Outsourced BSA/AML Compliance Officer for MSBs and Fintechs: FinCEN Requirements, Costs, and How It Works

Every money services business registered with FinCEN and every fintech operating under a state money transmitter licence is required to designate a qualified individual responsible for day-to-day BSA/AML compliance. There are no exceptions for startups. There are no grace periods for companies still “building out” their compliance function. And there is no regulatory distinction between an MSB that processes ten transactions per month and one that processes ten thousand — the obligation is the same.

Yet the reality on the ground is that the majority of early-stage and growth-stage fintechs do not have a dedicated, senior-level compliance officer managing their AML programme. Some have assigned the role to a co-founder who carries it alongside product development. Others have listed a name on FinCEN Form 107 without giving that person the authority, resources, or training to actually run the programme. A significant number have no designated officer at all — a federal offence under 18 U.S.C. § 1960.

This article explains what FinCEN actually requires from your BSA/AML compliance officer, why the full-time hire model breaks down for most fintechs and MSBs, how outsourced and fractional compliance leadership works in practice, and what it costs compared to building an in-house function. It also addresses the April 2026 proposed rulemaking that is set to fundamentally reshape how AML programmes are evaluated — and what that means for firms relying on external compliance leadership.

Why the BSA Compliance Officer Role Matters More Than Ever

The US regulatory environment for money services businesses and fintechs has intensified considerably over the past eighteen months. FinCEN enforcement actions in 2025 and early 2026 signal a clear pattern: regulators are no longer treating BSA/AML programme deficiencies as technical findings. They are treating them as willful failures.

In December 2025, FinCEN imposed a $3.5 million civil money penalty against a peer-to-peer virtual asset trading platform that had processed over $500 million in suspicious activity — including transactions linked to sanctioned jurisdictions, ransomware attacks, and darknet marketplaces — without filing the required suspicious activity reports. The platform’s fundamental failure was not technological. It was the absence of effective compliance leadership: no one with the authority, expertise, and mandate to ensure the BSA programme was actually functioning.

Then in March 2026, FinCEN announced its largest-ever enforcement action against a broker-dealer — an $80 million civil money penalty against Canaccord Genuity for BSA violations spanning from 2018 to 2024. The consent order identified at least 160 unfiled SARs and, critically, documented the falsification of nearly 400 compliance documents. FinCEN Director Andrea Gacki characterised the action as “a wake-up call” to regulated firms that wilfully fail to maintain effective AML programmes.

The pattern is unmistakable. FinCEN is not looking at whether your policies exist on paper. It is looking at whether they work — and at whether the person responsible for making them work has the resources, authority, and competence to do so.

For MSBs and fintechs, this raises an uncomfortable question: if your designated BSA compliance officer is a founder wearing five other hats, or a junior analyst without the seniority to escalate issues to the board, is your programme actually effective? And if it is not, are you materially different from the firms that have already been penalised?

What Does a BSA/AML Compliance Officer Actually Do?

Under FinCEN’s regulatory framework, the BSA/AML compliance officer — sometimes referred to as the BSA Officer, AML Compliance Officer, or Chief Compliance Officer (CCO) — is the designated individual responsible for the day-to-day operation of the AML programme. This is not a figurehead role. It carries real operational responsibility and, in cases of willful non-compliance, personal liability.

The officer’s core responsibilities span the entire AML lifecycle. They own the development and ongoing maintenance of written BSA/AML policies and procedures — documents that must be tailored to the firm’s specific products, services, customer base, and risk profile. Generic, template-based policies that do not reflect how the business actually operates have been explicitly flagged by FinCEN and the IRS (FinCEN’s delegated examiner for MSBs) as a programme deficiency.

Beyond policy development, the BSA Officer oversees the firm’s transaction monitoring and suspicious activity detection systems. They are responsible for ensuring that alerts are reviewed, investigated, and dispositioned in a timely manner, and that suspicious activity reports (SARs) are filed with FinCEN when the evidence warrants it. Failure to file — or filing late — is the single most common trigger for FinCEN enforcement actions against MSBs and fintechs.

The officer also manages the firm’s risk assessment process, ensuring that risks are identified, documented, and reassessed on a regular basis as the business evolves. They coordinate internal and external AML training, serve as the primary point of contact for regulatory examinations, and oversee the firm’s independent testing programme — the annual or biennial review that validates whether the AML programme is functioning as designed.

