View .md

Inspection pack

One click turns your compliance records into a regulator-ready evidence bundle — with a fingerprint on every file so an inspector can verify nothing was altered, without having to trust you.

CorpSec AI product guide·Updated 2026-07-11

What it is and when to use it

An inspection pack is a self-contained evidence bundle you can hand to a regulator during an ACRA CSP AML/CFT inspection, a PDPC enquiry, or a client’s due-diligence review. Instead of scrambling to assemble dossiers by hand, you generate the whole thing in one action — and it is built so the recipient can verify its integrity independently.

Reach for it whenever someone needs proof of your due-diligence posture: a scheduled inspection, an ad-hoc regulator request, an audit, or onboarding a bank that wants to see how you handle KYC.

Where to find itLive

Open Settings → Inspection Pack. It is restricted to firm admins and the responsible qualified individual (RQI) — anyone else sees a short message explaining that only those roles can generate a pack.

Settings → Inspection Pack: a Scope selector (Entire firm / Selected companies), a Pack type chooser (ACRA CSP AML/CFT, PDPC, General), an Output toggle (ZIP / JSON) and a "Generate inspection pack" button.

Generate a packLive

  1. Choose the scopePick Entire firm, or Selected companies and tick the ones you need from the list.
  2. Choose the pack typeACRA CSP AML/CFT (customer due-diligence, screening, UBO, decision trail), PDPC data protection (retention, masking, access control), or General due-diligence (a broad evidence pack for any reviewer).
  3. Optionally add the PDPC sectionTick Include PDPC data-protection posture section to append it to any pack type.
  4. Choose the output formatZIP (the full bundle with files) or JSON (the structured data on its own).
  5. Click "Generate inspection pack"CorpSec AI assembles the pack — allow up to around 15 minutes for a large firm — and downloads it to your browser.
Note

Identity numbers are L1-masked in the pack by default (for example S****567A), and generating a pack is written to the append-only audit log.

What’s inside — and why an inspector can trust it

The pack contains a cover attestation, each in-scope company’s CDD dossier (identity, risk rating, screening snapshots, UBO look-through, documents and the decision trail), a firm summary, and an integrity manifest.

The manifest is the key: every file carries a SHA-256 fingerprint the inspector re-computes themselves. If a single byte were changed, the hash would not match — so they can trust the record without trusting the CSP. That is what makes the pack credible in an inspection.

Honest disclosure of degraded recordsLive

The pack tells the truth about its own limits. Any company that is still on demo/mock screening, or whose screening was unavailable, is flagged red on the cover as "not independently screened" rather than being passed off as clean. CorpSec AI never hides a degraded record — a credible pack is worth more than a flattering one.

Heads up

This is why connecting a real screening provider matters before a formal inspection: until then, screening runs on demo data (see KYC & compliance) and every affected company is disclosed as not independently screened.

Frequently asked questions

Who can generate an inspection pack?

Only firm admins and the responsible qualified individual (RQI). Other roles see a message explaining the restriction.

How can a regulator be sure the pack wasn’t edited?

Every file carries a SHA-256 fingerprint recorded in the integrity manifest. The regulator re-computes the hashes themselves; any alteration breaks the match. They do not have to trust the CSP to trust the record.

Does the pack expose clients’ NRIC numbers?

No. Identity numbers are L1-masked by default (e.g. S****567A). A raw, unmasked snapshot is only available through the admin data-export path, which itself requires explicit confirmation and is audit-logged.

What if some companies were only screened on demo data?

They are flagged red on the cover as "not independently screened". The pack discloses this honestly rather than implying a clean bill of health.

ZIP or JSON — which should I choose?

ZIP gives you the full bundle including document files and is what you would normally hand over. JSON is the structured data on its own, useful for programmatic checks.

This is a product guide for CorpSec AI. Where a feature runs on demo data or is not yet released, it is labelled as such. Compliance references are general information for Singapore corporate service providers, not legal advice.

Was this helpful?