Compliance and audits for FinTech
Regulatory audits, procedure reviews, ongoing compliance support and preparation for inspections — for payment institutions, lending firms and other supervised entities.
how can we help you?
Audits
We'll check whether your organisation's information security management system meets NIS2/KSC requirements. We'll identify gaps and show what to fix first.
AML audits
We'll verify the effectiveness of anti-money laundering procedures. The goal: not just compliance, but a real improvement of identification, monitoring and reporting processes.
DORA Audits
We'll assess your organisation's digital operational resilience against DORA. We'll review IT policies, business continuity, vendor management and incident readiness.
Compliance as a Service
Ongoing support for compliance and legal teams. We monitor changes, update procedures, help with reporting and advise on day-to-day decisions.
DPO outsourcing
We take over the data protection officer or AML officer function. We perform the role, report to the board, handle incidents and liaise with regulators.
Annual procedure reviews
Regulations require annual reviews of AML, GDPR, ISMS and DORA procedures. We'll handle it for you and flag what needs updating.
Inspection support
We'll prepare your organisation for a KNF, GIIF or UODO inspection. We'll run a simulation, help during the inspection and analyse the outcome.
Training
We train teams in AML, GDPR, NIS2, DORA and board liability. On-site workshops and an e-learning platform — tailored to the role within the organisation.
Procedure and process review
A comprehensive review of procedures and processes for supervised institutions. We map regulatory obligations, identify gaps and prepare a remediation plan.
Due Diligence
A regulatory examination ahead of buying, selling or bringing an investor into a FinTech. We'll assess licences, procedures, compliance risks and IT security.
our compliance and audit experts
We combine legal, regulatory and operational expertise. We know the reality of supervised institutions because we work with them every day.
Tomasz Klecor
Managing Partner
FinTech navigator. Lawyer.
Paweł Geremek
Attorney-at-law
ISO 27001 Auditor
information security management system audits
We check whether your organisation's ISMS works as it should — not just on paper. We verify policies, processes and technical safeguards against NIS2/KSC requirements and best practices.
Asset inventory
We check whether you have an up-to-date register of information assets and whether ownership has been assigned for each of them. Without this, risk management becomes difficult.
Risk assessment
We verify whether the risk analysis is up to date and proportionate to the scale of the business. We check the methodology, criteria and links to board decisions.
Security policies
We assess the completeness and consistency of security policies: from access control, through encryption, to incident and vendor management.
Business continuity plan
We check whether BCP and DRP exist, are tested and cover realistic failure scenarios. Without them, the organisation is defenceless against a serious incident.
Tests and simulations
We verify whether the organisation regularly tests its security mechanisms: penetration tests, incident exercises and data recovery tests.
Audit report and recommendations
We deliver a report with the audit findings, prioritised gaps and specific remediation recommendations. We help implement the changes.
AML audits — improving procedures
We don't run audits just to produce a report. Our goal is to genuinely improve anti-money laundering procedures so they are effective in day-to-day work and ready for a GIIF inspection.
CDD/EDD procedure review
We check whether customer identification and verification procedures work properly: onboarding, source-of-funds verification, handling of PEPs and high-risk countries.
Transaction monitoring
We assess the effectiveness of the monitoring system: alert rules, amount thresholds, escalation logic and response time. We identify what generates false alarms and what overlooks real risks.
Alert and STR report testing
We test the path from detecting a suspicious transaction to the report sent to GIIF. We check whether alerts get lost in the system and whether reports are filed within the required deadline.
UBO identification verification
We check whether the beneficial owner identification process works properly: ownership structures, the 25% threshold, discrepancies with the register and documentation.
ML/FT risk assessment
We verify whether the institutional money laundering and terrorist financing risk assessment is up to date, complete and linked to specific mitigating measures.
Report and improvement plan
We deliver an AML audit report with specific recommendations and prioritisation. We help implement changes that genuinely improve the effectiveness of procedures.
