A

AIFMD (Alternative Investment Fund Managers Directive)

A European Union directive that establishes a harmonised regulatory framework for the authorisation, supervision, and oversight of alternative investment fund managers (AIFMs). AIFMD imposes obligations relating to transparency, reporting, leverage limits, remuneration policies, depositary requirements, and delegation arrangements. For fund administrators and corporate service providers, AIFMD creates specific obligations around the oversight of delegated functions, risk management, and the provision of accurate and timely reporting to regulators and investors. Compliance mapping under AIFMD requires tracing obligations across multiple functional areas, from portfolio management through to investor disclosure.

C

CDD (Customer Due Diligence)

The process of verifying a customer's identity, understanding the nature and purpose of the business relationship, and assessing the risk the customer poses. CDD is a core requirement under AML/CFT legislation and typically includes identity verification, source of funds assessment, and ongoing monitoring. The depth of CDD applied is proportionate to the risk level of the customer, with enhanced measures required for higher-risk relationships.

Compliance Framework

The structured system of policies, procedures, controls, roles, and governance arrangements that a regulated firm uses to meet its regulatory obligations. A mature compliance framework is not a collection of documents but an interconnected system where obligations flow through to controls, controls are evidenced, and the entire chain is traceable and auditable. Effective frameworks are actively maintained rather than created once and left static.

Compliance Monitoring

The ongoing, systematic process of assessing whether a firm's controls, policies, and procedures are operating effectively and in accordance with regulatory requirements. Compliance monitoring is distinct from internal audit in that it is typically performed by the compliance function as part of its first or second line responsibilities, rather than as an independent third-line assurance activity. A robust monitoring programme is risk-based, follows a defined plan approved by the board or compliance committee, and produces documented findings that are tracked through to resolution. Monitoring outputs — including testing results, identified deficiencies, and remediation actions — are critical evidence for demonstrating to regulators that the firm does not merely have a compliance framework on paper, but actively tests and maintains it.

Consumer Duty

A regulatory standard, most notably introduced by the FCA in the United Kingdom, that requires firms to deliver good outcomes for retail customers across four key areas: products and services, price and value, consumer understanding, and consumer support. Consumer Duty shifts the regulatory approach from prescriptive rules about what firms must do to an outcomes-based standard focused on the results that customers actually experience. For compliance teams, Consumer Duty requires a fundamentally different mapping approach: obligations cannot be satisfied by documented processes alone but must be evidenced through demonstrated outcomes, customer data analysis, and ongoing monitoring of whether the firm's products and services are delivering fair value and meeting customer needs.

Control

A specific action, process, or mechanism that a firm implements to meet a regulatory obligation or mitigate a risk. Controls can be preventive (designed to stop non-compliance from occurring), detective (designed to identify non-compliance when it does occur), or corrective (designed to remediate non-compliance after it is identified). Each control should be linked to one or more obligations and supported by evidence of both its design and its operating effectiveness.

Control Evidence

Documented proof that a control has been designed, implemented, and is operating effectively. Evidence can take many forms: completed checklists, approval records, system logs, meeting minutes, training attendance records, or monitoring reports. The critical requirement is that evidence is specific enough to demonstrate that the control was executed as designed, at the right time, by the appropriate person. Without evidence, a control is merely an assertion.

D

Defensible Mapping

A regulatory mapping that can withstand scrutiny from regulators, auditors, and internal stakeholders because every link in the chain — from regulation to obligation to control to evidence — is documented, reasoned, and current. A defensible mapping is not simply one that exists, but one that can explain why each connection was made, when it was last reviewed, and what evidence supports it. The term distinguishes rigorous, audit-ready mappings from superficial checkbox exercises.

Delegation Oversight

The governance and monitoring arrangements that a regulated firm maintains over functions, activities, or services that it has delegated to third parties. Regulatory frameworks consistently hold that a firm may delegate tasks but cannot delegate regulatory responsibility. Delegation oversight therefore encompasses the initial due diligence on the delegate, the documented delegation agreement (including service levels, reporting requirements, and termination rights), ongoing monitoring of the delegate's performance and compliance, and the maintenance of sufficient expertise within the firm to oversee the delegated function effectively. For fund administrators and corporate service providers — which frequently both delegate to and receive delegations from other entities — mapping delegation oversight obligations is a critical component of the compliance framework.

E

EDD (Enhanced Due Diligence)

Additional due diligence measures applied to customers, business relationships, or transactions that present a higher risk of money laundering, terrorist financing, or other financial crime. EDD goes beyond standard CDD and may include obtaining additional information about the source of wealth, conducting enhanced ongoing monitoring, obtaining senior management approval for the relationship, and performing more frequent reviews. EDD is typically required for politically exposed persons (PEPs), high-risk jurisdictions, complex ownership structures, and other elevated-risk scenarios.

