FCA Financial Crime Compliance Priorities and Expectations for Insurance Firms

The priorities of the Financial Conduct Authority (FCA) have been broadly consistent for the past 2-3 years: becoming more efficient and data led, an absolute focus on the consumer and the way that firms interact with them, protecting the public and the market from bad actors, and becoming a more visible regulator when it comes to enforcement, advocating active supervision and early intervention.

As we wait to see how the FCA frame their approach to financial crime in their 2025-6 Business Plan, we can get a good sense of what will be included by taking a look at recent FCA speeches, publications and enforcement actions in relation to financial crime compliance specifically. These have focused on the need to address commonly identified failings and what organisations should be doing to review and strengthen their financial crime control environment to ensure they do not fall foul of the same issues.

What has the FCA Said and Done?

The past 12 months have seen a number of FCA publications relating to financial crime, from the Dear CEO Letter in March 2024 (Action Needed in Response to Common Control Failings Identified in AML Frameworks) to the FCA Report: Assessing and Reducing the Risk of Money Laundering Through Markets in January 2025, with plenty more in between. Clear themes are being communicated. Both the March 2024 Dear CEO Letter and the FCA Report identified gaps in risk assessments, customer due diligence (CDD), governance, and transaction monitoring.

Steve Smart (Joint Executive Director of Enforcement and Market Oversight) stated in a speech in June 2024:

“When it comes to countering financial crime, we are in many respects a law enforcement agency as well as a regulator. We must stay a step ahead of the criminals, whether it is to pre-empt the way they use new technology such as AI and deep fakes or whether it is to work together with the firms we regulate, to ensure their systems and controls keep a step ahead of those seeking to exploit them.”

The FCA’s goal is to get to a position where enforcement, supervision and authorisation teams work seamlessly together, to provide clearer, more consistent and faster outcomes. He emphasised that the FCA expects the industry to work smarter and collaborate with peers, industry groups, regulators and law enforcement to achieve improved outcomes in financial crime compliance.

In September 2024, Sarah Pritchard (Executive Director for International Markets) made clear that financial crime was a key focus of the FCA’s 3-year plan. She reinforced that the FCA would be focusing on outcomes, relying more heavily on data, making pre-emptive interventions where issues are identified, and using the complete regulatory toolbox when it comes to enforcement. She made it clear that the FCA will not hesitate to act decisively to penalise those firms it views as failing to meet the required standards.

November 2024 saw the publication of a number of updates to the FCA Financial Crime Guide for Firms. The introduction made clear that the FCA is working to be a pro-active, data-led regulator that is focused on effectiveness and outcomes. The announcement stated that the FCA expects improved compliance and expects firms to be able to demonstrate that they have considered and acted on the contents of the Guide.

Within enforcement, the past 6 months have seen actions and fines for financial crime failings brought against Starling Bank, Metro Bank, Macquarie Bank, Arian Financial LLP and Mako Financial Markets Partnership LLP. Together these have highlighted a number of key themes in terms of FCA expectations:

  • Failures in the risk assessment processes from an enterprise to a customer and transaction level.

  • Poorly designed and maintained governance and oversight processes supported by ineffective management information.

  • Policies, controls and procedures not aligned to the risk exposure of the business.

  • Ineffective customer due diligence and transaction monitoring processes that were not updated as the profile of the business changed.

What does this mean for Financial Crime Compliance?

It is essential that compliance teams take note of the continued focus on, and increasing reliance on, data to support a strategy based upon early intervention, active supervision, and a goal of faster enforcement. As the FCA’s approach has become more data led, it has become clear that firms need to be able to respond to FCA requests accurately, promptly and with complete data sets.

The FCA has already begun to question delays and extension requests more closely, to query data completeness and structure, and to probe more fully the issues that data weaknesses and anomalies reveal. In some cases this has led to full-scale reviews and even enforcement actions that started from an inability to provide complete or comprehensive data in response to a query.

Firms should act now to assess and, where appropriate, strengthen their compliance frameworks, starting from the outputs that the framework must be able to produce to evidence its effectiveness. Those outputs should prompt regular reflection on the overall approach to, and management of, financial crime risk in the light of the changing internal and external environment.

At the same time, boards must ensure that they are building a culture of continuous improvement. This does not just mean reaching for the latest technology or AI tool. In a rapidly changing AI world, it is tempting to overestimate the impact of technology while underestimating the role of processes, structure, and accountability in driving real operational efficiency. AI and technology are not magic bullets; they are part of a financial crime framework built upon strong core foundations, and poorly configured or poorly deployed technology can embed issues rather than solve them. It is essential to identify, implement and embed the right combination of tools for the organisation, within a considered and connected compliance framework that is directly relevant to the way the firm operates and to the risk exposure of the business.

Finally, it is essential for firms to consider how they can strengthen relationships with the FCA (and other regulators), to ensure that there is trust on both sides and a clear understanding of what the regulator is asking for and seeking to achieve through its interactions, enabling businesses to react accordingly. It is clear, for example, that the Office of Financial Sanctions Implementation (OFSI) and the Office of Trade Sanctions Implementation (OTSI) are seeking to pro-actively engage with and educate industry, whereas other, more established regulators may be far more structured in their approach and less willing to engage informally. Knowing your regulator, their priorities and the pressures they are under can help you and your firm to navigate your interactions more successfully.

