ARTICLE
22 December 2025

FCA Publishes Findings On Firms' Risk Assessments And Criticises Poor Practice

KG
K&L Gates LLP


On 11 November 2025, the Financial Conduct Authority (FCA) shared its findings following its review of risk assessment processes and controls in firms subject to its regulation. The FCA's review considered both business-wide risk assessments (BWRA) and customer risk assessments (CRA).

The FCA's findings highlight examples of good and bad practices which can be adopted when identifying, mitigating and managing risk. They are particularly important to firms, money laundering reporting officers (MLROs), senior managers and professionals in the risk assessment and financial crime prevention areas.

The BWRA and CRA systems were assessed against a regulatory backdrop comprising the Money Laundering Regulations 2017, the FCA's Financial Crime Guide, the Senior Management Arrangements, Systems and Controls (SYSC) sourcebook, Joint Money Laundering Steering Group guidance and Financial Action Task Force guidance.

FCA's Findings

The FCA found that many firms' BWRAs and CRAs are unsatisfactory. BWRAs were identified as untailored to the specific business circumstances and focussed on generic risks. The FCA found that senior management often had a limited awareness of financial crime risks, for example focusing on fraud but omitting money laundering, sanctions or bribery risks.

Further, the FCA found that many firms were unable to explain how they managed risk and had not updated their processes in line with business growth.

Below, we discuss how businesses can comply with the regulatory requirements and adopt 'good practice' as set out by the FCA.

Good Practice: Understanding, Mitigating and Managing Risk

Understanding and Identifying Risk

  • Risk assessments should consider both internal and external factors.
  • Risks are to be assessed by business area. Firms should take account of their business model, industry and key stakeholders, including customers. The latter is particularly important considering the FCA's focus on conducting a separate CRA alongside the BWRA.
  • To maintain an accurate assessment, a BWRA should be conducted on a regular basis, ideally annually.
  • It is crucial that senior managers have a sound understanding of the various forms of financial crime risk. Appropriate legal advice can help firms guard against a broad range of risks.

Mitigating Risk

  • Keeping a record of informed actions is key. Firms should document the measures which resulted from identifying risks, so that they can show a clear link between risk assessment and decision making.
  • To mitigate future risks, firms should develop a compliance plan which accurately reflects their growth strategy. Businesses which quickly expand their product offering and client base should make sure that their controls and processes continue to remain appropriate throughout their growth.
  • Customer risks identified in a CRA can be mitigated by undertaking customer due diligence and transaction monitoring. It may be helpful to critically assess the business's broader value chain.

Managing Risk

  • The FCA places a strong emphasis on governance and oversight. Accordingly, senior management should review the BWRA and CRA and play an active role in related discussions. It is also beneficial to document input from the firm's MLRO.
  • Appropriate governance extends to formally documenting risk assessment methodologies, followed by a discussion between the key decision-makers. These models and methodologies should be regularly assessed to make sure they address the dynamic regulatory and risk landscape.
  • Having made the necessary updates to keep the BWRA and CRA up to date, it is important to carry out reviews and testing of the new, enhanced assessments.

Concluding Remarks

The risk landscape is becoming increasingly complex, whether firms operate domestically or internationally. The FCA has set out a clear expectation that firms should be proactive in identifying risks unique to their business, as well as taking appropriate steps to mitigate them.

In addition, the singling-out of the CRA suggests that the FCA expects firms to place significant weight on customer risks.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
