MacEagle.ai
AI-assisted regulatory compliance workspace for Board Review, Policy Review, Risk Assessment, and AML Review.
Controlled audit workflow
Not an unmanaged chatbot
Portal objective
The page is designed as the front-end workspace first. Authentication, live user accounts, Supabase flows, Zoho API wiring, and document processing services can be connected after the page design and user journey are approved.
Login, MFA, RBAC, lockouts, and session controls are reserved for the later backend phase.
Each review is mapped to approved rule sets for UK, Cayman Islands, BVI, and Anguilla.
AI guides evidence collection, drafts findings, and flags gaps, but does not issue final conclusions.
Final reports, high-risk findings, AML conclusions, and legal interpretations require reviewer sign-off.
Review workspace
This section recreates the user work page without active login logic. It shows how the audit journey should function once authentication and document processing services are connected later.
Workflow Summary
Client: Example Regulated Client Ltd • Engagement: 2026 Interim Audit Review • Product: Starter
Selected Service
Board Review
Best for small businesses that want a structured internal audit workspace but do not yet need full AML or multi-jurisdiction coverage.
Pricing
£249/month
Setup: $350
Key Details
Included Features
Best For
Assess governance, board oversight, decision-making, conflicts, committees, accountability, and board management information.
CRM status
Draft engagement
Evidence storage
WorkDrive planned
Approval state
Editable working fields for jurisdiction-specific privacy, regulatory and source notes.
Tip: Click the + button to add additional sources. Sources cannot be deleted once added. Each entry can be converted into a controlled source register item later.
All four jurisdictions are expected to align with the FATF Recommendations, which are the global standards for combating money laundering, terrorist financing, and proliferation financing. FATF's Recommendations (amended October 2025) set a risk-based framework covering customer due diligence, beneficial ownership, suspicious reporting, sanctions controls, internal controls, supervision, enforcement, and targeted financial sanctions.
Select the standards and frameworks applicable to this review. Your selections will guide the audit scope and assessment criteria.
Expected Evidence:
Board minutes and board packs
Terms of reference and committee reports
Conflict of interest registers
Attendance records and action logs
Governance policies and regulatory correspondence
Evidence Storage
Upload workflow
Select files from your local computer. They will be automatically uploaded to Zoho WorkDrive and stored in your evidence folder.
United Kingdom • Example Regulated Client Ltd • 2026 Interim Audit Review
Board Review Assistant for United Kingdom activated. I will assess governance, board oversight, decision-making, conflicts, committees, and accountability against United Kingdom regulatory standards. To begin, please upload or reference:
1. Board minutes (last 12 months)
2. Terms of reference and committee charters
3. Conflict of interest registers
4. Governance policies
5. Any regulatory correspondence
What evidence would you like to start with?
No files uploaded yet
Human Review Required
This assessment is draft analysis only. Final governance conclusions, high-risk findings, and regulatory interpretations require approval from a qualified compliance reviewer before issuance to the client.
Board Review - United Kingdom
Status
Ready for review
Total outputs
5
Generated
Draft format
Governance adequacy score
Section 1
Missing evidence list
Section 2
Findings and risk rating
Section 3
Remediation actions
Section 4
Reviewer notes
Section 5
Important note
All outputs are draft format pending reviewer approval. Download includes draft status markers. Final reports require sign-off from the approval authority before distribution.
User login, verification, live document upload, and API integrations are intentionally excluded from this design phase and can be added later.
Governance framework
These sections translate the proposal requirements into visible page components that can later be wired into backend services.
Privacy notice covering data categories, purposes, lawful basis, retention, recipients, transfers, AI processing, rights, and contacts
Purpose limitation: uploaded material used only for the selected client, engagement, module, and jurisdiction
Data minimisation, redaction support, personal-data tagging, and controlled document processing
DPIA before launch covering AI processing, document ingestion, ratings, logs, storage, and provider processing
Controller/processor mapping for MacEagle.ai, clients, AI providers, email/SMS providers, and hosting providers
International transfer documentation, data-centre region review, retention rules, and rights-handling process
Approved prompt registry with module, jurisdiction, version, owner, and approval status
Jurisdiction-specific retrieval from approved rule sets and knowledge sources only
Prompt injection defence: uploaded documents are evidence, not instructions
Evidence manifest showing reviewed, missing, stale, contradictory, or weak evidence
Output provenance separating requirement, evidence, AI inference, reviewer comment, and action
Human review gate for final reports, high-risk AML findings, and regulatory interpretations
Client user
Upload evidence, answer AI questions, view released drafts and final reports. Cannot approve findings or access other clients.
Internal auditor
Create reviews, request evidence, run AI draft assessments, draft findings, and update review status.
Reviewer / approver
Approve or reject AI outputs, risk ratings, reports, and remediation closure.
Administrator
Manage users, roles, engagements, integrations, folder mappings, and operational settings.
End-to-End AML Workflow
The core UK AML regime is the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, as amended. The Regulations include requirements for business-wide risk assessments, customer due diligence, policies, controls and procedures, group-level controls, internal controls, training, and recordkeeping. The FCA's financial crime materials remain central for FCA-regulated firms, including expectations around a risk-based approach to AML and CFT controls. Last updated 11 February 2026.
| Requirement area | Practical requirement |
|---|---|
| Business-wide risk assessment | Maintain a documented AML/CFT risk assessment covering customers, countries, products, services, delivery channels, transactions, and emerging risks. |
| Proliferation financing risk assessment | Maintain a documented PF risk assessment, either standalone or embedded in the wider financial crime risk assessment. UK Regulation 16A defines PF in relation to funds or financial services connected with CBRN weapons and related goods/technology in breach of relevant sanctions obligations. |
| Customer due diligence | Identify and verify customers; identify beneficial owners; understand ownership and control; assess purpose and intended nature of the relationship. |
| Enhanced due diligence | Apply EDD for high-risk countries, PEPs, complex or unusual structures, sanctions exposure, high-risk sectors, and other elevated-risk scenarios. |
| Ongoing monitoring | Monitor customer activity against expected behaviour; refresh KYC on a risk basis; investigate unusual activity. |
| Sanctions / targeted financial sanctions | Screen customers, beneficial owners, controllers, counterparties, and payments against UK and applicable international sanctions lists. Escalate potential matches promptly. |
| Suspicious activity reporting | Maintain internal escalation and SAR processes; report suspicious activity to the NCA where required. |
| Training | Provide role-specific AML/CFT/PF and sanctions training at onboarding and periodically thereafter. |
| Recordkeeping | Retain CDD, transaction, risk assessment, training, and investigation records for statutory periods. |
| Independent audit / assurance | Establish independent testing proportionate to risk, including review of AML systems, CDD quality, transaction monitoring, sanctions screening, and SAR governance. |
FCA Alignment: FCA-regulated firms must apply these requirements in accordance with the FCA's published guidance on AML/CFT and sanctions, including the Senior Managers Regime where applicable. The Regulation 16A reference to PF controls is now embedded in the wider financial crime framework and requires explicit PF risk assessment and policy governance.
End-to-End AML Workflow
CIMA's AML/CFT Guidance Notes provide guidance to financial services providers on preventing and detecting money laundering, terrorist financing, and proliferation financing in the Cayman Islands. CIMA's AML/CFT legislative framework includes the Proliferation Financing (Prohibition) Act, which empowers CIMA to act against persons engaged in activities connected with terrorist financing, money laundering, or development of weapons of mass destruction. The Cayman Islands AML Unit states that its mission is to promote a multi-agency approach to protect the financial system against ML, TF, and PF.
| Area | Description |
|---|---|
| Financial services regulation and AML supervision | Cayman Islands Monetary Authority |
| National AML/CFT coordination | Cayman Islands Government AML Unit |
| Suspicious activity reporting | Cayman Islands Financial Reporting Authority |
| Sanctions / PF | CIMA and relevant Cayman Islands competent authorities, including under the PF framework |
| Beneficial ownership / entities | Cayman Islands Registrar / competent authority framework, depending on entity type |
Regulatory Framework Context: CIMA's Rule on Corporate Governance for Regulated Entities establishes corporate governance requirements for entities regulated by CIMA. The Rule applies to the governing body of CIMA-regulated entities and expects the governance framework to be commensurate with the entity's size, complexity, structure, business nature, and risk profile. All AML/CFT/PF requirements must be implemented within the context of this governance framework and coordinated with CIMA supervision.
End-to-End AML Workflow
This framework maps the 18 key control areas expected by CIMA (Cayman Islands Monetary Authority) for AML/CFT/PF compliance. Each control area identifies typical risks, key controls, and integration points with the audit workflow.
When reviewing AML controls, prioritize these common risk factors. They directly map to CIMA expectations around risk-based approach, CDD, sanctions screening, internal reporting, training, audit, and group-wide arrangements:
High-risk customers and beneficial owners
Complex or opaque ownership structures
High-risk countries/jurisdictions
Non-face-to-face onboarding
Products/channels with faster movement of funds or reduced transparency
Sanctions and PF exposure
Unusual transaction activity
Weak KYC refresh / periodic review
Poor SAR escalation and documentation
Weak employee screening/training
Inadequate independent testing
Inconsistent standards across group entities
Integration note: Each control area flows into the internal audit workspace modules. The Board Review module assesses governance and oversight. The AML Review module covers controls 1-17 in depth. The Risk Assessment module examines the institutional risk assessment and framework. All findings, gaps, and remediation actions are tracked through the CRM and stored in WorkDrive folders organized by jurisdiction, control area, and module.
End-to-End AML Workflow
The BVI FSC is responsible for ensuring compliance by regulated financial institutions with AML/CFT systems and controls under the Anti-Money Laundering Regulations, 2008 and the Anti-Money Laundering and Terrorist Financing Code of Practice, 2008. The BVI's national AML/CFT/CPF strategy for 2024–2026 addresses ML, TF, and PF risks and focuses on supervision, enforcement, cooperation, and stakeholder awareness. The AML/CFT Code of Practice supplements the AML Regulations and establishes a framework for AML, CFT, and CPF compliance.
| Area | Description |
|---|---|
| Financial services regulation and AML supervision | BVI Financial Services Commission |
| Financial intelligence / suspicious reporting | BVI Financial Investigation Agency |
| National AML/CFT coordination | National AML/CFT Coordinating Council and related competent authority committees |
| Sanctions / PF | BVI sanctions and competent authority framework, including Governor's Office / relevant sanctions functions |
| Beneficial ownership | BVI competent authority / beneficial ownership framework |
Regulatory Code Context: The BVI Regulatory Code provides a broader framework for regulated financial services business, including governance, systems and controls, abuse of financial services, complaints, and regulatory notifications. All AML/CFT/CPF requirements must be implemented within the context of the BVI Regulatory Code and coordinated with FSC and FIA supervision.
End-to-End AML Workflow
Anguilla's AML/CFT framework is built around the Proceeds of Crime Act, supported by the Anti-Money Laundering and Terrorist Financing Regulations and the Anti-Money Laundering and Terrorist Financing Code. The FSC states that the framework captures financial service providers and non-profit organisations under Schedule 2 of the AML/CFT Regulations. The FSC document library lists current AML/CFT legislation including the AML/CFT Code, AML Regulations, 2023 amendments, the Proceeds of Crime Act, and sector-specific digital asset / utility token AML regulations.
| Area | Description |
|---|---|
| Financial services regulation and AML supervision | Anguilla Financial Services Commission |
| Financial intelligence / suspicious reporting | Anguilla Financial Intelligence Unit |
| Sanctions and PF framework | Government of Anguilla, Attorney General's Chambers, Governor's Office, FSC, and FIU as applicable |
| AML/CFT national framework | Government of Anguilla and competent authorities |
Regulatory Framework Context: Anguilla's financial sanctions guidance is produced with the Attorney General's Chambers, FSC, FIU, and Governor's support. The Government of Anguilla maintains an AML/CFT/PF page containing notices and guidelines, including financial sanctions materials and national risk assessment materials. All AML/CFT/PF requirements must be implemented within the context of this regulatory environment and coordinated with FSC and FIU supervision.
Practical comparison
This checklist compares key AML/CFT/PF control requirements across the four jurisdictions. Colours indicate requirement status: green for mandatory, amber for conditional or expected, and blue for conditional based on business activities. Use this to identify common controls, jurisdiction-specific gaps, and requirements that vary by entity type or sector.
| Control Area | United Kingdom | Cayman Islands | Anguilla | British Virgin Islands |
|---|---|---|---|---|
| Enterprise AML/CFT risk assessment | Required | Required | Required | Required |
| Proliferation financing risk assessment | Required | Required / expected | Required / expected via AML/CFT/PF framework | Required / expected via AML/CFT/CPF framework |
| Written AML/CFT/PF policies | Required | Required | Required | Required |
| Customer due diligence | Required | Required | Required | Required |
| Beneficial ownership verification | Required | Required | Required | Required |
| Enhanced due diligence | Required | Required | Required | Required |
| PEP controls | Required | Required | Required | Required |
| Sanctions screening | Required | Required | Required | Required |
| Transaction monitoring | Required | Required | Required | Required |
| Suspicious activity reporting | Required | Required | Required | Required |
| MLRO / nominated officer | Required for in-scope firms | Required / expected | Required / expected | Required |
| Staff training | Required | Required | Required | Required |
| Recordkeeping | Required | Required | Required | Required |
| Board oversight | Required / expected | Required | Required / expected | Required / expected |
| Independent audit / assurance | Risk-based / expected | Required or expected depending on entity | Risk-based / expected | Risk-based / expected |
| VASP-specific AML obligations | Yes, if cryptoasset activity in scope | Yes, if VASP activity in scope | Yes, if digital asset / token activity in scope | Yes, if VASP activity in scope |
Required
Mandatory control in all regulated entities within the jurisdiction.
Required / Expected
Typically required or expected by regulators, with possible sector or entity-specific exceptions.
Conditional
Required based on business type, activity, entity structure, or exposure to specific risks.
Note: This checklist reflects publicly available regulatory guidance as of early 2026. Practitioners must verify requirements against current legislation, regulatory guidance, and sector-specific rules applicable to the entity. Regulators may update expectations without formal amendment, so review guidance documents, recent circulars, and regulatory correspondence regularly. Compliance obligations differ by entity type (financial services, non-profit, VASP, etc.) and business activities. Outsourced or group-wide arrangements may introduce additional coordination requirements. Seek legal or regulatory counsel for entity-specific or emerging guidance.
Backend integration design
The proposal positions CRM as the operational record and WorkDrive as the controlled repository for evidence, drafts, comments, final reports, and versioned working papers.
Production should store stable WorkDrive folder IDs in CRM and audit logs rather than relying on folder names alone.
Create or update CRM record and WorkDrive folders.
Capture file ID, version, checksum, module, uploader, and timestamp.
Save draft to WorkDrive and sync key findings to CRM.
Save comments, update findings, and log approval status.
Workflow and reporting
The live system should use this front-end flow as the blueprint for backend tasks, CRM updates, WorkDrive storage, audit logging, and reviewer approvals.
Module-specific draft assessment report
Final internal audit report with approval metadata
Evidence request and gap schedule
Findings register with risk ratings, owners, due dates, and status
Remediation action plan and closure pack
Board / reviewer MI pack
Exportable audit trail for prompts, outputs, documents, approvals, and sync events
Every AI output should show evidence reviewed, missing evidence, draft findings, risk rationale, assumptions, and human-review requirement. Prompt version, model version, rule-set version, evidence IDs, and output hash should be logged in production.
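The logging requirement above, together with the evidence capture fields listed under backend integration design (file ID, version, checksum, module, uploader, timestamp), sketched as an added Python example; it is not MacEagle.ai code. The function names, the HMAC log key, and the sample identifiers are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumption: a log-signing key held by the backend, never by client users.
LOG_KEY = b"constructed-demo-key-not-for-production"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(obj: dict) -> bytes:
    # Stable serialisation so the same record always produces the same MAC.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _utc_now() -> str:
    return datetime.now(timezone.utc).isoformat()


@dataclass(frozen=True)
class EvidenceEntry:
    file_id: str      # stable storage ID, not a file or folder name
    version: int
    checksum: str     # SHA-256 of the uploaded bytes
    module: str
    uploader: str
    timestamp: str


def capture_evidence(file_id, version, content, module, uploader, now=None):
    return EvidenceEntry(file_id, version, sha256_hex(content), module,
                         uploader, now or _utc_now())


def build_output_record(output_text, evidence, prompt_version, model_version,
                        rule_set_version, now=None):
    record = {
        "prompt_version": prompt_version,
        "model_version": model_version,
        "rule_set_version": rule_set_version,
        "evidence": {f"{e.file_id}@v{e.version}": e.checksum for e in evidence},
        "output_hash": sha256_hex(output_text.encode("utf-8")),
        "status": "draft",                 # AI output is never final on its own
        "human_review_required": True,
        "logged_at": now or _utc_now(),
    }
    record["record_mac"] = hmac.new(LOG_KEY, _canonical(record), hashlib.sha256).hexdigest()
    return record


def verify_output_record(record, output_text, stored_files):
    """Return a list of integrity problems; an empty list means the record holds."""
    problems = []
    body = {k: v for k, v in record.items() if k != "record_mac"}
    expected = hmac.new(LOG_KEY, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record.get("record_mac", "")):
        problems.append("audit record altered")
    if sha256_hex(output_text.encode("utf-8")) != record["output_hash"]:
        problems.append("output differs from logged hash")
    for evidence_id, checksum in record["evidence"].items():
        content = stored_files.get(evidence_id)
        if content is None:
            problems.append(f"evidence missing: {evidence_id}")
        elif sha256_hex(content) != checksum:
            problems.append(f"evidence changed: {evidence_id}")
    return problems
```

A reviewer-side check would call `verify_output_record` before sign-off, so that approval attaches to the exact draft text and evidence versions the AI assessed.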
Implementation plan
The current page avoids active login logic so the design and workflow can be reviewed first. Backend services can be layered in once the visual and operational model is agreed.
Approve this work page, content hierarchy, review modules, jurisdiction selector, and user journey before adding authentication.
Add sign-up, sign-in, email verification, MFA, RBAC, session controls, and audit logging after the design is stable.
Connect approved prompt registry, rule-set loader, evidence manifest, draft outputs, reviewer queue, and output templates.
Wire CRM records, WorkDrive folders, evidence upload, draft/final report storage, findings, and remediation sync.
Run functional, privacy, security, prompt injection, access control, and CRM/WorkDrive sync testing before controlled release.