DORA audits — improving procedures
We check the organisation's readiness for digital operational resilience requirements: from IT policies, through vendor management, to incident readiness. We point out what to fix so that DORA implementation makes sense.
IT policy review
We assess IT risk management policies: documentation, division of responsibilities, control mechanisms and their link to board decisions.
BCP and DRP testing
We verify business continuity and disaster recovery plans: whether they exist, whether they are tested and whether they cover the scenarios required by DORA.
IT vendor management
We check whether IT vendors are classified, monitored and covered by appropriate contractual clauses. Particularly important for critical providers.
Incident classification
We assess the IT incident classification procedure: materiality criteria, escalation paths, reporting deadlines and links to supervisory obligations.
IT risk register
We verify whether the IT risk register is complete and up to date, and whether risks have assigned owners and planned mitigation actions.
Report and improvement plan
We deliver a DORA audit report with prioritised gaps and recommendations. We help prepare a change implementation plan tailored to the organisation's scale.
compliance as a service — ongoing support
Ongoing support for compliance and legal teams on a subscription basis. We monitor changes, update documents and help with day-to-day decisions — so you don't have to track everything yourself.
Regulatory change monitoring
We track changes in legislation, guidelines and supervisory positions. We inform you of what matters for your business and recommend a response.
Source update
When the law changes, we update your procedures, policies and internal documents. We don't wait for an inspection — we act ahead of time.
Compliance team support
We help in-house compliance teams resolve complex cases, prepare positions and make decisions in non-standard situations.
Periodic reports
We prepare reports for the management board and supervisory board: compliance status, risk list, implementation progress and recommendations for next steps.
Ad hoc consultations
Have a question about a new product, process change or unusual situation? Get in touch — we respond on the fly, without waiting for a scheduled meeting.
Cross-departmental coordination
We help synchronise the work of compliance, legal, IT and business teams. We make sure regulations don't block processes and no one works in isolation.
DPO outsourcing
We take over the role of AML officer (AMLRO) or data protection officer (DPO). We perform the role, report to the board, handle incidents and maintain contact with regulators — with full accountability.
Acting as AMLRO
We take on the AML officer role: we oversee CDD/EDD procedures, monitor transactions, approve STR reports and handle contact with GIIF.
Acting as DPO
We perform the data protection officer role: we oversee processing, advise on DPIAs, handle data subject rights and liaise with UODO.
Reporting to the board
We regularly report compliance status, risks and recommendations to the management and supervisory boards. We prepare materials for meetings on an agreed cadence.
Incident handling
In the event of a data breach or suspicious transaction, we act immediately: we run the investigation, prepare notifications and coordinate the response.
Regulator contacts
We handle correspondence and contacts with KNF, GIIF, UODO and other supervisory authorities. We represent the organisation in compliance matters.
Employee training
As part of the outsourcing service, we train employees in AML and data protection. We make sure the team knows how to act in day-to-day work.
annual procedure reviews
Most regulations require annual reviews of procedures and documentation. We do this systematically, compare the current state with the previous year and point out what needs updating.
AML procedure review
An annual review of AML procedure effectiveness: CDD/EDD, transaction monitoring, STR reporting, sanctions screening and institutional risk assessment.
GDPR review
An annual GDPR compliance audit: currency of the record of processing activities, privacy notices, processing agreements, DPIAs and the breach procedure.
ISMS and NIS2 review
Review of the information security management system: policies, risk analysis, incident management, supply chain and reporting obligations.
DORA review
An annual review of digital operational resilience procedures: IT policies, IT vendor management, incident classification, BCP/DRP tests and the risk register.
Legislative change analysis
We check which changes in the law have occurred since the last review and assess their impact on the organisation's procedures. We identify gaps resulting from new rules.
Annual report and recommendations
We deliver a report summarising the compliance status, changes versus the previous year, a list of gaps and a prioritised remediation action plan.
support for KNF / GIIF / UODO inspections
We'll prepare you for an inspection before it arrives, support you during it and analyse the outcome. We know what regulators look for, because we've worked with them.
