For years, Annexe I firms have occupied the grey zone in UK financial regulation. Commercial lenders, money brokers, invoice-factoring providers, leasing companies and safety-deposit box operators are not fully authorised by the FCA, yet they sit squarely in the path of illicit finance.
That grey zone is now closing.
The FCA has made clear, through surveys, supervisory reviews and public warnings that Annexe I firms are no longer treated as lightly supervised participants in the financial system. The regulator now expects the same level of AML and sanctions checks it demands from fully regulated financial institutions.
For firms that have historically viewed FCA registration as a formality rather than a compliance regime, this marks a fundamental shift.
What are Annexe I firms?
Annexe I firms carry out “specified activities” under the MLRs 2017 . This brings them into scope of FCA supervision for AML and counter-terrorist financing (CTF), even though they are not authorised under FSMA for conduct or prudential purposes.
The category includes, among others:
- commercial and specialist lenders
- money brokers
- leasing companies
- invoice-factoring and receivables-finance providers
- safety-deposit box operators
These businesses often operate at the edges of mainstream financial regulation, which is exactly the place criminals prefer. The FCA has repeatedly warned that weak controls in this sector pose a systemic risk to the integrity of UK markets.
Too many firms are not getting the basics right
In March 2024, the FCA published a widely read Dear CEO letter highlighting common AML failings across Annexe I firms. The themes were familiar and concerning:
- inadequate business-wide and customer risk assessments
- controls that had not kept pace with business growth
- poorly defined or outdated due-diligence policies
- weak governance and limited senior management oversight
- under-resourced and under-trained AML teams
Fast-forward to late 2025, and the regulator escalated further, issuing a detailed survey to around 300 Annexe I firms. The exercise focused on whether firms had actually conducted gap analyses and remediated weaknesses identified in earlier FCA reviews.
This reflected a data-led supervisory strategy designed to identify firms most likely to face enforcement action.
AML obligations apply in full
One of the most persistent misconceptions among Annexe I firms is that FCA registration equates to a “lighter” AML regime. The FCA has made it clear that that is no longer the case.
Annexe I firms are directly subject to the full scope of the MLRs, including:
- governance and senior management accountability
- documented business-wide risk assessments
- customer due diligence and enhanced due diligence
- ongoing monitoring and transaction scrutiny
- suspicious activity reporting (SARs)
- training, audit and record-keeping
In regulatory terms, there is no such thing as “AML-lite”.
Sanctions compliance is not optional
While the FCA supervises Annexe I firms under the MLRs, UK financial sanctions apply to every UK business, regardless of regulatory status. Enforcement sits with OFSI, but the obligation is universal. AML systems that fail to screen for sanctions exposure are, by definition, defective.
The FCA has been clear that financial crime systems must incorporate sanctions screening, escalation and reporting as part of customer risk assessment, ongoing monitoring and transaction review.
Firms that treat sanctions as an afterthought or assume it sits outside their AML framework, are exposing themselves to regulatory and legal risk.
Enforcement is no longer theoretical
The FCA has warned that Annexe I firms must reassess and remediate their AML frameworks within six months where deficiencies are identified. Failure to do so may result in formal supervisory intervention, restrictions or removal from the FCA register and public enforcement action.
What should financial services firms do now?
For Annexe I firms, and the advisers who support them, the question is no longer whether scrutiny will increase, but how prepared they are when it does.
Key priorities include:
Treat FCA AML supervision as real regulation
Registration is not symbolic. Firms should assume their AML frameworks will be tested against the same standards applied to authorised institutions.
Refresh business-wide risk assessments
Risk assessments must reflect actual activities, not historical descriptions submitted at registration. Discrepancies are now a major red flag for the FCA.
Strengthen governance and senior oversight
Boards and senior managers must be visibly engaged. Delegating AML entirely to junior staff is no longer defensible.
Embed sanctions into AML controls
Sanctions screening, escalation and reporting must be integrated, documented and understood across the business.
Resource compliance properly
Under-staffed AML teams and generic policies copied from templates are increasingly easy for the FCA to spot and challenge.
The FCA’s intensified focus on Annexe I firms is part of a broader strategy to close loopholes exploited by criminals. Businesses operating outside the traditional regulatory perimeter are no longer flying under the radar. For firms that invest in robust AML and sanctions frameworks, this shift can be navigated. For those that continue to treat AML as a registration requirement rather than an operational discipline, enforcement risk is rising fast.
Our Conversational Learning course on AML due diligence turns passive training into active engagement. Through rich, multimedia scenarios and guidance from our AI experts, you’ll explore fundamental AML principles with the ability to adapt to your experience, role and level of understanding. Try it now.
