Money Laundering Regulations: Why the FCA’s Decision to Refuse Zeux Limited’s Authorisation Matters for All Regulated Firms – Including Insurers
- Fairway Financial Crime
- Mar 25

The regulatory bar is rising. Financial services firms across all sectors are under increasing pressure to demonstrate that their financial crime frameworks are not only fit for purpose but effective, dynamic, and aligned with their business risks.
In January 2024, the Financial Conduct Authority (FCA) refused Zeux Limited’s application for registration under the Money Laundering Regulations 2017. Zeux, an Electronic Money Institution offering e-wallet and crypto-asset services, was operating under the Temporary Permissions Regime. What makes this case especially noteworthy is that the FCA has now chosen to publish its detailed reasons for refusal—one of the first such public disclosures for a crypto firm.
While this may seem like a crypto-specific matter, it isn’t. The decision reflects core regulatory expectations that apply across sectors. For insurance firms—including MGAs, brokers, Lloyd’s syndicates, and reinsurers—the lessons are direct and urgent. The FCA’s scrutiny of financial crime risk frameworks, governance, and control effectiveness is now sector-agnostic. Understanding and acting on the lessons from Zeux could help your firm avoid costly remediation or reputational damage.
Public Enforcement is a Strategic Choice – Take Note
69% of crypto firms applying for FCA AML registration since March 2020 withdrew their applications. Only 4% received a formal Decision Notice. Zeux Limited’s case, published in full, represents the FCA’s shift towards using enforcement transparency as a compliance driver.
This is consistent with FCA speeches in late 2024 calling for “proactive remediation and cultural change” in financial crime compliance. Insurance firms are not exempt. The FCA’s public messaging increasingly positions financial crime failings as firm-wide governance failures, not just compliance issues.
What Went Wrong – FCA Findings Against Zeux
The FCA decision highlights a number of issues – all of which could equally occur in any financial services organisation, including insurance firms. They covered:
- Outdated and incomplete Business-Wide Risk Assessment (BWRA) and Customer Risk Assessment (CRA) processes;
- Lack of operational Enhanced Due Diligence (EDD) procedures;
- Absence of internal escalation or review mechanisms for Suspicious Activity Reports (SARs);
- Policies and controls unaligned with business risks and regulatory change;
- Governance gaps, with minimal senior oversight or Board engagement; and
- Poor data management—Zeux could not provide requested information reliably.
These failings mirror themes seen in recent FCA enforcement against Metro Bank (2024), where risk assessments and management information (MI) were insufficiently aligned with the firm's actual risk exposure, and against Starling Bank (2024), where risk governance and control testing were inconsistent.
What This Means for Insurance Firms – Practical Risk Scenarios
Insurers face unique risks, particularly when underwriting, claims handling, or customer onboarding are delegated to third parties. In such models, regulators expect insurers to demonstrate oversight and control over outsourced activities. The following scenarios demonstrate how the same issues could easily arise for insurance firms.
Delegated Authority (DA) Risk
An MGA writes high-risk property policies via third-party agents in high-risk regions. Have you verified the coverholder’s sanctions screening processes? Are claims payments routed through compliant channels? Is there regular audit or assurance? How, and how quickly, are high-risk transactions escalated to the insurer?
Reinsurance Risk (Treaty and Facultative)
A reinsurer underwrites facultative marine hull and cargo risks globally. Are ownership and cargo origins checked for sanctions evasion techniques? Are counterparties’ financial crime controls understood? Are ownership structures clearly understood and risk factors such as potential flags of convenience identified? Are reinsurance claims vetted against risk assessments? Are vessels monitored for indicators of involvement in circumvention activities?
Broker Intermediation Risk
A broker introduces commercial clients that formerly had extensive dealings with Russia and Belarus. The clients have complex ownership structures including use of potential secrecy jurisdictions. Have you conducted adequate due diligence yourself or is reliance being placed on the broker? How confident are you that the corporate structure is accurately mapped? Are you confident the insured activity does not involve sanctions circumvention? Is any reliance placed upon the broker justified, evidenced, and subject to oversight?
In all cases, failure to identify, assess, and mitigate these risks through a structured and evolving framework could invite regulatory attention.
Challenge Your Framework – Expanded Questions for Insurance Firms
- Is your Business-Wide Risk Assessment reviewed annually and tailored to underwriting, claims, and distribution risks?
- Are risk assessments updated when you enter new markets or deploy new products (e.g., embedded insurance)?
- Does your Customer Risk Assessment incorporate emerging threats, such as sanctions evasion in shipping or dual-use product risks in product liability?
- Are high-risk transactions and enhanced due diligence cases escalated, documented, and signed off by senior management?
- How do you test the effectiveness of SAR processes across underwriting, claims, and third-party handlers?
- Can you provide evidence of a complete and up-to-date frozen assets register, comprehensive sanctions screening performance metrics, and a documented audit trail of decisions in high-risk scenarios in 5 working days or less?
Governance is in the Spotlight – FCA Expectations
Regulators expect senior management to own and oversee financial crime compliance. Inadequate governance was a key failing in the Zeux refusal.
Insurance firms should ask:
- Is financial crime MI provided regularly and tailored to your risk exposure?
- Are breaches of risk appetite escalated and tracked?
- Do your Board and ExCo challenge the adequacy of controls and risk responses?
The FCA’s 2025 strategy has been well signposted and is expected to call for firms to “embed effective governance structures that promote accountability and responsiveness.” Compliance culture must be demonstrable—not just claimed.
Data Readiness and Technology – Are You Audit-Proof?
Can your firm respond quickly and accurately to a regulatory request? Can you:
- Retrieve screening logs and exception reports?
- Provide complete, up-to-date EDD documentation for increased-risk customers?
- Show that controls were tested and findings acted upon?
Firms must use technology commensurate with complexity:
- Centralised risk dashboards
- Automated MI generation
- Auditable control records
- Real-time monitoring capabilities
AI tools can support many aspects of your compliance framework, including fraud detection and sanctions evasion monitoring, but they must be well governed, explainable, and risk appropriate. Firms that rely on third parties must evidence oversight—not just contractual reliance.
Three Practical Steps for Firms – Prepare, Don’t React
- Audit your risk assessments – Are they business-specific, reflective of your operating model, up to date, and action-oriented?
- Conduct a data readiness drill – Can your teams respond to a simulated regulator request for high-risk customer files or screening performance?
- Evaluate governance – Is your Board engaged and challenging? Are compliance risks and failures documented and addressed?
How Fairway Financial Crime Can Help
Fairway Financial Crime helps insurers, MGAs, brokers, and Lloyd’s syndicates build effective, proportionate, and practical financial crime frameworks. Our services include:
- Independent risk assessment review, design and build
- Control framework review, design and implementation
- MI and governance improvement
- Data readiness audits
- Regulatory engagement support
Don’t wait for the regulator to identify your gaps. We can help you assess where you stand—and what to improve.
This article was originally published by ICSR. Andrew Roberts acts as an independent consultant and part of the ICSR Talent Pool.
If you would like to discuss any aspect of your own organisation’s approach to the issues discussed in this article, please do speak with the author.
Andrew Roberts is the Managing Director and Founder of Fairway Financial Crime, a consultancy specialising in financial crime compliance for the insurance sector.