In practical terms, the BSA Officer needs to understand the regulatory framework deeply enough to build a programme that satisfies FinCEN, the IRS, state regulators, and banking partners simultaneously. They need enough seniority within the organisation to escalate issues to the board or senior management without being overruled by commercial interests. And they need enough bandwidth to actually perform the role — reviewing alerts, managing SAR filings, updating policies, coordinating training — on an ongoing basis.

This is where the model breaks down for most fintechs and MSBs.

FinCEN’s Legal Requirements: The Four Pillars of an MSB AML Programme

Under 31 CFR § 1022.210, every MSB is required to develop, implement, and maintain an effective written AML programme. FinCEN’s regulations specify four minimum elements that every programme must contain, and the designated compliance officer sits at the centre of all four.

Pillar 1: Internal Policies, Procedures, and Controls. The programme must incorporate written policies, procedures, and internal controls reasonably designed to ensure compliance with the BSA and its implementing regulations. These must address customer identification, transaction monitoring, SAR filing, recordkeeping, sanctions screening, and all other applicable BSA obligations.

Pillar 2: Designation of a Compliance Officer. The programme must designate an individual responsible for assuring day-to-day compliance with the programme and with all BSA requirements. This person’s name is recorded on FinCEN Form 107 and becomes part of the MSB’s public registration record.

Pillar 3: Training. The programme must provide education and training for appropriate personnel concerning their responsibilities under the programme, including training in the detection of suspicious transactions.

Pillar 4: Independent Review. The programme must provide for an independent review — commonly referred to as an independent test or audit — to monitor and maintain an adequate programme.

What the regulation does not say is equally important. It does not require the compliance officer to be a full-time employee. It does not require the officer to be physically located in the same office as the MSB. And it does not prohibit the use of outsourced or fractional compliance professionals to fulfil the role — provided that the individual has sufficient authority, resources, and access to information to carry out the role effectively.

This regulatory flexibility is precisely what has driven the growth of the outsourced BSA/AML compliance model. But flexibility does not mean informality. The relationship between the MSB and its outsourced compliance officer must be documented, governed, and operationally integrated — not simply a name on a form.

The Full-Time BSA Officer Problem: Why Fintechs Are Rethinking the Model

The traditional model — hiring a full-time, in-house BSA/AML compliance officer — works well for established financial institutions with stable transaction volumes, mature compliance infrastructure, and the budget to support a dedicated compliance function. For most fintechs and growth-stage MSBs, however, the model creates a series of practical problems that are difficult to solve.

The cost problem is significant but often understated. The average annual salary for a BSA/AML compliance officer in the United States ranges from approximately $80,000 to $115,000, with senior officers and directors commanding $140,000 to $175,000 or more depending on geography and experience. But salary is only part of the total cost. Factor in benefits, payroll taxes, compliance technology subscriptions, training, professional development, and the management overhead of supervising a compliance function, and the fully loaded annual cost of an in-house BSA officer for a fintech typically falls between $150,000 and $250,000 — before the cost of independent testing, legal counsel, and regtech tooling.

For a pre-revenue or early-revenue fintech that has just completed FinCEN registration and is still building its customer base, that number is often prohibitive. The result is a compromise: the role gets assigned to someone who does not have the qualifications, bandwidth, or authority to perform it effectively.

The talent problem compounds the cost problem. Experienced BSA/AML compliance professionals — those who have built programmes, managed SAR filing operations, navigated FinCEN examinations, and maintained banking relationships — are in high demand. They are not typically looking for roles at Series A fintechs offering below-market compensation. And even when a fintech can attract an experienced officer, the role is often isolating: a single compliance professional in a company of engineers and product managers, without a team, without institutional support, and without peers to pressure-test their judgments.

The coverage problem is the most dangerous. A single full-time officer takes vacation, gets sick, and eventually leaves. When they do, the MSB faces a gap in its compliance coverage — and operating without a designated BSA compliance officer, even temporarily, is itself a BSA violation. FinCEN expects the role to be filled at all times. If the officer departs, an interim designation (typically the CEO or a senior manager) must be made immediately while a permanent replacement is identified.

These three problems — cost, talent, and coverage — are the structural reasons why an increasing number of fintechs and MSBs are turning to outsourced compliance leadership.

