
FCA updates its Financial Crime Guide

Posted: 09/05/2025


Financial crime remains a top priority for the Financial Conduct Authority (FCA), with a particular focus on sanctions in light of the ongoing geopolitical tensions with Russia. In order to strengthen firms' financial crime systems and controls, the FCA updated its Financial Crime Guide in November 2024, following a consultation.  

The sections of the guide which the FCA has amended include those addressing sanctions and transaction monitoring. The FCA has also addressed the interaction between financial crime requirements and firms' consumer duty obligations. This article discusses some of the key FCA changes.

The guide applies to firms supervised by the FCA for financial crime purposes, including those supervised under the 2017 Money Laundering Regulations.

Sanctions: governance and management information

The FCA expects senior management to take clear responsibility for managing sanctions risks. There should be evidence that (i) senior management are actively engaged in the firm’s approach to addressing the risks of non-compliance with UK financial sanctions; and (ii) sanctions issues are escalated to senior management where warranted.  

The FCA expects that senior management should be sufficiently aware of the firm’s obligations regarding sanctions to enable them to discharge their functions effectively. Firms should ensure there is regular and ad hoc management information provided which equips senior management with a clear understanding of the firm’s sanctions compliance risk.

Senior management should set a clear risk appetite in relation to sanctions risks. There should be established procedures to identify and escalate new sanctions risk events, such as new sanctions regimes, sanctioned activities and evasion typologies. 

Sanctions: customer due diligence

Sanctions compliance should be proactively incorporated into a firm's customer due diligence (CDD) processes, whose focus should not be confined to anti-money laundering. CDD procedures should aim to identify all parties relevant for sanctions screening, including customers who make use of corporate vehicles to obscure ownership or source of funds. They should aim to identify activity that is not in line with the customer profile or is otherwise suspicious, thus introducing an element of suspicious activity monitoring in the context of sanctions compliance.

The FCA gives the following as examples of poor practice in sanctions CDD:

  • The firm has low-quality CDD and KYC assessments and review backlogs, raising the risk of not identifying sanctioned individuals and entities.
  • The firm’s CDD processes are unable to identify connected parties and corporate structures that may be subject to sanctions.
  • The firm’s CDD does not articulate full ownership structures of entities and the firm is unable to show that it is screening all relevant parties.

Sanctions screening

The FCA expects screening not just of customers but also counterparties and payment recipients. There should be service level agreements that cover how quickly the firm updates its sanctions screening lists following updates to the consolidated list and that are appropriate to the sanctions risks of its business. The screening system should be tested regularly.

The following are provided as examples of good practice in sanctions screening:

  • The firm understands its automated screening tool and how it is calibrated, and is able to demonstrate that it is appropriate for the firm’s risk exposure.
  • There are controls in place to measure the effectiveness of its automated system, thresholds and parameters, such as sample testing and tuning.

Examples of bad practice include:

  • The sanctions screening tool's calibration is not adequately tailored and the system is either too sensitive or not sensitive enough, such as failing to detect name variations.
  • There is limited or no understanding by the firm about how a third-party tool is calibrated and when lists are updated.
  • The firm is overly reliant on a third-party provider screening solution, with no oversight.
  • The firm lacks proper resources and expertise to ensure effective screening and investigation of alerts. It has significant backlogs and faces the risk of non-compliance with its obligations.

Reporting sanctions breaches

The guide states that firms should 'consider' notifying the FCA of suspected sanctions breaches in line with SUP 15.3, for example, where suspected breaches result from significant financial crime systems and controls failures. Firms will need to consider any notification obligations to OFSI, for example, if they discover or suspect any sanctions breach while conducting their business.

AML transaction monitoring

The FCA has also expanded guidance on transaction monitoring systems used as part of ongoing monitoring. The guide sets out the following examples of good practice:

  • New approaches to transaction monitoring are piloted or subject to evaluation periods, with firms able to demonstrate appropriate testing.
  • Before a new system replaces an existing one, a robust judgement is formed about the relative usefulness of both systems. While each system may not flag all the same events, the firm is able to demonstrate that one approach produces better quality alerts overall.
  • The firm tailors the monitoring system rules to its business, risk and relevant typologies. The system and rules are tested and reviewed for the right outcomes.

The guide sets out the following examples of poor practice:

  • Threshold-based transaction monitoring approaches are used in situations where they are not suitable, while other methods of scrutiny (such as oversight of customers by relationship managers) are neglected.
  • A threshold-based, rule-driven transaction monitoring system is used but is poorly calibrated and the firm struggles to articulate the rationale for particular rules and scenarios.
  • Data fed into an automated system is not migrated smoothly when feeder systems are modified or upgraded, or transactions from a specific system have been erroneously omitted from the transaction monitoring system.

Consumer duty

The guide now includes express references to the consumer duty, recommending that firms consider whether their financial crime systems and controls are consistent, where applicable, with their consumer duty obligations. This obviously raises the prospect of conflict between financial crime obligations and consumer duty obligations.

To reassure firms, the FCA has confirmed that the duty does not imply that consumers can or will be protected from all harms or that all harms are preventable. In addition, the consumer duty does not replace or override legislation such as the Money Laundering Regulations and does not require firms to act in a way that is incompatible with any legal or regulatory requirements, such as those under financial crime legislation and rules.

If financial crime requirements prescribe certain actions, firms must comply with them, but they will need to think more widely about their approach to complying with the duty. For instance, in complying with the consumer duty, firms may consider offering additional consumer support, such as a real-time human interface to deal with security or fraud concerns or engagement with customers during CDD processes. Firms will, however, need to tread carefully to avoid falling foul of criminal legislation, such as the tipping off offence.

Cryptoasset businesses

Cryptoasset businesses registered under the Money Laundering Regulations have been subject to FCA financial crime supervision since January 2020. The FCA has updated the guide to make it clear that such businesses should refer to the guide.

Conclusion

The FCA expects firms to have read and understood the changes made to the guide, to review their systems and controls, to evaluate whether they are adequate and proportionate, and to have a heightened awareness of what constitutes good and poor practice.



Penningtons Manches Cooper LLP

Penningtons Manches Cooper LLP is a limited liability partnership registered in England and Wales with registered number OC311575 and is authorised and regulated by the Solicitors Regulation Authority under number 419867.
