On 8 April 2026, the Financial Conduct Authority (FCA) published a summary of its main findings in relation to firms’ customer due diligence processes and controls, the good and poor practice it has observed, and its expectations for firms.
Summary
The FCA set out the following key findings:
- Policies and procedures: Good practice included policies that clearly distinguished between enhanced due diligence (EDD) and standard client due diligence (CDD) and outlined what measures should be taken for each of these under a risk-based approach, and where firms had comprehensive and detailed control frameworks for identifying politically exposed persons. Poor practice included where policies and procedures didn’t explain what additional measures should be taken for the purposes of EDD; where there was not enough detail on how often periodic reviews should take place and what firms were expected to do in the case of an event-driven review; where policies and procedures lacked information for staff on how they could identify and verify a customer if the latter couldn’t provide the usual forms of identification; and where firms failed to follow their own policies and procedures, such as when to conduct periodic reviews of customers.
- CDD processes: Good practice included where firms had clearly documented steps for EDD measures, and where the CDD information collected was determined by the financial crime risks posed by each customer. Poor practice included where firms failed to produce any evidence of what EDD measures had been taken and recorded, where there were no details on the purpose and intended nature of the business relationship to assist with ongoing monitoring, and where there were no examples of scenarios or types of customers that require senior management approval to demonstrate effective governance and oversight.
- Compliance monitoring and audit: Good practice included where a firm conducted a thematic review of its CDD processes using external audit and where a firm operated a regular audit review cycle of its CDD systems and controls. Poor practice included where some firms lacked detail on how they were checking for quality control, where one firm’s staff onboarded customers as well as performing second line assurance work on those customers, and where firms had no version control of their documentation, so could not demonstrate an audit trail of reviews or changes made.