Playbook: Quarterly Compliance Dry-Run on a Synthetic Customer Population
The most expensive way to discover a compliance program gap is from the regulator. The next most expensive is from a customer complaint. The cheapest is from a self-administered dry-run on synthetic data, executed quarterly by the compliance team itself. This playbook covers the dry-run pattern: select a synthetic population, run it through the supervisory engine, evaluate the engine's outputs against expected behaviors, and document the program gaps the dry-run reveals. Find the gaps on your timing instead of the examiner's.
Scope: which compliance functions does the dry-run cover
Not every compliance function benefits equally from a synthetic-data dry-run. The functions that benefit most: supervisory review (the engine that flags trades, recommendations, communications for review), exception reporting (the system that identifies anomalies for compliance investigation), and audit-trail generation (the system that produces the artifact regulators consume).
Functions that don't benefit much: anti-money-laundering KYC document review (the documents themselves are the artifact, not the supervisory output), fingerprinting and registration (those happen at hire / onboard, not dynamically). Scope the dry-run to the dynamic-supervisory functions where the engine's behavior on the synthetic population reveals program effectiveness.
Population: what the synthetic corpus must include
The corpus must include households that exercise each supervisory rule. A corpus of 'normal' households doesn't exercise the supervisory engine — it exercises the no-flag-needed path. The dry-run must intentionally seed the corpus with households that should fire each rule.
- Senior clients (65+) with cognitive-decline flags — exercises FINRA Rule 4512 heightened-supervision triggers
- Recent-inheritance recipients with pending illiquid-product recommendations — exercises Reg BI Care Obligation
- Concentrated-position holders (>25% in single security) — exercises concentration-suitability rule
- Households with high-risk products (variable annuity, leveraged ETF) — exercises product-specific suitability
- Households with cross-account wash-sale exposures — exercises tax-aware supervision
- Households with deviation-from-stated-objective patterns — exercises objective-mismatch rule
- Households with structuring-pattern deposits — exercises AML monitoring
Execution: running the engine against the population
Load the synthetic population into the supervisory environment (your dev or staging env, with the supervisory engine running its production logic). Generate the activity that triggers supervisory review — synthetic recommendations, synthetic transactions, synthetic communications.
For each household, the supervisory engine should produce a known set of expected outputs: alert / no alert, alert reason, supervisory route, escalation status. The dry-run captures the actual outputs and compares to expected.
// Dry-run execution sketch. loadExpectedSupervisoryOutputs, generateActivity,
// supervisoryEngine and generateDryRunReport are provided by the supervisory
// environment; the comparison uses Node's strict deep-equality check.
const { isDeepStrictEqual: deepEqual } = require("node:util");

// Answer key: expected output per household id and activity id.
const expectedFor = loadExpectedSupervisoryOutputs();
const results = [];
for (const household of synthetic_corpus) {
  // Synthetic recommendations, transactions and communications for this household.
  const activities = generateActivity(household);
  for (const activity of activities) {
    const supervisoryOutput = supervisoryEngine.evaluate(household, activity);
    const expected = expectedFor[household.id][activity.id];
    results.push({
      household_id: household.id,
      activity_id: activity.id,
      expected,
      actual: supervisoryOutput,
      match: deepEqual(expected, supervisoryOutput)
    });
  }
}
// Every non-matching row is a candidate program gap for the report.
const mismatches = results.filter(r => !r.match);
generateDryRunReport(results, mismatches);
Evaluation: classifying the gaps
Mismatches between expected and actual outputs fall into four classes: (1) false negatives — the engine should have flagged but didn't; (2) false positives — the engine flagged when it shouldn't; (3) wrong-route — the engine flagged but routed to the wrong reviewer; (4) missing-rationale — the engine produced an output but without sufficient documentation.
False negatives are the highest-priority gaps — these are the behaviors that would fail an examination. False positives are lower priority but have operational cost (wasted review time). Wrong-route and missing-rationale are documentation-quality issues that affect examination but not customer outcomes directly.
