FCA Review of Customer Due Diligence and Enhanced Due Diligence: A Practical Guide

  • Writer: Andrew Arginovski


In April 2026, the Financial Conduct Authority (FCA) published the findings of its multi-firm review into Customer Due Diligence (CDD), Enhanced Due Diligence (EDD), and ongoing monitoring controls. This review is a clear reminder that firms must ensure their FCA compliance framework is not only documented but operating effectively in practice, particularly in areas such as AML controls, customer onboarding, and ongoing monitoring.


For firms seeking to strengthen their compliance monitoring framework or broader financial crime controls, the findings provide a practical benchmark for what “good” looks like.


What the FCA Reviewed


The FCA assessed firms’ CDD and EDD frameworks through policy reviews, customer file testing, interviews, and questionnaires. These were benchmarked against the Money Laundering Regulations 2017, alongside guidance from the Joint Money Laundering Steering Group and the Financial Action Task Force.


A key theme across the review was the alignment between firms’ business-wide risk assessment (BWRA) and how this translates into their customer due diligence processes. In many cases, firms had identified risks at a high level but failed to embed these into their operational controls.


Policies and Procedures: Documented but Not Operational


Most firms had AML policies in place, but the FCA found these were often too high-level and lacked practical detail. While some firms demonstrated strong regulatory compliance frameworks, others struggled to translate policy into action.


Stronger firms clearly defined their CDD and EDD frameworks, including how risk assessments feed into onboarding and monitoring. However, weaker firms lacked clarity and consistency.


Key issues identified included:

  • Lack of practical guidance within AML policies and procedures

  • No clearly defined compliance monitoring plan for periodic or event-driven reviews

  • Limited guidance on alternative identity verification methods

  • Weak governance and unclear escalation thresholds

  • Failure to follow internal policies in practice


This highlights a common issue: firms may have a documented compliance monitoring programme, but it is not always aligned with day-to-day operations.


CDD and EDD Processes: Risk-Based but Poorly Evidenced


The FCA observed that most firms adopt a risk-based approach to customer due diligence, which is a core component of any compliance risk assessment. However, many firms failed to evidence how this approach was applied in practice.


Stronger firms demonstrated well-documented EDD processes, supported by clear governance and oversight. In contrast, weaker firms could not evidence what checks had been performed or why.


Common failings included:

  • Missing documentation on the purpose and nature of customer relationships

  • No evidence of enhanced due diligence measures being applied

  • Limited differentiation between low-risk and high-risk customers

  • Inconsistent ongoing monitoring and review cycles

  • Lack of clarity around senior management approval requirements


This creates a disconnect between a firm’s compliance risk assessment and its actual customer due diligence controls, something the FCA is clearly focused on addressing.


Compliance Monitoring and Audit: Weak Independence


The review also highlighted significant weaknesses in firms’ compliance monitoring frameworks, particularly around independence and oversight. While some firms operated robust compliance monitoring programmes, including internal audit and external reviews, others lacked structure and clarity.


Key issues included:

  • No clearly defined compliance monitoring framework or plan

  • Lack of independent second-line oversight

  • Conflicts of interest between onboarding and review functions

  • Poor documentation and audit trails

  • Weak version control across policies and procedures

From an FCA perspective, this undermines the effectiveness of the firm’s overall FCA compliance framework and raises concerns about the reliability of its controls.


Key Themes from the FCA Review


Across all areas, the FCA’s message is consistent: firms must ensure their frameworks are not only well-designed but fully operational.


Key themes include:

  • Policies must be clear, detailed, and usable in practice

  • Firms must evidence their customer due diligence processes

  • Risk assessments must translate into real controls

  • Independent monitoring is essential

  • Ongoing due diligence is just as important as onboarding


These elements form the foundation of an effective regulatory compliance framework.


What Firms Should Do Now


Firms should use this review as an opportunity to assess and enhance their frameworks, particularly where there are gaps between policy and practice.


Practical next steps include:

  • Reviewing and enhancing AML policies and procedures

  • Strengthening the link between the business-wide risk assessment and CDD processes

  • Implementing a clear and structured compliance monitoring plan

  • Improving documentation and audit trails across onboarding and EDD

  • Ensuring appropriate governance and senior management oversight

  • Introducing independent review through internal audit or external support


For many firms, this may require external compliance consulting support or targeted regulatory health checks to identify and remediate weaknesses.


How Compliance Angle Can Help


The FCA’s latest findings on Customer Due Diligence and Enhanced Due Diligence highlight a common challenge across the industry: firms often have the right frameworks in place, but struggle with practical implementation, documentation, and ongoing monitoring.


In an environment where regulators expect firms to demonstrate a fully operational compliance framework, it is no longer enough to rely on high-level policies. Firms must ensure their CDD processes, compliance monitoring frameworks, and financial crime controls are embedded, evidenced, and regularly tested.


At Compliance Angle, we work with firms to bridge the gap between regulatory requirements and real-world execution, providing practical, hands-on support tailored to your business model and risk profile.


We support firms with:

  • FCA authorisation support and FCA application support: Helping firms navigate the process of applying for FCA authorisation, including building compliant financial crime and CDD frameworks from the outset

  • Development of compliance monitoring frameworks and compliance monitoring plans: Designing and implementing robust compliance monitoring programmes that align with FCA expectations and provide effective oversight of CDD and EDD controls

  • Business-wide risk assessments: Conducting and enhancing business-wide risk assessments to ensure risks are clearly identified and translated into proportionate customer due diligence measures

  • Compliance gap analysis and regulatory health checks: Identifying weaknesses across your AML compliance framework, CDD processes, and governance structures, with clear, practical remediation steps