Assessing Compliance Program Effectiveness and Components

Introduction

Regulators across the US, UK, Canada, and EU don't just want compliance programs to exist — they want proof they work. Enforcement actions increasingly hinge not on whether a company has a program, but on whether that program is operational and actually tested.

The stakes are concrete. In 2024, TD Bank pleaded guilty to conspiring to fail to maintain an adequate AML program, resulting in a $1.8B criminal penalty and approximately $3B total resolution. The DOJ noted that 92% of transaction volume — roughly $18.3 trillion — went unmonitored for more than six years. The program existed. It just didn't work.

For many growth-stage financial services companies, the real exposure is subtler: a compliance framework built under pressure, checked off, and never revisited. Regulations change. Products launch. Businesses scale. The program that satisfied a sponsor bank at seed stage becomes a liability by Series B.

This guide covers what a compliance program assessment actually involves, the six components regulators evaluate, and a repeatable methodology for conducting one — whether the trigger is a regulatory examination, a sponsor bank review, or a fundraising process.


TL;DR

  • A compliance program assessment tests whether your policies, controls, and practices are actually preventing and detecting violations — not just documenting that they exist.
  • Effective programs share six components: risk assessment, written standards, training, monitoring and auditing, reporting and incident response, and leadership oversight.
  • The DOJ, FCA, and FinCEN evaluate programs on three questions: Is it well-designed? Is it adequately resourced? Does it work in practice?
  • Assessments should run at least annually — and sooner when regulations shift, the business scales, or an incident occurs.
  • For fintechs without a full-time CCO, fractional compliance leadership can own the assessment and remediation process at a fraction of the cost.

What Is a Compliance Program Assessment?

A compliance program assessment is a formal, structured evaluation of whether an organization's program is adequately designed, sufficiently resourced, and operating effectively. It goes beyond a document review — the goal is to test whether controls actually work in practice, not just confirm they've been written down.

This is distinct from a compliance audit, which typically covers a specific area or control domain. A full program assessment evaluates the entire program's structure, culture, and performance holistically. Regulators now expect organizations to conduct both.

The Regulatory Frameworks That Define the Standard

The definition of "effective" varies by regulator and jurisdiction. These are the primary frameworks that set the standard:

  • DOJ Evaluation of Corporate Compliance Programs (updated September 2024) — tests whether the program is well-designed, adequately resourced, and working in practice
  • US Federal Sentencing Guidelines, §8B2.1 — defines minimum program elements: periodic risk assessment, training, monitoring, and corrective action
  • FCA SM&CR — requires SMF16/SMF17 holders with sufficient seniority, independence, and role-relevant training
  • FinCEN / 31 CFR 1022.210 — mandates an effective AML program for money services businesses, covering policies, a designated compliance officer, training, and independent review
  • FINTRAC — requires five core program elements for Canadian reporting entities, including a mandatory two-year effectiveness review

(Figure: comparison chart of the five regulatory frameworks above for financial services firms)

The assessment methodology in this guide maps directly to these requirements — so findings are defensible to the regulators most likely to ask.


The Six Core Components of an Effective Compliance Program

Regulators across jurisdictions consistently look for the same foundational elements. An assessment must confirm these components aren't just present — they're functioning.

1. Risk Assessment

Risk assessment is the foundation everything else builds on. It identifies the specific legal, operational, and reputational risks the organization faces given its products, customers, geographies, and business model.

For fintech and crypto companies, this includes BSA/AML exposure, sanctions risk, UDAAP concerns, and cross-border regulatory complexity. Regulators are specific about scope — the FFIEC requires risk categories to cover products, services, customers, and geographic locations; FINTRAC extends this to affiliates, new technologies, and national risk assessment factors.

Risk assessments must be documented, updated regularly, and used to drive program priorities. Completing one at launch and shelving it doesn't satisfy the standard.

2. Written Standards, Policies, and Procedures

An effective program requires a clearly documented code of conduct, plus policies and procedures that translate regulatory requirements into actionable internal standards.

For financial services companies, this means current, accessible policies covering:

  • AML/KYC and customer due diligence
  • Transaction monitoring and SAR/CTR filing
  • Sanctions screening and OFAC compliance
  • Fraud prevention and Reg E compliance
  • Privacy and data protection

Policies must be reviewed and updated when regulations change or the business model shifts. Generic templates that don't reflect actual operations are a common gap — and one that regulators identify quickly during examinations.

3. Compliance Training and Communication

Training is evaluated on substance, not completion. Regulators assess frequency, content relevance, completion rates, and whether employees can demonstrate understanding — not just whether a training module was assigned.

FinCEN's 2023 consent order against Binance cited nearly two years of operation without AML training for personnel. The FCA has stated explicitly that short introductory courses are generally insufficient for compliance and MLRO roles, even at smaller firms.

