The publication of the Financial Conduct Authority’s (FCA) latest multi-firm review marks a watershed moment for the UK’s financial crime landscape. The timing is no coincidence. The National Risk Assessment (NRA) has officially elevated the money laundering risk for the e-money and payment services sector from ‘medium’ to ‘high’, while the MLRs are going through further updates, and firms are increasingly using AI-driven means to streamline their compliance function.
For firms in this space, the FCA’s findings – though drawn from a broad range of sectors outside of payments – offer a diagnostic roadmap for surviving an era of unprecedented supervisory intensity.
Further, at fscom – through our work with hundreds of payments firms in the UK – we can confirm that the FCA’s findings are prevalent across many of our own AML and anti-financial crime audits.
FCA supervisory approach: shift to operational effectiveness
As the FCA advances its 2025–2030 strategy, the regulator is pivoting from validating and trusting policy design in a vacuum to ensuring ground-level operational credibility. They are demanding data-driven evidence that compliance programmes identify, detect, and remediate risks in real-time. This is particularly urgent for the payments sector, where growth has frequently outpaced the maturity of its compliance infrastructure. Following the release of the FCA’s five-year plan, fscom noted the impending trust model from the FCA, and the review has very much cemented its arrival.
The FCA’s assessment revealed a persistent ‘implementation gap’. Many firms possessed robust documented policies but failed to demonstrate their execution through customer records or independent testing. One of the most damaging findings was the lack of practical, operational guidance. While policies correctly referenced the Money Laundering Regulations 2017 (MLRs), they often failed to provide staff with the ‘how-to’ instructions needed for non-standard scenarios. In a high-volume sector, this lack of clarity leads to inconsistent risk judgements and missed triggers for event-driven reviews.
AML controls: gap between policy and execution
A recurring failure identified by the FCA was the widespread absence of documented information regarding the purpose and intended nature of the business relationship. Under the MLRs, capturing this is not a ‘tick-box’ exercise; it is the prerequisite for effective monitoring.
Without a clear record of expected transaction volumes, geographies, and counterparties, a transaction monitoring system has no baseline against which to measure suspicious activity. The FCA noted this data was routinely missing, particularly for customers onboarded via ‘frictionless’ digital paths where speed was prioritised over substance.
Governance and the illusion of independence
The review also exposed fragility in the second and third lines of defence. In several instances, compliance monitoring lacked true independence, with the same staff members who onboarded customers also performing assurance work on those files. Furthermore, a lack of document version control made it impossible to provide an audit trail of how policies evolved in response to shifting risks.
Effective governance in 2026 requires a clear distinction between Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD), with risk ratings justified by documented rationale. Independent thematic reviews are no longer ‘optional extras’; they are the only way to prove a compliant ecosystem is actually functioning.
What this means for firms
The regulator, through directly tying this review to its five year plan, and explicitly noting the applicability of the findings beyond the focus subset, has warned of its awareness of the prevalence of consistent quality and detail lapses across all three lines of defence in anti-financial crime frameworks.
Firms must act swiftly to ensure that their documentation, risk assessments, and due diligence are not subjective or templated (by AI or otherwise), and ensure data driven material is embedded within every corner of the anti-financial crime framework.
How fscom can help
At fscom, our expert audit and advisory teams work at the front line of anti-financial crime and know what high quality AML/CTF frameworks look like and, more importantly, how they should be built to last and to exceed regulatory expectation.
Contact our anti-financial crime specialists today to arrange a review of the impact of the multi-firm review on your firm.
This post contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate.
