = **2.42%** — within cap - Turquoise Dark: 1,200,000 / 86,690,000 = **1.38%** — within cap - Instinet Dark: 890,000 / 86,690,000 = **1.03%** — within cap → Chapter 20: Exercises — Pre-Trade and Post-Trade Transparency Requirements
Strategic Foundation
[ ] Regulatory obligation inventory completed and current - [ ] Compliance maturity assessment conducted with evidence-based scoring - [ ] Strategic orientation selected (compliance-driven, risk-driven, or business-driven) and documented - [ ] Priya's Five Questions answered satisfactorily for the i → Chapter 35 Key Takeaways — Building a RegTech Program: Strategy, Governance, and Roadmapping
Stream 1: Pre-trade control enhancement
Price band checks extended to market orders: for any market order, the system fetches the current order book depth, estimates a worst-case execution price (at the 5th level of the order book), and compares to the reference. If the estimated execution price deviates more than the price band threshold → Case Study 21.1: The Algorithm That Didn't Know It Was Wrong — Cornerstone's Pre-Trade Control Gap
Stream 2: Data quality validation
Currency denomination validation added to all pricing feeds including fallbacks: any price sourced from a fallback without explicit currency confirmation generates a data quality warning and triggers a fallback-indicator flag in the pricing system. - Instruments with fallback-sourced prices are flag → Case Study 21.1: The Algorithm That Didn't Know It Was Wrong — Cornerstone's Pre-Trade Control Gap
[ ] Core tracker class implemented with all methods - [ ] Test script creates 10+ requests and exercises all tracker methods - [ ] AML flag and `handle_aml_dsar()` function implemented - [ ] CSV export works and produces readable output - [ ] Code follows PEP 8; classes and methods have docstrings - → Chapter 17 Exercises: Data Privacy, GDPR, and Cross-Border Data Compliance
Suggested primary sources:
FCA Consultation Paper CP23/15: "UK Consolidated Tape for Bonds" - FCA Policy Statement on Wholesale Markets Review - Financial Services and Markets Act 2023 (UK) - ESMA Consultation Paper on Consolidated Tape (for comparison) - AFME publications on consolidated tape design → Chapter 20: Exercises — Pre-Trade and Post-Trade Transparency Requirements
SupTech
supervisory technology — refers to the technology tools used by regulatory supervisors to improve their oversight capabilities. Just as institutions use RegTech to comply more efficiently, regulators use SupTech to supervise more effectively. → Chapter 3: The RegTech Ecosystem: Players, Platforms, and Market Dynamics
Average report generation time: reduced by 28% for system-generated reports - System uptime: 99.6% → Chapter 37 Exercises
Systems in operation:
KYC platform (Vendor A): Customer identity verification, risk classification, PEP/adverse media screening - Transaction monitoring (Vendor B): AML monitoring for client transactions; alert generation and initial triage - Sanctions screening (Vendor C): Real-time screening against OFAC, UN, HM Treasu → Chapter 40 Exercises
T
Team and cost data:
AML Analyst (3 FTEs): fully-loaded cost £58,000 per year each. 1,600 productive hours per year. - Senior AML Analyst (1 FTE): fully-loaded cost £72,000 per year. 1,600 productive hours per year. - Compliance Manager (1 FTE): fully-loaded cost £88,000 per year. 1,600 hours per year. (Note: the Compli → Chapter 38: Exercises — RegTech ROI: Measuring and Communicating Compliance Efficiency
The legal framework
US SAR (Bank Secrecy Act), UK SAR (POCA 2002), EU STR (AMLD5) — creates a mandatory reporting obligation when suspicion of money laundering exists, with specific filing deadlines, confidentiality requirements, and content standards. → Chapter 11: Suspicious Activity Reporting and Case Management
uneven global coverage, inconsistent public access, varying data quality — means that comprehensive beneficial ownership verification requires commercial data providers, not just public registry access. → Chapter 9: Beneficial Ownership and Corporate Transparency
EMIR reporting: previously required 2.5 days per reporting cycle, now 4 hours - DORA incident notifications: first DORA notification filed (new obligation) — filed on time - AML obligations for trade instruments: 3 high-risk trade transactions declined in 18 months that analysts believe would not ha → Chapter 38: Exercises — RegTech ROI: Measuring and Communicating Compliance Efficiency
Alert volume per week: reduced from 980 to 640 (partly better tuning, partly market conditions) - False positive rate: reduced from 96% to 85% - 4 SARs filed in the 18-month period that would not have been filed with the previous system (based on analyst assessment) - No SAR deadline breaches (two o → Chapter 38: Exercises — RegTech ROI: Measuring and Communicating Compliance Efficiency
Transaction terms:
Field 44: Transaction type - Field 45: Buy/sell indicator - Field 46: Price - Field 47: Price currency - Field 48: Net amount - Field 49: Venue of execution - Field 50: Quantity - Field 51: Price multiplier - Field 52: Commodity derivative indicator → Chapter 18: MiFID II, MiFIR, and Best Execution Compliance
Transfer Impact Assessment (TIA)
an assessment by the data exporter of whether the legal framework of the destination country provides effective protection for the data being transferred. If the TIA reveals that SCCs are insufficient (for example, because surveillance laws in the destination country allow bulk access to transferred → Chapter 17: Data Privacy, GDPR, and Cross-Border Data Compliance
*US v. Sarao* (NDIL 2015): Full docket available through PACER; plea agreement describes manipulation methodology in detail - *US v. Coscia* (NDIL 2014): First criminal spoofing conviction under Dodd-Frank; appellate decision (7th Cir. 2016) addresses the intent standard extensively - *US v. Thakkar → Chapter 22: Further Reading — Trade Surveillance: Spoofing, Layering, and Front-Running Detection
V
VaR limitations
tail blindness, normal distribution assumptions, procyclicality, and model gaming — motivated the shift to Expected Shortfall. - **IRRBB** is the separate risk framework covering interest rate risk in the banking book — measuring EVE and NII sensitivity to rate shocks. - **The market risk technology → Chapter 14: Market Risk and the Basel Framework in Practice
Vendor claims for the new platform:
The ML-enhanced platform has reduced alert volumes by 55–65% at comparable institutions (reducing false positives substantially while maintaining or improving detection of genuine suspicious activity) - Rule recalibration time is reduced by approximately 80% through automated model retraining → Chapter 35 Exercises — Building a RegTech Program: Strategy, Governance, and Roadmapping
W
What did not change
deliberately: the basic satellite model structure remained the same. Rafael's view on this was firm: "Year two is not the year to redesign the model. Year two is the year to make the year-one model better — more data, better validation, better documentation. Redesigning is a year-three conversation, → Case Study 16.2: Rafael Helps a Regional Bank Design Its First DFAST Submission