Preparing a compliance officer for questioning by the regulator


Since 2016 I have been leading COREDO through dozens of investigations, thematic reviews and interviews with regulators in the EU, the UK, Singapore and the UAE. During that time the COREDO team has assisted clients in obtaining crypto, payments, forex and banking licences and in the supervision that follows, including high-stakes episodes ranging from AML investigations and sanctions issues to requests concerning cross-border transactions. This article is a distillation of that practice: how to prepare the Chief Compliance Officer (CCO) and the MLRO for questioning, what to expect, which rights to protect and which documents to present in order to pass the inspection professionally, keep the regulator's trust and reduce risk in a controlled way.

COREDO's experience shows that a regulatory interview is a controllable process if you start preparing in advance, run a transparent communications strategy and maintain documentation discipline. Below is the working framework I personally use when, together with a client, I build the defence, the communications and the responses to supervisory authorities' requests.

Activation of the response plan

The first signal is a request for documents, an invitation to an interview, or a supervisory notice. At this stage it is important to secure procedural fairness: confirm receipt of the notice, clarify the scope of the inspection, and agree the timing and format of interaction, including whether the interview will be recorded and whether external counsel will attend. The approach COREDO uses begins with a risk triage: which jurisdictions are affected, which regulations apply (AMLD5/AMLD6, FATF recommendations, Wolfsberg guidance), which categories of personal data are involved (GDPR), and which roles are implicated.

My experience shows that an early self-assessment (gap analysis) and the prompt issue of a litigation hold notice preserve evidence and define the correct scope of document production. I always recommend putting an escalation matrix in place at the same time, so that every person who receives a regulator contact knows whom to notify and within what time.

Roles and responsibilities of CCO, MLRO, CEO

The rights and duties of the Compliance Officer during an inspection should be set out in writing. The CCO and MLRO are responsible for the completeness of the factual account and the accuracy of references to policy; the CEO for the company's position and the strategy for dealing with supervisory authorities; and the board of directors for oversight and approval of key decisions, including the remediation plan and the budget for external consultants and forensic investigation.

During questioning the CCO is entitled to counsel, to rely on legal privilege for communications with that counsel, and, where the interview takes place in another jurisdiction, to an interpreter. The exact scope of these rights depends on the jurisdiction and on whether the interview is voluntary or compelled, which is one more reason to confirm the format in writing before the interview.

Privilege and data protection: documents

How documents are handled, how privilege is observed and which data protection measures are applied determine what must be disclosed and how it is stored securely while the matter is open. Below we look at document production, legal hold and the practical application of privilege rules, with the aim of making the steps clear and the risks small.

Documents, legal hold and privilege

The COREDO team has run many document production cycles supported by a privilege log, in which each withheld document is described by its nature, date and parties without disclosing the privileged content itself. Legal privilege and the protection of counsel communications are critical, and both are easiest to defend when the log is kept from the first day of the legal hold.

GDPR: DPIA and cross-border requests

Cross-border requests frequently raise GDPR questions about transferring data to regulators. At COREDO we prepare a DPIA in advance, determine the legal basis for the transfer (for example, compliance with a legal obligation), and apply data minimisation and encryption in transit and at rest. For requests under an MLAT (mutual legal assistance treaty) we check compliance with local law and the applicable bank-secrecy exceptions, and we preserve client confidentiality when several supervisory authorities are involved.

Preparing the CCO and MLRO for an interview

I treat preparation as a multi-level programme. First we prepare for legally significant statements: we build a structured interview protocol and template answers, and rehearse regulator question scenarios on sanctions, AML and KYC, SAR/STR procedures and transaction monitoring. Then we run mock interviews and stress tests, including role-play scenarios and an assessment of each witness's suitability.

Psychological preparation and stress management for witnesses is a separate module. I teach the CCO to state facts, to avoid guessing, and to say "I don't recall" and have it recorded rather than speculate when not certain.

Questions on AML/KYC/sanctions/transactions

Regulators often probe the depth of the risk-based approach. We prepare answers to questions about transactions: how alerts are matched to the underlying transactions and what the monitoring analytics show, how false positives are reduced, and how automated AML monitoring and machine learning are used. If external software is used, we present the AML software providers and the vendor screening performed on them, the results of independent testing, and the ongoing monitoring and testing of AML controls.

Forensics and electronic evidence

In complex cases we engage an external forensic expert for electronic examination and e-discovery, including discovery over corporate e-mail. Forensic recovery of deleted data is performed while maintaining the chain of custody (who handled which artefact, when, and the integrity hash taken at each handover), and material is reviewed in protected interview rooms and secure rooms, especially where it contains personal data or information subject to banking secrecy.

Mitigating factors and remediation

Self-reporting to the regulator is a difficult decision, but it often earns credit for cooperation (voluntary disclosure and cooperation credit). In COREDO's practice there is the case of a payment company in one EU country where early disclosure, an immediate remediation plan, subsequent verification of the fixes and an independent audit of the compliance measures allowed the company to avoid a fine and receive only an official warning.

Interaction with suppliers

Scaling the preparation process in a global company requires managing third parties and vendors during investigations. The COREDO team has developed criteria for third-party due diligence and supplier risk, as well as contract terms for external consultants and experts that clearly define responsibilities for confidentiality, information security and response times.

Compliance checklist for a regulator interview

This checklist is not an abstraction but a distillation of our approach. Before the interview the team works through it in full and records completion of each item in the incident management and tracking system:

  • Confirm the scope of the review: supervisory notice, subject matter, timelines, recording format, and participation of counsel.
  • Implement a litigation hold, define the legal hold scope, build a privilege log, and appoint custodians.
  • Define the internal counsel vs external counsel strategy, select an approach and the boundaries of privilege.
  • Conduct a gap analysis, prepare a remediation plan, and agree it with the board of directors.
  • Confirm GDPR/DPIA, data transfer channels, encryption, cross‑border mechanisms, and banking secrecy.
  • Organize document production: chain of custody, audit trail, document versions, and access control.
  • Conduct mock interviews and stress tests, assess psychological readiness and backup witnesses.
  • Form a structured response protocol and templates for the regulator reply.
  • Check the sanctions and AML/KYC blocks: OFAC/EU/UN screening, beneficial-owner (BO) disclosure, SAR/STR filings, and automated monitoring.
  • Prepare an executive summary of the investigation for the regulator and case law materials.
  • Set up secure rooms/video conferences, obtain consent to record the interview, and document the risks.
  • Conduct vendor screening (AML software, forensics) and confirm their ISO 27001 / SOC 2 attestations.
  • Agree the media policy, D&O insurance cover, the escalation matrix, and BCP plans for the review period.
  • Calculate preparation costs and economic efficiency, balance external consultant vs internal team.
  • Set KPIs and ROI for preparation for regulatory interviews, time to resolution and recovery metrics.

Recording and Retention Policies

A record-keeping and retention policy is the foundation of the evidentiary base. We implement a retention policy and a destruction schedule with exceptions for legal hold, maintain an access log, and, as part of training, set rules for documenting interviews and producing a transcript. Virtual interviews and secure video conferences must meet the recording requirements: consent to record and the associated legal risks, plus storage and access in accordance with GDPR. The recordings themselves are personal data and fall within the legal hold scope, so the destruction schedule must not touch them while the matter is open.
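The two mechanics this section and the forensics section rely on, a destruction schedule that yields to a legal hold and a chain of custody that can detect later alteration, are shown below as an added example. It is not COREDO's code and not a product API: the Record, LegalHold, manifest structure and the sample mailbox records are hypothetical and constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta


# Hypothetical models for the example; field names are the example's own.
@dataclass
class Record:
    record_id: str
    custodian: str        # person or mailbox the record belongs to
    created: date
    retention_days: int   # destruction schedule for this record class
    content: bytes        # embedded so the example runs offline


@dataclass
class LegalHold:
    name: str
    custodians: set
    record_ids: set = field(default_factory=set)
    released: bool = False

    def covers(self, rec):
        """A hold applies by custodian or by individual record until released."""
        return not self.released and (
            rec.custodian in self.custodians or rec.record_id in self.record_ids)


def retention_decision(rec, holds, today):
    """Legal hold always wins over the destruction schedule."""
    if any(h.covers(rec) for h in holds):
        return "HOLD"
    if today >= rec.created + timedelta(days=rec.retention_days):
        return "DESTROY"
    return "RETAIN"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def log_custody(manifest, rec, actor, action, when):
    """Append a custody entry; the hash is taken at the moment of handover."""
    manifest.append({"record_id": rec.record_id, "sha256": sha256_hex(rec.content),
                     "actor": actor, "action": action, "when": when.isoformat()})


def verify_custody(manifest, rec):
    """True only if the record still matches every hash recorded for it."""
    entries = [e for e in manifest if e["record_id"] == rec.record_id]
    return bool(entries) and all(e["sha256"] == sha256_hex(rec.content) for e in entries)


def sample_records():
    # Constructed sample data: three mailbox exports, five-year retention class.
    return [
        Record("MBX-001", "mlro@example.test", date(2018, 3, 1), 5 * 365, b"alert 4711 escalated late\n"),
        Record("MBX-002", "ops@example.test", date(2018, 3, 1), 5 * 365, b"routine ops mail\n"),
        Record("MBX-003", "ops@example.test", date(2024, 1, 15), 5 * 365, b"recent ops mail\n"),
    ]


def run_example():
    today = date(2025, 6, 1)
    hold = LegalHold("REG-REVIEW-2025", custodians={"mlro@example.test"})
    recs = sample_records()

    # Expired MLRO mail is held; expired ops mail is destroyed; recent mail is retained.
    decisions = {r.record_id: retention_decision(r, [hold], today) for r in recs}

    # Chain of custody for the held record: export by IT, receipt by the forensic vendor.
    manifest = []
    log_custody(manifest, recs[0], "it-admin", "export", datetime(2025, 6, 2, 9, 0))
    log_custody(manifest, recs[0], "forensic-vendor", "received", datetime(2025, 6, 2, 11, 30))
    intact = verify_custody(manifest, recs[0])

    # Any later edit to the artefact is detected against the logged hashes.
    recs[0].content += b"edited\n"
    tampering_detected = not verify_custody(manifest, recs[0])

    # Once the hold is released the ordinary destruction schedule applies again.
    hold.released = True
    after_release = retention_decision(recs[0], [hold], today)
    return decisions, intact, tampering_detected, after_release


if __name__ == "__main__":
    print(run_example())
```

The point of ordering the checks this way is that a hold is evaluated before the expiry date, so a destruction job cannot remove a record simply because its retention period has run out; and because each custody entry carries the hash taken at handover, any later change to the exported artefact is visible to whoever reviews the manifest, which is what the regulator expects a chain of custody to demonstrate.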

Pace and the economics of scaling

Preparation costs and economic efficiency are a matter not only of budget but also of decision-making speed. Comparing the cost of external consultants with that of the internal team usually leads to a hybrid model: internal fact-gathering and preservation of privilege, external legal strategy and forensics. At COREDO we plan resources for investigations, set SLAs for responses, and rank issues by priority and risk so that time is not spent on secondary matters.

Typical question scenarios

When questioning the MLRO, the regulator may move to the details of specific alerts, late escalation, or the absence of a SAR/STR. Here the MLRO or CCO should point to the risk-assessment methodology, the monitoring frequency and the second-line control function, as well as the improvements implemented after the incident. If sanctions are involved, we demonstrate the screening against OFAC/EU/UN lists, the enhanced triggers and the post-event review.

COREDO practice cases

In one European jurisdiction the COREDO team accompanied the questioning of a payment institution's CCO after a series of sanctions alerts triggered on a client from a third country. We confirmed that the sanctions lists were correctly configured, showed a reduction in false positives achieved by re-tuning the screening rules, and provided the periodic monitoring reports. The outcome was an instruction to strengthen due diligence for one category of clients, with no fine imposed.

Pre-litigation dialogue with regulators

Best practice for preparing the CCO for European regulators includes early pre-litigation dialogue, transparent demonstration of the methodologies applied (AMLD5/6, FATF, Wolfsberg), a structured executive summary of the investigation and a clear reference base of policies and procedures. It is important not to argue about form but to agree reasonable timelines and process while protecting privilege and GDPR compliance.

Conclusions

A regulatory interview is not a lottery but a managed project with clear phases and KPIs. The keys to success are a timely response plan for regulator requests, competent document production, legal privilege and protected communications, and professional preparation of the CCO and MLRO through mock interviews and stress tests.

COREDO, after years of work in the EU, the United Kingdom, Estonia, Cyprus, the Czech Republic and Slovakia, Singapore and Dubai, has built a predictable, transparent approach that helps clients pass inspections, obtain licenses and grow. If you need a regulator engagement strategy, external legal support for an interrogation, e‑discovery or an independent audit of compliance measures, the COREDO team will offer a solution adapted to your business model and jurisdictions. I am convinced: a prepared CCO is the best argument for trust in your company and its sustainable growth.