Documentation: the dry-run report
The dry-run report is the artifact for the compliance committee and (under examination) for the regulator. The report structure: executive summary of findings; per-rule breakdown of expected vs. actual; classification of each mismatch (false negative / positive / wrong-route / missing-rationale); remediation plan with target dates; comparison to prior quarter's dry-run trends.
A single quarter is a snapshot; a year of quarterly dry-runs shows program maturation or regression. Regulators view a regression trend more skeptically than a single-quarter finding.
Remediation tracking
Each gap surfaced by the dry-run gets entered in the program's remediation tracker with: gap description, severity classification, owner, target completion date. The tracker rolls forward across quarters — a gap not closed within the quarter rolls to the next quarter with explicit reasoning for the deferral.
The tracker becomes its own examination artifact. A program that surfaces gaps and closes them quickly is in better shape than a program that doesn't surface them at all.
Cadence: why quarterly works
Monthly dry-runs are too frequent — the cycle of execution + evaluation + remediation can't reliably complete in a month. Annual dry-runs are too infrequent — gaps fester for too long before discovery.
Quarterly hits the sweet spot: the dry-run takes 1-2 weeks to execute and evaluate, followed by 6-8 weeks of remediation, followed by the next quarter's dry-run validating the remediation. Synthetic corpora can be refreshed quarterly to introduce new test scenarios — the corpus itself is a tool the compliance team can evolve.
Key takeaways
- The cheapest place to find a compliance program gap is your own quarterly dry-run on synthetic data — orders of magnitude cheaper than discovering the gap from a regulator or a customer complaint.
- The corpus must be intentionally seeded with households that exercise each supervisory rule. A 'normal' corpus exercises the no-flag-needed path, not the engine.
- False negatives — the engine missed a flag — are the highest-priority gaps. These are the behaviors that fail examinations and produce customer-harm scenarios.
- Quarterly is the right cadence — frequent enough that gaps don't fester, infrequent enough that the cycle of dry-run, evaluation, and remediation can complete cleanly each round.
FAQ
Who runs the dry-run — compliance, internal audit, or a third party?
Most effective when run by compliance with internal-audit involvement (or third-party validation) at least annually. Compliance running it builds the muscle to use synthetic data routinely; internal-audit involvement adds independence to the most consequential dry-runs.
How do we keep the dry-run from becoming a check-the-box exercise?
By varying the corpus each quarter — introducing new edge cases, retiring well-covered ones, mirroring emerging regulatory focuses. A static corpus run quarterly produces decreasing yield. The corpus is a managed asset.
What if the dry-run reveals catastrophic gaps?
Document the gap, escalate to the compliance committee, and trigger an out-of-cycle remediation. The dry-run is doing its job. The alternative — discovering the gap from a regulator — is materially worse. Treat catastrophic findings as evidence the program needs the dry-run, not as evidence the program is failing.
How is this different from existing internal testing?
Internal testing typically uses real customer data limited by what production happens to contain. Dry-runs on synthetic data structurally include the edge cases real production may not have produced yet. The two complement each other.
Does the dry-run output need to be retained for regulatory examination?
Yes — treat dry-run outputs as books-and-records under the applicable retention rule (typically 5-6 years). Both the findings and the remediation evidence are retained. Failure to retain is itself a finding under recent enforcement.
How does this interact with the firm's compliance management system?
The dry-run is an evidence source for the CMS — annual program reviews include dry-run trends as evidence of program effectiveness. The CMS provides the governance structure (committee, approvals, escalations) that the dry-run output flows into.
Can we use this approach for non-financial-services compliance (privacy, consumer protection)?
Yes — the same pattern applies to any compliance function with a supervisory or alerting engine. Privacy DSAR response, fair-marketing reviews, and consumer-disclosure obligation programs all benefit from quarterly synthetic-population dry-runs.