Playbook: Prepare for an ACRA inspection
Pull together the evidence a regulator asks for — per client — using the tools available today, while the one-click inspection pack is on its way.
The regulator-ready inspection pack is available today in Settings → Inspection Pack (admin only); the CDD dossier and data export are there too if you want a raw snapshot. For the underlying obligations, see AML/CFT obligations for CSPs.
Legal basis — what an inspector is testing
An ACRA inspection of a CSP tests whether you met your due-diligence and record-keeping duties. The basis below is from CorpSec AI’s verified citation table; this is general information, not legal advice.
- Records for at least 5 years: a registered CSP must keep records for at least 5 years and must have completed CDD before providing services — the Corporate Service Providers Act 2024 (in force 9 June 2025; verified). Your dossiers and audit log are that record.
- At least one RQI: the CSP must have a Registered Qualified Individual (verified; the exact firm cap is to be confirmed by counsel).
- Beneficial ownership: the register of registrable controllers must be current (internal 7 days, ACRA central 2 business days; verified).
For the framework, see MAS, AML/CFT & the CSP Act. Be transparent about anything that ran on demo data (screening) — the record flags it.
Why you are already in good shape
Because of how CorpSec AI records work as you go, a lot of inspection readiness is already done for you:
- The audit log is append-only — a tamper-evident history of every action, enforced by the database.
- Each client has a CDD dossier capturing identity, risk, screening snapshots, documents, the review schedule and a decision trail.
- Generated documents carry an integrity fingerprint (a hash) so you can prove they were not altered.
- Identity numbers are masked everywhere by default.
Step 1 — Confirm each client’s KYC is current
Use the compliance review radar to make sure no client is overdue for review. Clear anything outstanding first (see Run a periodic KYC review) so the evidence you hand over is up to date.
Step 2 — Export the CDD dossier for each client in scope
Open a client’s Compliance tab and click Export CDD Dossier. You get a complete, reconstructable due-diligence record for that client — the core of what an inspector wants to see.
- Compliance tab → Export CDD DossierDo this for each client the inspection covers.
- Check the honesty flagsWhere screening ran on demo data, the record says so — be ready to explain your screening arrangements.
Step 3 — Take a firm-wide data exportLive
For the broader picture, an admin can export the whole firm from Settings → Account → Export firm data. The ZIP option bundles the JSON snapshot, the ACRA-style CSV registers, and every generated document file, with a manifest of what is included — a single evidence bundle.
Exports mask identity numbers by default. If the inspection needs unmasked identifiers, an admin can produce the unmasked export via the explicit confirmation step — which is itself recorded in the audit log.
Step 4 — Show the audit trail
If asked to demonstrate controls — who approved what, that four-eyes was applied, that a document was blocked until KYC passed — open Settings → Audit Log. Because it cannot be edited or deleted, it stands as reliable evidence of your process.
Generate the inspection packLive
The built-in inspection pack produces all of this as a single, admin-gated bundle in one action — a cover attestation, each client’s dossier, a firm summary, and an integrity manifest a third party can re-verify. Open Settings → Inspection Pack, choose the pack type (ACRA CSP AML/CFT, PDPC data protection, or general due-diligence), and generate it. The steps above remain a useful walkthrough of what the pack contains.
Common pitfalls & edge cases
- Overdue reviews left unaddressed. An inspection will surface a client whose periodic KYC is overdue. Clear the review radar first so the evidence you hand over is current (see the periodic KYC playbook).
- Hiding the demo-data screening. The honest move is to disclose it — the record flags where screening ran on demo data. Be ready to explain your screening arrangements rather than presenting demo results as live checks.
- RORC out of date. The register of registrable controllers must be current (internal 7 days, ACRA central 2 business days). A stale RORC is a common finding — reconcile it before the inspection.
- Unmasking identifiers without recording it. Exports mask identity numbers by default. If an inspector needs unmasked data, use the explicit confirmation step — which is itself recorded in the audit log — rather than working around masking.
- No RQI cover. A CSP must have a Registered Qualified Individual involved. If the RQI position has lapsed or is unclear, that is a gap to fix before an inspection, not during one.
- Assembling by hand when the pack exists. The one-click inspection pack (Settings → Inspection Pack, admin only) bundles the cover attestation, per-client dossiers, firm summary and integrity manifest. Prefer it over hand-assembling piecemeal exports.
Transparency beats polish. An inspector values an honest, complete, tamper-evident record — including flags on anything that ran on demo data — over a tidy but misleading one. Not legal advice.
Frequently asked questions
Is there a single "inspection pack" button today?
Yes — in Settings → Inspection Pack (admin only). It generates a regulator-ready bundle in one action. The per-client CDD dossier export and the firm-wide data export are also available if you want a raw snapshot.
How do I prove documents were not altered?
Each generated document carries an integrity fingerprint (a hash), and the append-only audit log records when it was created and edited. Together these give tamper-evidence.
What about the demo-data screening?
Be transparent: where screening ran on demo data, the record flags it. Explain your screening arrangements, and connect a screening provider before an inspection if live watchlist checks are expected.
This is a product guide for CorpSec AI. Where a feature runs on demo data or is not yet released, it is labelled as such. Compliance references are general information for Singapore corporate service providers, not legal advice.