FCA Publishes Findings on Firms' Risk Assessment and Criticises Poor Practice

Date: 16 December 2025
UK Policy and Regulatory Alert

On 11 November 2025, the Financial Conduct Authority (FCA) shared its findings following its review of risk assessment processes and controls in firms subject to its regulation. The FCA’s review considered both business-wide risk assessments (BWRA) and customer risk assessments (CRA).

The FCA’s findings highlight examples of good and bad practices which can be adopted when identifying, mitigating and managing risk. They are particularly important to firms, money laundering reporting officers (MLROs), senior managers and professionals in the risk assessment and financial crime prevention areas.

The BWRA and CRA systems were assessed against the regulatory backdrop comprising the Money Laundering Regulations 2017, the Financial Crime Guide, the Senior Management Arrangements, Systems and Controls sourcebook, the Joint Money Laundering Steering Group guidance and the Financial Action Task Force guidance.

FCA’s Findings

The FCA found that many firms’ BWRAs and CRAs are unsatisfactory. BWRAs were identified as untailored to the specific business circumstances and focussed on generic risks. The FCA found that senior management often had a limited awareness of financial crime risks, for example focusing on fraud but omitting money laundering, sanctions or bribery risks.

Further, the FCA found that many firms were unable to explain how they managed risk and had not updated their processes in line with business growth.

Below, we discuss how businesses can comply with the regulatory requirements and adopt ‘good practice’ as set out by the FCA.

Good Practice: Understanding, Mitigating and Managing Risk

Understanding and Identifying Risk
  • Risk assessments should consider both internal and external factors.
  • Risks are to be assessed by business area. Firms should take account of their business model, industry and key stakeholders, including customers. The latter is particularly important considering the FCA’s focus on conducting a separate CRA alongside the BWRA.
  • To maintain an accurate assessment, a BWRA should be conducted on a regular basis, ideally annually.
  • It is crucial that senior managers have a sound understanding of the various forms of financial crime risk. Appropriate legal advice can help firms guard against a broad range of risks.
Mitigating Risk
  • Keeping a record of informed actions is key. Firms should document the measures which resulted from identifying risks; firms should be able to show a clear link between risk assessment and decision-making.
  • To mitigate future risks, firms should develop a compliance plan which accurately reflects their growth strategy. Businesses which quickly expand their product offering and client base should make sure that their controls and processes continue to remain appropriate throughout their growth.
  • Customer risks identified in a CRA can be mitigated by undertaking customer due diligence and transaction monitoring. It may be helpful to critically assess the business’s broader value chain.
Managing Risk
  • The FCA places a strong emphasis on governance and oversight. Accordingly, senior management should review the BWRA and CRA and play an active role in related discussions. It is also beneficial to document input from the firm’s MLRO.
  • Appropriate governance extends to formally documenting risk assessment methodologies, followed by a discussion between the key decision-makers. These models and methodologies should be regularly assessed to make sure they address the dynamic regulatory and risk landscape.
  • Having made the necessary updates to keep the BWRA and CRA up to date, it is important to carry out reviews and testing of the new, enhanced assessments.

Concluding Remarks

The risk landscape is becoming increasingly complex, whether firms operate domestically or internationally. The FCA has set out a clear expectation that firms should be proactive in identifying risks unique to their business, as well as taking appropriate steps to mitigate them.

In addition, the singling-out of the CRA suggests that the FCA expects firms to place significant weight on customer risks.

Our experienced team can help you understand the various financial crime risks and how they can be managed, as well as how to comply with the FCA’s requirements. If you have any questions or would like to know how your business can comply, please do not hesitate to contact the authors of this alert.

This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer. Any views expressed herein are those of the author(s) and not necessarily those of the law firm's clients.