KNF inspection readiness
We check the organisation's readiness for an inspection by the Polish Financial Supervision Authority: documentation, procedures, reports and compliance status across key areas.
GIIF inspection readiness
We verify readiness for an inspection by the General Inspector of Financial Information: AML procedures, transaction registers, CDD documentation and STR reports.
UODO inspection readiness
We check readiness for an inspection by the President of the Personal Data Protection Office: record of processing activities, privacy notices, processing agreements and the breach procedure.
Inspection simulation
We run a simulation of a regulatory inspection: we test procedures, review documentation and check the team's response. We identify weak points before the real inspection arrives.
On-site assistance during inspection
We stand with you during the inspection: we help draft responses, coordinate the handover of documents and advise on the spot.
Post-inspection analysis
After the inspection we analyse the findings and the supervisor's recommendations. We help prepare the response, the remediation plan and implement the necessary changes.
compliance and regulatory training
We train the board, the compliance team, sales, IT and the entire organisation — split by role and tailored to your specifics. On-site workshops and an e-learning platform.
AML training
Anti-money laundering training: CDD/EDD, transaction monitoring, STR reporting, recognising red flags and employee responsibilities.
GDPR Training
Personal data protection training: processing obligations, data subject rights, the breach procedure, DPIAs and practical rules for working safely with data.
NIS2 and cybersecurity training
Training on NIS2/KSC obligations: information security management, incident reporting, board liability and cyber hygiene.
DORA Training
Digital operational resilience training: IT risk management, vendor management, business continuity, incident classification and reporting obligations.
Board training
Dedicated workshops for the management and supervisory boards: personal liability, the decision-making model, oversight of compliance and obligations stemming from regulation.
E-learning platform
We provide an e-learning platform with training modules for every employee. Tests, certificates and a training register ready for inspection.
review of procedures and processes for supervised institutions
A comprehensive review of all procedures and processes of a supervised institution. We check whether the organisation meets every requirement — from governance, through documentation, to the operating model.
Operational process audit
We check what the organisation's key operational processes look like: from customer onboarding, through transaction handling, to complaints and dispute management.
Governance review
We assess the organisation's governance model: allocation of responsibilities, compliance structure, reporting to the board, internal oversight and control.
Regulatory obligation mapping
We build a map of the organisation's regulatory obligations: what PSD2, AML, DORA, NIS2, GDPR and other rules require, and who is responsible.
Gap identification
We point out exactly where the organisation fails to meet the requirements: missing procedures, outdated documents, insufficient controls and weak points in processes.
Remediation plan
We prepare a prioritised remediation plan: what to do first, what can wait, how long implementation will take and what resources will be needed.
Post-review documentation
We deliver complete documentation from the review: report, risk matrix, remediation plan and a set of recommendations ready to present to the board and regulators.
due diligence ahead of a FinTech transaction
Buying or selling a FinTech, or bringing in an investor? We'll examine the organisation's regulatory standing: licences, procedures, compliance risks and IT security — so you know the real risks before signing.
Regulatory DD
We verify licences, register entries, the status of KNF obligations and other sector-specific requirements. We check whether the company operates legally and is not exposed to proceedings.
Compliance DD
We assess the state of compliance procedures: completeness of documentation, effectiveness of internal controls, incident history and regulatory risk exposure.
AML DD
We examine AML procedures: effectiveness of customer identification, transaction monitoring, GIIF reporting, inspection history and sanctions exposure.
Data protection DD
We check GDPR compliance: record of processing activities, legal bases, processing agreements, data transfers, breach history and exposure to UODO proceedings.
IT and cybersecurity DD
We assess IT security: system architecture, vendor management, security policies, incident readiness and DORA/NIS2 compliance.
DD report and risk scoring
We deliver a due diligence report with a risk assessment for each area, an overall score and recommendations for the transaction or investment process.
get in touch about compliance and audits
Write or call — in our first conversation we'll determine the scope and the stage your organisation is at.