Guide to Prepare for Regulatory Examination

Introduction

A regulatory examination is a formal review conducted by a regulatory authority (the FCA, SEC, FinCEN, FINTRAC, or a state regulator) to assess whether your firm is operating in compliance with applicable laws, rules, and supervisory standards.

This guide is written for FinTech companies, crypto firms, money transmitters, BaaS banks, and embedded finance companies operating in the US, UK, Canada, and EU. It's particularly relevant for firms facing their first examination or running with lean compliance teams.

The stakes are real. Poor preparation can result in Matters Requiring Attention (MRAs), consent orders, civil money penalties, reputational damage with sponsor banks and investors, or loss of your operating license.

The FCA fined Starling Bank £28,959,426 in 2024 for financial crime systems and controls failings. Growth-stage firms are not exempt from serious enforcement consequences.

This guide covers:

  • What a regulatory examination is and which regulators conduct them
  • How the examination process works from notice to close
  • How to prepare your team and documentation effectively
  • What mistakes to avoid before and during an exam

TL;DR

  • A regulatory examination is a formal compliance review by a regulator (SEC, FCA, FinCEN, FINTRAC, etc.) assessing your firm's controls, documentation, and risk management practices.
  • Preparation is ongoing — firms that treat compliance as a year-round discipline consistently fare better than those who react after receiving notice.
  • The exam lifecycle flows in four stages: document request → active review → exit interview → findings letter, each demanding a distinct response.
  • Strong preparation rests on four pillars: documentation readiness, a cross-functional exam team, mock internal reviews, and experienced compliance leadership.
  • Common mistakes include over-volunteering information, reactive preparation, and lacking a designated exam coordinator.

What Is a Regulatory Examination?

A regulatory examination — also called a supervisory exam, compliance review, or regulatory visit — is a structured process by which a regulatory authority evaluates a firm's adherence to applicable laws, regulations, and supervisory expectations. Coverage areas typically include BSA/AML, consumer protection, data privacy, and risk management.

Examination Types

Not all examinations carry the same scope or intensity. Understanding which type you're facing shapes your response strategy:

  • Periodic supervisory examination — scheduled based on firm size, risk profile, and time since the last review. OCC national banks are generally examined on a 12–18 month cycle.
  • Risk-based or cause examination — triggered by complaints, red flags, or disciplinary history. The SEC's approach factors in prior findings, leadership changes, and material business changes to prioritize which firms get scrutinized.
  • Thematic review — an industry-wide assessment of a specific risk area. The FCA uses thematic reviews to assess current or emerging risks across multiple firms in a sector.
  • Document-based desk review — conducted remotely; no on-site visit, but document requests can be just as demanding.

[Figure: Comparison infographic of the four types of regulatory examinations for financial firms]

How This Differs from Internal or External Audit

Regulators have enforcement authority. An internal audit finding triggers internal accountability — a regulatory finding can trigger public enforcement action, binding remediation requirements, fines, or sanctions.

That exposure is what makes exam preparation a strategic priority, not just a compliance checkbox.


Why Regulatory Examination Preparation Is Critical

Weak preparation doesn't just produce findings — it produces escalating findings. The FFIEC's BSA/AML guidance states that substantive compliance program deficiencies may require supervisory action, and FDIC guidance treats Matters Requiring Board Attention (MRBAs) as signals of significant issues demanding management response.

What the Enforcement Record Shows

The penalty exposure for FinTechs and non-bank financial institutions is concrete:

Both cases share the same underlying pattern. Weak operational evidence became the penalty multiplier: thin staffing rationale, absent restriction governance, and policies that didn't match actual controls.

What Examiners Are Really Assessing

Those enforcement outcomes reflect something broader. Examiners don't stop at technical compliance — they probe whether the program actually functions. Specifically, they assess:

  • Whether senior management actively owns compliance decisions, not just signs off on them
  • Whether compliance obligations are embedded in daily operations or treated as an afterthought
  • Whether past findings have been fully addressed with documented, verifiable evidence
  • Whether the program is scaled to the firm's actual risk profile — not copied from a larger institution's template

Why FinTechs and Startups Face Heightened Risk

Lean compliance teams, rapidly evolving products, and first-time examinations create the exact gaps that mature institutions have spent years addressing. Fraxtional regularly sees firms arrive with documentation scattered across drives, no version control, and AML policies that don't reflect actual operations — all of which examiners identify within hours of beginning a document review.


How the Regulatory Examination Process Works

The examination lifecycle follows a predictable pattern. Firms that map each stage in advance — and assign clear ownership at each — consistently outperform those that treat the process as reactive.

