FCA Puts Firms on Notice Over Anti-Money Laundering Shortfalls

April 10, 2026

By Arun Srivastava, Nina Moffatt, Bhavesh Panchal and Samantha Wood

The FCA has provided feedback on its 2025 multi-firm review of customer due diligence (CDD), enhanced due diligence (EDD) and ongoing due diligence controls across various regulated sectors.

The feedback relates to the following topics:

  • Policies and procedures.
  • CDD and EDD processes.
  • Compliance monitoring and audit.

The FCA’s review is part of its wider financial crime supervisory work, with the aim of raising standards and sharing practical insights. As with feedback provided on other review work, the FCA has shared examples of good and poor practice. An interesting observation made by the FCA is that “Good practice often goes beyond minimum regulatory requirements…”, indicating that the FCA expects firms to be operating above the minimum legally required standards.

The key issues that arise in our view are:

  • Customer risk assessment (CRA) — The review work illustrates the importance of firms carrying out a proper CRA and understanding the different risks posed by customers. This is the foundation to ensuring that processes are correctly calibrated and respond effectively to the risks posed to the firm.
  • Providing detailed practical guidance — Policies and procedures must provide practical and sufficiently detailed guidance for staff to follow and understand what the firm’s processes are.
  • Recordkeeping — Making sure you document all stages of your processes is essential in demonstrating compliance. The FCA’s expectation is to be able to see an audit trail of all steps in a compliance process.
  • Independent second line assurance — Firms must ensure that second line testing/assurance is independent and operates impartially.

The findings from the FCA’s review are summarised in the table below.

Review Topic | FCA Findings

Policies and procedures

  • The FCA found that some firms’ policies were lacking detail on practical steps to comply with customer identity verification.
  • For example, there was insufficient coverage of what alternative ID verification could be carried out if customers lacked standard documentation.
  • In our experience, the FCA’s expectation is that policies and procedures must be sufficiently detailed to provide practical guidance to staff on what specific steps they should take to implement the firm’s AML requirements. For example, the FCA has expressed the view that materials must be detailed enough to allow new staff members to pick up the policies and procedures and know what they need to do to perform their role without further assistance.
  • Periodic reviews and event-driven refreshes — The FCA noted that some firms’ policies contained insufficient detail on these areas, including in relation to the cadence of periodic reviews and steps to be taken in relation to event-driven refreshes.
  • Governance deficiencies — These issues relate to escalations and circumstances in which senior management sign-off is needed.
  • Distinctions between CDD, EDD and measures relating to PEPs — The review looked at whether firms distinguish between CDD and EDD sufficiently. It also looked at the response to the change in requirements around domestic PEPs. In some cases EDD measures were not sufficiently different from CDD to deliver enhanced scrutiny of the customer or business relationship.

CDD

  • Recording information on the purpose and intended nature of the business relationship — The FCA found that some firms do not do enough to record CDD information and other relevant matters as part of the CDD process.
  • EDD — The FCA identified failures in evidencing and documenting EDD measures taken for high-risk customers.
  • It is clear that the FCA has high expectations around EDD processes and noted that “strong firms” document each stage of this process.
  • Customer risk assessment (CRA) — The FCA noted that most firms tailor their approach to the risk profile of each customer, ensuring that higher-risk customers are subject to enhanced checks and reviews. The CRA in our experience is a key area of focus for the FCA.

Compliance monitoring and audit

  • Level and depth of reviews and independence of these arrangements — The FCA noted a variation in the level and depth of compliance monitoring and audit. These matters need to be proportionate to a firm’s profile and risks.
  • Independent second line assurance — The FCA noted that “strong firms” operate independent third line testing that assessed controls. This standard appears to be the FCA’s benchmark.
  • The FCA questioned the effectiveness and impartiality of testing if firms did not have independent second line assurance, with the same staff responsible for both onboarding and reviewing customers.

Next Steps

The FCA signalled that it will keep a close eye on how firms respond to its findings, stating that “we will continue to monitor firms through our supervisory work, to make sure they are considering the points raised here.” Firms should therefore review and follow up on the agency’s findings to ensure compliance.
