.webp)
Virtual Site Visits and Inspections - Verifying Existence in a Synthetic World; A Control Framework for Modern Risk Management
Site visits and inspections are a foundational risk management control used by financial institutions to validate that a customer exists, operates as represented, and presents a risk profile consistent with the institution's understanding and risk appetite. While regulators do not mandate site visits for every customer, they consistently expect institutions to apply reasonable, risk-based methods to understand the nature and purpose of customer relationships and to conduct ongoing monitoring that reflects actual customer activity.
A site visit is not a procedural formality. It is an evidentiary control. Its purpose is to validate reality rather than paperwork. As financial crime risk increasingly involves synthetic businesses, fabricated documentation, and remote deception, reliance on document-only due diligence has become insufficient for higher-risk customers.
This perspective is informed by direct responsibility for overseeing complex compliance and financial crime programs for cash-intensive and operationally complex businesses operating across broad geographies under heightened regulatory scrutiny. In those environments, site visits were not optional controls. They were among the only mechanisms capable of validating that a business actually existed, operated as represented, and maintained controls consistent with its stated risk profile. At the same time, the traditional model for executing site visits proved operationally inconsistent, costly, and difficult to sustain at scale.
This document provides a practical, examiner-aligned guide to site visits and inspections. It explains regulatory expectations, risks of non-performance, the role of remote and virtual site visits, and best practice methodologies for designing, executing, and documenting a defensible program.
What Is a Site Visit or Inspection
A site visit is a structured review of a customer's physical location performed to validate existence, operations, and observable risk indicators. An inspection is the analytical assessment of what is observed during the visit and how those observations affect the customer risk profile.
A properly designed site visit seeks to answer several core questions:
- Does the business physically exist at the stated location
- Are operations active and consistent with the stated business purpose
- Do observable activities align with expected transaction patterns
- Are there visible indicators of heightened or undisclosed risk
- Are controls for cash, inventory, access, and compliance present and functioning
Site visits differ fundamentally from document reviews. Documents validate consistency. Site visits validate existence and behavior.
Why Site Visits are Necessary
The limits of document-based due diligence
Most onboarding and monitoring programs rely heavily on corporate records, licenses, tax filings, and third-party databases. These tools confirm internal consistency across sources, but they do not establish that a business actually exists, is actively operating, or is conducting legitimate activity in the real world.
The FFIEC Bank Secrecy Act and Anti-Money Laundering Examination Manual states that customer due diligence should enable institutions to:
"Understand the nature and purpose of customer relationships and develop a customer risk profile."
When physical operations are central to the risk profile, understanding nature and purpose cannot be achieved through documents alone.
The supervisory logic behind site visits
Regulators expect controls to scale with risk. Where customer risk is driven by physical activity, cash handling, inventory movement, or location-specific licensing requirements, site visits become a reasonable and often necessary control measure.
Federal Reserve supervisory guidance reflects this logic explicitly:
"When circumstances allow, perform a visual check of the business to verify the actual existence of the business."
The expectation is verification of reality, not performance of a ritual.
Regulatory Foundations Supporting Site Visits
FFIEC expectations
The FFIEC emphasizes the importance of ongoing monitoring, which includes maintaining and updating customer information in a manner commensurate with the risk. If changes in operations, location, or scale materially affect risk, institutions must have mechanisms in place to detect and validate these changes.
Site visits directly support this obligation by providing observable evidence rather than assumptions.
FDIC, NCUA, and OCC perspectives
The Office of the Comptroller of the Currency includes site visits in its third-party risk management examination procedures, instructing examiners to determine whether banks:
"Conduct on-site visits or meetings with third parties involved in critical activities."
This reinforces a broader supervisory principle. When operational reality matters to risk, verification is expected.
Higher risk customers and cash-intensive activity
The Government Accountability Office has noted that FFIEC guidance for higher-risk money transmitter accounts includes: "Conducting on-site visits."
This principle is commonly applied to money services businesses, state-licensed cannabis businesses, and other cash-intensive or operationally complex customers.
Risks of Failing to Conduct Site Visits
Failure to conduct meaningful site visits introduces predictable risks that can lead to the following:
Acceptance of synthetic or phantom businesses
Synthetic businesses are designed to pass document-based controls. They may have valid registrations and licenses, but lack real operations. Without site visits, institutions may unknowingly onboard entities that exist only on paper.