What Steps to Take?

There is no magic bullet to ensure financial crime compliance effectiveness, but below are several recommendations and questions firms should be asking themselves to help them be confident that their control frameworks will stand up to regulatory scrutiny.

Financial Crime Risk Assessments Must Be Comprehensive and Updated

Firms must identify and assess financial crime risks on a continuing basis, and not as a standalone or one-off exercise. The FCA expects risk assessments to be detailed, tailored, and updated in response to internal and external changes.

Common Failings Identified by the FCA:

  • Incomplete or outdated risk assessments: The FCA Report: Assessing and Reducing the Risk of Money Laundering Through Markets found that many firms underestimate financial crime risks or fail to document them properly in their business-wide risk assessments (BWRAs).

  • Failure to adapt to business changes: In the Metro Bank enforcement notice, transaction monitoring systems failed to assess over 60 million transactions because a key customer platform had not been integrated, leaving major gaps in risk detection.

  • Weak customer risk assessments (CRAs): The FCA Report: Assessing and Reducing the Risk of Money Laundering Through Markets (“MLTM 2025”) highlighted that firms often override customer risk ratings without proper documentation, leading to inconsistent risk classification. The Starling Bank notice detailed how the firm failed to comply with an agreed action because it could not correctly identify and prevent the onboarding of high-risk customers, despite a commitment to do so.

Key Actions for Firms - Financial Crime Risk Assessments

  • Update enterprise-wide risk assessments at least annually or when there is a significant change.

  • Use granular risk ratings for customers, transactions, and third parties. One-size-fits-all models do not work.

  • Ensure risk assessments drive policies and controls, not the other way around.

  • Test Your Risk Assessment Methodology and Process:

    • How do you know your risk assessment reflects real threats?

    • Are risk assessment factors and processes adapted to local regulatory requirements, or focused from a head office perspective only?

    • Can your firm quickly explain how risks are identified and controlled?

    • Can you draw a clear thread from your risk assessment findings through all the components of your control environment?

    • Are changes in risk exposure identified, assessed and do they lead to updates in policies and procedures?

Governance and Accountability Must Be Clear and Effective

Senior management must take responsibility for financial crime risks. The FCA expects boards and executives to be actively involved in compliance oversight.

Common Failings Identified by the FCA:

  • Lack of senior management engagement: The Macquarie Bank enforcement notice showed that a junior trader was able to manipulate controls, making over 400 fictitious trades over 20 months, exposing the firm's poor oversight.

  • Inadequate oversight: In the Starling Bank investigation, the FCA found severe governance failings, leading to weak financial crime detection measures.

  • Failure to escalate risks: MLTM 2025 found that firms do not always escalate material financial crime risks to senior management, resulting in delayed responses.

Key Actions for Firms - Governance and Accountability

  • Hold regular board-level discussions on financial crime risks and control effectiveness.

  • Assign clear accountability under the Senior Managers and Certification Regime (SMCR).

  • Establish an escalation framework for high-risk issues and ensure it is used in practice.

  • Conduct board and executive committee level training on financial crime risks, including practical case studies.

  • Test your firm's Governance and Accountability:

    • Can senior leaders explain the firm's financial crime risks and controls in a coherent way and explain why certain approaches have been adopted?

    • Are financial crime issues escalated and resolved promptly? Can you demonstrate this?

    • Are roles and responsibilities clearly documented both generally and specifically in relation to control ownership and operation, as well as for remediation activities and improvement programmes?

Policies and Procedures Must Be Aligned with Real Risks

Policies and procedures must reflect the firm's actual risks and business model. They should be clear, practical, and embedded into daily operations.

Common Failings Identified by the FCA:

  • Outdated or misaligned policies: Metro Bank's enforcement revealed outdated transaction monitoring rules that failed to detect high-risk transactions, as key systems were not integrated.

  • Failure to link policies to real risks: One theme highly relevant for insurance is that several enforcement actions have found that firms can overly rely on third parties or others in the distribution chain for due diligence, assuming others have conducted proper risk assessments, and do little to verify or monitor the effectiveness of the checks and subsequent actions.

  • Inconsistent application of procedures: While some employee actions were totally locked down, the Macquarie Bank case exposed inconsistent internal controls, enabling a single employee to bypass key compliance processes.

Key Actions for Firms – Policies and Procedures

  • Align policies with risk assessments and update them whenever risks change.

  • Ensure procedures are practical and used in day-to-day operations.

  • Regularly test policy effectiveness through spot checks and assurance reviews.

  • Provide regular staff training with real-life case studies and interactive sessions that are relevant to their roles.

  • Tests for your Policies and Procedures:

    • Is there a clear connection between the risk assessment and the controls put in place?

    • Are financial crime policies easy to follow for non-experts and are they linked to actual activities?

    • How often do you test whether policies, controls and procedures are working as intended?

