On 11 November 2025, the Financial Conduct Authority (FCA) published its findings following a multi-firm review focusing on risk assessment processes and controls in firms as part of its wider financial crime supervisory work.

Overview

The FCA set out examples of good and poor practice on how firms can assess, mitigate, and manage risk and made clear that this will be relevant for firms, money laundering reporting officers, senior managers and industry practitioners who are responsible for financial crime prevention, assessing risk and setting strategy.

The multi-firm review involved evaluating firms’ business-wide risk assessment (BWRA) and customer risk assessment (CRA) systems and controls against the Money Laundering Regulations 2017, Financial Crime Guide, Senior Management Arrangements Systems and Controls (SYSC), Joint Money Laundering Steering Group guidance and Financial Action Task Force guidance.

Key findings

The FCA gave examples of good and poor practice in a range of areas, including:

  • Identifying, understanding and assessing risk: The FCA found that while most firms had a BWRA, many were not tailored to the specific business and some BWRAs oversimplified the risks firms were exposed to, failed to explain how each risk affected them, and often ignored specific money laundering sanctions, anti-bribery and corruption, proliferation financing and terrorist financing risks; some firms’ risk assessments were solely qualitative and were missing quantitative analysis; some BWRAs lacked clarity on how the firm identifies and assesses inherent risks; and some firms were concluding that their business was low risk or that controls were effective without evidence to support this.
  • Mitigating risk: The FCA also highlighted that in many firms financial crime risk was often considered in business strategy, growth and product development, and some firms had a clear risk appetite that was closely linked to the BWRA; however, it also highlighted that the development of firms’ CRAs did not appear to be in line with business growth to ensure scalability, consistency and accuracy; some firms did not record BWRA actions or assign them owners; and some firms rapidly expanded products, services and customer types without considering whether they still had appropriate controls.
  • Managing risk: The FCA set out that many firms recognised the importance of appropriate governance and oversight to ensure risk awareness and thorough risk assessments, and most firms had considered how they document and share their risk assessments, but that some firms did not document senior management discussion, challenge and approval of BWRAs; in some firms, senior management understanding of financial crime risk mainly focused on fraud; there was limited or no testing and review of risk assessment processes when firms made enhancements, upgrades or automation; and risk assessments were not sufficiently dynamic, leading to outdated risk profiles adversely informing business strategy and decisions on control design.

Next steps

The FCA made clear that it expects firms to understand the risks they are exposed to and ensure they have robust financial crime systems and controls to manage and mitigate those risks.

The FCA also stated that it will continue to monitor firms through its supervisory work to drive improvements and reduce risk across the industry.