FCA Highlights Good and Poor CDD Practices
In April 2026, the FCA published new insights into how firms are meeting their obligations under anti-money laundering (AML) regulations, with a particular focus on Customer Due Diligence (CDD) and onboarding controls.
The findings are based on multi-firm supervisory engagement across a range of FCA-authorised firms and highlight examples of both good and poor practices. While the review spans multiple sectors, the implications are particularly relevant for insurers and intermediaries, given their exposure to AML risks through third-party introducers and high-volume onboarding models.
The FCA’s message is clear: AML responsibilities cannot be outsourced. They must be embedded in a proportionate yet robust manner within firms’ operational frameworks.
Key FCA Findings:
Risk Assessments Must Be Tailored
The FCA identified instances where firms relied on generic AML risk assessments that were disconnected from the firm’s actual business model, customer profiles, and risk exposure.
Stronger firms demonstrated a more granular approach, using data and analytics to inform risk-based onboarding and ongoing monitoring. This reflects a broader expectation that risk frameworks must be dynamic and evidence-led.
Over-Reliance on Introducers or Third Parties
Several firms were found to rely too heavily on introducers or third parties to carry out due diligence, without sufficient oversight or verification.
The FCA has reinforced that responsibility remains with the regulated firm. Reliance on third parties does not remove accountability and must be supported by robust oversight frameworks.
Inadequate EDD and Ongoing Monitoring
Weaknesses were identified in Enhanced Due Diligence (EDD) and ongoing monitoring, particularly for higher-risk customers or more complex distribution chains.
Firms demonstrating good practice had implemented automated triggers, risk-based review cycles, and escalation mechanisms aligned to customer risk profiles.
Poor Record Keeping and Governance
In some cases, AML documentation was incomplete, inconsistent, or difficult to retrieve. This raises concerns around auditability and regulatory readiness, can result in regulatory breaches, and reduces the defensibility of the audit trail in enforcement scenarios.
More effective firms maintained centralised, accessible records, supported by clear governance structures, regular reporting, and defined SMF accountability.
Positive Practices Identified
Other examples of strong practice the FCA identified include structured onboarding frameworks aligned to risk ratings, comprehensive staff training, and management information dashboards tracking completion of AML checks.
Good vs Poor Practice Highlights
| Area | Good Practice | Poor Practice |
| --- | --- | --- |
| CDD Onboarding | Tiered onboarding based on customer risk profile | One-size-fits-all onboarding regardless of customer type |
| Use of Introducers | Verification of introducers’ credentials and regular audits | No due diligence on introducers and blind reliance on external checks |
| EDD & Monitoring | Proactive flagging of red flags, dynamic risk scoring | Infrequent reviews, no escalation mechanisms |
| Record Keeping | Digital audit trail with accessible CDD records | Fragmented documentation and reliance on individual team members |
| Training & Oversight | Annual AML training and SMF-level ownership | Outdated training and unclear lines of accountability |
What Should Firms Do Next
Review Your CDD Risk Framework
Reassess whether your AML risk assessment reflects your actual customer base, products, and distribution model. Avoid generic templates and ensure the framework is evidence-based.
Audit Introducer Relationships
Review all introducer arrangements and implement formal due diligence processes, including regular oversight and validation of third-party controls.
Enhance EDD and Monitoring
Define clear thresholds for Enhanced Due Diligence and ensure monitoring is risk-based, supported by appropriate management information and escalation routes. Ensure trigger events and thresholds are clearly defined and periodically reviewed.
Strengthen Governance and Accountability
Ensure AML risks are visible at board level, with clearly defined ownership under a Senior Management Function. Governance frameworks should support effective oversight and challenge.
Invest in Staff Training
Embed AML and CDD awareness across the business. Frontline and operational teams, not just compliance functions, should understand their role in identifying and managing risk. Include scenario-based training and regular refreshers to maintain frontline awareness.
Key Messages
The FCA’s review reinforces a consistent message: effective AML controls are not about documentation alone, but about how well frameworks operate in practice.
For insurers and intermediaries, this means ensuring that CDD processes are tailored, oversight is robust, and monitoring is continuous and risk-driven. Weaknesses in introducer management, data quality, or governance will increasingly come under scrutiny.
Firms that take a proactive approach, strengthen their control frameworks, and embed accountability across the business will be better positioned to meet regulatory expectations and manage financial crime risk effectively.
