View .md

Playbook: Prepare for an ACRA inspection

Pull together the evidence a regulator asks for — per client — using the tools available today, while the one-click inspection pack is on its way.

CorpSec AI product guide·Updated 2026-07-11
Note

The regulator-ready inspection pack is available today in Settings → Inspection Pack (admin only); the CDD dossier and data export are there too if you want a raw snapshot. For the underlying obligations, see AML/CFT obligations for CSPs.

Why you are already in good shape

Because of how CorpSec AI records work as you go, a lot of inspection readiness is already done for you:

  • The audit log is append-only — a tamper-evident history of every action, enforced by the database.
  • Each client has a CDD dossier capturing identity, risk, screening snapshots, documents, the review schedule and a decision trail.
  • Generated documents carry an integrity fingerprint (a hash) so you can prove they were not altered.
  • Identity numbers are masked everywhere by default.

Step 1 — Confirm each client’s KYC is current

Use the compliance review radar to make sure no client is overdue for review. Clear anything outstanding first (see Run a periodic KYC review) so the evidence you hand over is up to date.

Step 2 — Export the CDD dossier for each client in scope

Open a client’s Compliance tab and click Export CDD Dossier. You get a complete, reconstructable due-diligence record for that client — the core of what an inspector wants to see.

The Compliance tab with the "Export CDD Dossier" button highlighted.
  1. Compliance tab → Export CDD DossierDo this for each client the inspection covers.
  2. Check the honesty flagsWhere screening ran on demo data, the record says so — be ready to explain your screening arrangements.

Step 3 — Take a firm-wide data exportLive

For the broader picture, an admin can export the whole firm from Settings → Account → Export firm data. The ZIP option bundles the JSON snapshot, the ACRA-style CSV registers, and every generated document file, with a manifest of what is included — a single evidence bundle.

Note

Exports mask identity numbers by default. If the inspection needs unmasked identifiers, an admin can produce the unmasked export via the explicit confirmation step — which is itself recorded in the audit log.

Step 4 — Show the audit trail

If asked to demonstrate controls — who approved what, that four-eyes was applied, that a document was blocked until KYC passed — open Settings → Audit Log. Because it cannot be edited or deleted, it stands as reliable evidence of your process.

Generate the inspection packLive

The built-in inspection pack produces all of this as a single, admin-gated bundle in one action — a cover attestation, each client’s dossier, a firm summary, and an integrity manifest a third party can re-verify. Open Settings → Inspection Pack, choose the pack type (ACRA CSP AML/CFT, PDPC data protection, or general due-diligence), and generate it. The steps above remain a useful walkthrough of what the pack contains.

Common pitfalls & edge cases

  • Overdue reviews left unaddressed. An inspection will surface a client whose periodic KYC is overdue. Clear the review radar first so the evidence you hand over is current (see the periodic KYC playbook).
  • Hiding the demo-data screening. The honest move is to disclose it — the record flags where screening ran on demo data. Be ready to explain your screening arrangements rather than presenting demo results as live checks.
  • RORC out of date. The register of registrable controllers must be current (internal 7 days, ACRA central 2 business days). A stale RORC is a common finding — reconcile it before the inspection.
  • Unmasking identifiers without recording it. Exports mask identity numbers by default. If an inspector needs unmasked data, use the explicit confirmation step — which is itself recorded in the audit log — rather than working around masking.
  • No RQI cover. A CSP must have a Registered Qualified Individual involved. If the RQI position has lapsed or is unclear, that is a gap to fix before an inspection, not during one.
  • Assembling by hand when the pack exists. The one-click inspection pack (Settings → Inspection Pack, admin only) bundles the cover attestation, per-client dossiers, firm summary and integrity manifest. Prefer it over hand-assembling piecemeal exports.
Note

Transparency beats polish. An inspector values an honest, complete, tamper-evident record — including flags on anything that ran on demo data — over a tidy but misleading one. Not legal advice.

Frequently asked questions

Is there a single "inspection pack" button today?

Yes — in Settings → Inspection Pack (admin only). It generates a regulator-ready bundle in one action. The per-client CDD dossier export and the firm-wide data export are also available if you want a raw snapshot.

How do I prove documents were not altered?

Each generated document carries an integrity fingerprint (a hash), and the append-only audit log records when it was created and edited. Together these give tamper-evidence.

What about the demo-data screening?

Be transparent: where screening ran on demo data, the record flags it. Explain your screening arrangements, and connect a screening provider before an inspection if live watchlist checks are expected.

This is a product guide for CorpSec AI. Where a feature runs on demo data or is not yet released, it is labelled as such. Compliance references are general information for Singapore corporate service providers, not legal advice.

Was this helpful?