CLARITY - our library of practical, frank compliance information for regulated businesses

Preparing for Your Next On-Site Inspection

For many years, the approach to an FSA on-site inspection followed a familiar pattern. The notification arrived, the firm moved into a higher gear, files were reviewed, policies were checked, and everyone hoped that the relationship built up over years of supervision would provide some useful context if questions arose. It was never a particularly elegant approach, but it reflected how supervision worked at the time.

It no longer reflects how supervision works at all.

Data, not knowledge

The FSA has moved to an impact and risk-based supervision model, and the practical consequences of that shift are more significant than many regulated firms have appreciated.

The change runs deeper than structural. The FSA is now working primarily from data, not from knowledge. Where supervision once relied in part on an accumulated understanding of individual firms and sectors, their history, their senior people, and their particular circumstances, it now relies on what the data shows and what the documentation says. The supervisor who knew your business, who understood the context behind a decision or the history of a particular client relationship, is a thing of the past.

What that means is that your firm is being assessed on the basis of what can be seen and measured, often before anyone has set foot in your office. By the time a visit is scheduled, a data-based view will already have been formed. The files, the policies, the risk assessments, the monitoring records: these are no longer supporting material. They are the primary evidence.

What the thematic programme is telling you

The FSA publishes its supervisory calendar and issues thematic questionnaires as part of its ongoing programme. These are usually directed at a particular cohort of firms, but that is not the only reason to pay attention to them.

A thematic questionnaire tells you what the FSA is focused on right now. It sets out the questions the Regulator considers important, the areas it is examining across the sector, and implicitly the standard it expects to find when it looks. Even where a questionnaire is not addressed to your firm, it is providing you with something genuinely useful: an advance view of what matters to your supervisor at this moment.

The thematic reports that follow are equally valuable. They describe what the FSA found when it looked across the sector, where firms fell short, and what good practice looked like on the ground. That is a gap analysis on a plate, available to anyone who reads it and is honest about where their own firm would sit in that picture.

Building a standing readiness programme

The firms that will handle on-site visits well in this environment are not the ones that prepare hardest in the fortnight after the notification. They are the ones that have already been through the relevant ground as a matter of routine.
That requires a deliberate addition to your compliance monitoring plan: a rolling internal audit schedule, running alongside your standard programme, built around two parallel tracks.

The first track follows the FSA’s thematic calendar. When a questionnaire is issued, it triggers an internal review of that area of your business. When the thematic report follows, it informs a gap analysis. You are, in effect, running a version of the FSA’s own exercise internally, before they run it on you.

The second track is led by your own assessment of where the hotspots are in your business. Mapped section by section, it works through the areas of highest risk or greatest complexity in a rolling sequence, revisiting each on a cycle that reflects the level of risk it carries. The two tracks will often overlap, which is useful information in itself.

Neither track waits for an inspection notification to begin. That is the point.

The programme also needs to report upwards. A rolling internal audit workplan that runs in isolation from the rest of the business is only doing half its job. The findings should feed into the board’s risk oversight: informing updates to the BRA, flagging emerging issues before they become entrenched, and giving senior management the material they need to demonstrate an active and responsive compliance framework.
A board that can show it receives regular internal audit findings, considers them, and acts on them is demonstrating exactly the kind of governance the Regulator wants to see. For firms thinking about how compliance and governance connect at board level, the question of what the Regulator expects from senior management is explored in our article ”Is Governance the Regulator’s Next Focus?”

The file as the only voice

In a supervision model built on relationships, a file that was not quite complete could sometimes be supplemented by context. A conversation could explain a decision that the paperwork did not fully capture. That latitude has gone.

The file now has to make the case on its own. It needs to tell a coherent story to someone who does not know your firm, has not met your team, and is working through it without the benefit of, or frankly, interest in explanation. If the reasoning behind a decision is not recorded, it does not exist for supervision purposes. If the monitoring is not documented, it did not happen.

That is a higher standard than many firms are currently meeting, and it is worth being clear-eyed about the gap.

The FSA has told you what it cares about

There is something quietly useful about the current supervision model, even if its demands are greater. The FSA publishes its priorities. Its thematic calendar sets out where it intends to look. Its reports tell you what it found and what it expects. The information needed to prepare is, in most cases, already available.

The firms that treat that published programme as their internal audit agenda will find on-site visits considerably more manageable than those still waiting for the notification to arrive before they start thinking about it.