Briefings·Methodology
20 February 2026 6 min read GSIG-B-2026-006

The Examination Room: What Regulators Actually Ask For

Eighteen months ago, your compliance team approved a flagged transaction. Today, an examiner is asking you to walk through the reasoning. Your screening vendor produced a risk score; you have a record of it. The examiner wants to know what came next.

A specific scenario, drawn from patterns we see repeatedly in conversations with institutional compliance leaders.

It is mid-2027. A mid-sized regulated exchange has been notified of an upcoming supervisory examination. The examiners have requested documentation on a series of transactions that the institution's monitoring system flagged eighteen months prior. The transactions were not blocked — they were reviewed, scored, and approved.

The examiner sits down with the head of compliance. The first question is procedural: what is your monitoring stack? The answer is straightforward: a leading commercial blockchain analytics subscription, integrated into the transaction monitoring workflow, configured to surface risk above a specified threshold.

The second question is the one most compliance programmes are not built to answer.

"Take me through the reasoning your team applied when these transactions were approved. Show me the entity analysis. Show me how you assessed the counterparty. Show me the basis for the conclusion."

This is the moment at which screening becomes insufficient — and at which the structural difference between screening and intelligence becomes operationally consequential.

What the institution actually has

In most cases, the institution has the following:

  • A timestamped log of risk scores returned by the screening vendor at the time of the transactions
  • A workflow record showing that the transactions were escalated according to internal procedure
  • A note from the analyst confirming that the counterparty was reviewed and the transaction approved
  • A reference to the vendor's label (or absence of label) for each address involved

Each of these artefacts is real. None of them, individually or collectively, answers the examiner's question.

The risk score is a number generated by a model whose weights the institution cannot inspect. The vendor's label is a categorical assignment whose evidentiary basis is not exposed to the customer. The analyst's note is a procedural record, not a forensic narrative. The decision was, in functional terms, we trusted the vendor.

For routine transactions in 2018, this would have been adequate. For institutionally significant transactions in 2026 and beyond, it increasingly is not.

What the examiner wants instead

The examiner is asking for a specific category of artefact — one that screening systems do not produce and were not designed to produce. They want:

  • Entity-level identification of the counterparties involved. Not "the address belonged to an exchange" but "the address belonged to this specific operator, whose business is this specific activity, attributed to this specific jurisdiction, with the following evidence base."
  • A traceable flow of funds. Not "the funds came from an unflagged address" but "the funds originated from this entity, passed through these intermediaries, and arrived at the institution via this specific pattern — and the pattern was assessed as follows."
  • A defensible analytical narrative. Not "the score was below threshold" but "the team examined the counterparty's broader transactional profile, found these characteristics, and concluded this assessment on the basis of this reasoning."
  • Continuity of reasoning. Not a one-time score but a documented investigative trail that another analyst — or an examiner, or a court — can audit and follow.

This is not screening output. This is intelligence output.

Screening tells you whether a transaction hits a list. Intelligence tells you what the transaction actually is, who is behind it, and what the defensible position looks like. Both are necessary. Only one of them is what most institutions currently have.

Why the gap matters specifically here

The examiner's question — take me through the reasoning your team applied — does not have a screening-shaped answer. It has an intelligence-shaped answer.

The institution that produces an intelligence-shaped answer demonstrates a compliance programme that operates above the level of vendor-as-default. The institution that produces only screening artefacts demonstrates a programme that has, in effect, outsourced its analytical function to a vendor whose model the institution cannot defend.

In a routine examination, this distinction may not surface as a finding. In a serious one — particularly one prompted by a specific concern — it will. And it will surface in the form that examination findings always take: a request for remediation, a timeline, and a documented gap that the institution must close before the next cycle.

What an intelligence-grade case file actually contains

For the institution that does maintain an intelligence function, the answer to the examiner's question is a file. The file contains:

  • The counterparty identification: who the institution determined the counterparty actually was, with the evidentiary basis for that determination
  • The transactional reconstruction: where the funds came from, where they went after the institution received or disbursed them, across however many chains and intermediaries
  • The risk assessment: what risks were identified, what risks were considered and discounted, and on what basis each judgement was made
  • The analytical narrative: the reasoning chain that connected the available evidence to the disposition decision
  • The provenance: the data sources, the methodology, the analyst, the date, and any subsequent updates as new information emerged

A regulator examining this file does not necessarily agree with every conclusion. They may have been disposed differently. But they can see the reasoning, the evidence, and the institution's analytical posture. This is what a defensible compliance programme looks like under examination.

Operational implication The institutional capability that increasingly differentiates compliance programmes under examination is the ability to produce a forensic narrative on demand. Institutions that cannot produce this narrative are finding themselves structurally exposed — not because their screening failed, but because screening alone is no longer considered sufficient evidence of adequate supervision.

The economics of building this capability

Building an internal forensic intelligence function is expensive. A production-grade intelligence operation requires multi-chain data infrastructure, attribution methodology, a team of analysts with cross-disciplinary expertise, and continuous refresh of attribution data as new entities, services, and patterns emerge. The fixed cost is significant; the marginal cost of serving each additional case is low.

This profile — high fixed cost, low marginal cost — is the reason intelligence is almost always delivered as a subscription service rather than an in-house capability. The same graph, the same analysts, and the same methodology can serve many institutions. The alternative is for each institution to build the infrastructure alone, at a cost most cannot justify against the frequency of use.

Closing

Examination cycles do not test what compliance programmes were configured to do. They test what compliance programmes can demonstrate. A programme that can only demonstrate vendor outputs is, increasingly, a programme that has not been tested under pressure.

The institutions that will be operating above the standard in the next cycle are those that have built the intelligence layer between their screening infrastructure and their regulatory engagement. The institutions that have not built this layer will discover, repeatedly, that we used a leading vendor is not the answer the examiner is asking for.

GSIG provides forensic intelligence as a subscription service for regulated financial institutions, governments, and counsel. Engagements include on-demand investigation, intelligence-grade case file production, and audit-trail support under engagement letter and privilege.

Suggested citation
Global Sanctions Intelligence Group (2026). "The Examination Room: What Regulators Actually Ask For." GSIG Briefing GSIG-B-2026-006, 20 February 2026. Available at: https://gsig.uk/briefings/examination-room
GSIG-B-2026-006 · Methodology · 20 February 2026 ← All briefings