What Is an Outsourced or Fractional BSA/AML Compliance Officer?

An outsourced or fractional BSA/AML compliance officer is a senior compliance professional engaged on a part-time or retainer basis to serve as the firm’s designated compliance officer under the BSA. Rather than hiring a full-time employee, the firm engages an external specialist — typically through a compliance advisory firm — who takes on the regulatory responsibilities of the role while working across multiple client engagements.

The term “fractional” is borrowed from the fractional executive model that has become common in finance (fractional CFOs), legal (outside general counsel), and technology (fractional CTOs). The principle is the same: access to senior-level expertise at a fraction of the cost of a full-time hire, with the flexibility to scale the engagement as the business grows.

In practice, a fractional BSA officer typically provides a defined scope of services that covers the core regulatory requirements. This scope usually includes development or remediation of the written AML programme, ongoing oversight of transaction monitoring and SAR filing, management of the firm’s risk assessment process, coordination of staff training, preparation for and management of regulatory examinations and independent testing, and serving as the primary point of contact for banking partners on compliance matters.

The engagement structure varies. Some firms use a monthly retainer model with a fixed number of hours per month. Others use a project-based model for programme build-outs followed by a lighter-touch ongoing oversight arrangement. The most effective engagements are those where the fractional officer is genuinely embedded in the firm’s operations — with access to the transaction monitoring system, regular touchpoints with senior management, and the authority to make compliance decisions without seeking approval for every SAR filing or policy update.

What distinguishes a well-structured fractional BSA arrangement from a poorly structured one is the degree of integration. A compliance consultant who reviews your policies once a quarter and sends a report is not functioning as your BSA compliance officer. A fractional officer who attends your compliance committee meetings, reviews your SAR pipeline weekly, and has a direct line to your CEO is.

What an Outsourced BSA Officer Does Day-to-Day

The day-to-day work of an outsourced BSA/AML compliance officer mirrors what an in-house officer would do — the difference is in the operational model, not the substance of the work.

On a typical week, the fractional BSA officer reviews transaction monitoring alerts that have been escalated for second-level review, determines whether SARs need to be filed, and ensures that filing deadlines are met. They review new customer onboarding decisions for higher-risk accounts — those involving foreign jurisdictions, politically exposed persons, high-volume money transmission, or virtual assets. They review and respond to requests for information (RFIs) from banking partners, which have become increasingly frequent as correspondent banks tighten their own due diligence on fintech and MSB relationships.

On a monthly basis, the officer typically reviews the firm’s risk assessment dashboard, identifies emerging risk trends, and updates policies and procedures where necessary. They review and update the firm’s sanctions screening processes, ensure that OFAC lists are being applied correctly, and document any false-positive dispositions. They provide compliance reporting to the board or senior management, flagging any areas of concern, open regulatory matters, or upcoming deadlines.

On a quarterly or annual basis, the officer coordinates staff training, manages the independent testing engagement, prepares for FinCEN or IRS examinations, and conducts a comprehensive review of the AML programme to ensure it remains aligned with the firm’s evolving risk profile.

This operational cadence requires consistent access to the firm’s systems and data. The most effective outsourced arrangements provide the fractional officer with direct access to the transaction monitoring platform, the customer onboarding system, the SAR filing portal, and the compliance case management system — the same access an in-house officer would have.

BSA Officer vs MLRO: Understanding the Terminology Across Jurisdictions

If your fintech or MSB operates across multiple jurisdictions — or if your founding team comes from a UK, EU, or UAE regulatory background — you will encounter a terminology difference that is important to understand.

In the United States, the designated compliance officer is typically referred to as the BSA Officer, AML Compliance Officer, or Chief Compliance Officer (CCO). The role is governed by the Bank Secrecy Act, the USA PATRIOT Act, and FinCEN’s implementing regulations.

In the United Kingdom, the equivalent role is the Money Laundering Reporting Officer (MLRO), governed by the Money Laundering Regulations 2017 and supervised by the FCA. In the EU under MiCA and the Anti-Money Laundering Directives, the role carries similar responsibilities but may be titled differently depending on the member state. In the UAE, the CBUAE Rulebook designates the role as the Compliance Officer/MLRO. In Canada, the equivalent is the Chief Anti-Money Laundering Officer (CAMLO), designated under the PCMLTFA and supervised by FINTRAC.

