AML compliance programmes have a persistent structural problem. The operational side (transaction monitoring, sanctions screening, KYC verification) has mature tooling and established vendors. The procedural side does not. The annual business-wide risk assessment is done in Word. The obligations register lives in a shared spreadsheet. The Board pack is assembled by pulling screenshots into PowerPoint. The risk appetite statement is signed off once a year and filed.
Regulators are increasingly focused on this gap. The FCA Dear CEO letters on AML and the SAMA supervisory guidance both call out appetite-versus-operation drift and evidence quality as top concerns. When an inspector asks "show me which obligations you are subject to, and which ones are met," a spreadsheet is not the right answer.
The RateYourCyber Financial Crime Compliance module replaces those artefacts with a structured database and a working interface. It sits alongside the firm's operational stack and handles the procedural front: the business-wide risk assessment, the obligations register, risk appetite governance, policy generation, tabletop exercises, risk register integration, and Board and regulator reporting.
Business-Wide Risk Assessment
58 questions across 10 sections: Programme Governance, Business-Wide Risk Assessment, Customer Due Diligence, Enhanced Due Diligence, Beneficial Ownership, Transaction Monitoring, Sanctions Screening, Suspicious Activity Reporting, Record Keeping, and Training and Awareness. Structured around the FATF 40 Recommendations risk dimensions: customer, product, geography, channel, typology, and transaction value.
Maturity levels 1 to 5 per question. 1,000-point scoring on the standard A to F grade scale. Authored recommendations per question surface automatically in the Results tab when maturity falls below target. Completed assessments feed the platform cross-domain compliance score.
Risk Appetite Management
Board-approved appetite statements across six dimensions: Customer, Product, Geography, Channel, Typology, Transaction Value. Each category is assigned an appetite level: Accept, Accept with EDD, or Not Accept. Each dimension carries its own governance record: owner, role, board approval date, next review date, review cadence, approval minute reference.
The platform automatically detects categories where the Board has stated Not Accept appetite but the operational control in the BWRA scores at maturity level 3 or below. A conflict is rated Critical when the control scores at level 1 or 2, and High at level 3. Conflicts surface on the dashboard, in the Risk Appetite tab, and in every regulator pack.
Regulatory Obligations Register
48 binding obligations across FATF, FCA/JMLSG, FinCEN BSA, SAMA AML, CNBV, and SEPBLAC. Each obligation carries a citation reference, full obligation text, required evidence type, and an auto-derived status from the BWRA: Covered, Partial, or Gap.
The MLRO can override any auto-status with a manual workflow capturing status, evidence type, evidence link, owner, last reviewed date, next review date, and a named-approver Approval state. The dashboard surfaces obligation coverage as three buckets: Met, In progress, and Not met.
Tabletop Exercises
Scenario runner with phase progression (briefing, inject sequence, decision points, debrief), participant capture, observations log, and after-action report PDF. Each completed session updates the tabletop readiness percentage on the dashboard.
Board and Regulator Reporting
PDF, DOCX, XLSX, and on-screen HTML from the same data layer. Board Report and Regulator Pack as separate report types. Twelve selectable sections. Tone selector on the Board Report: standard, enterprise, or board. The Regulator Pack carries a CONFIDENTIAL regulatory disclosure caveat and is designed to be submitted directly without further editing.
Generated reports are logged with regenerate and remove actions. Regenerate re-runs the same parameters and updates the existing history row in place. The audit trail stays clean.
Policy Generation
AML Policy live through the Policy Centre. Basic, Developing, and Advanced maturity tiers. UK, EU, Mexico, Saudi Arabia, and Spain jurisdiction plug-ins. Organisation settings, MLRO details, board approval dates, and regulatory regimes in scope resolve into the document at generation time. Ten further FCC policies on the roadmap: Sanctions Screening, PEP, CDD/EDD, SAR Filing, Transaction Monitoring, Record Retention, Training, Whistleblowing, Tipping-Off Prevention, and Risk Appetite Statement.
Risk Register Integration
FCC is registered as a source type in the platform FAIR-based risk register. Every BWRA question scoring below target maturity is written into the risk register on assessment completion. Each risk carries a code tied to the originating question, a residual annual loss expectancy from the FAIR engine, and local breach-cost coefficients from the organisation profile. Risks close automatically when the BWRA is re-run and the underlying question scores at or above target.
Frameworks referenced: FATF 40 Recommendations, MLR 2017, JMLSG, POCA, Bribery Act s.7, FCA Handbook, FinCEN BSA, OFAC, SAMA AML Law, CNBV LFPIORPI, Ley 10/2010 SEPBLAC, ISO 27001, NIST CSF 2.0, DORA, NCA ECC, SOC 2, HIPAA.
See the FCC Module in Action
Available on Enterprise and Professional plans. Book a demo or start your assessment.