FCA Review of Customer Due Diligence Controls – Key Findings and Regulatory Expectations

April 20, 2026

The Financial Conduct Authority (FCA) has published a detailed review of firms’ Customer Due Diligence (CDD), Enhanced Due Diligence (EDD) and ongoing due diligence frameworks, setting out examples of good and poor practice observed across a wide range of regulated sectors. The review forms part of the FCA’s wider financial crime supervisory strategy for 2025–2030 and provides important insights into supervisory expectations for authorized and registered firms. It also highlights the FCA’s increased assertiveness and scrutiny in financial crime supervision.

This alert summarizes the FCA’s key findings and highlights practical implications for senior management, compliance teams and Money Laundering Reporting Officers (MLROs).

 

Scope and Approach of the FCA Review

In 2025, the FCA conducted a multi-firm review assessing how firms design, implement and monitor CDD and EDD controls. The review covered firms across the asset management, wholesale banking, crowdfunding, non-bank lending and derivatives sectors, but the findings apply broadly to all firms subject to the Money Laundering Regulations 2017 (MLRs).

The FCA assessed firms using:

  • A questionnaire (some firms will have received a survey in late 2025)
  • Desk-based reviews of policies and procedures
  • Customer file reviews
  • Interviews with key staff
  • Benchmarking against Senior Management Arrangements, Systems and Controls (SYSC), the FCA Financial Crime Guide, Joint Money Laundering Steering Group (JMLSG) and Financial Action Task Force (FATF) standards
 

Key Findings

 

1. Policies and Procedures - General

While most firms had documented CDD frameworks, the FCA identified recurring weaknesses in the quality and usability of policies. In particular:

  • Policies often lacked practical guidance for staff, particularly when dealing with non‑standard or higher‑risk customer scenarios
  • Many firms failed to clearly articulate EDD triggers, escalation pathways or senior management approval requirements
  • Periodic and event-driven review cycles were frequently undefined or inconsistently applied

Firms with stronger controls clearly differentiated between standard CDD and EDD, incorporated recent changes on domestic PEPs and maintained robust governance and version control arrangements.

 

2. Weaknesses in CDD and EDD Execution

The FCA found that although firms generally claimed to operate a risk-based approach, execution was often deficient. Common issues included:

  • Failure to document the purpose and intended nature of customer relationships
  • Inadequate evidencing of EDD measures for higher-risk customers
  • Limited demonstrable distinction between controls applied to low- and high-risk customers

By contrast, stronger firms maintained end-to-end documentation of EDD decisions, ensured meaningful senior management oversight and aligned the depth of due diligence to customer risk profiles.

 

3. Compliance Monitoring and Independent Assurance

The FCA emphasized the importance of effective second and third line assurance. While many firms operated compliance monitoring programs, the FCA observed:

  • Insufficient detail on testing methodologies
  • Lack of independence where onboarding staff also performed assurance reviews
  • Weak audit trails and documentation version control

Good practice included the performance of regular internal or external thematic reviews and maintaining clear cycles for ongoing assessment.

 

What This Means for Firms

The FCA’s findings demonstrate that procedural compliance alone does not meet regulatory expectations. Firms are expected to demonstrate operationally effective, well-governed and consistently applied CDD and EDD frameworks. Senior managers should consider:

  • Whether policies provide clear, actionable guidance
  • How EDD decisions are evidenced and approved
  • The robustness and independence of compliance monitoring and assurance functions

The FCA has indicated that it will continue to challenge firms where weaknesses persist and expects firms to proactively address gaps identified in this review.

 

How Kroll Can Help

Given the FCA’s increasing focus on financial crime controls and its willingness to escalate supervisory action, firms should expect continued regulatory scrutiny of their frameworks throughout 2026 and beyond.

Kroll’s award-winning Financial Services Compliance and Regulation practice can assist your firm in meeting its regulatory requirements and expectations while maintaining your own unique compliance program. We can support firms in responding effectively to the FCA’s findings by providing targeted expertise. Kroll can help firms by:

  • Independently assessing the KYC and ongoing due diligence frameworks against the MLRs, the FCA Financial Crime Guide and JMLSG Guidance
  • Drafting and refining practical, tailored and risk-based Anti-Money Laundering (AML) policies and procedures, focusing on, among other things, the clear definition of the EDD steps required to onboard high-risk clients and establishing general and staff-specific training obligations
  • Undertaking targeted reviews of screening systems and controls, encompassing PEP identification processes and including the discounting of PEP hits and the escalation of alerts to senior management for approval
  • Providing outsourced KYC services, including initial and ongoing PEP, sanctions and adverse media screening, end-to-end customer onboarding, completion of customer risk assessments and periodic review
  • Providing practical support for MLROs, compliance teams and SMFs in preparing for FCA supervisory engagement, remediation programs and internal governance discussions
  • Designing and delivering proportionate compliance monitoring programs (CMPs), underpinned by a CMP testing plan based on multiple clearly documented methodologies, together with thematic reviews and independent second- or third-line testing of CDD controls, including remediation planning
