FCA findings on customer due diligence controls: 2025 multi-firm review
The FCA published its findings from a 2025 multi-firm review of customer due diligence controls in April 2026, covering asset management, wholesale banking, crowdfunding, contracts for difference and non-bank lending firms in the UK. The review's central finding is that most firms had documented CDD policies but could not demonstrate consistent operational application through customer records, escalation trails or independent compliance testing. The findings apply to all firms with AML obligations under the Money Laundering Regulations 2017 — not only those reviewed. Law firms preparing for the transition of AML supervision from the SRA to the FCA should note that while the FCA has not yet published specific guidance for the legal sector, the standards applied in this review reflect the supervisory framework that will apply to newly supervised entities.
The gap isn't awareness. It's operational clarity
Operational failures in CDD policy and procedure
Firms generally know what they're supposed to do. Frameworks exist. Policies are written. Terminology is understood. What the FCA found is that most firms could not translate that into clear, actionable guidance for the people actually doing the work.
Most firms had documented procedures for verifying customer identity. Far fewer had procedures detailed enough to handle everyday edge cases. What happens when a client can't produce standard ID? What counts as acceptable alternative evidence? These aren't rare scenarios — they're routine operational realities, and many firms' policies were silent on them.
The same applies to periodic and event-driven reviews. Regulation 28 of the MLRs requires firms to keep CDD documents and information up to date. Firms referenced reviews at a policy level but failed to define when they should happen, how frequently, and what should trigger a reassessment. A policy that references periodic reviews without defining them does not satisfy that obligation.
This is a key point made by Amy Bell of Teal Compliance in the AML audit prep playbook: How to spot and fix the 7 most common failures:
"If it's not written down, it didn't happen."
Amy Bell, Teal Compliance (AML audit prep playbook: How to spot and fix the 7 most common failures)
EDD is still poorly evidenced
EDD documentation failures for high-risk customers
Stronger firms clearly differentiated between standard CDD and EDD, with defined escalation paths, approval requirements and documented processes for higher-risk customers.
Weaker firms struggled with something more fundamental: proving that EDD had actually taken place. Customer files for high-risk individuals and entities contained no evidence of enhanced measures, no record of how risk-rating decisions were made and no audit trail distinguishing the treatment of low and high-risk customers.
Under the MLRs 2017 (Regulation 28 requires a firm to be able to demonstrate that the extent of its CDD measures is appropriate to the risks; Regulation 33 sets out when enhanced due diligence must be applied) and FATF Recommendation 10, a risk-based approach requires documented evidence of both the risk assessment and the measures applied. An undocumented EDD process is indistinguishable from no EDD process in an FCA file review. If you can't evidence it, the regulatory position is that you didn't do it.
The missing piece: purpose and intent
Purpose and intended nature of business relationship as a CDD requirement under MLR 2017
A recurring gap in the review was the failure to capture the purpose and intended nature of the business relationship — a requirement under the MLRs that was routinely absent from customer records.
This might look like a minor administrative detail. It isn't. Transaction monitoring depends on a baseline record of what the customer said they would use the relationship for. Without it, ongoing monitoring has no reference point. Suspicious activity is harder to identify and harder to report with adequate detail.
The gap points to a deeper issue: firms treating onboarding as a one-off event rather than the starting point of a continuous risk assessment lifecycle. CDD isn't something you do at the beginning and file away. It's the foundation that everything downstream depends on.
Governance is often implied, not enforced
Governance inconsistency in senior management escalation and approval
The review exposed inconsistency in governance structures. Some firms had approval matrices and defined escalation paths. Others failed to specify when senior sign-off was required at all, leaving decisions to individual case handlers with no documented rationale for divergence between similar cases.
The practical consequence: two similar high-risk clients treated differently depending on who handles the case. That introduces regulatory risk and operational inconsistency — and it's exactly the kind of thing that shows up in an FCA file review.
Stronger firms removed that ambiguity. Escalation scenarios were defined, embedded in workflows and recorded in the customer file. The decision trail was there whether or not anyone ever looked for it.
Monitoring exists. Independence often doesn't
Compliance monitoring independence under the three lines of defence model
Most firms had some form of compliance monitoring in place. The differentiator was whether it was structurally independent of the function being tested.
"An audit is a window into how your firm thinks about risk and culture."
Kayleigh Smale, Smale Compliance (AML audit prep playbook: How to spot and fix the 7 most common failures)
Kayleigh Smale of Smale Compliance describes an audit as "a window into how your firm thinks about risk and culture". That framing matters here. High-performing firms applied the three lines of defence model to CDD: first-line controls in onboarding workflows, second-line oversight independent of the onboarding team, and third-line internal or external audit on a defined cycle with findings documented and tracked to resolution.