G

Gap Analysis

A systematic process of comparing the current state of a firm's compliance arrangements against its regulatory obligations to identify areas of non-compliance, incomplete coverage, or missing controls. In the context of regulatory mapping, a gap analysis examines whether every applicable obligation has an assigned control, whether each control is evidenced, and whether policies and procedures adequately address the requirements. Gap analyses are typically performed during regulatory change implementations, pre-inspection preparations, and periodic compliance reviews.

Governance Framework

The overarching structure of roles, responsibilities, decision-making authorities, reporting lines, and oversight mechanisms through which a firm directs and controls its operations. A governance framework defines who is responsible for what, how decisions are made and escalated, how information flows between the board, management, and operational teams, and how the firm ensures accountability at every level. In regulated financial services, the governance framework is subject to specific regulatory requirements covering board composition, the role of independent directors, the establishment of committees (such as audit, risk, and compliance committees), the qualifications and fitness of key persons, and the documentation of governance arrangements. A well-mapped governance framework connects regulatory governance obligations to the specific roles, committees, and reporting structures that satisfy them.

GRC (Governance, Risk & Compliance)

An integrated approach to managing an organisation's governance obligations, enterprise risks, and regulatory compliance requirements. GRC recognises that these three disciplines are interconnected and that managing them in silos leads to duplication, gaps, and inconsistency. In practice, GRC often refers to both the strategic approach and the technology platforms used to implement it. Govix focuses specifically on the compliance and regulatory mapping dimension of GRC, providing the structured data layer that connects regulation to operational reality.

H

Horizon Scanning

The systematic, ongoing process of monitoring regulatory and legislative sources to identify upcoming changes that may affect a firm's compliance obligations. Horizon scanning encompasses tracking new and proposed legislation, consultation papers, supervisory guidance, thematic review findings, enforcement trends, and pronouncements from supranational bodies (such as FATF, IOSCO, and the European Commission) that influence domestic regulation. Effective horizon scanning is structured rather than ad hoc: it defines the sources to be monitored, the frequency of review, the criteria for escalation, and the person or team responsible. The output of horizon scanning feeds directly into the regulatory change management process, providing the early warning that allows firms to assess and implement changes proactively rather than reactively.

I

IDD (Insurance Distribution Directive)

A European Union directive that establishes harmonised rules for the distribution of insurance and reinsurance products. IDD imposes conduct-of-business requirements on insurance distributors, including obligations relating to product oversight and governance, demands and needs assessments, suitability and appropriateness testing, conflicts of interest management, remuneration disclosure, and professional knowledge and competence. For firms involved in insurance distribution — whether as primary distributors or as corporate service providers supporting insurance entities — IDD creates a distinct set of compliance obligations that must be mapped alongside other applicable regulatory frameworks. IDD is particularly notable for its emphasis on customer outcomes and product governance, themes that also appear in MiFID II and Consumer Duty.

Impact Assessment

The structured process of evaluating how a regulatory change — such as new legislation, an amendment, or updated supervisory guidance — affects a firm's existing compliance framework. A thorough impact assessment identifies which obligations are created, modified, or removed; which policies, procedures, and controls need to be updated; which evidence requirements change; and what operational or resource implications arise. The assessment should be documented and form part of the firm's regulatory change management record. Without a consistent impact assessment methodology, firms risk implementing changes incompletely, missing cascading effects on controls and evidence chains, or failing to update their regulatory mappings to reflect the new requirements.

M

Mapping Drift

The gradual divergence between a firm's documented regulatory mappings and the actual regulatory landscape or operational reality. Mapping drift occurs when regulations change but mappings are not updated, when internal processes evolve without corresponding mapping adjustments, or when new obligations are enacted but not incorporated into the compliance framework. Over time, mapping drift undermines the reliability and defensibility of the entire compliance structure. It is one of the most common findings in regulatory inspections.

MiFID II (Markets in Financial Instruments Directive II)

A comprehensive European Union legislative framework governing firms that provide services in relation to financial instruments (such as shares, bonds, units in collective investment schemes, and derivatives) and the venues where those instruments are traded. MiFID II imposes extensive obligations across multiple domains, including client categorisation, suitability and appropriateness assessments, best execution, transaction reporting, product governance, conflicts of interest management, inducements, record-keeping, and organisational requirements. For fund administrators, wealth managers, and investment managers, MiFID II creates a complex web of obligations that must be mapped to specific controls and policies. The directive's breadth means that a single firm may have hundreds of individual MiFID II obligations, each requiring traceable controls and evidence.