The functional responsibilities are broadly aligned across all of these frameworks: oversight of the AML programme, management of suspicious activity reporting, risk assessment, training, and serving as the regulatory point of contact. The differences lie in specific reporting obligations, timelines, supervisory expectations, and the degree of personal liability attached to the role.

For fintechs operating across borders, this jurisdictional complexity is precisely the argument for working with a compliance advisory firm that operates across multiple regulatory frameworks rather than engaging separate specialists in each market. A firm’s BSA Officer in the US needs to understand how FinCEN’s expectations interact with the FCA’s or FINTRAC’s — particularly when the same transaction flows cross multiple jurisdictions and trigger reporting obligations in more than one country.

Cost Comparison: Full-Time BSA Officer vs Outsourced Compliance Leadership

The economics of outsourced compliance leadership are straightforward, but the comparison must be honest — both about what you save and about what you trade off.

Cost Component	Full-Time In-House BSA Officer	Outsourced/Fractional BSA Officer
Base salary	$80,000–$175,000/year	N/A
Benefits, payroll taxes, overheads	$25,000–$55,000/year	N/A
Monthly retainer fee	N/A	$3,000–$12,000/month
Estimated annual compliance cost	$150,000–$250,000+	$36,000–$144,000
Coverage during leave/turnover	Gap risk — interim designation required	Built-in continuity (team-based model)
Regulatory technology (TM, sanctions, CMS)	Separate cost	Often included or guided
Scalability	Fixed cost regardless of volume	Scales with engagement scope

The cost differential is significant, particularly for early-stage and growth-stage fintechs. A fractional engagement at $5,000–$8,000 per month provides access to a senior-level BSA officer with director-level experience for approximately $60,000–$96,000 per year — roughly half to one-third the fully loaded cost of an in-house hire at a comparable experience level.

However, cost is not the only factor. The outsourced model also addresses the coverage gap: because the engagement is typically with a firm rather than an individual, there is built-in redundancy. If the primary fractional officer is unavailable, another qualified professional within the firm can provide interim coverage without the MSB needing to scramble for an internal designation.

The trade-off is proximity. An outsourced officer, no matter how well integrated, does not sit in your office, overhear conversations in the hallway, or absorb the company culture through daily exposure. This is why the most effective fractional engagements include regular on-site visits (or intensive virtual integration), direct access to internal communication channels, and a clear escalation framework that ensures the officer hears about compliance-relevant developments in real time — not after the fact.

When Does Outsourcing Make Sense — and When Does It Not?

Outsourced BSA/AML compliance leadership is not a universal solution. It works exceptionally well in certain contexts and poorly in others. Understanding the distinction is critical.

Outsourcing works well when the firm is pre-launch or early-stage and needs to stand up a BSA programme from scratch before going live. It works well during periods of rapid growth when the compliance function needs to scale faster than the firm can hire. It works well when the firm has experienced a leadership transition — a departing BSA officer — and needs immediate interim coverage while searching for a permanent replacement. It works well for firms operating across multiple jurisdictions that need a compliance officer who understands how US BSA requirements interact with UK FCA expectations, FINTRAC obligations in Canada, or VARA requirements in the UAE.

Outsourcing works poorly when the firm has reached a scale where the volume of alerts, SARs, and regulatory interactions requires a full-time, dedicated resource. For a fintech processing thousands of transactions daily with a complex customer base and multiple state licences, the operational demands of the BSA officer role will eventually exceed what a fractional engagement can deliver. At that point, the right model is typically a full-time in-house BSA officer supported by an external advisory firm for specialist guidance, independent testing, and surge capacity.

The transition point varies by business model, but a useful heuristic is this: when the BSA officer role requires more than 25–30 hours per week of consistent attention, it is typically more cost-effective and operationally sound to bring the role in-house. Below that threshold, fractional leadership almost always delivers better outcomes at lower cost.

FinCEN’s April 2026 NPRM: What the Proposed AML Programme Reforms Mean for Outsourced Compliance

On April 7, 2026, FinCEN issued a Notice of Proposed Rulemaking (NPRM) that, if adopted, would fundamentally reform how AML/CFT programmes are structured, evaluated, and supervised across all covered financial institutions — including MSBs.

