Real-time compliance monitoring: why sampled audits are too late

A managing director at a UK lending network recently told us why his firm walked away from after-the-fact file auditing. "When you've done a deal and then you do an audit on it, it's usually too late if you find out there's a problem because the deal's done. So one of the reasons we went down the route we've gone is so that we're actually auditing it as the deal's in process, rather than auditing it after the fact."

That isn't a preference. It's the line between compliance that changes outcomes and compliance that records them.

Most regulated firms still sit on the wrong side of it. The compliance calendar runs on periodic file review: a sample of completed cases, pulled monthly or quarterly, checked by a reviewer who never touched the case while it was live. That exercise can tell you what went wrong last quarter. It can't stop anything, because the deal completed weeks before the file was opened.

The alternative is worth defining plainly. Real-time compliance monitoring checks every case as it moves through the workflow, gating decisions before completion, rather than sampling files for review after the deal has already closed.

Periodic file audits don't reduce compliance risk; they document it after the loss is locked in. By the time a sampled file reaches a reviewer the deal has completed, the customer has the product, and the breach is already on your books.

The regulator has been pushing this way for two years. The Consumer Duty requires firms to monitor and evidence customer outcomes on an ongoing basis, set out in the FCA's final guidance, and the FCA's framing since has been blunt: the Duty is "not once and done". An annual sample doesn't evidence ongoing anything.

No compliance director ever chose sampling because it was the best way to manage risk. It won because manual review was too slow to allow anything else.

A manual file review takes 50 to 90 minutes. At real volumes, checking every completed case by hand would swallow the compliance budget, so firms check what they can afford: typically 10 to 15% of files, weighted by risk. The rest complete unchecked, and problems surface the expensive way, through customer complaints, lender feedback or a regulator's visit.

Risk you only measure on a sample is risk you've decided not to manage.

The sharpest operators worked this out years ago and re-architected. The MD quoted above runs every deal through a rule-based system: "[I]n order to progress a deal, the AR has to complete the mandatory fields and the mandatory steps. So we're actually auditing the deals in real time." Notice who that is: a principal firm answerable for the conduct of its appointed representatives, exactly the population the FCA expects principals to oversee with adequate systems and controls.

For networks, the supervisory question is shifting from how big the sample was to what the system stopped, and when. We've set out the principal-firm side in a principal firm's playbook for network compliance.

Real-time monitoring isn't a faster report. It's a gate inside the workflow that stops a case advancing until it's clean.

The distinction matters because "monitoring" has been colonised by dashboards, and a dashboard that tells you about a breach faster is still telling you after it happened. Embedded means the check fires at the point of decision: when an adviser assembles a case in the CRM, the checks run before submission, and the case can't reach the lender until it passes. We build this at Curvestone as an API-first layer that plugs into whatever CRM or origination system a firm already runs, with pre-submission checking as a distinct trigger from post-submission review. The gate lives where the work happens, not in a second system beside it.

The economics are what changed. Manual file review of over an hour per case collapses to minutes at about 99% accuracy. That speed makes checking 100% of cases in real time economically possible, instead of sampling 10 to 15%. Sampling was never a method; it was a price. When the price falls this far, the rationale built on it falls too.

The same MD again: "The system is always overlooking to see what has and hasn't been done. And so anything that has to be done, you can't move the deal forward unless it's been completed."

When we show real-time checking to sophisticated compliance teams, the instinct is to file it against what already exists. One operator said it to us directly: "it's like you say, it's a review tool, doesn't it?"

It's the natural category, and it's the wrong one. A review tells you about a decision after it's been made; a gate changes the decision while it can still change. The checks may be identical, but the relationship to the outcome is not. File real-time monitoring under "review" and you'll score it against the audit team you already have, and buy nothing more than a faster way to read about the past.

A faster rear-view mirror is still a rear-view mirror. Monitoring that matters changes the decision, not just the report.

None of this removes human review; it relocates it. When every case is checked in flight, reviewers stop re-keying the 95% of files that were always going to be fine and spend their judgement on the flagged exceptions. The system surfaces findings for a human to approve or override; it doesn't make the decision. That division of labour is the point: judgement is the scarce resource in every compliance team, and sampling was only ever a way of rationing it.

In a real-time model the audit trail stops being paperwork you assemble after the fact and becomes the live record of every gated decision: what was checked, what was flagged, who overrode it, and when. That's the evidence a regulator, a PI insurer and your own board now ask for, and it's the difference between asserting your controls work and showing it.

Most of the market isn't ready for that question. Three quarters of UK financial services firms already use AI, yet 46% report only a partial understanding of the technologies they use, according to the FCA and Bank of England's joint AI survey. That governance gap makes a provable, real-time audit trail a buying requirement, not a nice-to-have.

So when the next Consumer Duty board report is due, the question worth asking isn't "how big was our sample?" It's "what did we gate before the case completed?" The first produces a percentage; the second produces evidence.

If you want to see what gating a case in-workflow looks like on your own files, talk to us. Thirty minutes, your case shape, no slides.