MLCO / MLRO (Money Laundering Compliance Officer / Money Laundering Reporting Officer)

The designated individuals responsible for overseeing a firm's AML/CFT compliance and for receiving and evaluating internal suspicious activity reports. The MLRO is responsible for deciding whether to file Suspicious Activity Reports (SARs) with the relevant Financial Intelligence Unit (FIU). The MLCO has broader responsibility for the firm's overall AML/CFT compliance framework. Depending on the jurisdiction and firm size, these roles may be held by the same person or by different individuals. Both roles carry significant personal regulatory responsibility.

O

Obligation

A specific requirement imposed on a firm by legislation, regulation, guidance, or a code of practice. Obligations are the atomic units of regulatory compliance — the granular “must do” or “must not do” statements that a firm needs to identify, understand, and address. Effective regulatory mapping depends on extracting obligations at a level of granularity that is actionable: specific enough to map to a control, but not so fragmented that the mapping becomes unmanageable. A single piece of legislation may contain hundreds of individual obligations.

Outsourcing Arrangement

A formal arrangement under which a regulated firm engages a third-party service provider to perform a function, activity, or service that the firm would otherwise undertake itself. Regulatory frameworks impose specific obligations on outsourcing arrangements, particularly where the outsourced function is critical or important to the firm's regulated activities. These obligations typically cover pre-outsourcing due diligence, documented service agreements with defined service levels and performance metrics, ongoing monitoring and oversight, business continuity and exit planning, notification to the regulator (for material or critical outsourcing), and the maintenance of sufficient internal expertise to oversee the provider. For fund administrators and corporate service providers, which operate complex webs of outsourcing relationships, mapping outsourcing obligations requires tracing requirements across multiple regulations and ensuring that each arrangement has documented controls and evidence of ongoing oversight.

P

PEP (Politically Exposed Person)

An individual who holds or has held a prominent public function, including heads of state, senior government officials, senior judicial or military officials, senior executives of state-owned enterprises, and important political party officials. The definition extends to immediate family members and close associates of such persons. PEPs are considered higher risk for money laundering and corruption because of the positions they hold or have held, and regulated firms are required to apply enhanced due diligence measures to business relationships and transactions involving PEPs. These measures include establishing the source of wealth and source of funds, obtaining senior management approval for the business relationship, and conducting enhanced ongoing monitoring. PEP screening and risk assessment are among the most scrutinised areas during AML/CFT regulatory inspections.

Policy Exception

A documented, approved departure from a firm's established policy or procedure in a specific instance. Policy exceptions recognise that rigid application of every policy in every circumstance is neither practical nor always appropriate, provided that deviations are controlled, justified, and recorded. A well-managed exception process requires a formal request documenting the reason for the exception, an assessment of the associated risks, approval by an individual with appropriate authority (typically a senior manager or compliance officer), any compensating controls or mitigating measures to be applied, and a defined duration or review date. The exception register — a log of all approved exceptions — is an important audit artefact that demonstrates the firm manages deviations through governance rather than ignoring them. Unmanaged exceptions are a common inspection finding and signal weak control discipline.

Policy Translation

The process of converting regulatory requirements and mapped obligations into clear, operational internal policies and procedures that staff can understand and follow. Policy translation bridges the gap between the language of regulation (often legalistic and abstract) and the language of operations (practical, role-specific, and action-oriented). Effective policy translation ensures that the intent of the regulation is preserved while making the requirement accessible to the people who need to implement it day to day.

Proportionality

A foundational regulatory principle that requires the measures a firm takes to meet its compliance obligations to be proportionate to the nature, scale, and complexity of its business and the risks it faces. Proportionality does not mean doing less — it means calibrating the depth, sophistication, and resource intensity of compliance arrangements to the firm's actual risk profile. A small trust company with a limited number of low-risk clients is not expected to have the same compliance infrastructure as a global investment bank, but its arrangements must still be adequate for its circumstances. In practice, proportionality affects how firms design their control frameworks, how they scope their compliance monitoring programmes, how they resource their compliance functions, and how they document and justify their approach. Regulators frequently assess whether a firm's compliance arrangements are proportionate, and both over-engineering and under-resourcing can be findings.

R

Regulatory Change Management

The structured process of identifying, assessing, and implementing changes to a firm's compliance framework in response to new or amended regulations, guidance, or regulatory expectations. Effective regulatory change management ensures that changes are detected early, their impact on existing mappings and controls is assessed, and the necessary updates to policies, procedures, and evidence requirements are implemented before the change takes effect. Without a robust change management process, firms are at risk of mapping drift and non-compliance.

