
FCA highlights shortcomings in UK firms’ financial crime risk assessments

The FCA has published the findings of a thematic review into how firms manage financial crime risk. The review focused on business-wide risk assessments (BWRA) and customer risk assessments (CRA), gathering evidence from a range of firms, including building societies, payment providers and wealth managers through a combination of questionnaires, desk-based reviews of policies and procedures and interviews. 

The review, part of the FCA’s 2025-30 financial crime strategy, has identified what the FCA considers to be weak points that could lead to supervisory attention or even enforcement action. 

FCA findings 

Three recurring themes stand out in the findings:

1. Tailored assessments

The review found that firms commonly fail to tailor their risk assessments to their own specific circumstances. While most firms had a BWRA, the FCA noted that “few are identifying relevant risks and tailoring the BWRA to the specific business”. Poor practice included overly simplistic assessments that focused mainly on fraud or on generic risks while failing to consider more specific threats adequately. Some firms also failed to explain how each identified risk specifically affected their business. In contrast, the FCA highlighted as good practice assessments that are comprehensive, combining “quantitative and qualitative” analysis to consider inherent risks, the effectiveness of controls and residual risk. Such assessments should be tailored to the firm, its products and its customers. They should be dynamic and reassessed annually, rather than simply ‘refreshed’ periodically.

2. Risk management and monitoring 

Another central finding of the review was the failure to translate risk assessments into practical, demonstrable action. The FCA observed a significant disconnect, noting “little evidence of how risk assessments, decision-making and monitoring activities are joined up”. 

This gap often manifested as a lack of formal process. For instance, firms would fail to keep a record of the actions flowing from a BWRA or to assign individuals responsibility for completing them. The review also found a corresponding lack of testing and review of risk assessment systems. The result was a static risk framework that allowed firms to expand into new products or customer segments without checking that their existing controls remained adequate for the different risks such expansion brings. Ultimately, the FCA warned that this approach could lead to outdated risk profiles being used to inform business strategy.

In contrast, the FCA praised firms where the BWRA was a dynamic tool that clearly informed the firm’s risk appetite and its approach to controls testing. In these stronger frameworks, the high-level risks from the BWRA were translated into specific weightings or sub-factors within the CRA process. This created a practical link between the BWRA and day-to-day compliance functions like customer due diligence and transaction monitoring. These firms maintained a clear audit trail by formally tracking recommendations and actions from the BWRA. The framework was kept current through regular updates, such as quarterly reviews or event-triggered assessments, ensuring it remained responsive to new threats.

3. Focus beyond fraud

Lastly, the review found that senior management’s understanding of financial crime is often too narrow, noting that “senior management appear to better understand and be more aware of fraud risk, compared with other financial crime risks”. The finding aligns with the timing of the new ‘Failure to Prevent Fraud’ (FTPF) offence, which came into force on 1 September 2025. The engagement required to prepare for this new offence may go some way to explaining why other risk areas have received less focus, including bribery and corruption, money laundering, sanctions and terrorist financing.

Regulatory expectations 

The FCA stresses that firms must understand the specific risks they face and maintain robust systems and controls to manage them. The regulator is encouraging firms to consider the findings from its review within the context of their firm. It is already working with firms to make improvements where weaknesses were found and will continue supervisory monitoring. Given the increased regulatory focus on this area, it will be important for firms to be able to explain and evidence how they are managing and mitigating identified risks, including through appropriate governance and senior management reporting and oversight.

As professional advisers (such as auditors) are soon to fall within the FCA’s remit for AML compliance, they should also consider the findings from this review to ensure they are taking the appropriate steps and meeting regulatory expectations.

The FCA's latest enforcement report, covering the 2024/25 period, shows that while the number of open investigations has decreased, the total value of financial penalties has risen sharply to £186.4 million. Financial crime remains the subject of the majority of new investigations opened and the root causes cited in enforcement cases often align with the shortcomings identified in this review, including inadequate risk management. Firms with unresolved deficiencies in their BWRA or CRA processes should therefore expect closer regulatory scrutiny. 

Firms should look carefully at the FCA’s review, identify any enhancements they should make to their own BWRA processes and wider AML control environment in the light of it, and ensure that assessment is appropriately documented. 


Tags

corporate crime, corporate governance, uk, financial crime, financial services