RegTech Operations at a UK Challenger Bank — Continuous Controls Testing Across 1,400 FCA Obligations
Compliance Engine + Regulatory Reporter + Compliance Monitor turning periodic compliance attestations into a continuous, evidence-backed posture.
The challenge
The client — a UK challenger bank licensed for retail and SME banking — was operating a compliance programme whose mechanics had not kept pace with its operational scale. The bank's FCA obligations spanned approximately 1,400 distinct controls across conduct, consumer-duty, financial-crime, prudential and operational-resilience domains. The bank's compliance team operated on a quarterly-attestation cycle: each quarter, control owners attested that the control had operated effectively, with evidence captured in a SharePoint-based control-evidence repository.
The model was breaking. The bank's growth had compressed the quarterly cycle — control owners were chasing evidence days before each attestation deadline rather than capturing it as part of normal operations. The bank's internal audit team had identified material evidence gaps in its most recent annual review. The FCA's increasing supervisory expectations on Consumer Duty (which had come into force in 2023) and Operational Resilience (which had progressively tightened through 2024-25) were generating new control requirements faster than the bank's attestation model could absorb them.
The bank's CCO had set a target of moving the compliance programme from periodic attestation to continuous testing — controls would be tested continuously by automated mechanisms, with the evidence captured as a by-product of operations rather than as a separate manual exercise. The previous compliance-platform vendors evaluated had been able to deliver workflow management but not the continuous-testing capability the CCO was seeking.
The approach
MindMap deployed Compliance Engine (Ce) as the control-library and rules engine, Compliance Monitor (Cm) as the continuous-testing layer, Regulatory Reporter (Rr) for the periodic regulatory filings the bank still had to make, and Data Quality Auditor (Da) for the underlying control-evidence data-quality.
Phase one was the control-library rebuild. The bank's existing control inventory — held in a combination of SharePoint and Excel — was migrated to Compliance Engine's structured control library. Each control was decomposed into its testable assertion (what must be true for the control to be operating effectively), its evidence sources (which systems generate the evidence that the assertion holds), and its testing frequency (most controls migrated to continuous testing; a small minority retained periodic testing for inherent reasons).
Phase two was the evidence-integration layer. For each control, we built (or, where possible, configured from the bank's existing data feeds) the data flow that captured the evidence the control's assertion required. The bank's core banking platform, fraud-and-screening engine, customer-correspondence repository, complaints system, lending-decision engine and operational-resilience-monitoring platform were all integrated.
Phase three was the continuous-testing engine. Compliance Monitor evaluates each control's testable assertion against the streamed evidence on the control's defined cadence. Controls that fail (where the evidence does not support the assertion) generate an exception with the specific evidence cited and a routing to the control owner for resolution. The control's compliance state is continuously visible to the bank's compliance team, internal audit, and (in summary form) to the bank's board risk committee.
Phase four was the regulatory-filing integration. Regulatory Reporter generates the periodic regulatory returns the bank still has to make (the FCA filings, the Bank of England prudential filings) from the same continuously-tested evidence base, with full lineage from each filed line item to the underlying evidence.
The pre-built building blocks
Rather than commission a ground-up build, the engagement leaned on MindMap's pre-built accelerator library — production-tested components that compress what would otherwise be a six-to-nine-month build into weeks.
Compliance Engine
FCA control library and rules engine
Compliance Monitor
Continuous controls testing and exception management
Regulatory Reporter
Periodic FCA and PRA filing generation
Data Quality Auditor
Control-evidence data-quality monitoring
The architecture
The platform runs on the bank's AWS environment in the London region, with all PII processing inside the bank's VPC and full data residency in the UK. The platform is deployed as a microservices stack on EKS with autoscaling for the periodic-testing workloads (some controls run continuously; some run on hourly, daily or weekly cadences and have peakier load patterns).
Compliance Engine's control library is structured. Each control is represented as a structured entity with the control description, the regulatory citation, the testable assertion (in a domain-specific language that the rules engine evaluates), the evidence sources, the test frequency, the owner, the escalation path and the historical test results.