Effective training is role-based. What a product manager needs to know differs significantly from what a transaction monitoring analyst needs to know. Role-specific content should cover:

  • Applicable regulatory obligations for that function
  • Red flags and escalation triggers relevant to their work
  • Current sanctions and AML typologies in the firm's risk profile

A regular communication cadence from compliance leadership reinforces the program between formal training cycles.

4. Monitoring, Auditing, and Testing

Ongoing monitoring and periodic auditing serve different purposes, and an effective program requires both.

  • Ongoing monitoring involves continuous, risk-based controls testing — identifying control failures and anomalies in real time
  • Periodic auditing is a formal, independent review of whether controls are designed and operating effectively

The results of both must feed back into the program through documented findings, root cause analysis, and corrective action. Regulators look for evidence that monitoring actually catches issues — not just that monitoring activities are scheduled on a calendar.

5. Reporting Mechanisms and Incident Response

Reporting channels are table stakes. What regulators actually evaluate is the quality of incident response — how quickly the organization acted, whether root cause analysis was conducted, what corrective action followed, and whether findings reached leadership.

The documentation trail is critical. SAR workflows, escalation paths, sanctions review records, and investigation logs all serve as evidence of a program that responds to real issues — not just theoretical ones.

6. Leadership Oversight and Governance Structure

Compliance must be embedded into governance at the highest level. The US Sentencing Guidelines §8B2.1 require that individuals with day-to-day compliance responsibility have adequate resources, appropriate authority, and direct access to the governing authority.

For growth-stage companies, "adequately resourced" doesn't mean a full-time compliance team. It means the organization has access to the expertise needed to manage its actual risk profile.

The FCA has noted that relying solely on external support without designated accountable individuals will likely lead to application refusal. A qualified fractional CCO or MLRO with real independence and authority does satisfy the standard.


How to Assess Your Compliance Program for Effectiveness

The most common mistake is treating an assessment as a one-time document review. The following six-step methodology treats it as a live test of whether controls work in practice, producing an honest picture of where the program stands and what needs to change.

Step 1 — Define the Scope and Objective

Determine whether this is a full program review or a targeted assessment triggered by a specific event: a regulatory change, an incident, a new product launch, or geographic expansion. Establish which regulatory frameworks apply and align leadership on the assessment's purpose before beginning.

Getting this right upfront means every finding maps directly to a decision someone can act on.

Step 2 — Map Applicable Regulatory Requirements

Document the specific laws, regulations, and supervisory expectations that apply to the organization's current business model, jurisdiction by jurisdiction. This establishes the baseline against which the program will be measured and ensures that gaps aren't missed because a regulation wasn't on anyone's radar.

For a US-based fintech with Canadian operations, this means mapping both FinCEN/BSA requirements and FINTRAC's five-element framework simultaneously.

Step 3 — Evaluate Each Program Component

Systematically review each of the six core components against the regulatory baseline. A traffic-light scoring approach works well here:

  • 🟢 Meeting best practices: control is documented, tested, and operating effectively
  • 🟡 In progress: control exists but has gaps in operation or documentation
  • 🔴 Not yet meeting expectations: control is absent, untested, or not functioning as designed

(Figure: traffic-light scoring matrix rating the six core components)

This creates a clear, shareable picture of program maturity that leadership and the board can act on.

Step 4 — Conduct Interviews and Gather Evidence

Test whether the program works in practice by conducting structured interviews across compliance, operations, finance, and product teams. Gather documentary evidence that controls are being executed:

  • Training completion records and knowledge assessments
  • Transaction monitoring audit logs and alert disposition records
  • Incident reports and SAR filing documentation
  • Board meeting minutes covering compliance matters
  • Sanctions screening logs

What employees say and what documentation shows often diverge. Both matter to regulators — and the gap between them is frequently where enforcement exposure lives.

Step 5 — Identify Gaps and Conduct Root Cause Analysis

For every deficiency identified, go beyond the symptom to the root cause. Is the policy unclear? Was training insufficient? Is the control under-resourced? Is there a cultural barrier to escalation?

Root cause analysis is what separates a meaningful assessment from a compliance inventory. It determines what remediation will actually fix the problem.

Fraxtional's fractional CCO and BSA Officer engagements often begin at this step, particularly for clients scaling quickly or entering new regulatory environments where the existing program hasn't kept pace with the business.

Step 6 — Build a Remediation Plan and Schedule Reassessment

Document findings, prioritize by risk level, assign ownership, and set measurable timelines. Then establish a reassessment schedule, including trigger-based reviews when the business model changes, a new product launches, or a regulatory update occurs.

FINTRAC requires a formal effectiveness review at minimum every two years. Best practice goes further: assess specific components on a rolling basis so the program reflects the business as it actually operates today, not as it was structured 18 months ago.


(Figure: process flow diagram of the six-step assessment methodology)

Common Pitfalls That Undermine Compliance Program Effectiveness

The Paper Program Problem

The single most common compliance failure regulators cite is having policies and procedures that are never tested, trained on, or enforced. The DOJ's Evaluation of Corporate Compliance Programs (updated September 2024) explicitly instructs prosecutors to test whether a program is "merely a paper program" or one that is implemented, resourced, reviewed, and revised.