Undisclosed or higher risk activity
Site visits frequently reveal activities not disclosed during onboarding, including unlicensed money transmission, cannabis activity embedded in non-cannabis entities, or third-party processing arrangements that materially change risk.
Weak examination defensibility
In California Pacific Bank v FDIC, regulators cited failures to document Bank Secrecy Act site visits. Testimony described assessments being kept "in my head," illustrating that undocumented verification is treated as if it were no verification at all.
Physical and Virtual Site Visits in Regulatory Context
Regulatory expectations are outcome-based
Regulators do not prescribe whether a site visit must be physical or remote (virtual). They evaluate outcomes, evidence, and governance. The core question is whether the institution reasonably verified the existence, operations, and risk.
Both physical and virtual site visits can be acceptable when they achieve that objective.
Physical site visits are not inherently sufficient
Physical presence alone does not satisfy regulatory expectations. In-person visits that lack structure, documentation, or follow-up may fail to meet supervisory standards. Regulators focus on evidence, not proximity.
Virtual site visits as a practical evolution
Virtual site visits have emerged as a practical response to the operational challenges of conducting physical visits at scale. They are not a relaxation of standards. They are an attempt to preserve rigor while reducing friction.
Methodology Matters More Than Modality
Examiners focus on methodology rather than modality. Whether a site visit is physical or virtual, institutions are expected to demonstrate a defined, repeatable approach.
Typical examiner questions include:
- Why was a site visit required for this customer
- What specifically was reviewed or observed
- How were observations documented
- What risks were identified or ruled out
- How did the visit affect the customer risk rating
- What follow-up actions were taken
- How often are site visits refreshed, and why
An institution that cannot consistently answer these questions is exposed to criticism, regardless of the visit format.
Best Practice Framework for Site Visits
Governance and policy
A defensible program begins with a policy that defines:
- Purpose and objectives of site visits
- Customer types and risk tiers requiring visits
- Frequency and refresh expectations
- Criteria for physical versus virtual visits
- Roles and responsibilities across the first and second lines
- Escalation, remediation, and exception handling
- Documentation and retention requirements
Risk-based applicability
Site visits should be applied based on risk drivers, such as cash intensity, licensing exposure,
Standardized inspection scope
Each site visit should follow a standardized checklist aligned to the customer type. Core elements include:
- Address and signage confirmation
- Walkthrough of operating areas
- Observation of cash handling and storage
- Inventory or product handling, where applicable
- Confirmation of operating hours and staffing
- Verification of licenses and permits
- Identification of third-party service providers
- Review of customer-specific red flags
GPS-Enabled Virtual Site Visits and the Origin of VerifyC™
Why GPS-enabled virtual site visits were necessary
In my role overseeing some of the most complex risk and compliance programs for cash-intensive businesses, I have been directly responsible for institutions serving customers spread across the contiguous United States. These programs included industries where physical operations, cash handling, licensing, and on-site controls materially determine risk. In those environments, site visits were not optional. They were one of the few controls capable of validating that a business actually existed and operated as represented.
That responsibility required my teams and me to conduct physical site visits across vast geographies, often under tight regulatory scrutiny and with limited operational resources. What became clear over time was not that site visits lacked value, but that the traditional model for executing them was fundamentally broken.
After conducting physical site visits across the country, the operational burden became clear. Travel time frequently exceeded inspection time. Scheduling delays limited coverage. Costs constrained frequency. Documentation varied widely by reviewer. Despite significant effort, visits remained episodic, leaving long gaps where changes in operations went unobserved.
More importantly, the risk of not conducting site visits was systemic. Institutions that failed to validate the physical existence and operations of their assets were exposed to synthetic businesses, undisclosed activity, and weak examination defensibility. Yet the traditional model made consistent execution impractical.
Based on that experience, my team and I recognized that a different approach was required. We needed a software solution that maintained regulatory rigor while transforming the way site visits were conducted. That solution became VerifyC™.
VerifyC™ as a GPS-enabled virtual site visit methodology
VerifyC™ enables live, GPS-enabled virtual site visits designed to replicate the core objectives of a physical inspection while addressing the limitations that prevent scale.
From a risk and compliance perspective, VerifyC™ provides:
- GPS-verified location evidence confirming physical presence
- Live guided walkthroughs rather than static uploads
- Time-stamped photo and video capture
- Structured inspection workflows aligned to customer risk type
- Analyst observation and narrative documentation
- Immutable audit trails are suitable for examination and audit
The intent was not to lower standards. The purpose was to make it possible to meet them consistently.
