FCA Risk Assessment Review: What are the key actions for firms?
The identification, assessment and mitigation of risk are core to any successful financial crime compliance programme. These are not only regulatory requirements, but also critical tools in ensuring that a firm’s financial crime compliance controls are appropriate, effective and relevant to the business of that firm.
In March 2024, the Financial Conduct Authority (FCA) issued a Dear CEO letter addressed primarily to Annex 1 firms. In the letter, the FCA highlighted the serious consequences of weak financial crime controls, stating that:
“The impact of poor Financial Crime controls can be significant. It can lead to criminals abusing the financial system to launder the proceeds of crime, supporting further criminal activity and damaging the integrity of the UK financial market.”
Among other key findings, the FCA identified weaknesses in Business Wide Risk Assessments (BWRAs) and Customer Risk Assessments (CRAs) at a number of firms reviewed. The FCA made its expectation clear that Annex 1 firms undertake a gap analysis against the issues raised in the letter, including those related to risk, and close any gaps within a six-month timeframe.
In this article, Bruce Viney, Director of Financial Crime Compliance Training, outlines the FCA’s expectations, key findings from the reviews, and the practical actions firms should take now to strengthen risk assessment processes and remain aligned with regulatory standards.
FCA assessment of process and controls – November 2025
Building on the Dear CEO letter highlighted above, in November 2025 the FCA published the findings of a multi-firm review focusing on BWRAs and CRAs.
The review identified several significant weaknesses in how firms assess and manage financial crime risk. In particular, this included the following key themes:
- Failure to identify relevant risks and to tailor the BWRA to the specific business risks
Each firm faces financial crime risks that are specific to its business. The risks are affected by the products and services offered by the firm, the types and locations of its customers, the methods of interaction with new and existing customers, and other factors.
Failure to identify and assess risks that are specific to a firm’s business leaves it vulnerable to criminal activities including money laundering. Focusing on generic risks is less helpful and may miss key risks relating to the specific nature of a firm’s business.
- Larger firms integrating risk assessment activities into business functions and forming aggregated views of risk across the firm
Senior management may find it helpful to have a consolidated view of risk across the firm. However, consolidation of risk events and methodologies can obscure the specific issues relating to financial crime risk identification and mitigation, which in turn may have a negative impact on customer risk assessments and controls. It is important to maintain a clear and separate view of financial crime risks.
- Firms being unable to explain sufficiently how they are managing and mitigating identified risks
It is important for the BWRA to be built upon a strong, methodical approach. This should involve both quantitative and qualitative data, and provide a systematic identification, assessment and mitigation of risk. We have seen examples of risk assessments that were unsystematic and did not follow a set methodology. This may result in failures to identify risk, inconsistency in assessing inherent risk, and a lack of understanding of the effectiveness and appropriateness of mitigating controls.
An effective BWRA should feed into the firm’s risk appetite, and CRAs should link to the firm’s risk management processes, such as due diligence and transaction monitoring.
Recommended actions
These draw upon the examples of good practice set out in the FCA paper.
Identifying, understanding and assessing risk
- Make use of both quantitative and qualitative data. Quantitative data provides the hard information while qualitative data draws upon the knowledge and experience of relevant staff.
- Identification of external factors should be broad enough to encompass the full scope of financial crime risks facing a firm. This should include information from external sources, including the FATF, the UK’s National Risk Assessment and information from other relevant sources.
- Identification of internal factors should be methodical and categorised around risks relating to customers, products and services, distribution channels, jurisdictions, transactions and technologies.
- As well as identifying inherent risks, the BWRA should include a systematic evaluation of the effectiveness of controls and a measurement of residual risk against the firm’s risk appetite. Any residual risk exceeding the firm’s risk appetite may require further controls.
- As stated above, the BWRA should be tailored to the specifics of the individual firm, including its products and customers.
- The BWRA should be fully re-assessed annually, and all aspects of the risk assessment should be fully documented.
Mitigating risk
- The BWRA should be linked to the firm’s risk appetite. In our experience, the two can be used together as a tool to measure the effectiveness of the firm’s compliance regime, for example in assessing the adequacy and appropriateness of people, technology and training.
- Where the BWRA leads to actions for the firm, these should be fully documented including what was done, why and how.
- The BWRA must be reflected in the firm’s approach to customer risk. The level of Customer Due Diligence (CDD) and monitoring must reflect the conclusions from the BWRA. To put it another way, the level of risk assigned to a client must be aligned with the level of risk for that type of client as laid out in the BWRA.
- Financial crime risk should be considered in all new aspects of the firm’s business, including new products or strategies. The FCA’s March 2024 Dear CEO letter highlighted the risk of a business growing faster than its management of financial crime risks, and cautioned that new growth should be matched with new compliance and controls.
- The Money Laundering Reporting Officer (MLRO) is key to the BWRA and CRA controls, and should be represented on relevant committees.
Managing risk
- Senior management, including the MLRO, are responsible for ensuring that the firm is fully compliant with all laws, regulations and regulatory requirements. This requires senior management to review and challenge the BWRA, including any trends or conclusions reached. Challenges should be documented.
- CRA processes should be considered in business continuity plans.
- The risk assessment methodologies used must be appropriate, relevant and consistently applied. Accordingly, these need to be fully documented, logged, discussed, challenged and signed off at an appropriate level.
- The BWRA and CRAs should be subject to regular review. Criminal techniques and typologies are rapidly evolving, regulations are constantly updated, and business models and strategies change. Firms must ensure that the BWRA reflects these changes and remains current and effective. In addition to an annual review, there should be procedures to update the BWRA quarterly or when triggered by a specific event.
- The BWRA should be adjusted as appropriate, using weightings to measure significance, or through sub-factors to provide granularity.
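The arithmetic behind the points above (weighted sub-factors giving an inherent score per category, control effectiveness reducing it to residual risk, and residual risk compared against the firm’s appetite) is easier to see worked through. The following is an added, constructed illustration and is not the FCA’s or the author’s method; the 1 to 5 scale, the weights, the sample factors and the appetite threshold are all assumptions.

```python
from dataclasses import dataclass

# Constructed illustration of one BWRA scoring approach: weighted sub-factors
# give an inherent score per category, control effectiveness reduces it to a
# residual score, and residual scores are compared with the firm's appetite.
# The scales, weights and sample factors below are assumptions, not FCA guidance.

@dataclass
class SubFactor:
    name: str
    inherent: int     # 1 (low) .. 5 (high), from quantitative and qualitative input
    weight: float     # relative significance within its category

@dataclass
class Category:
    name: str
    sub_factors: list
    control_effectiveness: float  # 0.0 (no mitigation) .. 1.0 (fully effective)

def inherent_score(cat: Category) -> float:
    """Weighted average of the sub-factor scores, staying on the 1..5 scale."""
    total_weight = sum(sf.weight for sf in cat.sub_factors)
    return sum(sf.inherent * sf.weight for sf in cat.sub_factors) / total_weight

def residual_score(cat: Category) -> float:
    """Residual risk after controls; a fully effective control leaves 0."""
    return round(inherent_score(cat) * (1.0 - cat.control_effectiveness), 2)

def appetite_breaches(categories, appetite: float) -> list:
    """Categories whose residual risk exceeds appetite and may need further controls."""
    return [c.name for c in categories if residual_score(c) > appetite]

# Constructed sample BWRA using categories named in the article.
SAMPLE_BWRA = [
    Category("customers", [SubFactor("PEPs", 5, 2.0), SubFactor("non-resident", 3, 1.0)], 0.5),
    Category("products", [SubFactor("cross-border payments", 4, 1.0)], 0.7),
    Category("distribution channels", [SubFactor("non-face-to-face onboarding", 4, 1.0)], 0.3),
    Category("jurisdictions", [SubFactor("FATF high-risk countries", 5, 1.0)], 0.8),
]

if __name__ == "__main__":
    for c in SAMPLE_BWRA:
        print(f"{c.name}: inherent={inherent_score(c):.2f} residual={residual_score(c)}")
    # With an assumed appetite of 2.0, customers and distribution channels are flagged.
    print("above appetite:", appetite_breaches(SAMPLE_BWRA, 2.0))
```

Changing a weight or a control effectiveness figure and re-running shows how the sub-factors and weightings mentioned above move a category across the appetite line.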
How to ensure your firm’s BWRA and CRA are in line with FCA expectations
The BWRA and the CRAs form the foundation of an effective financial crime compliance programme. Many enforcement actions reflect failures in a firm’s assessment and management of relevant risks, both at the BWRA level and at the CDD level, since CRAs drive the mitigating controls applied to customer risk.
The FCA paper reflects the regulator’s ongoing focus on ensuring that firms systematically, effectively and proactively identify, mitigate and manage risks.
To ensure your firm’s BWRA and CRAs are aligned with regulatory expectations, it is vital to:
- Carry out a gap analysis against the FCA paper to ensure that your assessments are fully in line with expected best practice.
- Ensure that the BWRA is fully implemented across the firm, and drives the firm’s risk mitigation controls.
- Ensure that senior staff ‘walk the talk’ by reinforcing the findings and messages arising from the assessment.
- Ensure that relevant staff are fully trained in the identification of risks.
- Maintain the BWRA as a ‘live’ document – avoid a ‘file and forget’ mentality.
How we can help
Our training solutions include live, focused, in-depth training that provides a deeper understanding of the FCA and international requirements related to BWRAs. See our range of related courses below and get in touch to find out more.
About the Author
Bruce has been working in financial services for nearly 40 years, 25 of these as a learning professional focusing on compliance for a wide range of financial services companies, mainly through the analysis, design, creation and implementation of global training programmes for Tier 1 Banks and FTSE 100 companies. He has been Global Head of Compliance Learning for such firms three times and has provided compliance learning consultancy to similar companies many times.
Bruce has also provided compliance training and consultancy in other fields such as real estate, industrial supply chains, charities, payment services providers, gambling and casinos and many others.
A former Director of Training for CISI, Bruce has extensive experience of compliance and financial services-related qualifications and qualified as a Chartered Accountant with Price Waterhouse (as it was then known).
Bruce provides excellent training events on compliance, with a specific focus on financial crime, including all aspects of anti-money laundering, anti-bribery and corruption, fraud and sanctions.