Binance is the defining crypto example: FinCEN's 2023 consent order described a paper-only AML program with failures in implementation, compliance officer designation, training, and independent testing — resulting in a $3.4B civil money penalty.

Regulators identify paper programs through document requests, structured interviews, and transactional data. A well-drafted policy manual won't survive scrutiny if no one in the organization can describe what it requires of them.

Static Programs in Dynamic Businesses

Fintech and crypto companies that scale rapidly, launch new products, or expand into new jurisdictions frequently outgrow their compliance programs without realizing it. A framework built for a seed-stage payments startup is not appropriate for a Series B company operating across multiple geographies.

Common failure patterns in scaling companies:

  • AML thresholds not recalibrated as transaction volumes grow
  • Policies not updated after new product lines launch
  • Governance structures not adapted when entering new jurisdictions
  • Monitoring rules that no longer reflect the current customer risk profile

Assessment cadence must scale with the business — not stay frozen at the interval set at launch.

The Leadership and Resourcing Gap

For early-stage companies, the resourcing gap is the hardest pitfall to close. The DOJ's second core evaluation question asks whether the program is "adequately resourced and empowered to function effectively" — and the answer directly affects charging and penalty decisions when a compliance function lacks the independence or authority to escalate issues.

The tradeoff is real:

  • Hiring a full-time CCO too early is expensive and often premature
  • Having no designated compliance leadership is a regulatory liability
  • Fractional compliance leadership (a qualified director serving as named CCO, BSA Officer, MLRO, or CAMLO) lets growth-stage fintechs fill that gap without overcommitting on headcount

(Figure: comparison of compliance leadership resourcing options: full-time, fractional, none)

How Fraxtional Can Help

Fraxtional provides director-level compliance expertise for fintech, crypto, and banking companies that need to assess, build, or strengthen their compliance programs — without a full-time executive hire. Every engagement is overseen directly by an experienced compliance professional with deep regulatory experience across the US, UK, Canada, and EU.

Assessment and gap analysis services include:

  • Benchmarking against BSA/AML, UDAAP, Reg E, privacy, and cyber risk requirements
  • Evaluating governance structures for regulatory defensibility
  • Advising on remediation priorities with findings organized by severity and urgency
  • Preparing organizations for sponsor bank due diligence, regulatory examinations, and investor pre-deal compliance reviews

Fraxtional works across payments, embedded finance, and crypto — with clients including BayFirst, EarnUp, Artoh, and Winden — so assessment work is grounded in real program experience, not theory.

Three engagement models fit different stages and needs:

  • On Demand Advisory — a one-time engagement delivering a gap analysis, risk prioritization matrix, and remediation roadmap
  • Subscription Advisory — ongoing retainer providing continuous program monitoring as the business scales
  • Fractional Advisory — a named compliance officer listed in regulatory filings, contracts, and audits, with full authority to represent the organization before regulators, auditors, and sponsor banks

(Figure: overview of the three Fraxtional engagement models)

Frequently Asked Questions

What does a compliance program include?

A compliance program covers six core elements: written policies and code of conduct, risk assessment, training and communications, monitoring and auditing, reporting mechanisms, and leadership oversight. For financial services firms, this also includes specific regulatory controls — AML/KYC, sanctions screening, transaction monitoring, and consumer compliance requirements like Reg E.

How serious is a compliance interview?

Very serious. Regulators and enforcement authorities conduct structured interviews with employees, the CCO, and board members specifically to test whether the program works in practice. Answers provided during these interviews directly influence enforcement decisions and can affect penalty calculations under the DOJ's ECCP framework.

How often should a compliance program be assessed?

A full program assessment should occur at minimum annually. FINTRAC requires a formal effectiveness review at least every two years. Best practice is to trigger targeted reviews whenever regulations change, new products launch, the company expands geographically, or a compliance incident occurs.

What are the key indicators that a compliance program is effective?

Look for these five signals:

  • Documented and tested risk assessments
  • High training completion rates with demonstrated understanding
  • Functioning reporting channels with resolved incident records
  • Monitoring that catches real issues, not just scheduled activities
  • Documented board-level engagement with compliance outcomes

What is the DOJ's standard for evaluating compliance programs?

The DOJ applies three questions: Is the program well-designed? Is it adequately resourced and empowered? Does it work in practice? These questions determine whether compliance qualifies as a mitigating factor — evaluated at both the time of misconduct and at charging or resolution.

Can a startup or early-stage fintech build an effective compliance program without a full-time CCO?

Yes. Through fractional compliance leadership, early-stage companies can access director-level expertise to design a defensible program without a full-time hire. Regulatory bodies evaluate resourcing relative to actual risk profile and stage — a qualified fractional CCO or BSA Officer with genuine independence meets that bar.