Weaker firms blurred these lines. In some cases, the same individuals responsible for onboarding customers were also responsible for reviewing those decisions. That is not oversight. It is self-assessment — and it cannot detect systematic errors in onboarding judgement because the reviewer shares the same assumptions as the person who made the original decision.
What this means in practice
Four characteristics of effective CDD controls: FCA expectations
The FCA's findings identify four characteristics of firms with effective controls:
- Policies that specify staff actions for non-standard scenarios;
- Customer files that evidence the risk assessment and measures applied;
- Governance structures that define and record escalation decisions; and
- Compliance monitoring independent of the onboarding function.
Amy Bell puts it plainly: an AML audit is "a behavioural assessment of whether your AML programme is implemented, understood and supported at every level - especially at the top." The FCA's findings confirm that is exactly the lens being applied.
"An AML audit is a behavioural assessment of whether your AML programme is implemented, understood and supported at every level - especially at the top."
Amy Bell, Teal Compliance (AML audit prep playbook: How to spot and fix the 7 most common failures)
It is no longer sufficient to have policies that reference JMLSG guidance or align with high-level frameworks. Firms are expected to operationalise those policies in a way that is clear for staff to follow, consistent across the organisation, evidenced at every stage and testable through independent review.
One observation worth making: the sectors reviewed are among the most heavily supervised in UK financial services, with mature compliance functions and dedicated MLROs. If documentation and independence failures of this kind exist there, the baseline across less-supervised populations is likely materially worse. The FCA's decision to publish as good and poor practice rather than enforcement action — under its 2025-30 strategy, which identifies financial crime prevention as a cross-sector priority — suggests the intent is to raise the floor across all sectors simultaneously, including those not yet under FCA supervision.
Most of the failures identified are not due to a lack of intent. They stem from fragmented processes, unclear workflows and reliance on manual systems that don't hold up under scrutiny. Firms that performed well weren't necessarily doing more. They were doing things more consistently, with better control over how decisions are made, recorded and reviewed.
That is the difference between a compliance framework that exists on paper and one that actually works.
See how First AML maps to each of the FCA's four characteristics of effective CDD controls.
Frequently asked questions
Frequently asked questions on the FCA's 2025 CDD review
What did the FCA find in its 2025 CDD review?
The FCA found that most firms had documented CDD policies but could not demonstrate consistent operational application. The most common failures were insufficient procedural detail for staff, absent EDD records for high-risk customers, and compliance monitoring that lacked independence from the onboarding function.
What are the most common CDD compliance failures the FCA identified?
The two most common procedural failures were: no instructions for verifying identity when standard documents are unavailable, and no defined criteria for triggering periodic or event-driven reviews. Both produced inconsistent treatment of customers across the firm.
How should firms evidence EDD for high-risk customers?
EDD must be evidenced through customer files documenting the enhanced measures applied, the risk-rating rationale and the approval steps followed. Under the MLRs 2017 (Regulation 28 on demonstrating that CDD measures match the risk, Regulation 33 on enhanced due diligence) and FATF Recommendation 10, an undocumented EDD process is treated as no EDD process in an FCA file review.
Does the FCA's CDD review apply to law firms?
Yes. The FCA states the findings apply to all firms undertaking CDD. Law firms preparing for the transition of AML supervision from the SRA to the FCA should treat this as advance guidance on supervisory expectations, noting that specific legal sector guidance has not yet been published.
What should firms prioritise in response to these findings?
File-level EDD documentation is the highest priority — it is the area most likely to produce a visible gap in an FCA file review and the most straightforward to remediate. Review cycle definition and compliance monitoring independence should follow.
What does good compliance monitoring look like according to the FCA?
Good compliance monitoring applies the three lines of defence model to CDD, with second-line oversight structurally independent of the onboarding team and third-line audit on a defined cycle. The FCA's concern was not the absence of monitoring but the absence of independence.
About First AML
First AML comes from the perspective of both a technology provider and a team of compliance professionals. Before releasing First AML’s all-in-one AML workflow platform, we processed over 2,000,000 AML cases ourselves. Understanding the acute problem firms face as they try to scale their own AML is in our DNA.
That's why First AML now powers thousands of compliance experts around the globe to reduce the time and cost burden of complex and international entity KYC. First AML stands out as a leading solution for organisations with complex or international onboarding needs. It provides streamlined collaboration and ensures uniformity in all AML practices.
Keen to find out more? Book a demo today!