Step 1: Pre-Examination Notice and Document Request

The examination typically initiates with a document request letter outlining scope and required materials. These commonly include:

  • Written compliance policies and procedures
  • AML/BSA program documentation
  • Risk assessments and compliance exception logs
  • Transaction monitoring records and SAR decisioning files
  • Employee training logs and testing records
  • Prior examination letters and remediation evidence
  • Form ADV or equivalent regulatory filings

The SEC's 2023 risk alert provides a model of what investment adviser examinations request. The FFIEC BSA/AML Examination Manual does the same for bank examinations. Both are worth reviewing before any notice arrives.

Critical point: Delays or disorganized responses to document requests signal compliance weakness immediately. Examiners form early impressions from how quickly and cleanly you respond.

Step 2: On-Site or Remote Examination Review

During the active review, examiners will:

  • Interview compliance, risk, and business personnel
  • Test whether stated policies are actually implemented in practice
  • Review transaction samples, alert dispositions, and SAR filings
  • Probe internal controls against documented procedures

Coordinate staff access in advance and brief every interviewee on their role. Basic response discipline matters:

  • Answer only what is asked — don't volunteer beyond the question
  • Don't speculate; request time to research if uncertain
  • Escalate unexpected lines of inquiry to the compliance lead immediately

Unprepared staff create risk that prepared policies cannot offset.

Step 3: Exit Interview, Findings Letter, and Remediation

The examination closes with an exit interview where preliminary findings are discussed. A formal deficiency or findings letter follows. For SEC examinations, registrants are expected to respond within 30 days — though response deadlines vary by regulator, so calendar the deadline stated in the actual letter rather than assuming a universal timeframe.

How a firm responds to findings often matters as much as the findings themselves. Regulators assess responsiveness, good faith effort, and whether the remediation plan is credible and specific. A strong response names the root cause, identifies who owns the fix, and sets a realistic completion date — not just an acknowledgment that a gap exists.


[Figure: Three-stage regulatory examination lifecycle, from document request to remediation response]

How to Prepare for a Regulatory Examination

Exam preparation isn't a project that starts when the notice arrives. It's a standing operating discipline.

Build a Cross-Functional Exam Readiness Team

Identify who owns the examination response (typically the CCO or BSA Officer) and ensure legal, operations, finance, and technology stakeholders know their roles, have access to relevant documentation, and are prepared to respond to examiner questions accurately and consistently.

Firms without a full-time CCO or BSA Officer can engage fractional compliance leadership to fill that ownership gap. Fraxtional's fractional CCO, BSA Officer, and MLRO services place named, accountable directors into the examination management role: serving as the primary point of contact with regulators, overseeing document production, briefing interviewees, and managing findings responses. Regulators and sponsor banks treat embedded leadership differently from advisory-only support — and the distinction shows up in examination outcomes.

Establish a Document Management System Before the Request Arrives

Centralize compliance documentation in an indexed, readily retrievable format. Categories to organize include:

  • Compliance policies (with version history and ownership)
  • Board minutes and compliance committee reporting
  • Current risk assessment
  • Transaction monitoring reports and alert disposition records
  • SAR/CTR filings and supporting documentation
  • Employee training logs and testing evidence
  • Prior examination letters and remediation evidence

Fraxtional helps clients structure this documentation with clear ownership, escalation paths, and version controls — formatted to withstand examination and enhanced due diligence.

Conduct a Pre-Examination Internal Review

Treat your own compliance program the way a regulator would. Before any notice arrives:

  1. Review open findings from prior examinations or internal audits — confirm each has documented remediation evidence, not just a closure date
  2. Test high-risk controls — AML/BSA transaction monitoring, UDAAP, Reg E, and sanctions screening are recurring examination focus areas
  3. Gap-assess against current examination priorities — the SEC's 2025 examination priorities include crypto assets, AI, cybersecurity, and AML for broker-dealers; FINRA's 2025 report highlights third-party risk and crypto; FCA materials keep financial crime supervision in focus
  4. Document your findings — a pre-exam gap assessment with a remediation log is itself evidence of a functioning compliance program

[Figure: Four-step pre-examination internal compliance review process flow]

This is not a one-time exercise. It belongs on a recurring compliance calendar.

Prepare Staff for Examiner Interactions

Coach relevant employees on response discipline:

  • Answer only what is asked — nothing more
  • Don't speculate or volunteer information outside the question's scope
  • If uncertain, say so and commit to following up with a researched answer
  • Escalate any unexpected lines of inquiry to the compliance lead immediately

Consistent, disciplined responses across multiple interviewees signal a mature compliance culture. Inconsistent answers — especially on high-risk topics — become findings.

Establish a Communication Protocol

During the examination period, track everything formally:

  • Log all document requests and production dates
  • Maintain a running record of what has been submitted and when
  • Communicate proactively if additional time is needed to fulfill a request
  • Maintain clear escalation lines between the exam coordinator, senior management, and legal

Regulators notice when they're kept waiting without explanation. Proactive communication is a credibility signal.