Compliance Monitor's continuous-testing engine runs on Kafka, consuming the streamed evidence from the integrated source systems. Each evidence event triggers the controls that depend on it; the control's assertion is evaluated; the result is persisted to the control's evidence history. Failed assertions trigger the exception workflow.
The integration layer is the work that took the longest to build. The bank's various source systems each have their own data shapes and access patterns; the platform's integration library wraps each in a normalised event-emitter that produces the evidence in the standard schema the continuous-testing engine expects. The integration library now covers approximately forty source systems.
Regulatory Reporter sits on top of the evidence base and generates the periodic regulatory filings the bank submits. Because the filings are drawn from the same evidence base that the continuous testing operates against, the bank has direct lineage from each filed line item through the underlying evidence to the source-system record.
The full audit trail — every control test, every exception, every evidence record — is persisted with the FCA-required retention. The bank's internal audit team has direct access to the audit trail and the FCA has been granted read-only inspection access under the bank's regulatory inspection protocol.
The numbers behind the story
All 1,400 FCA controls in the bank's control library are now either continuously tested (approximately 78%) or tested on a defined sub-quarterly cadence (the remainder). The quarterly-attestation cycle has been replaced by a continuous-evidence model.
Compliance-team capacity has been freed by approximately 61%. The reclaimed capacity has been redirected to two priorities: deep-dive review of the controls where the continuous testing identifies recurring exceptions (the genuine compliance-risk areas that the previous attestation model did not surface), and proactive engagement with the bank's product and operations teams on emerging regulatory expectations.
The bank's most recent FCA supervisory engagement — the first since the platform went live — explicitly commended the bank's compliance infrastructure and used the bank as a reference for other supervised challenger banks. The bank's internal audit team's latest annual review identified materially fewer evidence gaps than in prior years.
Control-exception resolution time has dropped from a median of several weeks (under the quarterly model, where exceptions were typically identified only at attestation time) to a median of 36 hours (under the continuous model, where exceptions surface in near-real-time and reach the control owner immediately).
An unexpected outcome: the platform has materially improved the bank's ability to onboard new regulatory requirements. The bank's response to a recent FCA Consumer Duty update — which added 28 new controls — was completed in three weeks, against a comparable update under the previous model that had taken roughly four months.
“Quarterly attestation was structurally inadequate for the regulatory environment we are operating in. MindMap's platform moved us to continuous controls testing across all fourteen hundred FCA controls in nine months. The FCA specifically commended our compliance infrastructure in their last supervisory engagement, and our compliance team is now doing strategic risk work instead of evidence chasing.”— Chief Compliance Officer· UK Challenger Bank
Why MindMap was chosen
The bank had evaluated three RegTech platforms. All three were strong on the workflow-management aspect (control inventory, attestation workflow, evidence capture) but none had the continuous-testing capability the CCO was specifically seeking. The continuous-testing capability requires deep integration with the bank's source systems, which the RegTech platform vendors generally did not undertake.
MindMap's accelerator-composition approach — bringing Compliance Engine for the rules and library, Compliance Monitor for the continuous testing, and the integration accelerators for the source-system connectivity — was the unique proposition. We could demonstrate the continuous-testing pattern in production at another UK-regulated institution.
Our embedded compliance expertise on the delivery team (two former compliance heads from UK-regulated firms and a former FCA supervisor) was the third factor. The bank's CCO felt that the team understood the regulatory and operational realities of UK compliance, not just the technology.
Related deployments
Sovereign WhatsApp Banking
ChatNext-powered WhatsApp bot deployed inside the bank's air-gapped data centre, handling balance, transfers, statements and loan applications in English and Swahili.
Cheque OCR at 99.1% Accuracy
DocuMage replaced a legacy template OCR for cheque clearing, processing 10,000 cheques per day at 99.1% field accuracy with 94% straight-through processing.
UK Challenger Bank KYC
OnboardX rebuilt the KYC pipeline with liveness, sanctions and PEP enrichment in a single STP flow, collapsing onboarding from 5 days to 4 hours.
Want an outcome like this?
Start with a 2-week AI Readiness Sprint. We deliver a prioritised use-case backlog and business case grounded in what's actually buildable with our accelerator library.