The regulator is already in the room.
BaFin, HNB, HANFA, ECB JST and the FSA review your programme every cycle. Compliance is not a project. It is the operating state the supervisor watches all year.
SERVICE PRACTICE · FINANCIAL COMPLIANCE
Financial-sector compliance advisory.
We support compliance officers, MLROs and second-line teams across banks, payment institutions, investment firms, asset managers and insurers. DORA, MiFID II, AML, sanctions, MiCA and prudential rules in one programme that the supervisor recognises.
FINANCE.DESK · ROLLING 12 MONTHS● LIVE
Regulated entities advised62
BaFin / HNB / HANFA filings supported184
DORA third-party registers built27
AML SAR reviews assisted411
SREP / on-site exam preparations19
Board compliance briefings73
TRUSTED BY 300+ EU ORGANISATIONS
ROCHESIEMENSIKEAASTRAZENECAVODAFONEPHILIPSJUST EAT
FREE 30-MIN CONSULTATION
Talk to a senior advisor.
One business day reply. Clear next steps and indicative pricing.
1 BUSINESS DAY REPLY·NDA ON REQUEST·NO OBLIGATION
§ 01 / PRIMER
Compliance load.
DORA, MiFID II, AML, MiCA, prudential.
One transaction touches five rulebooks. The compliance function has to map each rule to a control, a record, a report and an owner. No gaps. No duplication.
The board carries the risk.
Management board members are named in supervisory letters. Compliance officers carry personal duties under MaRisk, the KWG and the ZKI. Documentation is the defence.
ADMINISTRATIVE FINES
Up to 10% of turnover
Senior-management breaches of prudential or conduct rules under CRD V, MiFID II and AMLR.
INDIVIDUAL SANCTIONS
Up to €5M / fit-and-proper revocation
Personal fines and disqualifications for compliance officers, MLROs and board members.
§ 02 / WHERE IT BITES
Core regulations.
REGIME. WHAT IT REQUIRES
DORAICT risk managementArticle 6 framework, Article 11 response, Article 28 third-party register, board sign-off.
MIFID IIConduct of businessSuitability, appropriateness, product governance, cost disclosure, best execution, recordkeeping.
AMLR / AMLDAML/CFT programmeCDD, EDD, SAR filing, sanctions screening, beneficial owner verification, AML officer.
MICACrypto-asset servicesCASP authorisation, custody and conflicts rules, white-paper, market abuse for crypto-assets.
REGIME. WHAT IT REQUIRES
CRR / CRDPrudential reportingCOREP, FINREP, large exposures, leverage ratio, ICAAP, ILAAP, SREP dialogue with the supervisor.
PSD2 / PSD3Payment servicesSCA, RTS for fraud reporting, outsourcing notifications, complaint handling, safeguarding.
SFDR / CSRDSustainability disclosurePrincipal adverse impact, taxonomy alignment, ESG product classification, double materiality.
MARMarket abuseInsider lists, STORs, PDMR notifications, market-sounding records, surveillance calibration.
§ 03 / ENGAGEMENT MODELS
Engagement models.
MODEL ARETAINER
Compliance Officer support
Ongoing second-line support for the Head of Compliance, MLRO or DORA owner. Monthly retainer.
- →Programme calendar, deliverable owners, deadlines
- →Regulator filings, SREP and on-site prep
- →Board and risk committee briefings
- →AML, sanctions and DORA monitoring inputs
MODEL BBUILD
Programme set-up
Fixed-scope build for a new authorisation, a new regulation, or a regulator-driven remediation plan.
- →Authorisation file (KWG, ZAG, KAGB, HANFA, HNB)
- →DORA framework with third-party register
- →AML/CFT programme rebuild
- →MiFID II policy and procedure pack
MODEL CREVIEW
Independent review
Section-44 KWG style independent reviews, fit-and-proper interviews, or pre-inspection diagnostics.
- →Independent compliance function review
- →AML programme effectiveness review
- →Pre-SREP / pre-inspection diagnostic
- →Outsourcing and DORA third-party audit
§ 04 / SCOPE
Scope of work.
01 / 04
Programme & governance
- Compliance function design and reporting lines
- Annual compliance plan and risk assessment
- Board and risk committee reporting cadence
- Three-lines model and policy hierarchy
02 / 04
Conduct & markets
- MiFID II suitability and appropriateness
- Product governance and target market
- Best execution monitoring
- Market abuse and surveillance calibration
03 / 04
Financial crime
- AML/CFT programme and KYC tooling
- Sanctions screening (EU, OFAC, UK, UN)
- Transaction monitoring tuning
- SAR filing and FIU liaison
04 / 04
DORA & resilience
- ICT risk framework and incident response
- Third-party ICT register (Article 28)
- TLPT and exit-strategy testing
- Major incident reporting to the supervisor
§ 05 / IN PRACTICEBook a review45 MIN
How we run the programme.
