ZYC-COMP-MON – Compliance Monitoring Plan
Purpose
This plan sets out how Zeyro tests, evidences, and reports compliance with its policies and regulatory obligations. It ensures ongoing assurance that systems and controls remain effective, proportionate, and documented.
Scope
Applies to all areas of the firm’s regulated and supporting activities, including:
Financial promotion approval and withdrawal
MiFID arranging (Facilities Services)
AML / CTF / ABC / Fraud prevention
Data protection, record-keeping, and outsourcing
Governance, conduct, and culture
Monitoring Principles
Risk-based – Focus on higher-risk activities, informed by the Business-Wide Risk Assessment (ZYC-RSK-001).
Proportionate – Frequency and depth of testing reflect Zeyro’s small-firm structure.
Evidence-driven – All reviews must produce verifiable records in Confluence.
Continuous improvement – Findings are used to refine controls, not only detect failures.
Monitoring Cycle and Testing Interaction
Monitoring at Zeyro follows a risk-based calendar where each testing area is reviewed through the cycle types below. The cycle defines when testing happens; the testing areas define what is reviewed within that cycle.
Cycle Type | Frequency | Applies To | Purpose / Evidence Location
Quarterly Reviews | 4× per year | Financial crime, onboarding, financial promotions | Rolling assurance on AML controls (DotFile data), risk scoring accuracy, and approval quality. Evidence in Confluence.
Thematic Reviews | Ad hoc (as needed) | Any testing area | Used for focused deep dives into areas with higher residual risk (e.g. data protection, consumer vulnerability). Reports stored in Confluence.
Event-Driven Checks | Trigger-based | Any domain where an incident, breach, or regulatory change occurs | Verify that remedial actions are effective. Logged and tracked via Jira Service Management.
Annual Assessment | Year-end | All testing areas | Comprehensive review across all domains to confirm compliance status and closure of prior findings. Summarised in the Board compliance report.
The table below shows how each policy domain is embedded within the monitoring cycle:
Testing Domain | Cycle Types Applied | Focus of Review | Key Policy References
Governance & Conduct | Annual, Thematic | SMCR compliance, conflict management, remuneration governance |
Financial Crime & Integrity | Quarterly, Event-Driven, Annual | AML / CTF, bribery, fraud response, sanctions monitoring |
Clients & Services | Quarterly, Thematic, Event-Driven | Onboarding controls, financial promotion approval, client categorisation |
Operations & Information | Thematic, Annual | Data protection, outsourcing oversight, business continuity effectiveness |
Culture & HR | Annual | Fitness and propriety, training completion, fairness and inclusion |
This structure ensures every risk area is tested at least annually, with higher-risk areas (financial crime, promotions) receiving more frequent or event-driven monitoring. Results from all cycles are consolidated in the Quarterly Compliance Report presented to the Board.
Reporting & Escalation
All findings are summarised in a Quarterly Compliance Report presented to the Board.
High-risk or repeated findings trigger corrective actions logged in Jira Service Management.
Serious breaches are escalated immediately to the MLRO and, if required, reported to the FCA under SUP 15.
The Board tracks closure of all actions via Confluence dashboards.
Record-Keeping & Review
Monitoring evidence, reports, and follow-up actions are stored in Confluence for at least five years.
The MLRO reviews this plan annually to confirm coverage of all material risks and updates it after any significant regulatory change.
Last updated