For AML professionals, the FCA is both the referee and the spotlight. It defines what “good” looks like, and it pays attention to whether your firm is living up to that. Your AML framework needs to stand up not only to audit but to the regulator’s scrutiny – and potentially to public examination.
Start with your risk assessment. This is where the FCA starts too. It expects you to show how your firm understands its financial crime risks – not just to tick off a list, but to show the link between risks, controls, and actual business activities. The risk assessment needs to be refreshed regularly, and your policies and procedures should clearly flow from what it says.
Your customer due diligence (CDD) controls need to be proportionate, consistent, and evidence-based. This means tailoring CDD by customer type, using effective screening tools, and documenting decisions. When it comes to enhanced due diligence (EDD), the FCA wants to see why you’ve triggered it and what additional steps were taken – not just a generic checklist.
The role of senior management is also in the spotlight. Under the Senior Managers and Certification Regime (SM&CR), the FCA expects a named senior manager to be accountable for financial crime compliance. That means being able to show how they’re engaged with AML risks, not just that their name is on a responsibility map. If you’re that person, you need to be able to speak to the detail – and to demonstrate how financial crime risk is managed in practice.
Training also matters. The FCA wants to see that staff understood your training, and that the content reflects their actual roles. That might mean bespoke training for relationship managers, onboarding teams, or even Board members – all with a focus on real-life case studies and red flags.
Monitoring and testing are another area the FCA is watching closely. You should be reviewing the effectiveness of your controls regularly – not just through internal audit, but through independent reviews or thematic testing. And when you find issues, you need to act on them. The FCA wants to see that firms are not just aware of weaknesses, but are fixing them, with proper tracking and reporting to the Board.
Finally, don’t overlook the FCA’s focus on data and reporting. Your Suspicious Activity Reports (SARs) process, your use of monitoring systems, and your reporting to the FCA itself are all areas where missteps can raise red flags. If you’re submitting inaccurate or late data, that undermines the regulator’s trust – and suggests deeper control issues.
In short, the FCA’s role means AML can’t be passive. It’s not enough to have a policy; you need to be able to defend it, demonstrate it and improve it. If you want to be audit-ready, regulator-ready and resilient – you have to treat FCA expectations as active guideposts, not just a line in a handbook.