We write the programme so the examiner can open it, follow the trail and close the file. Tickets, evidence, sign-offs, board minutes. Documented before the visit, not on the day of it.
Findings per supervisory cycle
≤ 2 minor
First-time SREP letter response
100%
Authorisation files cleared at first review
92%
AML programme uplift cycle
6 months
BANK · BOARD COMPLIANCE PACKQ2 2026
AML programme ratingEffective
DORA register coverage100% critical
MiFID II breaches QoQ−38%
Open supervisory findings1 minor
Outsourcing notificationsFiled on time
Vision Compliance · second-line advisory
§ 06 / SELECTED WORK
See all case studies →Recent engagements.
FIN-23PAYMENT INSTITUTION
Authorisation file accepted by HNB at first review.
11
WEEKS
0
RFI
On plan
GO-LIVE
SCOPEZAG authorisation, AML programme, safeguarding
FIN-19ASSET MANAGER
DORA framework live across three jurisdictions.
3
ENTITIES
47
TPPS
Met
DEADLINE
SCOPEThird-party register, exit strategies, ICAAP-DORA bridge
FIN-16BANK
AML programme rebuild closed BaFin findings.
9 → 0
FINDINGS
+22%
SAR Q/Q
Briefed
BOARD
SCOPEProgramme rebuild, tuning, FIU liaison, board reporting
§ 07 / LANDSCAPE
Regulatory landscape.
€2.4B
AML fines in the EU in 2025
117
BaFin enforcement decisions, 2024
82%
of EU banks behind on DORA controls
Day 1
of MiCA enforcement, June 30 2024
TREND 01
AMLR replaces AMLD
Single rulebook applies directly. The AML Authority (AMLA) becomes the lead supervisor for major obliged entities.
TREND 02
DORA is the new audit pivot
Supervisory cycles open with DORA register reviews. Concentration risk findings move to the front of the letter.
TREND 03
MiCA opens a second perimeter
Crypto-asset firms, custodians and stablecoin issuers enter the supervised population. Banks face new counterparty obligations.
§ 08 / FAQ
Common questions.
01Are you regulated, and what is your status with BaFin / HNB / HANFA?+
We are an independent advisory firm. Our role is second-line support to the regulated entity. Our deliverables are signed off by the client's Head of Compliance or MLRO. We have worked alongside BaFin, HNB and HANFA in 60+ engagements.
02Can you take the compliance officer role directly?+
In most jurisdictions the compliance officer must be an internal appointment. We support the role with second-line capacity, drafts, monitoring and board materials. For some structures we serve as the responsible person under the firm's contract with the supervisor; the model depends on the entity type.
03How quickly can you mobilise on a regulator-driven remediation?+
For an enforcement letter or remediation plan we mobilise within 5 business days. Day 1 to day 5 is scope, plan and milestone agreement. From week 2 we run weekly status against the supervisor's deadlines.
04Do you cover DORA third-party registers end-to-end?+
Yes. We build the register, map contracts to Article 28 fields, run the criticality assessment, draft exit strategies and prepare the supervisory reporting. We do not sell the underlying tooling; we work in whatever GRC system the entity already uses.
05Can you help with an authorisation file (ZAG, KWG, KAGB, HANFA, HNB)?+
Yes. We have led authorisation files for payment institutions, e-money issuers, AIFs, investment firms and crypto-asset service providers. We draft, review against the application form, build the supporting policies and run the dry-run interview with the regulator.
06How do you bill, retainer, fixed scope or both?+
Both. Programme-set-up work is usually fixed scope. Compliance officer support is a monthly retainer with a defined deliverable calendar. Independent reviews are fixed fee on a defined scope letter.
§ 09 / RESOURCES
Templates and guides.
TEMPLATE12 PAGES
DORA third-party register starter
Column structure, criticality rubric, exit-strategy fields and supervisory reporting mapping.
Open ↓PDF / TEMPLATE
GUIDE18 PAGES
Pre-SREP self-assessment
Walkthrough of the dossier sections, governance evidence and the typical regulator follow-ups.
Open ↓PDF / TEMPLATE
CHECKLIST9 PAGES
AML programme review checklist
Effectiveness review questions that mirror BaFin and HNB inspection prompts.
Open ↓PDF / TEMPLATE
§ 10 / RELATED
Related practices.
DORA & operational resilience
ICT risk management, third-party registers, TLPT and major incident reporting for financial entities.
Open practice →Regulatory advisory
Multi-regulation programme oversight, horizon scanning and supervisory authority liaison.
Open practice →Vendor risk management
Third-party due diligence, contracts and ongoing monitoring across critical service providers.
Open practice →11 / GET STARTED
Talk to a senior advisor.
Authorisation file, DORA programme, AML rebuild or supervisory remediation. We respond with a scoped agenda for the first call.