Chapter 40 Exercises

Integrating the RegTech Stack — A Full Program Review


Exercise 40.1: Integration Gap Analysis

Difficulty: Introductory

The following describes the compliance technology environment at Meridian Wealth Management, a UK-regulated wealth manager with £8.5bn in assets under management:

Systems in operation:
- KYC platform (Vendor A): Customer identity verification, risk classification, PEP/adverse media screening
- Transaction monitoring (Vendor B): AML monitoring for client transactions; alert generation and initial triage
- Sanctions screening (Vendor C): Real-time screening against OFAC, UN, HM Treasury lists; alerts for potential matches
- Regulatory reporting (Internal): Excel-based manual process for CASS reporting and MiFIR transaction reporting
- Case management (Vendor B, same as TM): Case creation, escalation, SAR drafting

Current data flows:
- KYC exports a weekly CSV to Transaction Monitoring containing customer risk classifications
- Sanctions Screening has no connection to any other system
- Case Management receives alerts from Transaction Monitoring only
- Management reports are produced manually by the CCO's assistant each month using Excel

a) Apply all four integration tests (single customer view, cross-domain alert correlation, audit trail continuity, management information consistency) to this environment. For each test, state whether Meridian passes or fails, and identify the specific gap.

b) Map the data flows that are missing. For each missing data flow, describe: what data should flow; from which system to which system; what the consequence of the missing flow is; and what the implementation approach would be (API, batch, shared database).

c) Rank the missing integrations in priority order. For each, justify your ranking based on: (i) regulatory risk of the current gap; (ii) operational impact; (iii) implementation complexity.

d) Propose a 12-month integration roadmap for Meridian. What is addressed in each phase? What are the dependencies between phases?


Exercise 40.2: Program Health Dashboard Design

Difficulty: Intermediate

You are the Head of Compliance Technology at a mid-size UK asset manager. You have been asked to design a program health dashboard that will be presented to the Risk Committee quarterly. The dashboard must provide a unified view of compliance program performance across all domains.

a) Identify 12 key performance indicators (KPIs) for the compliance program health dashboard. For each KPI, specify:
- The metric name and definition
- The domain it covers (KYC/identity, financial crime, regulatory reporting, governance)
- The data source
- The target range (green / amber / red thresholds)
- The frequency of measurement (daily, weekly, monthly)
- The escalation action if the metric enters red

b) Design the dashboard layout. Describe what a reader sees at first glance (the top-line health score), in the second layer (domain-level indicators), and in the detail view (individual metric drill-down). The dashboard should require no more than 3 minutes for an informed Risk Committee member to interpret.

c) The CFO asks why the compliance health score was 72% last quarter but has risen to 81% this quarter. Write the two-paragraph explanation, in non-technical terms, that the CCO would use to explain this improvement.

d) Two of your KPIs conflict this quarter: the false positive rate is at an all-time low (excellent), but the number of SARs filed has declined significantly (potentially concerning). Write the Risk Committee briefing note explaining this correlation and its compliance implications.


Exercise 40.3: Cross-Domain Incident Response Design

Difficulty: Intermediate-Applied

A customer at a UK challenger bank simultaneously triggers:
- An AML alert (transaction monitoring flagged an unusual cash pattern)
- A potential sanctions match (screening flagged a name similarity to a UN-listed individual)
- A fraud alert (device fingerprinting flagged a device associated with a prior fraud account)

All three alerts are generated on the same day and are in separate queues for three different teams.

a) Without an integrated alert registry, describe specifically what happens in this scenario — the sequence of events, the information available to each team, and the likely outcomes. Include: what each team investigates; what information they lack; what decisions they make; and whether the combined picture is ever assembled.

b) With an integrated alert registry and cross-domain correlation capability, describe how the scenario unfolds differently. What does each team see? How does the cross-domain flag change their approach? Who makes the final decision about the combined picture?

c) Design the cross-domain investigation protocol for this scenario — the specific steps, responsibilities, and information-sharing process that should apply when a customer has concurrent alerts in three domains.

d) One of the three investigations involves a potential SAR filing. The other two do not individually meet the SAR threshold. Does the combined picture meet the threshold? Design the decision framework that the compliance team should use to assess whether cross-domain combinations constitute SAR-worthy suspicion.


Exercise 40.4: Technical Integration Architecture

Difficulty: Applied — Technical

You are designing the data integration architecture for a fictional fintech (Apex Payments Ltd) that is building its compliance technology stack from scratch. Apex will deploy:
- A KYC/identity platform (vendor-provided)
- A transaction monitoring system (vendor-provided)
- An in-house Python application for regulatory reporting (Apex's own code)
- A vendor case management system

a) Design the data architecture for the customer master record. Specify:
- Which system is the "master" (source of truth for customer data)
- What fields it contains (minimum 10 fields across identity, risk, screening, and history)
- How updates from non-master systems are handled (e.g. case management flags a risk upgrade)
- How the master record is versioned (how do you know what the customer's risk classification was on a specific date 18 months ago?)

b) Design the API specification for the unified alert registry. Write a Python dataclass-based schema for:
- UnifiedAlert: the canonical alert record across all systems
- AlertEnrichmentRequest: the request that an investigation UI would make
- AlertEnrichmentResponse: the enriched view returned to the investigator

c) Write the Python function signature (with type hints and docstring) for the cross-domain correlation check:

def check_cross_domain_correlations(
    customer_id: str,
    new_alert: UnifiedAlert,
    alert_registry: list[UnifiedAlert],
    lookback_days: int = 90
) -> list[str]:
    """
    [Write the complete docstring here]
    """
    ...

Implement the function body using reasonable logic.
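An added illustrative implementation of parts (b) and (c), not the textbook's model answer: a minimal UnifiedAlert dataclass and a correlation check that flags prior alerts on the same customer from other domains within the lookback window, ignoring alerts already closed as false positives. The field set, domain labels, status values and sample registry are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class UnifiedAlert:
    """Canonical alert record normalised from every source system (illustrative fields)."""
    alert_id: str
    customer_id: str
    domain: str          # "aml", "sanctions" or "fraud"
    source_system: str   # vendor or internal system that raised the alert
    raised_at: datetime
    status: str          # "open", "escalated" or "closed_false_positive"

def check_cross_domain_correlations(
    customer_id: str,
    new_alert: UnifiedAlert,
    alert_registry: list[UnifiedAlert],
    lookback_days: int = 90,
) -> list[str]:
    """Return sorted flags, one per prior alert on this customer from a *different*
    domain raised within ``lookback_days`` before ``new_alert``. Alerts closed as
    false positives are skipped so cleared noise does not inflate the picture.
    Example flag: ``"fraud+aml: AML-001 raised 2024-03-04"``.
    """
    window_start = new_alert.raised_at - timedelta(days=lookback_days)
    flags = []
    for prior in alert_registry:
        if (prior.customer_id != customer_id or prior.alert_id == new_alert.alert_id
                or prior.domain == new_alert.domain
                or prior.status == "closed_false_positive"
                or not window_start <= prior.raised_at <= new_alert.raised_at):
            continue
        flags.append(f"{new_alert.domain}+{prior.domain}: {prior.alert_id} "
                     f"raised {prior.raised_at:%Y-%m-%d}")
    return sorted(flags)

# Constructed registry mirroring Exercise 40.3: three same-day alerts on one customer, plus a
# cleared false positive, a stale alert outside the window, and another customer's alert.
_DAY = datetime(2024, 3, 4)
SAMPLE_REGISTRY = [
    UnifiedAlert("AML-001", "CUST-42", "aml", "vendor_b_tm", _DAY, "open"),
    UnifiedAlert("SANC-002", "CUST-42", "sanctions", "vendor_c_screening", _DAY, "open"),
    UnifiedAlert("FRD-003", "CUST-42", "fraud", "device_fingerprinting", _DAY, "open"),
    UnifiedAlert("AML-000", "CUST-42", "aml", "vendor_b_tm", _DAY - timedelta(days=30), "closed_false_positive"),
    UnifiedAlert("SANC-999", "CUST-42", "sanctions", "vendor_c_screening", _DAY - timedelta(days=200), "open"),
    UnifiedAlert("FRD-777", "CUST-7", "fraud", "device_fingerprinting", _DAY, "open"),
]

def demo() -> list[str]:
    # The fraud alert is the last of the three to arrive; correlate it against the registry.
    return check_cross_domain_correlations("CUST-42", SAMPLE_REGISTRY[2], SAMPLE_REGISTRY)
```

Widening lookback_days to a year pulls the stale sanctions alert back into the picture, which is the trade-off between recall and noise that part (c)'s docstring should document.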

d) Design the audit log aggregation schema. The audit log must be able to answer the question: "On date X, what was the compliance status of customer Y, and what decisions had been made about them?" Specify the table structure, the required fields, and the query that would retrieve the complete decision history for a specific customer.


Exercise 40.5: Program Maturity Progression

Difficulty: Applied — Reflective

This exercise asks you to apply the full arc of this textbook — from individual technology components to integrated program — to a single institution's journey.

Scenario: You are the newly appointed CCO of Glenbrook Building Society, a UK mutual with 320,000 members, £4.2bn in assets. The outgoing CCO left a compliance technology environment with four vendor systems, no API integrations between them, a manual regulatory reporting process, and a compliance team that describes their work as "fighting fires."

a) Conduct a maturity assessment of Glenbrook's current compliance technology program using the five-dimension framework from Chapter 35 (process automation, data quality, reporting capability, monitoring effectiveness, audit trail completeness). Assign a score of 1-5 for each dimension based on the description above, with justification.

b) You have three years and a cumulative budget of £1.5M to transform the program. Using the three-horizon roadmap approach from Chapter 35 and the integration priorities from Chapter 40, design the complete three-year transformation roadmap. Specify:
- What gets done in Horizon 1 (0-6 months)
- What gets done in Horizon 2 (6-18 months)
- What gets done in Horizon 3 (18-36 months)
- The measurable outcome at each horizon milestone

c) At the end of Year 3, you present the program to the PRA in a regulatory visit. The PRA examiner asks: "Can you show me everything your systems knew about customer XYZ and every compliance decision your institution made about them over the past three years?" Draft your response — what you can show, what you pull up, how long it takes, and what the examiner sees.

d) A junior colleague asks: "Why did we spend £1.5M on technology we already had? We already had transaction monitoring, KYC, and case management." Write a 200-word response that explains the distinction between having tools and having an integrated program — using specific examples from Glenbrook's transformation.