This article was first written for Law 360.
On 8 April, the Financial Conduct Authority (FCA) published a report focusing on due diligence controls within a wide range of regulated firms. As usual, it found a mix of good and sensible practices alongside things some firms could do better.
Thematic reviews of specific aspects of financial crime prevention controls are not new, but regulatory expectations and regulated firms' sophistication around knowing your customer for anti-money laundering (AML) purposes have come a very long way. No longer do we have the old "tick box" approach that seemed simply to require new customers to provide "one item from List A and one from List B" in order to open a bank account or sign up for another regulated product or service.
As AML legislation has evolved to make it clear that firms must know not only who their customer is, but also why they are doing business with the firm and how they are going to fund it, regulatory expectations have perhaps moved even faster.
The basis of the review
Financial crime prevention is always a hot topic with the FCA and is a priority in its 2025-30 strategy. So in 2025 it carried out a broadly scoped review of the approach regulated firms take to their policies, procedures, processes, compliance monitoring and audit in relation to customer due diligence (CDD) and enhanced due diligence (EDD). Its review covered firms in the asset management, crowdfunding, wholesale banking, contracts for difference and non-bank lending sectors, but the FCA stressed that all authorised and registered firms should read its conclusions and assess their own practices against the recommendations.
While CDD and EDD are concepts enshrined in AML legislation, the FCA was not solely reviewing them against the requirements of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (the MLRs), but also against its own requirements in the Financial Crime Guide and Senior Management Arrangements, Systems and Controls Sourcebook, the Government approved Joint Money Laundering Steering Group guidance and the international guidance from the Financial Action Task Force. It has always been clear that firms should be looking across the entire range of guidance applicable to their business.
When the FCA finds good practice, this is invariably behaviour that goes beyond what is required by law and regulation, and shows that firms have applied the spirit of the requirements in a way that practically relates to their business. Inherently, the risks of the customer base and products of some industry sectors are higher than others, and the FCA will want to see that firms have assessed this in their business wide risk assessment that the MLRs require as well as in their more granular assessments of each customer.
Policies and procedures
Understanding what CDD entails and requires, and identifying when and how to carry out EDD are fundamental to MLR compliance. Except in very limited circumstances, CDD must be conducted on all customers, and is the mechanism that allows firms to understand who the customer is, who owns and controls corporate customers, what their business is and how they pay for the transactions they undertake with or through the regulated firm.
EDD is a top-up of this, required in a range of defined scenarios that present a higher inherent risk of money laundering, including when a firm is dealing with a politically exposed person (PEP). It has long been established that deciding to carry out EDD on all customers, even where no high-risk trigger is present, is not the way to comply with the MLRs – firms must take a risk-based approach, which involves applying the requirements of the MLRs sensibly to their business. A key part of evidencing this approach is having policies and procedures that clearly explain why the firm has taken certain decisions – for instance, there may reasonably be factors that mean that a customer or transaction that one firm would regard as requiring EDD would be less alarming to another.
The FCA reviewed the policies and procedures of the firms in its sample. Most firms had procedures (it would be hard to evidence compliance with the MLRs without them), but what distinguished the good ones from those that could be improved was their detail and practicality.
The best ones did clearly distinguish between standard CDD and EDD, and used a risk-based approach to outline what measures were appropriate for each. Identifying and carrying out EDD on PEPs is a key part of MLR compliance. Changes to legislation have affected how UK domestic PEPs are to be treated from early 2024, and in 2025 the FCA carried out a separate review which led to an update of its guidance on treatment of PEPs.
The FCA found the best firms had incorporated all this into their policies and procedures and had comprehensive control frameworks for identifying PEPs. Part of the drive behind the 2024 updates to the PEP guidance was to ensure that firms did not treat as PEPs – and therefore subject to greater checks – officials whose status did not really merit them being treated as high risk. And, unlike other high-risk customers, a PEP can cease to be a PEP and as a result their risk category will change, and firms' policies and procedures need to recognise that.
More generally and less pleasingly, the review found most firms had procedures for verifying customer identity, but these tended to be neither detailed enough nor to provide helpful guidance for staff. For example, some did not explain what additional measures were needed when EDD was required, and others had not addressed what to do when a customer could not provide evidence in one of the commonly accepted forms.
Regular review is also important, and some firms' policies lacked clarity on how often reviews should take place and what the firm should do when they needed to conduct an event-driven review – where a specific incident might necessitate a partial or total review. And, of course, when a policy is in place, it's there to be complied with, and there were some instances when firms did not follow their own policies, including in conducting periodic reviews of customers.
The FCA is keen to see organisation, so it liked to see approval matrices for when, for instance, senior managers needed to sign off on EDD, and it was pleased to see version controls on the policies and procedures themselves, which can help to provide clear evidence of review frequency and triggers, and of amendments made.
CDD processes
On the granular CDD processes, fundamentally firms need to identify when they need to carry out EDD, which involves correctly risk-profiling the customer. If that is done right, then the nuances of what due diligence is appropriate follow. Most of the firms surveyed did do this to some extent, but the firms that most impressed the FCA were very clear in how they set EDD requirements and the levels of senior management oversight and approval required, and had processes that were truly tailored to each customer.
Less impressive were the firms who could not show what they had done because they had not kept a record of key information, so that either it was not clear on what basis a customer had been assessed, or there was no evidence of what EDD measures had been taken. Despite the requirement for senior management approval of EDD, some firms had not given examples of when that approval would be needed. This again relates to the FCA's observation that policies and procedures often failed to give appropriate guidance to staff.
Compliance monitoring and audit
Finally the FCA looked at practices for compliance monitoring and audit. And again, it was a mixed bag. All firms took some action, but the best had clear and documented review cycles, and ensured that there was an independent audit, either from the firm's own internal audit unit or by an external consultant. There were good practices in monitoring by taking samples, and by assessing a wide range of components of the CDD process. The FCA liked to see thematic, independent, documented reviews. And it did not like to see lack of detail on how quality control checks were undertaken, and the lack of version control.
What should firms do?
It barely needs saying that firms must have in place policies and procedures that clearly explain their CDD and EDD processes, and that these must be tailored to the business of the firm. Similarly, it should not be news to firms that they must ensure that these are followed. If they are not followed, firms should look at why this is and whether it's a question of the procedures not being fit for purpose or more a matter of poor culture or lack of training. They need to take appropriate action, whatever the cause.
Also, the message of conspicuous compliance and keeping records is not new, nor unique to AML. Independent and critical monitoring and review of policies and procedures is also not particularly ground-breaking. The independent review does not have to be done by an external consultant if the firm is big enough to have an internal audit function, although an outsider's view can be useful.
Possibly the most interesting comments in the review are those on practicality of procedures and guidance for staff. It suggests that many firms have perhaps crafted their procedures after careful consideration of all the relevant guidance, but have fallen short in expressing requirements in a way that makes sense in the context of their business and customers. Much as the best staff training is customised and relevant, so are the best procedures – if staff can relate to them, they are far more likely to get compliance right, and raise fewer queries on what they need to do.
As with all reviews, the FCA has made it clear that all firms within its community that are subject to the MLRs should read its conclusions and consider whether they can improve their policies and procedures as a result. The tone of the review could prove helpful in encouraging firms not just to check that their processes comply with all technical legal and regulatory obligations but also that they are expressed in the most relevant way for the business and customer base of the firm.
This article is for general information only and reflects the position at the date of publication. It does not constitute legal advice.
