Consumer Investments insights #2 – Financial crime
Published on: 07/10/2025 00:00
Skilled Person (FSMA s166) reports continue to drive up costs for firms, increase regulatory scrutiny, and cause reputational damage. There is no sign that they are reducing in number. Although a lack of proactive engagement with the FCA often contributes to a Skilled Person report being mandated, we often find weaknesses in critical, embedded controls.
This is the second in a series of articles which share practical ‘lessons learned’ insights from our Skilled Person and advisory work covering:
- CASS
- Financial crime
- Advisory and sales practices
- Portfolio and fund management
- Product governance
We aim to provide actionable takeaways for firms. If you would like a healthcheck or simply a discussion about the application of these areas to your business, please let us know.
Top Ten Actionable Learnings from our Work
Financial crime has been an area of focus for the FCA for several years, and there is every indication from the FCA’s succession of strategy documents and business plans that this will continue for the foreseeable future. The new Failure to Prevent Fraud offence created by ECCTA will increase the focus on appointed representatives and other agents, who are likely to be “associated persons” under s199(7), and so able to create liability for the principal.
In our experience, perceived weaknesses in firms’ financial crime frameworks are one of the most common triggers of enhanced supervisory attention or s166 Skilled Person reports. We have summarised from our Skilled Person reporting experience the most common “background” reasons stated in FCA feedback letters that trigger interventions:
- Inadequate oversight and challenge – Often there are unclear financial crime governance structures with undocumented roles and responsibilities. This is compounded by inadequate coverage of financial crime topics in governance fora, a lack of relevant and timely management information and insufficient discussion and/or challenge of decisions.
- Lack of awareness of AML regulations – Worryingly, we have seen cases where, because there are no cash or transaction flows going through the business, the firm struggles to see the relevance of AML regulations and guidance (MLRs, JMLSG, etc.). There is also sometimes a misplaced assumption that – because end clients are FCA regulated entities themselves – there is a reduced need to conduct key activities such as screening.
- High MLRO turnover and insufficiently experienced resources – High turnover or lack of experience in the MLRO role is often a contributory factor towards commencement of regulatory reviews (even if not the main factor). In addition, insufficient investment in recruiting experienced people or in training existing people to fulfil 1LOD / 2LOD activities can lead to backlogs, incorrect decisions and concerns over the ongoing sustainability of the functions.
- Poor coverage and assessment of financial crime risks – Although it is now rare for a business to have no Business Wide Risk Assessment (or equivalent) in place, gaps are common. At a macro level, financial crime risks beyond AML/CTF are not always covered (e.g. proliferation financing, bribery and corruption, tax evasion, fraud). At a micro level, there is oversimplification, with the business not considering the detailed underlying financial crime risk factors that are relevant to it.
- Poor design and inconsistent application of Customer Risk Assessments (CRAs) – We see CRAs that are not reflective of the firm’s business, that don’t cover all of the necessary risk factors or that are designed in a way that ends up masking the true risk (i.e. due to weighting, more critical areas can be diluted). Added to this, an absence of guidance, training and operational testing leads to cases where the CRA has not been completed correctly, leading to over- or under-rating of clients.
- Failure to identify and verify new clients – Know Your Client (KYC) is foundational, requiring firms to verify customer identities, understand business relationships, and assess the purpose of transactions. We often see a lack of verification, an overreliance on familiarity (long standing relationships) and non-identification of Ultimate Beneficial Owners (UBO).
- Absence of Enhanced Due Diligence (EDD) – Failure to apply EDD to higher-risk clients, such as Politically Exposed Persons (PEPs) or those from high-risk jurisdictions, is a critical and common compliance gap. We have found material issues with EDD in almost 50% of the reviews we have conducted, with some firms failing to conduct it at all.
- Insufficient monitoring and investigation of transactions – Our reviews have highlighted poorly calibrated systems, a lack of rules that are relevant to the business and a failure to update systems as the business grows.
- Gaps in evidence and record keeping – Often there is incomplete or missing documentation to support work undertaken or decisions made. Examples of gaps include a lack of evidence supporting decisions over customer risk levels, rationale for discounting of alerts, and document trail in support of suspicious activity reports.
- Transparency of group structure – Where the firm is the sole UK regulated entity in a larger group of international entities (with perhaps a common UBO), this attracts interest as the regulator looks to understand the nature of entities under common ownership, the nature of any transactions and the potential for conflicts of interest and undue influence. The firm needs to be able to provide transparency to the regulator over this.