Financial crime: UK FCA shares findings from review of firms’ risk assessment processes and controls

As part of its wider financial crime supervisory work in support of its 2025–30 strategy, the FCA has published the findings from its multi-firm review of firms' business-wide risk assessment (BWRA) and customer risk assessment (CRA) processes. Firms involved in the review included building societies, platforms, custody and fund services, payments (e-money) and wealth management firms. While the FCA expects firms to already be complying with existing requirements in terms of understanding relevant risks and having robust financial crime systems and controls in place, it is encouraging firms to use its findings to review their current approach. The FCA's supervisory spotlight remains firmly trained on financial crime, so firms would be wise to take this opportunity to evaluate all relevant systems, processes and controls and make any necessary improvements in line with the FCA's review findings. We summarise a number of the key points from the review below.

Identifying, understanding and assessing risk

The FCA’s findings highlighted key challenges for firms as follows:

  • Tailored risk assessments: While most firms in the review have a BWRA, the FCA found that only a few are identifying relevant risks and tailoring the BWRA to the firm’s specific business, products and customers. Firms should be identifying the specific risks that apply to their business across the full range of financial crime topics of fraud, money laundering, sanctions, bribery and corruption, proliferation and terrorist financing etc. Their conclusions should be evidence-based, explaining how each risk affects the firm. Adopting generic or over-simplified risk categories, such as ‘fraud’, will not be sufficient.
  • Qualitative and quantitative analysis: Quantitative analysis within a financial crime BWRA is always a challenge for firms. Many components of financial crime risks are typology-based, which don’t lend themselves easily to a quantitative assessment methodology. These challenges were clearly visible in the data collated by the FCA. The FCA reminds firms that quantitative analysis is an important component of a good BWRA. Unfortunately, the FCA’s good practice outputs did not include examples of what a quantitative analysis might look like in the context of a financial crime BWRA. A combined approach of quantitative and qualitative analysis is perhaps easier to visualise in the context of the CRA. The FCA noted that some firms use sub-factors and weightings to tailor their CRA to the business and the specific risks they face, for example.
  • BWRA and CRA processes working in harmony: Whatever methodologies firms use to calculate their BWRA and CRA risks, it is important that the two assessments work together. For example, BWRA risks play a key role in identifying and calculating customer risk, and the prevailing risk profile of a firm’s customers impacts BWRA conclusions.
  • Good governance: The FCA noted that the process by which a firm identifies and assesses its inherent risks should be clearly set out. This should include a formal, documented annual review.

Mitigating risk

  • Capacity: The FCA places a particular emphasis on ensuring that firms consider the capacity of their compliance and financial crime functions to support the current and future growth strategy for the business. It is made clear that growth should not outpace risk assessment controls, which must remain appropriate and effective and should be reviewed before the planned growth takes place.
  • Joined-up activities: Risk assessments, decision-making and monitoring activities should be joined up. The BWRA should feed into risk appetite, controls testing and the firm’s overall risk-based approach. CRAs should directly impact firms’ customer due diligence, transaction monitoring and other processes and controls used to mitigate identified risks.
  • Financial crime risk should be at the heart of business decisions and strategy: Firms should be considering financial crime risks in product development, business strategy, growth and sales discussions. The MLRO should be represented in the associated committees to articulate the risks and financial crime framework enhancements needed to support the business.
  • Good governance: Firms need to make sure they are documenting actions resulting from their risk assessment. This includes formally tracking BWRA actions and assigning owners for those actions, as well as noting recommendations on how the firm plans to mitigate or reduce the overall risk.

Managing risk

  • CRA is an essential part of conducting business: The FCA reminds firms that CRA processes should be included in business continuity planning. If the firm cannot assess customer risk, it cannot comply with its obligations under the UK’s money laundering regulations.
  • Too much focus on financial crime targeted at the firm: The FCA reinforces its point that senior management’s understanding of financial crime risk should include the full range of relevant risks (such as money laundering, sanctions, bribery and corruption, proliferation financing and terrorist financing). The FCA expresses concern that some firms focus just (or mainly) on fraud. Giving equal attention to financial crimes that affect society as a whole, rather than only those (such as fraud) that might be targeted at the firm or its customers, reflects the broader role that firms play as financial crime gatekeepers.
  • Good governance: Firms should ensure that senior management oversight and challenge are taking place and are documented. This includes sharing the BWRA document and summary with senior management and committees for review and approval, providing CRA management information to senior management committees for discussion, and evidencing MLRO and committee challenge on risk assessments. Firms should regularly review their risk assessment models and processes, with quarterly or trigger-based updates to make sure they remain responsive to emerging risks and changes in regulatory requirements.

What’s next and how can Hogan Lovells' combined legal and consulting teams help?

The FCA expects firms to already be complying with existing requirements, specifically in relation to understanding the risks their business is exposed to and having robust financial crime systems and controls to manage and mitigate those risks.

However, it will continue to monitor firms through its supervisory work to make sure they are considering the points raised in the review with a view to making any necessary improvements. Now could therefore be a good time for firms to evaluate all relevant systems, processes and controls.

With the FCA emphasising the importance of growing firms’ compliance and financial crime functions remaining fit for purpose, these firms should also note the recently announced joint FCA and PRA Scale-Up Unit designed to support fast-growing innovative firms in navigating changing regulatory requirements. Initially focused on dual regulated firms (banks/building societies and insurers), there are plans to expand the Unit's scope to solo regulated firms – take a look at this Our Thinking article for more.

Our combined legal and consulting teams bring decades of in-house experience of building BWRA and CRA assessment and governance frameworks together with world-leading legal advice. We have significant experience in supporting new, growing and established financial institutions with all aspects of their business journey.

If you would like to discuss how we can help you, please reach out to any of the people listed in this article or your usual Hogan Lovells contact.
Authored by Ann Doan and Virginia Montgomery.