Annual Compliance Review
In brief: MLR reg 21(1)(b) independent annual review — five-step wizard with dual sign-off.
A dual-signed, supervisor-defensible review of your firm's AML programme for a stated period. Required by reg 21(1)(b) of the Money Laundering Regulations 2017 ("an independent audit function shall examine and evaluate the adequacy and effectiveness of the policies, controls and procedures").
The ACR wizard captures what we knew, what we checked, what we found, and who signed off in a single archived record so a supervisor (HMRC, ICAEW, SRA, etc.) can verify your programme end-to-end without you having to assemble evidence after the fact.
Where it lives
Sidebar → Annual Review (or /firm/compliance/annual-review).
The surface is entitlement-gated on the compliance.annual_review
plan tier. Free firms see a paywall card; Professional and
Enterprise plans get the wizard.
The five steps
1. Posture snapshot
Read-only record of what Certivus saw at the moment the ACR was started — compliance health score + traffic light, client portfolio distribution by risk band, MLRO appointment, and any open exceptions carried forward from the previous ACR. The snapshot is frozen, so even if your numbers change mid-review the report still reflects the "what we knew" baseline.
2. Policies + procedures
Three-row checklist — PCP currency, FWRA currency, MLRO appointment status. Each is classified as current / due-soon / overdue / missing against a 12-month currency window. Each row links to the source surface (Settings → Compliance, Settings → Risk) so you can verify before signing off in step 5.
3. Sample testing
A stratified-random sample of clients drawn deterministically from the review ID (so an auditor can re-derive the same set). Strata cover high-risk, EDD-required, recent-onboard, long-standing, and a sanity sweep of medium/low. For each sampled client you record an outcome — pass / minor / major / critical — and a non-pass outcome nudges you straight into the exception-logging dialog so the finding doesn't get lost.
4. Exceptions
Every exception attached to this ACR — those logged from sample testing plus any carried forward from the previous ACR. Filter by status + severity, and inline-resolve (or mark "accepted risk") with a short note. The audit log captures every state change.
5. Sign-off
Dual sign-off — the appointed MLRO signs first, then a senior
manager (firm owner, partner, managing partner) countersigns.
The two signatures must come from different users — the
database enforces this and the UI nudges towards it. When the
second sign-off lands, the ACR flips to completed and becomes
archivable for supervisor inspection.
How sampling works
- Deterministic seed.
setseed(md5(review_id))means the same review ID always selects the same clients. An auditor can verify your sample by re-running the function. - Stratified. The default size scales with portfolio size (capped) and partitions across high-risk, EDD-required, recent-onboard, long-standing, plus a random medium/low sweep. No accidental bias toward any one cohort.
- Idempotent re-draw. Calling
acr_select_sampleagain on the same review is a no-op — the table holds the existing rows and the page stays stable.
Exceptions carry-forward
When you start a new ACR, any exceptions with status open or
in_progress from the previous completed ACR are duplicated
into the new period with their original metadata preserved (the
new row records metadata.carried_from_review_id). The badge
"Carried forward" appears on those rows in the Exceptions
step so you can see the year-on-year overhang at a glance.
Why dual sign-off
Reg 21 requires both the MLRO and "the board / senior management" to take ownership of the firm's AML programme. The two-signature requirement on the ACR captures both halves of that ownership in one place. The server enforces same-user rejection, so the firm owner cannot sign as both MLRO and senior manager — even if they hold both roles.
Editing after completion
You can't. Once both sign-offs land, the row is locked. To re-open or correct an error you would start a new ACR (typically mid-period as a "supplementary review") with a narrow period covering only the corrected items.
What goes on the PDF (coming in 78d)
- Posture snapshot block
- Methodology + sample table with stratum labels
- Per-sample outcomes
- Exceptions table grouped by severity
- Both signatures with timestamps, IPs, and attestations
- An auditor's appendix showing the sampling parameters so they can independently reproduce the draw
The PDF is exportable and forms the supervisor-facing artifact when HMRC / your professional body asks for evidence of an independent annual review.
Didn't find what you needed?
Contact support