May 26th, 2026
On the 8th of April, the FCA released its 2025 multi-firm review of Customer Due Diligence (CDD), Enhanced Due Diligence (EDD), and ongoing due diligence reviews. The reviews focused on firms’ approaches to: Policies and Procedures, CDD Processes, and Compliance Monitoring and Audit. The FCA’s findings reveal that firms understand the regulations, but are failing to embed the culture and focus on an outcomes-based approach.
For the Policies and Procedures, the FCA identified that, in general, firms made clear distinctions about when to apply CDD or EDD, and had comprehensive frameworks for identifying PEPs. However, the FCA mentioned four examples of poor practices in this area. There are two of these practices that I want to discuss as I see them as critical.
The first is a lack of detail on the schedule of periodic reviews and event-driven reviews. Compliance professionals in the first line of defence (1LOD) know that the due diligence collected at the start of a relationship is important for understanding expected behaviours and for distinguishing suspicious ones. But customers’ profiles are always evolving, and the risk rating is never static. This makes periodic reviews key to mitigating financial crime. With the risk-based approach (RBA), firms should be setting clear timelines for the refresh of KYC and risk rating. It isn’t possible to review every customer, and that is where the RBA comes in, as firms can set different timelines depending on customers’ risk, e.g., every year for high-risk, two years for medium, and three years for low. However, it’s not only important to have set timelines for reviews, but also to base them on events. If a customer is flagged for a large volume of transactions, there should be clear policies in place for the review process of KYC information.
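As an added illustration of what a documented review schedule looks like when it is written down precisely enough to be monitored, the following Python snippet (not part of the original post or any FCA material) encodes the tiered cadence from the paragraph above together with event-driven triggers, and flags customers whose KYC refresh is due. The interval values, the trigger event names, and the customer records are constructed assumptions for the example; a firm’s own policy would define them.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed risk-tiered refresh cadence, mirroring the post's illustration:
# yearly for high risk, every two years for medium, every three years for low.
REVIEW_INTERVAL_DAYS = {"high": 365, "medium": 730, "low": 1095}

# Assumed set of events that a policy says must trigger an out-of-cycle review.
EVENT_TRIGGERS = {"large_volume", "risk_rating_change", "adverse_media"}


@dataclass
class Customer:
    """Minimal customer record (constructed for the example)."""
    customer_id: str
    risk_rating: str            # "high", "medium" or "low"
    last_review: date           # date the KYC was last refreshed
    events: list[str] = field(default_factory=list)  # events since last review


def next_periodic_review(customer: Customer) -> date:
    """Date the next scheduled review falls due under the tiered cadence."""
    if customer.risk_rating not in REVIEW_INTERVAL_DAYS:
        # An unrated customer is a policy gap in itself; refuse to schedule silently.
        raise ValueError(f"unknown risk rating: {customer.risk_rating!r}")
    return customer.last_review + timedelta(days=REVIEW_INTERVAL_DAYS[customer.risk_rating])


def review_reasons(customer: Customer, today: date) -> list[str]:
    """Return the reasons a review is due today (empty list means nothing is due)."""
    reasons = []
    triggered = sorted(e for e in customer.events if e in EVENT_TRIGGERS)
    if triggered:
        reasons.append("event-driven: " + ", ".join(triggered))
    if today >= next_periodic_review(customer):
        reasons.append("periodic review overdue since " + next_periodic_review(customer).isoformat())
    return reasons


def reviews_due(customers: list[Customer], today: date) -> dict[str, list[str]]:
    """Map customer id -> reasons, for every customer with at least one reason."""
    due = {}
    for c in customers:
        reasons = review_reasons(c, today)
        if reasons:
            due[c.customer_id] = reasons
    return due


# Constructed sample book for a run on 26 May 2026.
SAMPLE_CUSTOMERS = [
    Customer("C001", "high", date(2025, 3, 1)),                          # yearly cycle lapsed
    Customer("C002", "medium", date(2025, 1, 15), ["large_volume"]),     # in cycle, but event fired
    Customer("C003", "low", date(2024, 6, 1)),                           # nothing due until 2027
    Customer("C004", "high", date(2024, 1, 1), ["address_change"]),      # non-trigger event, cycle lapsed
]

if __name__ == "__main__":
    for cid, reasons in reviews_due(SAMPLE_CUSTOMERS, date(2026, 5, 26)).items():
        print(cid, "->", "; ".join(reasons))
```

The useful property for the second-line function is that the schedule is explicit and machine-checkable: a customer that the business has kept onboarded past the cadence, or that has a trigger event with no refresh, shows up in `reviews_due` regardless of who is asking.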
Periodic reviews are directly related to the second weakness regarding firms not following their own policies. Compliance isn’t a secondary function of a firm; it is critical, and has to be embedded into the culture of the firm. Top management needs to set the tone for compliance and the policies and procedures that come with it; otherwise, no amount of changes in the policy to meet the gaps the FCA observed will work. Creating this culture doesn’t rely only on top management. While their support and push for compliance are important, the controls in place and communication are also key. Firms should set controls that make it difficult to override policies, especially regarding CDD/EDD, for the sake of speedy onboarding. Moreover, communication between business units, instead of keeping each as its own individual silo, will help push a greater understanding of the requirements of compliance and due diligence.
However, one area that could strengthen this further would be receiving feedback from financial intelligence units. Every SAR that gets filed feels like it’s gone into a void, with compliance teams knowing they have complied with regulations but not hearing back on the SAR’s effectiveness or usefulness. Being able to receive this feedback would help professionals understand their work and continue to strengthen the culture of compliance required for policies and procedures to be followed.
Moving away from the policies and procedures, during the review of CDD processes, the FCA observed strong performance regarding the steps required for EDD and risk-based CDD. One of the poor practices, however, was related to a lack of documentation for the EDD measures. Keeping clear documentation is important not only for audit purposes and to prove EDD was taken, but it can also serve as a template for other EDD processes, creating a consistent picture of the EDD completed firm-wide. This allows regulators to see the adherence to regulations, as well as helping to build the culture of compliance talked about earlier. If analysts can clearly record the EDD steps taken, following the set policies, it helps build and strengthen the compliance framework and prevent regulatory action from being taken.
In the final section of the FCA review, Compliance Monitoring and Audit, it was found that firms lacked details on quality control. Monitoring and auditing the compliance function is essential to find gaps in the policies and procedures, as well as to ensure all regulations are being met. A simple system could be the use of sample testing on a handful of customers with a variety of risk ratings to determine whether the right due diligence was taken and whether it was applied consistently. Compliance should not be a tick-box exercise, but a function that is built on and always progressed.
An interesting example of poor practice that the FCA identified in this section was that there was no independent review of CDD/EDD. What this meant was that onboarding staff also performed the second-line task of reviewing and quality control. While it can be thought that staff who specialise in onboarding would be better able to understand and identify strengths and weaknesses in the onboarding process, I can also see the point of bias coming in, and the belief that their work is up to standard and doesn’t need a review. The independent review is a strong point when you compare it to the four-eyes standard in onboarding. Having a second line during onboarding helps ensure that standards are being met and that there is no bias occurring. Bringing this standard into the reviews will vastly improve the process of CDD/EDD and continue to strengthen firms’ adherence to regulations. However, it is important to note that resources are a strong constraint and would need a workaround. Firms could split their onboarding teams, keeping some staff in their existing role of handling day-to-day onboarding while the other team handles the reviews from then on, which helps keep the standard consistent but may bring more workload for individuals. The FCA needs to set a clear standard so firms better understand how to handle this weakness.
Have you noticed any of the FCA’s mentioned weaknesses in your own firm’s policies and procedures?
Sources: FCA Review: https://www.fca.org.uk/publications/good-and-poor-practice/firms-customer-due-diligence-processes-and-controls-our-findings