Governance pack
Accountability mapping, policies, procedures, escalation paths, and control owner assignments.
- Org chart and role mapping
- Compliance and risk ownership
- Conflicts management and conduct
Application Process
The application pathway is designed to be structured and document-led. Reviews follow a completeness-first approach to reduce ambiguity and follow-up cycles. Applicants should align submissions to the applicable licensing category and prepare evidence modules that demonstrate control design and control effectiveness.
Six-step pathway
The pathway below is designed to support consistent submissions, reduce category mismatch, and improve clarity during completeness checks and assessment. Applicants should prepare documentation using a controlled versioning approach and maintain an evidence index to support review efficiency.
1
Pre-application alignment
Scope mapping, risk module selection, evidence checklist planning, and governance readiness review.
2
Registered agent preparation
Submission packaging, controlled representations, disclosure alignment, and filing readiness checks.
3
Submission
Category selection, evidence index attachment, declarations, and supporting artefacts filed via the pathway.
4
Completeness check
Mandatory module verification, document integrity review, and initial clarification requests if required.
5
Assessment
Governance, AML, safeguarding, and technology risk review scaled to the business model risk profile.
6
Decision & issuance
Approval, conditions (if any), issuance steps, publication routing, and ongoing obligations onboarding.
What you need to prepare
Submissions should be supported by documentation demonstrating how controls operate in practice. Generic policies without operational artefacts typically increase follow-up cycles. The items below represent core evidence modules; additional category-specific evidence may apply.
AML / CFT module
Risk assessment, CDD/EDD, monitoring scenarios, sanctions screening, reporting triggers, and recordkeeping.
- Customer segmentation
- Monitoring coverage map
- Suspicious activity escalation
Safeguarding & custody
Wallet architecture, segregation approach, key management controls, reconciliation, and incident response readiness.
- Key management model
- Segregation and reconciliation
- Recovery readiness
Technology risk
Security controls, access governance, change management, logging, monitoring, and resilience planning.
- Access control and audit logs
- Change and release governance
- BCP/DR planning
Market conduct
Client communications, disclosures, complaint handling, conflict controls, and retention expectations.
- Risk warnings and marketing discipline
- Complaint handling procedure
- Record retention approach
Key persons & fitness
Role mapping, competence evidence, integrity declarations, conflicts disclosures, and accountability statements.
- Key person register
- Role descriptions and competence
- Conflicts and disclosures
Completeness check and assessment
The review begins with a completeness check. If mandatory modules are missing or inconsistencies are found, clarifications may be requested. Once complete, the assessment reviews control effectiveness, governance ownership, and risk readiness, scaled to custody and cross-border complexity.
Completeness check (typical focus)
Designed to confirm the submission is assessable and consistent with the stated category and activity scope.
- Category / scope alignment vs stated business model
- Mandatory module presence (AML, governance, tech, custody where applicable)
- Evidence index integrity and version control clarity
- Declarations and representations consistency
Assessment (typical focus)
Designed to evaluate whether controls are fit-for-purpose and demonstrably effective for the risk profile.
- Governance ownership and escalation pathways
- AML monitoring coverage and sanctions approach
- Custody controls and incident response readiness
- Technology resilience, logging, and change governance
Evidence matters more than length
A shorter submission with strong evidence (logs, testing, governance artefacts, and clear ownership) typically performs better than long documents with generic statements.
Most common avoidable delays
Category mismatch, unclear custody architecture, AML policies without monitoring coverage mapping, and missing change-management evidence.
Decision outcomes and post-approval onboarding
Decisions may include approval, approval with conditions, or requests for further clarification. Following approval, license holders are expected to align to ongoing obligations, including reporting cadence, material change notifications, and supervisory engagement readiness.
Approval (or approval with conditions)
Where conditions apply, they typically address evidence gaps, control improvements, or operational readiness requirements. Conditions should be treated as time-bound actions with accountable ownership and documented remediation.
- Condition plan with dates, owners, and remediation evidence
- Operational readiness check for custody and incident response
- Disclosure alignment and client communications updates
Clarification cycle (if required)
Clarification requests typically relate to scope mismatch, unclear custody model, incomplete AML coverage mapping, or missing technology governance evidence. Clear, indexed responses reduce additional follow-ups.
- Provide a response index mapping to each request
- Attach artefacts (logs, approvals, diagrams) not only narrative
- Align updated documents with version control and dates
Next: ongoing obligations and reporting expectations
Understand reporting cadence, material change notifications, supervisory engagement, and compliance maintenance.