    • Can employees explain how financial crime policies apply to their roles?

    • Are employees confident that they can raise concerns about compliance matters and their concerns be investigated and acted upon?

Screening and Monitoring Must Be Accurate and Efficient

Screening and transaction monitoring systems must detect risks effectively. The FCA expects firms to validate and improve their systems continuously.

Common Failings Identified by the FCA:

  • Inadequate transaction monitoring: Metro Bank (2024) failed to monitor 60 million transactions worth £51 billion, leaving critical financial crime risks undetected.

  • Failure to embed and maintain screening systems effectively: There are 3 common ways that screening controls fail. Organisations procure (or build) an inappropriate platform for their operating model, risk exposure and resource availability; they fail to integrate it effectively and utilise its capabilities; and finally they fail to manage the platform on an on-going basis.

  • Failure to detect suspicious activity through backlogs and false positive rates: A common theme of s166 enforcements around screening is the failure to calibrate screening and transaction monitoring tools correctly and manage the subsequent workload in a timely manner, meaning risks are missed or identified too late to be relevant.

  • Weak transaction monitoring controls: The MLTM 2025 report found that firms lack tailored monitoring rules for market transactions, resulting in missed red flags.

Key Actions for Firms - Screening and Monitoring:

  • Regularly test and validate screening systems to ensure they detect sanctioned entities and high-risk individuals correctly.

  • Improve transaction monitoring rules based on real risks and past case reviews.

  • Ensure alerts are investigated and escalated within defined timelines.

  • Use AI and machine learning carefully: to bolster and build on a strong framework, with a thorough understanding of their role and with strong governance and assurance in place, since automation can create blind spots and weaknesses.

Test your Screening and Transaction Monitoring Processes:

  • When was the last time you validated your screening and transaction monitoring system's effectiveness and efficiency?

  • Are false positives overwhelming compliance teams, or is suspicious activity going undetected?

  • What metrics do you employ to tell how effective your screening controls are at identifying risks and enabling those increased risk situations to be investigated and worked to resolution in a timely manner?

  • Do you delegate screening or customer onboarding to third parties and how do you monitor the effectiveness of screening conducted by third parties?

Uncertainty and Rapidly Changing Risks Require Flexible Compliance Frameworks

The risk environment is constantly shifting and becoming more challenging to navigate effectively without incurring costs and layering an unsustainable burden on business or compliance staff.

Sanctions programs have expanded rapidly, and there is an increasing risk of divergence between the USA, UK and EU as geopolitical conflicts reshape trade and financial flows. Governments are scrambling to respond to the new Trump Administration and the speed with which changes are occurring. Criminals are using more sophisticated methods to evade controls. Regulators are demanding that businesses play a larger role in preventing fraud and financial crime. Firms must have a framework in place that can adapt quickly to keep up with these changes.

Key Actions for Firms - Compliance Frameworks:

  • Ensure financial crime frameworks are flexible and scalable.

  • Monitor regulatory updates, geopolitical developments, and enforcement trends in real time.

  • Build an internal capability to assess new risks quickly and adjust controls accordingly.

  • Use scenario testing to assess how well your firm can handle fast-moving financial crime risks.

Test your Framework and its ability to adapt to change:

  • Is your compliance team equipped to respond to emerging threats and how are they communicated in a timely manner to senior management? Are funding reserves available for rapid adaptation?

  • How quickly (and completely) can your firm assess the risks of and then adapt to the different types of regulatory change, e.g., immediately effective sanctions regimes and restrictions, new AML guidance, new corporate criminal offence of failure to prevent fraud?

  • How are new financial crime risks reflected in policies and controls, and how are changes made at an operational level?

Next Steps

Firms should continuously assess, develop, and stress-test their financial crime frameworks. The FCA expects an ongoing process of improvement, not one-time fixes.

Key Steps to Take Immediately:

  • Review and update risk assessments to reflect the latest threats and regulatory expectations.

  • Strengthen governance by ensuring senior leaders engage with financial crime risk management.

  • Validate screening and monitoring systems to ensure they work effectively.

  • Test compliance processes through simulated regulatory requests and assurance reviews.

  • Prepare for FCA scrutiny: firms should be ready to demonstrate their financial crime controls at short notice.


Final Thoughts:

It is crucial that insurers, the wider insurance sector and other financial services firms pay close attention to the expectations being communicated and the issues being highlighted even when the enforcement actions are not in the same specific financial services sector.

The approach expected must be thoroughly considered and tailored to the firm in question, based upon a complete understanding of the risks faced by the business. That thread must be traceable through policy, procedure and controls into actions that can be evidenced and proven to be effectively managing the risk exposure of the firm. There must be mechanisms that consistently test the foundations of the approach and that re-affirm both the appropriateness and the effectiveness of how its different components operate.

Can your firm evidence that it is meeting FCA expectations on financial crime compliance? If not, now is the time to act.

If you would like to discuss any aspect of your own organisation’s approach to the issues discussed in this article, please do speak with the author.

Andrew Roberts is the Managing Director and Founder of Fairway Financial Crime, a consultancy specialising in financial crime compliance for the insurance sector.
