
FCA publishes findings on review of risk assessment processes

26 Nov 2025

On 11 November 2025 the Financial Conduct Authority (FCA) shared the findings of a multi-firm review focussing on business-wide risk assessment (BWRA) and customer risk assessment (CRA) processes. The review forms part of the FCA's ongoing effort to combat financial crime, as outlined in its strategy for 2025 to 2030.


Scope of the review

The FCA's review assessed the BWRA and CRA processes of a range of financial services firms, such as building societies, e-money payment firms and wealth management firms.

Firm controls were evaluated against several key regulatory frameworks and guidance documents, including (but not limited to) the Money Laundering Regulations 2017, the Financial Crime Guide, and the Joint Money Laundering Steering Group guidance. 

Identifying, understanding and assessing risk

The FCA found that while most firms it reviewed had implemented a BWRA, many failed to identify relevant risks or tailor their assessments to their specific business. Additionally, some firms struggled to explain how they were managing and mitigating the risks they had identified.

Examples of good practice included:

  • Comprehensive BWRAs that are weighted, that incorporate quantitative and qualitative analysis, and which consider a range of internal and external factors.
  • Assessing risks by business area and combining results.
  • BWRAs which consider inherent risks, control effectiveness and residual risks.
  • Conducting an annual detailed BWRA.
  • BWRAs which are tailored to the firm, its products and its customers, with clear documentation on how the firm manages risks.

Examples of poor practice included:

  • BWRAs which focussed only on generic risks, ignoring specific risks such as money laundering, sanctions, anti-bribery and corruption, proliferation and terrorist financing risks.
  • Failing to carry out any quantitative analysis.
  • BWRAs which lack clarity on how inherent risks are identified and assessed.
  • Unsupported conclusions that a business is low risk or has effective controls in place.

Mitigating risk

The FCA's findings indicate that financial crime risk is often considered in business strategy, growth and product development, but there is little evidence of how risk assessments, monitoring and decision-making are joined up.

Few firms had documented actions arising from their risk assessments.

Examples of good practice included:

  • Considering the capacity of compliance and financial crime functions to support growth strategy.
  • BWRAs which feed into risk appetite, controls testing and the firm’s overall risk-based approach.
  • CRAs which directly impact customer due diligence, transaction monitoring and other processes and controls used to mitigate identified risks.
  • Tracking BWRA actions and noting recommendations on how the firm plans to mitigate or reduce overall risk.
  • Considering financial crime risks throughout the business.

Examples of poor practice included:

  • CRAs which are not developed in line with business growth.
  • Not recording BWRA actions or assigning them to owners.
  • Rapid business expansion without ensuring that controls remain appropriate and effective. 

Managing risk

The FCA found that many firms recognise the importance of governance and oversight, but senior management often focuses more on fraud risk than on other financial crime risks.

Examples of good practice included:

  • Sharing BWRA summaries and CRA management information with senior management.
  • Challenging risk assessments and evidencing this.
  • Considering CRA processes in business continuity plans.
  • Documenting risk assessment methodologies in detail and formally logging, discussing and approving changes.
  • Regularly reviewing risk assessment models.
  • Reflecting the risks identified and assessed through weightings or sub-factors.

Examples of poor practice included:

  • Not documenting senior management discussion, challenge and approval of BWRAs.
  • Focussing mainly on fraud risks and neglecting other financial crime risks.
  • Insufficient testing and review of risk assessment processes.
  • Adopting a static approach to risk assessments that fails to adapt to emerging risks. 

Conclusion

The FCA’s findings highlight the importance of robust and tailored risk assessment processes. While many firms demonstrated awareness of their obligations, the review reveals significant gaps in the identification, mitigation and management of risks at some of the businesses that took part.

Firms are encouraged to reflect on the FCA's findings and review their own risk assessment frameworks and overall risk-based approach to systems and controls. 


If you would like to discuss the FCA’s findings further or explore how they may apply to your business, please contact Terence Dickens or Gena Ritchie.