Regulatory Mapping

The structured process of linking regulations and their individual obligations to the firm's internal controls, policies, procedures, and evidence. A regulatory map creates a traceable chain that answers the question: “For each thing we are required to do, what are we doing about it, and how can we prove it?” Regulatory mapping is the foundation of defensible compliance and sits at the centre of audit readiness, gap analysis, and regulatory change management.

Relevance Filtering

The process of determining which regulatory obligations are applicable to a specific firm, based on its activities, client types, jurisdictions of operation, and licence conditions. Not every obligation in a piece of legislation applies to every firm. Relevance filtering is the disciplined exercise of identifying which requirements are in-scope and documenting the rationale for including or excluding each one. A firm's relevance decisions should be recorded and defensible, as regulators may challenge the basis on which certain obligations were deemed not applicable.

Remediation

The process of correcting identified compliance deficiencies, control weaknesses, or regulatory findings. Remediation involves designing and implementing corrective actions, testing their effectiveness, and documenting the resolution. Effective remediation addresses root causes rather than symptoms, is tracked through to completion, and is integrated into the firm's governance reporting. Remediation actions typically arise from gap analyses, internal compliance monitoring, external audits, or regulatory inspections.

Risk Appetite

The level and type of risk that a firm's board is willing to accept in pursuit of its business objectives. In a compliance context, risk appetite defines the boundaries within which the firm operates — for example, which client types it will accept, which jurisdictions it will service, and what level of residual regulatory risk it considers tolerable after controls are applied. Risk appetite should be formally documented, approved by the board, and reflected in the firm's policies, procedures, and control design.

Risk-Based Approach

A methodology for allocating compliance resources, designing controls, and prioritising monitoring activities based on an assessment of the risks that each area, client, product, or jurisdiction presents. A risk-based approach is a core expectation of virtually every regulatory framework in financial services and stands in contrast to a uniform, one-size-fits-all approach. Under a risk-based approach, higher-risk areas receive more intensive scrutiny, deeper due diligence, more frequent monitoring, and stronger controls, while lower-risk areas receive proportionately lighter treatment. Critically, a risk-based approach must be documented and demonstrable: the firm must be able to show how it assessed the risk, what criteria it used, and how its control design and monitoring intensity reflect that assessment. A firm that claims to operate a risk-based approach but cannot produce the underlying risk assessments and methodology will struggle to defend its arrangements under regulatory scrutiny.

S

Supervisory Review

An assessment conducted by a regulatory authority to evaluate a firm's compliance with its regulatory obligations, the adequacy of its governance and risk management arrangements, and the effectiveness of its internal controls. Supervisory reviews take various forms: scheduled on-site inspections, desk-based reviews of submitted documentation, thematic assessments across multiple firms, and targeted examinations triggered by specific concerns or events. The outcome of a supervisory review may include formal findings, required actions with defined timelines, conditions on the firm's licence, public or private censure, or, in the most serious cases, enforcement proceedings. For compliance teams, the key to managing supervisory reviews effectively is maintaining permanent readiness through current regulatory mappings, traceable evidence chains, and documented governance arrangements — so that a review notification triggers a structured response process rather than an emergency preparation exercise.

T

Thematic Review

A focused examination conducted by a regulator across multiple firms, targeting a specific area of regulation, risk, or industry practice. Unlike firm-specific inspections, thematic reviews are designed to assess the state of compliance across a sector or subsector on a particular topic — such as AML/CFT effectiveness, governance quality, or outsourcing oversight. Thematic reviews often result in published findings and industry-wide recommendations, which may in turn trigger additional regulatory expectations or changes.

Traceability

The ability to trace a clear, documented path from a regulatory requirement through to the control that addresses it, the policy that governs it, and the evidence that proves it is operating. Traceability is the defining characteristic of a defensible compliance framework. When traceability exists, a firm can answer any regulatory or audit question by following the chain from regulation to evidence. When it is absent, the firm relies on institutional knowledge, ad hoc searches, and assertions that cannot be independently verified.

Traceability Pack

A compiled document or export that presents the end-to-end traceability chain for a specific regulatory domain, obligation set, or inspection theme. A traceability pack typically includes: the applicable regulations, the extracted obligations, the mapped controls, the governing policies and procedures, and the supporting evidence. Traceability packs are used to demonstrate compliance during inspections, audits, and board reporting. When maintained in real time rather than assembled ad hoc, they transform audit preparation from a project into an export.
