When an AML supervisor — ICAEW, ACCA, AAT, CIOT, IFA, or HMRC — visits your firm to review your ACSP work, they have a fairly narrow set of questions. The questions are not surprising. The answers, in most firms we’ve seen, are surprisingly hard to produce.
This article walks through what the supervisor will ask, what evidence answers each question, and what shape that evidence needs to be in.
The supervisor’s actual questions
The five questions, in order:
- Show me the policy. What is your firm’s documented AML and identity-verification policy?
- Show me a sample. Pick one verification at random. Walk me through what happened, who approved it, and when.
- Show me the failures. When verifications failed or required manual review, what did your firm do? Show me the records.
- Show me the audit trail. How do I know nothing has been altered after the fact?
- Show me the volume. How many verifications did your firm run last quarter? Last year? Per client?
Each of these questions, in a healthy workflow, takes under five minutes to answer. In an unhealthy workflow, each one is a panic.
Question 1 — The policy
This isn’t an evidence question. It’s a documentation question. You either have a current AML policy that reflects the Money Laundering Regulations 2017 (as amended) and the ECCT Act 2023, or you don’t.
If yours is older than 2024, rewrite it. The standard your supervisor expects covers:
- Risk assessment methodology.
- Customer due diligence procedures (with specific reference to ACSP-related verification).
- Enhanced due diligence triggers.
- Manual review and escalation procedures.
- Record-keeping standards (minimum five years).
- MLRO contact and reporting obligations.
Endorser doesn’t write your policy for you. But it makes the operational side match what the policy promises — so when the supervisor cross-references the two, they line up.
Question 2 — The single-sample walkthrough
This is the question that exposes most spreadsheet workflows.
The supervisor picks an individual at random — say, “John Smith, director of Acme Trading Limited” — and asks you to walk through everything that happened. They want to see, in order:
- When the verification request was sent.
- What method was used (GOV.UK One Login direct, or ACSP-mediated).
- The result returned by the IDV provider, including confidence scores and any flags.
- Any manual review steps, with the reviewer’s name, the timestamp, and the decision rationale.
- The final approval and the resulting Companies House identity reference.
- The fee charged to the client and the invoice it appeared on.
In a spreadsheet workflow, this typically requires opening four files, cross-referencing three different timestamps, and eventually admitting that the manual-review note “looked OK to me — Sarah” doesn’t quite meet the standard.
In a system of record, you click the individual’s name and the entire trail appears on one screen. Endorser is built around this exact view.
Question 3 — The failure cases
Approximately 5–10% of verifications require manual review. Of those, perhaps a third end up rejected, redone, or escalated.
The supervisor will deliberately ask about these cases. They want to see:
- Why the verification was flagged for manual review.
- Who reviewed it.
- What decision was made and on what basis.
- Whether any subsequent verification attempt was made, and what happened.
- Whether the client was informed.
Critically: the rationale must be stored at the time of the decision, not reconstructed later. A reviewer can’t write “I decided this was fine” two months after the fact and expect the supervisor to accept it.
This is what tamper-evident audit logs are for. Every Endorser decision — pass, fail, manual override — is recorded with the reviewer, the timestamp, the rationale, and a cryptographic hash that chains into the firm’s overall audit log. You can’t backdate a decision. The supervisor knows you can’t backdate a decision.
Question 4 — The audit trail
This is where Silicon-Valley-style “we have logs” answers fall apart.
The supervisor isn’t asking whether you have logs. They’re asking whether the logs are tamper-evident. Specifically:
- Are the logs append-only, or could a database administrator have modified them?
- Is there a cryptographic mechanism that would expose any modification?
- Can you produce a third party (an auditor, a service provider) who can independently verify the chain?
Endorser’s audit log is hash-chained per firm. Each entry includes the hash of the previous entry. Modifying any historical entry would invalidate every subsequent hash. The chain is exposed via API; an auditor can verify it from outside the system. We’ve designed this specifically so the answer to “how do I know nothing has been altered” is “here is the cryptographic proof.”
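The decision records from Question 3 and the per-firm chain described above, as an added example that is not Endorser’s code or API: a minimal hash-chained log with a verifier an auditor could run outside the system. It also shows why the verifier compares the chain head against a hash recorded elsewhere. The field names, canonical-JSON hashing with SHA-256, and the all-zero genesis value are assumptions.

```python
import copy, hashlib, json

GENESIS = "0" * 64  # assumed prev_hash for the first entry in a firm's chain

def entry_hash(entry):
    # Hash the canonical JSON of every field except the stored hash itself.
    body = {k: v for k, v in entry.items() if k != "hash"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(data.encode("utf-8")).hexdigest()

def append(log, timestamp, reviewer, decision, rationale):
    entry = {"seq": len(log), "timestamp": timestamp, "reviewer": reviewer,
             "decision": decision, "rationale": rationale,
             "prev_hash": log[-1]["hash"] if log else GENESIS}
    entry["hash"] = entry_hash(entry)
    log.append(entry)
    return entry["hash"]  # new chain head

def verify_chain(log, trusted_head=None):
    """Return (ok, seq_of_first_problem, reason)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry.get("seq") != i:
            return False, i, "sequence gap or reordering"
        if entry.get("prev_hash") != prev:
            return False, i, "broken link to previous entry"
        if entry.get("hash") != entry_hash(entry):
            return False, i, "content does not match stored hash"
        prev = entry["hash"]
    if trusted_head is not None and prev != trusted_head:
        return False, None, "head differs from externally held hash"
    return True, None, "chain intact"

def tamper_scenarios():
    log = []  # constructed sample records, not real verification data
    append(log, "2025-01-10T09:15:00Z", "reviewer-a", "pass", "IDV result clean")
    append(log, "2025-01-10T11:02:00Z", "reviewer-b", "manual_override",
           "name mismatch explained by marriage certificate on file")
    head = append(log, "2025-01-11T14:40:00Z", "reviewer-a", "fail", "document expired")
    edited = copy.deepcopy(log)
    edited[1]["rationale"] = "looked OK"  # in-place edit, stored hashes untouched
    rebuilt = copy.deepcopy(edited)
    for i, e in enumerate(rebuilt):       # whole chain re-hashed after the edit
        e["prev_hash"] = rebuilt[i - 1]["hash"] if i else GENESIS
        e["hash"] = entry_hash(e)
    return {"clean": verify_chain(log, head),
            "edited": verify_chain(edited, head),
            "rebuilt_no_anchor": verify_chain(rebuilt),
            "rebuilt_anchored": verify_chain(rebuilt, head)}
```

The chain alone catches an in-place edit. A chain that was re-hashed end to end passes the internal checks and is caught only by comparing its head with a hash the auditor or another third party recorded earlier.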
Question 5 — The volume report
The fifth question is mostly a calibration check. The supervisor wants to see:
- Total verifications run in the period.
- Pass / fail / manual-review breakdown.
- Per-client volume (to check that the firm hasn’t quietly stopped serving a client whose risk profile would otherwise demand attention).
- Trend over time.
This is the easy one — if the data lives in a system of record. From a spreadsheet, building a quarterly volume report from scratch takes a half-day. From Endorser, it’s a single export.
What the evidence pack looks like
We call the deliverable an evidence pack: a signed bundle, per-client or per-individual or per-date-range, that answers all five questions in one file.
A typical evidence pack contains:
- A PDF with a human-readable summary, ready for the supervisor to read on screen or print.
- A JSON manifest with every verification, every decision, every hash, every timestamp — for any auditor who wants to verify independently.
- A signature binding the bundle’s hash to the firm’s identity at the moment of export.
- An integrity proof showing the chain from the bundle back to the individual entries in the live audit log.
It’s the same shape regardless of whether the supervisor is from ICAEW, HMRC, or an external auditor performing a SOC-equivalent review. We’ve designed it to be boring on inspection — and the highest praise from a supervisor’s mouth is “this is fine.”
The honest truth: most ACSP-registered firms can pass an AML supervisor review with effort. What they can’t do is pass it efficiently. The difference between a four-hour panic and a 25-minute polite chat is whether the evidence already exists in the right shape.
That’s what Endorser is for. Book a 15-minute demo and we’ll show you what the evidence pack looks like for a real verification.