“Audit-ready” is one of the most overused phrases in compliance, and one of the least consistently defined. Let me tell you what it means to us, and what it looks like when an AI KYC agent produces it by default.
An audit-ready onboarding file is one that, years from now, a regulator, an auditor, or an MLRO on their first day on the job can pick up cold and reconstruct every decision that was made. Every check run. Every source used. Every flag raised. Every judgment applied. No missing context, no tribal knowledge, no need to chase down the compliance officer who built the file to ask what they meant.
That is the bar. It sounds simple. In practice, across the industry, it is surprisingly rare.
Every file an AI KYC agent produces is built to meet that bar by default. The anatomy of that file is what this piece is about.
The client summary
The top of the file tells you who the client is, what they are being onboarded for, and how they classify under the relevant regulatory framework. This is where client classification sits — whether the framework is that of the FCA, MAS, CIMA, ADGM FSRA, DFSA, or any other applicable regime. The classification drives what checks come next — customer due diligence (CDD) as the baseline, enhanced due diligence (EDD) where the client profile triggers it — which is exactly how a regulator expects it to work.
Identity and address
Identity verification (IDV) and proof of address (PoA) live together because they answer the same question: is this person who they say they are, and do they live where they say they live? The file captures the document that was used, the result, the timestamp, and the source of verification. If it was cross-checked against a government register, that register is cited.
Beneficial ownership
For entity clients, the ultimate beneficial owner (UBO) chain is laid out in full. Who owns what, at what percentage, down to the natural persons at the end of the chain. Every layer is sourced. Every name has been run through the screens that follow.
The screens
Sanctions screening, PEP screening, and adverse media are the backbone of any institutional-grade onboarding file. The anatomy here matters.
For sanctions and PEP, the file shows which lists were screened, what matches were found, and the disposition on each match — confirmed, dismissed, or escalated. Every match cites the list.
For adverse media, the file shows the search terms run, the sources covered, and the findings. Every finding cites the article — with the URL, the publication, the date, and a short extract. A finding that was reviewed and dismissed is still on the file, with the reason for dismissal documented. Nothing disappears.
Source of wealth
Source-of-wealth (SoW) verification is where the file earns its depth. The narrative is captured, along with the supporting documentation and the public evidence — filings, articles, registries, third-party data — that corroborates it. A claim that cannot be corroborated is flagged as unsupported, and the reason it could not be corroborated is documented. EDD triggers, where they apply, are called out with the rulebook clause that triggered them.
Industry and business classification
For entity clients, industry classification and business activity are captured and scored against the risk matrix. A high-risk industry is flagged. A cross-border business model is flagged. A nexus to a sanctioned jurisdiction is flagged. Every flag cites the matrix clause it came from.
The risk rating
The risk rating is a structured output — low, medium, high, or whatever tiers the institution uses — driven directly by the risk matrix in force on the day the file was built. The rating shows each input that fed it, each weighting applied, and the resulting score. Changing a matrix clause later does not retroactively change the rating — the version of the matrix used at the time is captured on the file.
The narrative
Above every structured section sits a narrative. This is the piece that makes a compliance file readable — a few paragraphs that tie the structured findings together into a coherent assessment. The narrative references every structured finding. No loose claims. No unsupported conclusions.
The evidence trail
Every claim in the file, in every section, links to the source it came from. Every source links to the moment in the workflow at which it was pulled. A click takes you from the risk rating to the matrix clause to the input that triggered it. From an adverse media flag to the article. From a UBO layer to the registry extract. A full evidence trail, end-to-end.
The recommendation
The file closes with a recommended next step — approve, conditionally approve, escalate, reject — and the reasoning. The compliance officer reviewing the file decides whether to accept the recommendation, amend it, or overrule it. Their decision is captured, timestamped, and signed off on the file. That is where the AI stops and the human stands behind the call.
Why this matters
An institutional-grade onboarding file is not a nice-to-have. It is the artefact a regulator asks for, the artefact an auditor tests against, and the artefact an MLRO has to stand behind. When the work is consistent, cited, and structured the way the regulator expects, the MLRO’s review becomes an exercise in judgment rather than reconstruction. The compliance officer’s time goes to the decisions that actually need their attention.
That is what audit-ready means in practice. Not a phrase. A file.
This is what Tarth produces, by default, on every client.