
Financial Crime Controls: Building an Effective AML/CTF Framework

A practical guide to implementing AML/CTF controls for UK-regulated firms — business-wide risk assessment, customer due diligence, transaction monitoring, SAR reporting, and training programmes.

By MEMA Regulatory Team · 21 min read

What It Is

A financial crime control framework is the integrated set of policies, procedures, systems, and governance arrangements that a firm deploys to prevent, detect, and report money laundering, terrorist financing, sanctions evasion, fraud, and bribery. For UK-regulated firms, this framework is mandated by the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs) — as amended by the Money Laundering and Terrorist Financing (Amendment) Regulations 2019 and 2022 — the Proceeds of Crime Act 2002 (POCA), the Terrorism Act 2000, the Sanctions and Anti-Money Laundering Act 2018 (SAMLA), and the FCA's Financial Crime Guide (FCG).

The core components of an effective AML/CTF framework include: a business-wide risk assessment (BWRA) under regulation 18 of the MLRs; customer due diligence (CDD) procedures encompassing simplified due diligence (SDD under regulation 37), standard CDD (regulations 28-30), and enhanced due diligence (EDD under regulations 33-35); ongoing monitoring of business relationships and transactions (regulation 28(11)); suspicious activity reporting to the National Crime Agency (NCA) under POCA sections 330-332 and the Terrorism Act section 21A; sanctions screening against the UK Sanctions List maintained by OFSI under SAMLA; and staff training under regulation 24. These components are not standalone; they must operate as an integrated system where each element informs and reinforces the others. The BWRA drives CDD design; CDD findings inform transaction monitoring parameters; monitoring generates SARs; and SAR analysis feeds back into the BWRA.

The FCA supervises firms' financial crime controls under SYSC 3.2.6R (firms must take reasonable care to establish and maintain effective systems and controls for compliance with applicable requirements) and SYSC 6.1.1R (firms must establish, implement, and maintain adequate policies and procedures to detect the risk of failure to comply with regulatory obligations, including the risk of financial crime). Principle 3 (management and control), Principle 2 (skill, care and diligence), and Principle 11 (relations with regulators) further underpin the regulatory expectation. The FCA has made financial crime a permanent priority area, with a dedicated Financial Crime department conducting both proactive supervisory assessments (including unannounced visits) and reactive investigations.

Why the FCA Cares

Reducing and preventing financial crime is one of the FCA's three operational objectives under section 1B(3)(c) FSMA. The regulator views the UK financial system as a potential conduit for money laundering, terrorist financing, and sanctions evasion, and holds regulated firms as the first line of defence. This is not rhetorical — the UK's National Risk Assessment of Money Laundering and Terrorist Financing (updated 2020) consistently identifies weaknesses in the regulated sector's defences, and FATF's 2018 Mutual Evaluation of the UK, while broadly positive, highlighted areas for improvement in supervisory effectiveness and the use of SARs by the private sector.

The FCA's enforcement record demonstrates the severity with which it treats financial crime control failures. In 2022, the FCA fined Santander UK plc GBP 107.8 million for serious and persistent gaps in its anti-money laundering controls, specifically failures in its automated transaction monitoring system and failures by its business banking division to adequately verify the source of customer deposits. In 2021, the FCA fined HSBC Life (UK) Ltd GBP 63.9 million for failings in its anti-money laundering transaction monitoring systems. In 2023, the FCA fined Guaranty Trust Bank (UK) Limited GBP 7.6 million for AML systems and controls failings, including an inadequate BWRA that did not identify the specific money laundering risks faced by the firm. At the smaller firm end, in 2022, the FCA fined Al Rayan Bank PLC GBP 4 million for AML failings. In 2021, it fined NatWest Group GBP 264.8 million (the UK's largest ever AML fine at the time) after the bank pleaded guilty to three offences under the MLRs for failing to conduct adequate ongoing monitoring of a high-risk customer that deposited over GBP 365 million — including GBP 264 million in cash — through its accounts.

The FCA's Dear CEO letters to the payments, wealth management, and consumer credit sectors have repeatedly emphasised financial crime as a priority concern. The FCA's letter to payment services firms (January 2023) stated that "the sector continues to present a high risk of being used for money laundering" and that the FCA "will not hesitate to take action, including removing firms' permissions, where controls are inadequate." The regulator's annual financial crime data return — which all firms with annual revenue above GBP 5 million must submit — benchmarks sector performance and identifies systemic weaknesses. Firms that cannot demonstrate effective financial crime controls face not only regulatory sanctions but also the risk of criminal prosecution of individuals — the MLRO in particular — under POCA section 331 (up to five years' imprisonment) and the MLRs regulation 86 (unlimited fine).

Who It Affects

Every FCA-authorised and registered firm is subject to financial crime control requirements. The MLRs apply to all "relevant persons" within scope of the regulations — a list that includes credit institutions, financial institutions (which covers most FCA-regulated firms), auditors, insolvency practitioners, tax advisers, trust or company service providers, estate agents, and high-value dealers, among others (regulation 8). The FCA's SYSC requirements apply to all authorised firms regardless of whether they are also within scope of the MLRs.

The practical impact varies significantly by sector. Payment services firms and e-money issuers face the most intensive scrutiny given their transaction volumes, the speed of fund movements, and the FCA's assessment that this sector presents elevated money laundering risk — particularly through agent and distributor networks, where the firm's AML obligations extend to oversight of agent conduct under regulation 36A of the Payment Services Regulations 2017. The FCA has conducted multiple rounds of assessments of payment firms' financial crime controls and has found persistent deficiencies — its 2023 letter noted that "too many firms in this sector do not meet our expectations."

Consumer credit firms, particularly those providing lending to SMEs or operating in the debt purchase and collection space, face risks around customer identity fraud, application fraud, first-party fraud (where customers misrepresent their circumstances to obtain credit), and the use of credit products to layer illicit funds. The FCA's 2022 Financial Crime Report highlighted that consumer credit firms often have the weakest controls relative to their risk profile — partly because many entered the regulatory perimeter from the OFT regime in 2014 and have not fully adapted to FCA expectations.

Wealth management firms face high-risk customer profiles by default. PEPs, high-net-worth individuals with complex structures, trusts, family offices, and customers with connections to high-risk jurisdictions all present elevated money laundering risk requiring robust EDD processes. Insurance intermediaries, while often perceived as lower risk, must address fraud typologies specific to the insurance market (including premium fraud, claims fraud, and staged events) and ensure adequate sanctions screening of policyholders, beneficiaries, and claims payees.

What Firms Get Wrong

The most pervasive failing is treating the business-wide risk assessment as a compliance document rather than a genuine risk management tool. Firms produce BWRAs that describe risk factors in generic terms — "we face money laundering risk because we handle customer funds" — without assessing the specific risks arising from their customer base (including customer types, geographic spread, and risk profiles), product range (which products are most susceptible to misuse), delivery channels (face-to-face versus online, direct versus intermediated), geographic exposure (including both customer locations and transaction destinations), and transaction patterns (volumes, values, and typologies). A BWRA that does not identify specific, prioritised risks — scored by likelihood and impact — cannot inform the design of controls that are targeted and proportionate. The FCA's assessment of Guaranty Trust Bank in 2023 found that the bank's BWRA "did not identify the specific money laundering risks arising from its customer base and correspondent banking relationships," leading directly to inadequate controls.

The second major area of failure is customer due diligence. Firms fall into two traps. Some apply a one-size-fits-all approach, conducting the same level of CDD on every customer regardless of risk — which wastes resources on low-risk customers while under-serving high-risk ones. Others have risk-based CDD policies on paper but fail to implement them in practice — EDD is not conducted when triggers are met (particularly for existing long-standing customers who were onboarded before current standards), ongoing monitoring under regulation 28(11) does not occur, CDD records are not refreshed when risk indicators change, and beneficial ownership information under regulation 5 is not verified or is accepted at face value from the customer. The FCA found that CDD failures are particularly common for existing customers — firms rely on onboarding records from years or decades earlier without asking whether the customer relationship still matches its original risk profile.

Transaction monitoring is another area of widespread weakness. Many smaller firms lack any form of structured transaction monitoring, relying instead on staff to identify suspicious activity manually — an approach that the FCA considers inadequate for any firm processing more than minimal transaction volumes. Even where automated systems exist, they are frequently poorly calibrated — generating either excessive false positives (leading to alert fatigue, with investigation quality degrading as analysts process hundreds of low-quality alerts) or insufficient alerts (due to thresholds set too high or rules that do not reflect the firm's actual risk profile). The Santander enforcement action specifically cited that the bank's automated monitoring system had gaps that meant certain high-risk transactions were not being screened at all. The FCA expects firms to be able to demonstrate that their monitoring parameters are informed by their BWRA, calibrated to detect the specific typologies relevant to their business (as identified in the NCA's SARs Annual Report, FATF typology papers, and the FCA's own publications), and subject to regular effectiveness testing.

SAR reporting failures carry the most severe consequences because they engage personal criminal liability. Common errors include:

  • Failing to make a SAR when there are reasonable grounds for suspicion (a criminal offence under POCA section 330)
  • Making SARs that are too vague to be actionable by the NCA (the FCA has noted that poor-quality SARs waste NCA resource and may not provide the legal protection intended)
  • Failing to seek consent from the NCA before proceeding with a transaction where suspicion exists — a "consent SAR" or Defence Against Money Laundering (DAML) request under POCA section 335, without which the firm commits a money laundering offence by processing the transaction
  • Tipping off the customer that a SAR has been filed, a separate criminal offence under POCA section 333A
  • Delays in filing — the NCA's guidance states that consent SARs should be filed before the transaction proceeds, and the FCA expects internal escalation from staff to MLRO and from MLRO to NCA to happen within defined, short timeframes

The MLRO must have the authority, resources, and access to information necessary to make timely and informed reporting decisions. A common failing is firms appointing an MLRO without providing them adequate access to transaction data, customer records, or senior management. The FCA has emphasised that the MLRO function under SMF17 is one of the most consequential roles in any firm, and that the individual must have sufficient seniority and independence to discharge their obligations without interference.

What Evidence Is Expected

The FCA expects firms to maintain a current, board-approved BWRA that identifies and assesses the money laundering and terrorist financing risks the firm faces. The BWRA must cover, at minimum: customer risk (types, demographics, geographic spread, risk profiles), product and service risk (susceptibility to misuse), delivery channel risk (face-to-face, remote, intermediated), geographic risk (jurisdictions of customers, transactions, and counterparties), and any other risk factors relevant to the firm (such as new technologies, agent networks, or third-party dependencies). The BWRA must be informed by external sources including the UK National Risk Assessment, the NCA SARs Annual Report, FATF mutual evaluation findings, sector-specific risk assessments published by the FCA, and JMLSG guidance. The BWRA should document both inherent risk (before controls) and residual risk (after controls), enabling the firm and the FCA to assess whether controls are adequate.

CDD records must be complete, current, and accessible. For each customer, the firm must hold: identity verification documents (certified copies or electronic verification records meeting regulation 28(2) standards), beneficial ownership information (verified under regulation 5 and regulation 28(3)), risk assessment documentation showing the risk rating assigned and the rationale, and — for higher-risk customers — source of wealth evidence (how the customer accumulated their overall wealth) and source of funds evidence (the origin of the specific funds involved in the business relationship or transaction). The FCA expects firms to be able to produce a customer's complete CDD file within a reasonable timeframe during a supervisory visit or information request — firms that cannot locate records are in breach of regulation 40 (record keeping).

Transaction monitoring evidence includes: documentation of the monitoring methodology (rules, thresholds, scenarios, and the rationale for each — linked to the BWRA), calibration records showing how parameters were set and adjusted over time, alert investigation records demonstrating that alerts were reviewed and dispositioned within defined timescales and to an adequate standard, escalation records showing that genuine suspicions were reported to the MLRO with supporting evidence, and effectiveness review records showing that the firm has tested its monitoring system (including back-testing against known cases and sample testing of transactions that did not generate alerts). The FCA expects firms to conduct effectiveness reviews at least annually and more frequently if the business changes.

SAR records must evidence the complete internal reporting chain — from the staff member who identified the suspicion (including the date, the basis for suspicion, and the evidence relied upon) through to the MLRO's decision to file or not file with the NCA (including the MLRO's analysis and rationale). Where a decision is made not to file, the rationale must be documented in sufficient detail to demonstrate that the MLRO applied their judgment based on all available information — a bare statement of "no suspicion" is insufficient. Consent SAR records must include the date of the request, the NCA's response, the moratorium period, and confirmation that the transaction was not processed until consent was received (or the moratorium expired).

Training records must demonstrate that all relevant staff received financial crime training at induction and at regular intervals thereafter (the FCA expects at least annually), with content appropriate to their role and the risks they are likely to encounter. The firm should also maintain records of training effectiveness — for example, test scores, scenario assessments, or management reviews — and evidence that training content is updated to reflect emerging typologies and regulatory changes.

Good Implementation Looks Like

A firm with effective financial crime controls starts with a BWRA that genuinely drives its control design. The BWRA is not a standalone document filed in the compliance folder — it is the reference point for every decision about CDD requirements, monitoring parameters, staffing levels, training content, and resource allocation. When the firm launches a new product, enters a new market, onboards a new agent or distributor, or identifies an emerging typology, the BWRA is updated first, and control changes follow. The BWRA is reviewed by the board at least annually, and the board can evidence that it has challenged the assessment — not merely rubber-stamped it.

CDD is risk-based in practice, not just policy. Simplified due diligence under regulation 37 is applied where appropriate — for example, for regulated entity customers presenting low risk — freeing resource for enhanced due diligence where it is genuinely needed. EDD for PEPs, high-risk countries (as listed in the UK's high-risk third country list under regulation 33(1)(b) and the FATF grey/black lists), and complex ownership structures is thorough and documented, with source of wealth and source of funds verified through independent sources — not merely accepted based on the customer's declaration. CDD is refreshed on a risk-based cycle: annually for high-risk customers, every three years for standard risk, and event-triggered for all customers when indicators of change arise (such as significant changes in transaction patterns, adverse media, or changes in beneficial ownership). The firm maintains a CDD remediation tracker to ensure that overdue reviews are identified and completed.
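The refresh cycle and remediation tracker just described can be expressed as a small scheduler. The following Python is example code added for this guide, not MEMA's tool or any firm's system: it derives each customer's next review date from their risk tier (annual for high risk, three years for standard risk), brings that date forward when an indicator of change occurs after the last review, and lists overdue reviews highest tier first with an MLRO escalation flag. The five-year interval for low-risk customers, the 30-day escalation threshold, the event names and the customer book are all assumptions constructed for the example.

```python
# Added example for this guide, not MEMA's tool: a risk-based CDD refresh schedule
# with event-driven triggers and an overdue-review tracker. The low-risk interval,
# the escalation threshold and all customer data are assumptions.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Tuple

# Periodic refresh interval per risk tier, in days. High and standard follow the
# cycle described in the guide; the low-risk figure is an assumed value.
REVIEW_INTERVAL = {"high": 365, "standard": 3 * 365, "low": 5 * 365}

# Indicators of change that bring the next review forward regardless of tier.
TRIGGER_EVENTS = {"adverse_media", "beneficial_owner_change",
                  "transaction_pattern_change", "risk_rating_change"}

TIER_ORDER = {"high": 0, "standard": 1, "low": 2}


@dataclass
class Customer:
    customer_id: str
    risk: str                  # current CDD risk rating
    last_review: date          # date the CDD file was last refreshed
    events: List[Tuple[date, str]] = field(default_factory=list)  # (date, event type)


def next_review_due(c: Customer) -> date:
    """Periodic due date for the tier, brought forward by any trigger event that
    occurred after the last review (earlier events were covered by that review)."""
    periodic = c.last_review + timedelta(days=REVIEW_INTERVAL[c.risk])
    triggers = [d for d, kind in c.events if kind in TRIGGER_EVENTS and d > c.last_review]
    return min([periodic] + triggers)


def remediation_tracker(customers: List[Customer], as_of: date, escalate_after: int = 30) -> List[dict]:
    """Overdue reviews as of a date, highest risk tier first, then most overdue first.
    Reviews overdue by more than `escalate_after` days are flagged for the MLRO."""
    rows = []
    for c in customers:
        due = next_review_due(c)
        days_overdue = (as_of - due).days
        if days_overdue > 0:
            rows.append({"customer": c.customer_id, "risk": c.risk, "due": due.isoformat(),
                         "days_overdue": days_overdue,
                         "escalate_to_mlro": days_overdue > escalate_after})
    rows.sort(key=lambda r: (TIER_ORDER[r["risk"]], -r["days_overdue"]))
    return rows


AS_OF = date(2024, 6, 30)  # assumed reporting date for the tracker run


def sample_customers() -> List[Customer]:
    """Constructed customer book: H1 missed its annual review; H2 is in cycle but an
    adverse-media hit pulled its review forward; S1 passed its three-year date; S2 had
    an ownership change that its last review already covered; L1 is in cycle."""
    return [
        Customer("H1", "high", date(2023, 5, 15)),
        Customer("H2", "high", date(2024, 1, 10), [(date(2024, 6, 20), "adverse_media")]),
        Customer("S1", "standard", date(2021, 3, 1)),
        Customer("S2", "standard", date(2024, 4, 1), [(date(2024, 3, 15), "beneficial_owner_change")]),
        Customer("L1", "low", date(2020, 1, 20)),
    ]


if __name__ == "__main__":
    for row in remediation_tracker(sample_customers(), AS_OF):
        print(row)
```

Run as a script it prints three overdue rows: H1 (47 days overdue, escalated), H2 (10 days, driven by the adverse-media event rather than its annual date) and S1 (122 days, escalated). The design point is that the trigger list and the tier intervals are data, so a change to the firm's BWRA or risk appetite is a configuration change rather than a code change, and every row carries the due date it was judged against, which is the evidence a supervisor will ask for.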

Transaction monitoring is calibrated to the firm's specific risk profile. The monitoring system — whether automated or, for smaller firms, structured manual processes with documented procedures and supervisory oversight — is designed to detect the typologies identified in the BWRA and referenced in NCA and FATF publications. Alerts are investigated promptly by trained staff (the FCA's expectation for investigation timescales varies by firm size but typically expects high-priority alerts to be reviewed within 24 hours), and investigation records are detailed enough to demonstrate the rationale for each disposition. Threshold reviews are conducted at least annually, informed by the firm's SARs filing history, new industry typologies (from NCA SARs Reporter Booklets and FATF publications), the results of effectiveness testing, and any regulatory feedback.

The MLRO has genuine authority and independence. They have direct access to the board, a dedicated budget, the ability to escalate concerns without interference, and access to all customer and transaction data needed to assess suspicions. SAR filing decisions are made promptly — the firm maintains internal SLAs for escalation from frontline to MLRO and from MLRO to NCA, and tracks performance against those SLAs. Consent SARs are requested before the relevant transaction is processed, and the moratorium period is managed centrally to prevent inadvertent breaches. The MLRO reports to the board at least quarterly on SARs filed (volumes, types, and outcomes), typology trends, the results of monitoring effectiveness reviews, the status of CDD remediation, training completion rates, and the firm's overall financial crime risk posture.

Related Tool

The MEMA financial crime assessment tool provides a structured framework for building, documenting, and maintaining your AML/CTF control framework. It includes a guided BWRA module that walks through each risk category — customer, product, channel, geographic, and emerging risks — with sector-specific prompts informed by FCA Dear CEO letters and enforcement themes, generating a formatted, board-ready risk assessment that can be updated incrementally as your business evolves. The BWRA module tracks version history and can produce a comparison showing what has changed since the last board-approved version.

The CDD workflow module standardises your onboarding and ongoing due diligence processes, ensuring that risk-based triggers for SDD, standard CDD, and EDD are consistently applied based on the firm's risk appetite and regulatory requirements. Automated reminders drive CDD refresh cycles on a risk-based schedule, overdue reviews are escalated to the MLRO, and the audit trail provides the evidence of compliance the FCA expects during supervisory reviews. The module supports beneficial ownership verification workflows, including integration with Companies House and international registries, and maintains a complete record of all identity verification documents and risk assessment decisions.

The tool's monitoring dashboard tracks key financial crime indicators — SARs filed (with type classification), alerts generated and dispositioned (with investigation quality metrics), CDD reviews completed and overdue (by risk tier), sanctions screening matches and dispositions, and training completion rates — giving the MLRO and the board a real-time view of the firm's financial crime control posture. Reporting modules generate the MI needed for board papers, the FCA's annual financial crime data return, audit committee reviews, and external audit support.

Related Service

Our financial crime consultancy provides practical, hands-on support for firms building or strengthening their AML/CTF framework. We conduct independent assessments of your current financial crime controls, benchmarked against the FCA's Financial Crime Guide, the JMLSG Guidance, and the findings of recent enforcement actions and thematic reviews. Our assessments follow the same methodology the FCA uses in its own supervisory assessments — examining BWRA quality, CDD design and execution, transaction monitoring effectiveness, SAR reporting processes, sanctions screening, governance and MI, and training adequacy. We identify specific, prioritised gaps — rated by regulatory and criminal risk — and deliver a remediation plan that your firm can implement with confidence.

For firms establishing a new financial crime framework — whether as part of FCA authorisation preparation, in response to regulatory findings, or as part of business expansion — we design the complete control architecture: BWRA, CDD procedures (including SDD, standard, and EDD workflows), transaction monitoring methodology (including rule design and threshold calibration), SAR reporting process (including internal escalation timescales and MLRO decision framework), sanctions screening protocol (including OFSI list management and match disposition procedures), and training programme (including role-specific content and effectiveness testing). Our designs are proportionate to your firm's size and risk profile, avoiding both under-engineering (which creates regulatory and criminal risk) and over-engineering (which creates operational burden without corresponding risk reduction).

We also provide MLRO support services for firms where the MLRO role requires external expertise or independent challenge. This includes MLRO coaching for newly appointed individuals, SAR file reviews (assessing whether filed SARs are complete and whether decisions not to file are defensible), annual control effectiveness assessments (including monitoring back-testing and alert sample reviews), and preparation for FCA financial crime assessments — including mock supervisory visits that simulate the FCA's assessment methodology. Where firms face regulatory engagement on financial crime — including section 166 skilled person reviews or FCA supervisory assessments — we provide expert support throughout the process, from initial document production through to remediation programme design and implementation oversight.

Related Sectors

Payment services firms and e-money issuers face the most intensive financial crime control expectations in the regulated sector. The FCA's assessments of payments firms have repeatedly identified inadequate BWRAs that do not reflect the specific risks of the payments business model, insufficient CDD for agents and distributors (where the firm's obligations under PSR 2017 regulation 36A extend to ensuring agent compliance), weak transaction monitoring (including monitoring gaps where high-value or high-frequency transactions pass through without scrutiny), and poor SAR filing practices (including delays and quality issues). The speed and volume of transactions in this sector, combined with complex agent and distributor networks, create significant money laundering and terrorist financing risks — including risks of payable-through accounts, nested relationships, and agent misuse. Firms must demonstrate that their controls are designed for the specific risks of the payments business model — not borrowed from banking frameworks that do not fit.

Consumer credit firms face financial crime risks that are often underestimated. Identity fraud in lending applications (where criminals use stolen or synthetic identities to obtain credit), the use of credit facilities to layer funds (particularly through rapid draw-down and repayment cycles), first-party fraud (misrepresentation of income, employment, or affordability), and the risk of firms being used as vehicles for fraud against customers (including impersonation fraud and authorised push payment scams) all require specific controls. The FCA has highlighted concerns about consumer credit firms' AML controls in multiple Dear CEO letters, noting that many firms entered the FCA perimeter from the OFT in 2014 and have not upgraded their controls to FCA standards. The sector has seen enforcement action for failures in CDD and transaction monitoring — including cases where firms failed to conduct any meaningful ongoing monitoring of existing customer relationships. Firms providing credit to SMEs face additional risks around corporate identity fraud, misuse of business lending facilities for personal benefit, and the layering of illicit funds through business accounts.

Wealth management firms handle high-risk customer relationships by default. PEPs (both domestic and foreign), high-net-worth individuals, trusts, family offices, offshore structures, and customers with complex multi-jurisdictional arrangements all present elevated money laundering risk. The FCA expects wealth managers to have sophisticated EDD processes, including independent verification of source of wealth and source of funds through documentary evidence (not just customer declarations), enhanced ongoing monitoring of transaction patterns that goes beyond automated threshold alerts to include relationship manager assessments and periodic reviews, and senior management approval for PEP relationships under regulation 35(3). The sector has seen significant enforcement action — the FCA fined Julius Baer International Limited GBP 18 million in 2022 (in a case related to bribery and corruption risks) and has taken action against multiple firms for failures in PEP due diligence and for facilitating the movement of potentially illicit funds through investment products and offshore structures. The key lesson from these cases is that high-quality EDD at onboarding is not sufficient — ongoing monitoring must be equally rigorous, and relationship managers must be trained and empowered to escalate concerns.

Frequently Asked Questions

How often should a firm update its business-wide risk assessment?

The Money Laundering Regulations 2017 (regulation 18) require firms to keep their risk assessment up to date. In practice, the BWRA should be formally reviewed at least annually and updated whenever there is a material change to the firm's business — such as entering new markets, launching new products, onboarding new customer types, or in response to emerging typologies identified by the NCA or FATF. The FCA expects the BWRA to be a living document, not an annual compliance exercise.

What qualifies as enhanced due diligence and when is it required?

Enhanced due diligence (EDD) is required in situations presenting a higher risk of money laundering or terrorist financing. This includes politically exposed persons (PEPs), correspondent banking relationships, customers from high-risk third countries identified by the EU or FATF, and any situation where the firm's risk assessment identifies elevated risk. EDD must go beyond standard CDD — it requires understanding the source of wealth and source of funds, obtaining senior management approval for the relationship, and conducting enhanced ongoing monitoring.

What is the MLRO's liability if SARs are not filed correctly?

The MLRO has personal criminal liability under POCA sections 330-332 for failure to disclose knowledge or suspicion of money laundering. If a nominated officer receives an internal report and fails to make a SAR to the NCA where there are reasonable grounds for suspicion, they commit a criminal offence punishable by up to five years' imprisonment. This personal liability makes the MLRO role one of the most consequential in any regulated firm. Firms must ensure the MLRO has adequate authority, resources, and access to information.

Does the FCA regulate financial crime compliance differently for small firms?

The FCA applies proportionality but not exemption. Small firms are expected to have the same categories of controls — BWRA, CDD, ongoing monitoring, SAR reporting, training — but the depth and complexity should be proportionate to the firm's size, nature, and risk profile. A sole-trader IFA with 50 clients requires a different scale of transaction monitoring than a payments firm processing millions of transactions. However, the FCA has found that small firms are disproportionately targeted by criminals precisely because their controls are weaker, making proportionate but effective controls essential.
