FCA flags weaknesses in financial crime & client categorisation

On 20 October 2025, the FCA published key observations from a multi-firm review and survey responses, focusing on: 

1. financial crime controls; and
2. client categorisation (COBS3) and certification requirements (COBS4). 

These findings will interest all FCA regulated firms doing corporate finance business. Compliance gaps across firms are highlighted, and these findings serve as an urgent call for firms to review and consider whether they need to enhance their internal frameworks. 

1. Addressing financial crime control gaps

The FCA's survey on financial crime controls revealed that about two-thirds of corporate finance firms (CFFs) may not be fully compliant with the Money Laundering Regulations (MLRs) in one or more elements of their frameworks.

Key areas identified for improvement include:

• Business-wide risk assessments. The FCA explicitly reminds firms that they must have documented business-wide risk assessments in place under the MLRs.
• Customer risk assessment (CRA) and Customer Due Diligence (CDD). Firms must maintain CRA forms for clients (even those with whom they have enduring and close business relationships) and records of CDD (and enhanced due diligence where appropriate).
• Ongoing monitoring. The FCA highlights that even if firms do not handle client funds directly, they should assess the sources of all received payments (e.g., engagement fees and other administrative payments) and periodically review client relationships to ensure compliance, as required by the MLRs.
• Oversight of appointed representatives (ARs). Survey responses were particularly concerning with respect to ARs. The FCA reminds principal firms that they must properly supervise the regulated activities carried out by ARs and urges them to implement specific policies to manage the financial crime risks (e.g., financial crime risk assessments, on-site visits or audits).

Areas of good practice were also highlighted such as regular reporting to senior management regarding financial crime matters, using customer risk assessment forms, maintaining risk registers and using detailed management information to strengthen crime controls.

2. Refining client categorisation practices

The FCA’s review of COBS3 and COBS4 compliance also identified gaps in firms’ assessments and records related to client categorisation and compliance with certification requirements.

Key areas identified for improvement include:

• Conducting and documenting client assessments. Many firms adopted a "superficial approach" to client categorisation or applied invalid or not clearly defined criteria to assess “professional clients”, “eligible counterparties” and “elective professionals”. The FCA recommends firms use a clear process to record structured assessments in defined documents (e.g., the New Business Committee form) that clearly outline how clients meet COBS3 criteria when onboarding and retaining relevant supporting documents. Compliance reviews should then be periodically undertaken (especially where clients engage firms on subsequent transactions). In addition, clear processes should be in place for reviewing client responses and representations.
• Categorising corporate finance contacts. Although many CFFs maintained a list of contacts, there was often not a clear process for assessing their client category, either when adding them to the list or before communicating a financial promotion. The FCA found that firms often relied on 'feel' rather than formal assessments. The FCA suggests firms have a clear process for adding, assessing, verifying, and periodically reviewing an organised contact list. In addition, firms must retain records and supporting documentation. Firms must also make the contact aware in a clear and unambiguous way, at multiple points throughout the onboarding and transaction lifecycle, that they are not a client of the firm (only a contact) and will not be afforded protections that a client would.
• Certifying retail investors. Firms showed a lack of clarity regarding whether FCA financial promotion rules (COBS4) or Financial Promotion Order exemptions were being relied upon for marketing investments to investors who are certified high net worth or self-certified sophisticated. These rules differ in scope, application and requirements – crucially, the relevant investor statements to use are different. Firms must have clear systems and processes to: (A) identify the investment category and applicable COBS4 requirements for certification; (B) form a reasonable belief that a completed and signed statement exists (and that the potential investor satisfies the conditions therein); and (C) renew such statements every 12 months.
• Tailoring policies and procedures. The FCA noted that many firms had policies that were incomplete, fragmented, or high-level. These policies were often not tailored to their business model and/or lacked distinction between clients. Policies must be tailored to the firm's business model, detailing regulatory permissions and how relevant COBS3 and COBS4 rules are met. Flowcharts, diagrams and templates should be used to cover the entire process lifecycle.

On 29 October 2025, the Court of Appeal in Linear Investments Ltd v Financial Ombudsman Service Ltd confirmed that firms must go beyond tick-box compliance when classifying clients as elective professionals under COBS. The Court upheld the FOS’s use of a lower-risk benchmark to calculate redress given the client’s lack of experience and the firm’s failure to assess suitability, but found that the FOS had failed to consider contributory negligence. Please see our blog post for more details.

3. Next Steps

The FCA intends to use these findings for supervisory guidance and will intervene where firms fall short. It is crucial for firms to review and update their current practices in light of these detailed observations.

The FCA also plans to update the COBS3 client categorisation rules across all regulated firms (not just CFFs) and will consult shortly on proposals to address the feedback to CP24/24 about modernising the COBS3 rules.