Is the FCA’s CDD review a turning point for due diligence?

The FCA’s 2025 multi-firm review indicates that existing due diligence policies often fail in practice, and that due diligence processes lack the clarity and evidential rigour now expected under the money laundering regulations.

The FCA notes that while firms are not unaware of their obligations, they are not translating those obligations into effective, operational controls.

The illusion of compliance

Many organisations reviewed by the FCA had documented policies and procedures in place and, on paper, appeared compliant. But when tested through file reviews, staff interviews, and practical application, those frameworks often fell short.

Policies frequently lacked detail on what enhanced due diligence (EDD) actually required in practice. Staff were left without clear instructions on how to respond when customers could not provide standard forms of identification, or when an event triggered the need for a review. Some firms even failed to follow their own procedures altogether, particularly when it came to conducting periodic reviews.

This reveals a shift in regulatory expectation. Compliance is no longer about having policies. It is about whether those policies work in real-world scenarios. The FCA is more focused on usability and consistency and less on statements of intent.

The new front line is documentation

The one theme that runs consistently through the FCA’s findings is the importance of documentation. Across many firms, there was little to no evidence of EDD measures being carried out, even where high-risk customers were involved. Key information, such as the purpose and intended nature of business relationships, was often missing, undermining the ability to conduct meaningful ongoing monitoring.

This has real implications for UK businesses. In the eyes of the regulator, work that is not documented does not exist. Firms must now be able to demonstrate not only that they have assessed risk appropriately, but that they have also acted on it in a structured way.

The stronger performers in the review were those who embedded documentation into every stage of the due diligence process. Their approach was not just theoretically risk-based. It was put into practice, with audit trails that showed how decisions were made and why.

A focus on governance

The FCA’s concerns were not limited to due diligence. Weaknesses in compliance monitoring and audit functions point to deeper governance issues.

In some cases, the same people were responsible for onboarding customers and then reviewing those decisions. This raises obvious questions about objectivity and effectiveness. Firms were also unable to demonstrate version control over their policies, leaving no clear record of how procedures had evolved or whether they had been properly reviewed.

These findings reflect a broader regulatory emphasis on accountability. Senior managers are expected to oversee financial crime controls and to ensure they are robust, independent, and capable of standing up to scrutiny.

What this means for UK businesses

Although the review focused on FCA-regulated firms, its implications extend beyond the financial services sector. With increasing alignment to international standards set by the FATF and ongoing discussions about expanding regulatory scope, professional services firms, including law firms and accountants, should pay attention.

Due diligence is an ongoing, risk-driven process that must be managed, regularly reviewed, and documented.

For many organisations, this will require a fundamental rethink of how due diligence is done. Policies will need to evolve from static documents into practical tools. Risk-based approaches will need to be demonstrable. Ongoing monitoring will need to be clearly defined, with triggers and responsibilities embedded into operational processes.

Perhaps most importantly, governance structures will need to ensure genuine oversight. Independent review functions, clear approval frameworks, and robust audit trails are essential components of an effective control environment.

The tick box era is over

The FCA’s review signals a shift away from “tick-box” compliance. Firms will need to prove that their controls are in place and effective. Those controls need to be lived.

UK businesses that continue to rely on high-level policies and fragmented processes may find themselves exposed under increasing regulatory scrutiny. Those that invest in building clear, well-documented, and operationally sound due diligence frameworks will be better positioned to comply and to build trust in their operations.

The FCA’s findings are not just a critique of current practices. They are a roadmap for what effective due diligence must now look like.

The UK government has confirmed the FCA will take over from the SRA, the Law Society of Scotland, and other professional body supervisors as the Single Professional Services Supervisor (SPSS). For the first time, law and accountancy firms across the UK will fall under a single AML regulator. Early preparation will reduce cost, disruption, and regulatory surprises.