By guest writer, Eloise Butterworth, Head of Risk and Compliance, Hive Risk
If you’re an MLRO or COLP, you don’t need reminding that 2025 has been a year of constant change.
Updates to the LSAG as well as the National Risk Assessment and Sectoral Risk Assessment. Thematic review findings released and future reviews announced. And now, the bombshell that the FCA will take over from the SRA as the sector’s AML supervisor. It’s been the kind of year that makes even seasoned compliance leaders pause and ask: which fire do I fight first?
The year of compliance overload
For many firms, it’s not a lack of will - it’s a lack of bandwidth. The sharp rise in AML fines has made everyone twitchy. The cost of non-compliance, both financially and reputationally, feels higher than ever.
Having recently moved from in-house to consultancy, I’ve seen first-hand what happens when attention is spread too thin. Every new update feels urgent, every regulator announcement is another flashing red light and overwhelming paralysis can set in.
And yet, amid the noise, one update really matters: the SRA’s next thematic review into the effectiveness of Policies, Controls and Procedures (PCPs).
After client and matter risk assessments and source of funds checks, PCPs are now the third most common issue found in inspections. The question is simple: does your policy actually work in practice?
From manuals to meaningful frameworks
Many PCPs have grown into sprawling manuals - technically compliant but impossible to follow, or practical but incomplete. Over time, layers of fixes and bolt-ons create contradiction and confusion.
The SRA itself noted that 77% of firms carried out file reviews, yet a third didn’t consider source of funds as part of those reviews. In those cases, how can a firm prove its policy effectively manages risk?
Simplifying without shrinking oversight is easier said than done, but is possible. Cut duplication, keep the essentials clear and start with the basics:
- Go back to the MLRs and LSAG before drowning in guidance.
- Tailor to your firm’s structure - centralised, decentralised or hybrid.
- Make controls explicit: “If alert A triggers, do X, document Y, escalate to Z”.
- Write in plain English. If your team can’t understand it, they can’t follow it. The result is clearer decisions, fewer escalations and far less compliance drag.
Time, people and priorities
Every MLRO I know says the same thing - there’s never enough time, people or budget. But much of what clogs capacity isn’t regulatory, it’s habitual: chasing documents, fielding repeat questions, manually reconciling data.
Start by auditing your workload. Identify high-volume-low-value tasks that could be automated or delegated (or maybe even disposed of!). And don’t assume leadership knows the scale of what your team does and how long it takes - show them. Data earns visibility and open conversations will help identify priorities.
Technology that helps, not hinders
Technology should lighten the load, not add noise. The best systems mirror how your firm already works, linking risk rules to CDD outcomes and automating repetitive tasks.
Choose platforms that make compliance easier to evidence, not harder to manage. Poorly configured tech creates friction; well-configured tech enables proof.
The FCA era: evidence over excuses
The FCA’s arrival signals a mindset of evidence and outcomes over policies and promises. Expect data-driven supervision, requests for metrics and more testing of effectiveness.
Firms won’t be judged by how much paper they produce, but by how well their frameworks work. That’s a good thing. It rewards clarity, proportionality and real-world delivery.
From firefighting to foresight
If 2025 has been about firefighting, 2026 needs to be about regaining control; clarity over complexity, structure over strain.
That’s exactly what I’ll be exploring in my upcoming webinar with First AML; “Compliance overload! How to simplify without slipping up.”
We’ll unpack how to:
- Simplify PCPs without jeopardising compliance
- Refocus time and resources
- Use technology that helps, not hinders
- Prepare for the FCA’s evidence-based supervision model
Register here to secure your place. Because after a year of firefighting, it’s time to build compliance frameworks that actually work.
About First AML
First AML comes from the perspective of both a technology provider, but also as compliance professionals. Prior to releasing, First AML’s all-in-one AML workflow platform, we processed over 2,000,000 AML cases ourselves. Understanding the acute problem that faces firms these days as they try to scale their own AML, is in our DNA.
That's why First AML now powers thousands of compliance experts around the globe to reduce the time and cost burden of complex and international entity KYC. Source stands out as a leading solution for organisations with complex or international onboarding needs. It provides streamlined collaboration and ensures uniformity in all AML practices.
Keen to find out more? Book a demo today!