The proposed rule reflects statutory changes mandated by the Anti-Money Laundering Act of 2020 and supersedes a prior NPRM published in July 2024. Comments are due 60 days after Federal Register publication, and FinCEN has proposed a 12-month implementation period following issuance of a final rule.

The key reforms relevant to outsourced BSA compliance leadership include the following.

A shift from process compliance to effectiveness. The proposed rule explicitly reorients AML programme evaluation away from checking whether policies exist and toward assessing whether those policies actually prevent, detect, and report illicit finance activity. For outsourced BSA officers, this is a significant change: it means that the quality of the programme — not just its existence — will be the benchmark. A well-drafted policy that is not operationally implemented will not satisfy the new standard.

Greater institutional discretion on risk-based resource allocation. The NPRM would allow financial institutions to direct more resources toward higher-risk areas and less toward lower-risk areas, rather than applying uniform controls across the board. For MSBs and fintechs using fractional compliance leadership, this is positive: it supports the argument that a senior-level fractional officer focused on high-risk areas delivers better outcomes than a junior full-time employee applying a one-size-fits-all approach.

Clarified expectations for independent testing. The proposed rule would clarify the role of independent testing and ensure that examiners and auditors do not substitute their subjective judgment for a financial institution’s risk-based and reasonably designed programme. This is directly relevant to firms using outsourced compliance officers, as it reinforces the principle that programme design should reflect the institution’s own risk assessment — not a template imposed by an examiner.

FinCEN’s expanded supervisory role. The NPRM would, for the first time, require federal banking regulators to consult with FinCEN before taking certain supervisory or enforcement actions related to AML/CFT programmes. While this primarily affects banks, it has downstream implications for MSBs and fintechs that maintain banking relationships: your bank’s expectations of your AML programme will likely evolve in response to this rule.

The bottom line is that the April 2026 NPRM reinforces the value proposition of outsourced compliance leadership — but only for firms that use it correctly. A fractional BSA officer who delivers genuine, risk-based programme management will be better positioned under the new framework than a full-time officer running a checkbox compliance operation. Conversely, a fractional arrangement that amounts to nothing more than a name on a registration form will face heightened scrutiny.

The Whistleblower Factor: Why Your BSA Officer Appointment Needs to Be Bulletproof

On April 1, 2026, FinCEN published a separate NPRM establishing a comprehensive whistleblower award and protection programme under the Anti-Money Laundering Act of 2020. The proposed rule would formalise monetary awards of 10% to 30% of collected penalties for individuals whose tips lead to successful enforcement actions, along with anti-retaliation protections.

This development has a direct and often overlooked implication for BSA compliance staffing decisions. When employees, contractors, or even former compliance officers can receive a financial reward of up to 30% of any penalty for reporting BSA programme deficiencies to FinCEN, the risk calculus around compliance leadership changes fundamentally.

A BSA officer who is under-resourced, overruled by commercial interests, or unable to file SARs in a timely manner now has a financial incentive — in addition to their professional and legal obligation — to report the failure externally. For MSBs and fintechs, this means that the BSA officer appointment is no longer just a regulatory checkbox. It is a critical governance decision. The person in the role must have genuine authority, adequate resources, and documented support from the board. If they do not, the firm is not just at risk of a FinCEN enforcement action — it is at risk of a whistleblower-initiated investigation that could be far more damaging.

How to Select the Right Outsourced BSA/AML Compliance Partner

Not all outsourced compliance arrangements are created equal. The difference between a well-structured fractional BSA engagement and a poorly structured one can be the difference between regulatory confidence and enforcement exposure.

When evaluating potential partners, prioritise the following factors.

Regulatory experience with your specific business model. A compliance officer who has spent their career in traditional banking may not understand the nuances of money transmission, stored value, crypto custody, or cross-border remittance. Ensure the firm has direct experience with MSBs, money transmitters, virtual asset service providers, or payment processors — whichever category applies to your business.

Multi-jurisdictional capability. If your fintech operates in or serves customers across multiple jurisdictions, your BSA officer needs to understand how US requirements interact with UK MLR 2017, FINTRAC’s PCMLTFA framework, MiCA, or VARA regulations in the UAE. A compliance partner with a single-jurisdiction focus will create gaps in your programme wherever your business crosses borders.

Examination and audit track record. Has the firm’s designated officer managed FinCEN or IRS examinations? Have they prepared MSBs for independent testing? Have they successfully remediated programmes that were flagged by examiners or banking partners? These are not theoretical questions — they are the practical indicators of whether the firm can protect you when it matters.

