FCA's 2025 Risk Assessment Findings: What Firms Need to Know
- Andrew Arginovski


The Financial Conduct Authority (FCA) today published its latest multi-firm review into risk assessment processes and controls, setting out examples of good and poor practice in Business-Wide Risk Assessments (BWRAs) and Customer Risk Assessments (CRAs).
The findings, which form part of the FCA’s 2025–2030 strategy to reduce financial crime harm, underline the regulator’s expectation that firms must not only have risk assessments in place, but that these must be robust, tailored, and evidence-based.
The review covered a broad range of firms, from building societies and wealth managers to payments and e-money institutions, and assessed how effectively they:
- Identify, understand and assess financial crime risks.
- Mitigate those risks through appropriate systems and controls.
- Manage those risks through strong governance and oversight.
Below, we break down the FCA’s findings and what they mean in practice for firms and Money Laundering Reporting Officers (MLROs).
Identifying, Understanding and Assessing Risk
The FCA found that while most firms have a BWRA on paper, many are generic or lack sufficient depth, often copied from templates or focused too narrowly on fraud rather than the full spectrum of financial crime risks.
Common shortcomings
- Failure to tailor assessments to specific products, services, or customer segments.
- Over-reliance on qualitative judgement with little or no quantitative evidence.
- Insufficient articulation of residual risk or rationale for risk ratings.
- Minimal linkage between the BWRA, CRA, and the firm’s overall risk appetite or governance framework.
In several cases, firms were unable to explain how identified risks were being mitigated or monitored in practice, a major red flag from the FCA’s perspective.
Examples of good practice
Firms demonstrating maturity in this area:
- Combine qualitative and quantitative methods (e.g. risk scoring models based on exposure metrics, transaction volumes, jurisdictional data).
- Assign risk weightings and sub-factors to reflect the specific nature of their business.
- Integrate risk assessment outcomes into business and compliance functions, ensuring a joined-up, firm-wide view.
- Conduct annual formal reviews (not just “refreshes”), challenging underlying assumptions and updating data inputs.
Compliance Angle's view
Your BWRA should reflect your business model, not the industry average. This means linking every inherent risk, from customer demographics and delivery channels to product design and geographic footprint, to specific controls and measurable outcomes.
MLROs should be able to evidence not only the process but the reasoning behind risk scores, and how these influence the firm’s ongoing monitoring, resource allocation and control development.
Mitigating Risk
The FCA’s second theme focused on how firms translate risk assessments into practical, risk-based mitigation actions.
While many firms do factor financial crime into their strategic discussions, the FCA found limited evidence that risk assessments directly influence business decisions, control design, or product approval processes.
Common shortcomings
- Rapid business expansion without assessing whether existing controls remain suitable.
- Failure to update CRAs as customer types or products evolve.
- No documented action tracking or accountability for risk mitigation.
- Insufficient capacity in financial crime teams relative to the firm’s growth or complexity.
Examples of good practice
- Firms plan for compliance alongside growth, ensuring that systems, people, and technology scale with the business.
- BWRA outputs feed into risk appetite statements, control testing programmes, and ongoing monitoring.
- Action tracking mechanisms (e.g. logs or registers) record mitigation tasks, assign ownership, and monitor completion.
- The MLRO or financial crime function plays an active role in product development and business planning committees.
Compliance Angle's view
Firms must demonstrate a clear “line of sight” between the risk assessment and their control environment. When a BWRA identifies elevated risks, such as exposure to high-risk jurisdictions, complex corporate structures, or PEPs, there should be documented evidence of enhanced CDD measures, system upgrades, or resource allocation decisions to mitigate them.
In short: a risk identified but not acted upon is a control failure.
Managing Risk
The third area of focus was governance and oversight. The FCA noted that many firms have improved awareness of financial crime risks, but that this understanding remains uneven, with senior management often more familiar with fraud than with money laundering, sanctions, or proliferation financing risks.
Poor governance traits
- No evidence of senior management approval or challenge.
- Static, outdated assessments that fail to reflect the current business profile.
- Lack of documented testing or validation of automated models.
- Narrow risk focus, often limited to fraud, missing broader financial crime threats.
Strong governance practices
- Documented MLRO and committee challenge during BWRA and CRA reviews.
- Regular updates (quarterly or triggered) to ensure assessments reflect emerging risks and regulatory changes.
- Clear, consistent risk assessment methodology, including version control and formal approvals for changes.
- Integrated reporting: BWRA summaries provided to senior management and relevant committees, highlighting trends, conclusions, and action status.
- Dynamic and tested models, including validation of automation or system-driven risk scoring tools.
Compliance Angle's view
Senior management ownership is a regulatory must. The Senior Managers and Certification Regime (SM&CR) requires demonstrable oversight and accountability for financial crime systems and controls.
Boards and ExCo committees should be routinely briefed on BWRA outcomes, residual risk trends, and the status of mitigation actions. Firms should also consider introducing triggers for interim reviews, for instance, after material business change, new products, or jurisdictional expansion.
FCA's Expectations Going Forward
The FCA’s closing message is unequivocal: these are not new expectations. Firms should already be:
- Understanding the specific risks their business faces.
- Maintaining proportionate, effective controls to manage and mitigate those risks.
- Reviewing and updating their frameworks regularly as the firm or external environment evolves.
The FCA will continue engaging directly with firms where weaknesses are found, and will incorporate these themes into ongoing supervisory work and future thematic reviews.
What Firms Should Do Now
To meet the FCA’s expectations and strengthen their frameworks, firms should:
- Revisit your BWRA and CRA frameworks: ensure they are bespoke, evidence-driven, and integrated with your business strategy.
- Document everything: from data sources and rationale for risk ratings to committee minutes and mitigation actions.
- Ensure scalability: your financial crime framework must grow with your business.
- Track actions and ownership: create a clear audit trail of risk mitigation activities and completion status.
- Embed governance and challenge: make BWRA and CRA outputs regular agenda items at ExCo or Risk Committee meetings.
- Test and validate: review your models and processes regularly to confirm they remain fit for purpose.
Contact Us
Contact Compliance Angle at info@complianceangle.co.uk or call +44 7427 792594 to schedule a free consultation and ensure your firm stays aligned, efficient and ready for the next phase of UK regulatory reform.