On 8 April 2026, the Financial Conduct Authority (FCA) published findings from its 2025 multi-firm review of customer due diligence (CDD), enhanced due diligence (EDD), and ongoing monitoring controls.
Conducted under its 2025–30 financial crime strategy, the review assessed firms through questionnaires, policy reviews, file testing, and interviews. Firms were evaluated against the Money Laundering Regulations 2017, the FCA Financial Crime Guide, SYSC, JMLSG guidance, and FATF standards. Although covering sectors including asset management, banking, and non-bank lending, the findings are intended to apply broadly across all firms undertaking CDD.
The review is particularly relevant ahead of the UK’s FATF mutual evaluation in 2027, which will assess the effectiveness of the UK’s anti-money laundering framework. The findings therefore signal the standards likely to inform that assessment.
Policies and Procedures
Most firms distinguished between CDD and EDD in their policies and reflected recent updates on domestic politically exposed persons (PEPs). However, many lacked sufficient operational detail. Common gaps included limited guidance on verifying identity where standard documentation is unavailable, unclear periodic and event-driven review processes, and weak governance tools such as approval matrices and version control.
Good practice included clear differentiation between CDD and EDD, robust PEP frameworks, and risk-based measures. Poor practice included vague EDD requirements, lack of alternative identification methods, and undefined review cycles.
CDD and EDD Processes
Most firms adopted a risk-based approach, applying enhanced checks to higher-risk customers. Stronger firms documented EDD steps clearly and required senior management approval with oversight through governance structures.
However, weaknesses were identified where firms failed to record key information such as the purpose of the business relationship, did not evidence EDD measures, or showed little distinction between low- and high-risk customers. Periodic reviews were also inconsistently applied.
Good practice involved clear documentation and risk-calibrated processes. Poor practice included missing EDD evidence, incomplete customer information, and weak governance or approval frameworks.
Compliance Monitoring and Audit
While most firms had compliance monitoring and audit functions, quality and independence varied. Stronger firms conducted regular reviews, used sample-based testing, and implemented independent third-line assurance with documented outcomes.
Concerns arose where independence was lacking – particularly where the same staff handled onboarding and review. Other issues included weak quality control, absence of independent assurance, and poor document version control, limiting audit trails.
Next Steps
The FCA expects firms to assess their frameworks against these findings and address any gaps. It will continue supervisory engagement with firms where weaknesses were identified.
Subscribe to Ropes & Gray Viewpoints by topic here.
Stay Up To Date with Ropes & Gray
Ropes & Gray attorneys provide timely analysis on legal developments, court decisions and changes in legislation and regulations.
Stay in the loop with all things Ropes & Gray, and find out more about our people, culture, initiatives and everything that’s happening.
We regularly notify our clients and contacts of significant legal developments, news, webinars and teleconferences that affect their industries.