Team depth and continuity planning. If your outsourced BSA officer is a sole practitioner, you face the same coverage risk as a single in-house hire. Prioritise firms that offer team-based coverage — a designated primary officer backed by a second professional who knows your business and can step in without a ramp-up period.

Transparent engagement terms. The scope of the engagement — hours, deliverables, access, escalation procedures, and termination provisions — should be documented clearly. Ambiguity in the engagement agreement creates ambiguity in regulatory accountability, and FinCEN examiners will probe exactly where the boundaries of responsibility lie.

Red Flags That Your Current BSA Compliance Setup Is Failing

Most fintech founders and MSB operators do not realise their BSA compliance function is underperforming until an examiner, a banking partner, or — worst case — a FinCEN enforcement notice tells them. The warning signs are often visible well before that point.

Your designated BSA officer has not updated the firm’s risk assessment in the past twelve months. Your SAR filing backlog is growing rather than shrinking. Your banking partner has started asking for additional compliance documentation that your team cannot produce on short notice. Your last independent test identified findings that have not been remediated. Your compliance officer has flagged resource constraints to senior management, but no additional resources have been allocated.

Any one of these indicators suggests a programme that is not functioning as designed. Combined, they describe exactly the pattern that FinCEN has penalised in its recent enforcement actions — and that the proposed whistleblower programme would incentivise individuals to report.

The firms that avoid enforcement actions are not the ones with perfect programmes. They are the ones that identify gaps early, remediate proactively, and ensure that their compliance leadership has the authority and resources to execute. Whether that leadership is in-house or outsourced is a structural decision. Whether it is effective is a governance decision — and one that the board, not the compliance officer, is ultimately accountable for.

Frequently Asked Questions

Can FinCEN penalise an MSB for using an outsourced BSA compliance officer instead of a full-time hire?

No. FinCEN’s regulations under 31 CFR § 1022.210 require the designation of a person to assure day-to-day BSA compliance — they do not require that person to be a full-time employee. What matters is that the designated individual has the qualifications, authority, access, and resources to fulfil the role effectively. An outsourced officer who meets these criteria is fully compliant with the regulation. An in-house officer who does not meet them is not.

What happens if our outsourced BSA officer leaves the engagement?

The same regulatory expectation applies as with an in-house departure: the role must be filled at all times. A well-structured outsourced arrangement with a team-based compliance firm provides built-in continuity — another qualified professional within the firm can assume interim responsibility without a gap in coverage. This is one of the structural advantages of the outsourced model over a single-person in-house arrangement.

Do we still need independent testing if our BSA officer is outsourced?

Yes, absolutely. The independent testing requirement is a separate pillar of the AML programme and must be conducted by a party independent of the compliance function. If your outsourced BSA officer is provided by Firm A, your independent testing should be conducted by a different firm or a qualified internal resource that is not involved in day-to-day compliance operations. The independence requirement is non-negotiable.

Will our banking partners accept an outsourced BSA officer?

Most banking partners that serve MSBs and fintechs are familiar with the outsourced compliance model and accept it — provided the arrangement is professionally structured, the officer has genuine authority, and the firm can demonstrate programme effectiveness during the bank’s due diligence reviews. Some banks may request documentation of the engagement, including the scope of services, the officer’s qualifications, and the escalation framework. Having this documentation readily available strengthens the banking relationship rather than undermining it.

How does this work with state money transmitter licence requirements?

State MTL requirements vary by jurisdiction, but most states that require a designated compliance officer for money transmitter licensees will accept an outsourced officer under the same conditions as FinCEN: the officer must be qualified, have sufficient authority, and be operationally integrated into the firm’s compliance function. Some states may require the compliance officer to be named in the licence application. Check with your legal counsel on state-specific requirements, as these can differ materially from federal BSA obligations.

What is the typical contract length for a fractional BSA officer engagement?

Engagement terms vary, but most fractional BSA engagements run on an initial term of six to twelve months with monthly or quarterly renewal thereafter. Programme build-out engagements (standing up a new AML programme from scratch) typically require a more intensive initial phase of three to six months, followed by a lighter-touch ongoing oversight arrangement. The most effective engagements are open-ended, scaling up or down with the firm’s needs rather than terminating at a fixed date.