Evidence capture
Best practices require identity verification of participants, live guided walkthroughs, time-stamped photo or video capture, location verification signals, and written analyst observations, all of which are retained in a centralized system.
Physical and Virtual Site Visits as Complementary Controls
Best practice treats physical and virtual site visits as complementary.
Physical site visits remain appropriate for the initial onboarding of high-risk customers, complex operations that require tactile inspection, or situations involving heightened regulatory scrutiny.
Virtual site visits using VerifyC™ are well-suited for ongoing monitoring, refresh requirements, geographic scale, and rapid response to trigger events.
Both rely on the same methodological foundation. Defined scope. Structured evidence capture. Documented decisioning. Risk-based refresh.
Refresh Cadence, Decisioning, and Audit Trail
Site visits are an ongoing part of monitoring, not a one-time exercise.
The refresh cadence should align with risk, with trigger events including ownership changes, location changes, material activity shifts, adverse media, or changes in license status.
Each site visit must result in a documented outcome tied to evidence, including risk rating and impact, remediation requirements, and follow-up tracking. This documentation is critical to examination defensibility.
Conclusion
Regulatory expectations for site visits are grounded in risk-based supervision rather than rigid procedural mandates. Both physical and virtual site visits are acceptable when they are used intentionally, executed with specificity, and documented using defined methodologies.
Even in-person site visits require a structured approach, evidence, and thorough documentation. Virtual site visits, when properly designed, often improve consistency, auditability, and refresh cadence.
VerifyC™ was created out of necessity to address the operational reality of site visit execution while preserving regulatory rigor. In modern risk environments, the question is no longer whether site visits should be conducted; rather, the question is how to conduct them effectively. The question is whether institutions have the methodology and tools to perform them effectively.
About the Author
Robert Baron is a senior executive with extensive experience in risk, compliance, and financial crimes, designing, overseeing, and remediating complex programs for financial institutions that serve high-risk, cash-intensive businesses. His work has spanned money services businesses, state-licensed cannabis, gaming, adult entertainment, hospitality, and other operationally complex customer segments with heightened regulatory scrutiny.
Robert is a Certified Anti-Money Laundering Specialist (CAMS). He has collaborated with regulators, core banking providers, and compliance technology firms to address systemic gaps in traditional risk management controls. His firsthand experience with the operational burden and inconsistency of physical site visit programs directly informed the creation of VerifyC™, a GPS-enabled virtual site visit solution designed to preserve regulatory rigor while enabling scale, consistency, and auditability.
Robert currently serves as Chief Experience Officer at StandardC, where he focuses on helping financial institutions verify business existence, strengthen customer due diligence, and manage risk in an environment increasingly defined by synthetic activity and remote deception.
References
Federal Financial Institutions Examination Council. Bank Secrecy Act and Anti Money Laundering Examination Manual. Customer Due Diligence.
https://bsaaml.ffiec.gov/manual/AssessingComplianceWithBSARegulatoryRequirements/02
Federal Financial Institutions Examination Council. Bank Secrecy Act and Anti Money Laundering Examination Manual.
Federal Reserve Board. Supervision and Regulation Examination Manuals.
https://www.federalreserve.gov/publications/supmanual.htm
Federal Reserve Board. Supervision and Regulation Overview.
https://www.federalreserve.gov/supervisionreg/topics/exam_n_supervision.htm
Government Accountability Office. Bank Secrecy Act. Examiners Need More Information on Banks Risk Assessments for Money Transmitters. GAO 20 46.
https://www.gao.gov/products/gao-20-46
https://www.gao.gov/assets/gao-20-46.pdf
Office of the Comptroller of the Currency. Supplemental Examination Procedures for Third Party Relationships.
https://www.occ.gov/news-issuances/bulletins/2017/pub-third-party-exam-supplemental-procedures.pdf
Office of the Comptroller of the Currency. Interagency Guidance on Third Party Relationships. Bulletin 2023 17.
https://www.occ.gov/news-issuances/bulletins/2023/bulletin-2023-17.html
Federal Reserve Board. Interagency Guidance on Third Party Relationships Press Release.
https://www.federalreserve.gov/newsevents/pressreleases/bcreg20230606a.htm
Financial Crimes Enforcement Network. Joint Statement on the Risk Based Approach to Assessing Customer Relationships and Conducting Customer Due Diligence.
.png)