Key Factors That Influence Examination Outcomes

Compliance Program Maturity and Documentation Quality

Examiners assess whether a compliance program is risk-based, proportionate, and operational — not just documented. The gap between policy and practice is one of the first things tested. Firms with written procedures linked to control evidence, exception logs, and documented remediation of past issues consistently receive better outcomes than those with informal or disconnected programs.

Prior Examination History

Regulators scrutinize whether prior findings have been fully remediated. Repeat findings or unresolved MRAs signal systemic weakness and escalate examiner scrutiny in subsequent cycles. Track every finding with:

  • Assigned owners and target remediation dates
  • Completion evidence tied to the specific finding
  • Board or senior management reporting on status
  • Closed-loop documentation — not just a status checkbox

Quality of Compliance Leadership

The competence and credibility of the compliance officer leading the examination matters. Examiners assess whether the CCO or BSA Officer demonstrates genuine fluency with the firm's risk profile, regulatory requirements, and day-to-day compliance operations.

Fraxtional's directors bring direct regulatory experience to examination engagements — including professionals who have served as CFPB examiners, held BSA Officer roles through OCC, FDIC, and NCUA examinations, and led compliance at growth-stage FinTechs and banks. That dual perspective — regulator and examined institution — provides credibility that junior consultants or staffing placements cannot replicate.

Current Examination Priorities

Regulators publish annual examination priorities and risk alerts that signal thematic focus areas. Firms that map their controls against these published priorities — and can demonstrate proactive remediation of flagged areas — are better positioned than those who discover gaps during the examination itself.


[Figure: Compliance officer reviewing published examination priorities and risk alerts]

Common Mistakes Firms Make During Regulatory Examinations

Over-Volunteering Information

Many firms — especially those new to regulatory examinations — provide more documentation than requested, introduce unrelated issues, or allow staff to speculate during examiner interviews. Responses should be precise, reviewed by compliance leadership before submission, and limited strictly to what was requested. Scope creep in document production can introduce issues that weren't on the examiner's radar.

Treating Preparation as a One-Time Event

Firms that begin preparing only after receiving an examination notice are already behind. Examiners can tell the difference between a compliance program genuinely embedded in operations and one assembled reactively. Audit-ready documentation, a current risk assessment, and evidence of ongoing monitoring cannot be fabricated on short notice. Examiners recognize the difference, and the credibility cost is immediate.

Failing to Escalate and Coordinate During the Exam

When examiner questions surface potential compliance gaps, some firms delay escalation to senior management or legal. The consequences compound quickly:

  • Inconsistent answers across interviewees
  • Missed windows to address issues before the exam closes
  • Lost credibility with the examining team

Real-time internal coordination throughout the examination period is what keeps the firm's narrative consistent and its response posture credible.


Frequently Asked Questions

What is a regulatory examination?

A regulatory examination is a formal review conducted by a government authority — such as the FCA, SEC, FinCEN, or FINTRAC — to assess whether a financial institution complies with applicable laws, regulations, and supervisory standards. Coverage typically spans AML, consumer protection, data privacy, and risk management controls.

What do regulators typically look for during a financial institution examination?

Regulators assess compliance program adequacy, internal control quality, management tone, prior finding remediation, and whether documented policies match actual practice. That last point — gaps between policy and operations — tends to draw the most scrutiny.

How often do regulatory examinations occur?

Frequency varies by regulator, firm type, and risk profile. OCC national banks are examined generally every 12–18 months. FDIC consumer compliance examination cycles range from 24–78 months depending on asset size. The SEC examined approximately 15% of registered investment advisers annually. The FCA operates on a risk-based, data-led model without a fixed universal visit frequency.

What happens if a firm receives a deficiency letter after an examination?

A deficiency letter identifies examination findings and gives the firm a defined period to respond — often 30 days for SEC matters, though timelines vary by regulator. The quality and specificity of that remediation plan significantly influences how the regulator assesses the firm's compliance culture.

Do FinTech startups and crypto firms face regulatory examinations?

Yes. FinTechs, crypto firms, and money transmitters are subject to examination by FinCEN, state regulators, the FCA, FINTRAC, and others depending on jurisdiction. Regulators are actively expanding oversight of non-bank financial institutions, and early-stage firms are increasingly being examined as they scale.

How can a firm prepare for a regulatory examination without a full-time CCO?

Firms without a full-time CCO can engage fractional compliance leadership — experienced compliance executives who provide director-level oversight on a flexible basis. Fraxtional's fractional CCO, BSA Officer, and MLRO services typically deploy within the same week, with engagements structured for three to nine months depending on the firm's needs, timeline, and regulatory situation.