The FCA has recently published its multi-firm review, Risk assessment processes and controls in firms: our findings (11 November 2025), which focuses on how regulated firms are conducting business-wide risk assessments (BWRAs) and customer risk assessments (CRAs).
Weak risk-assessment frameworks can invite regulatory scrutiny, so firms should consider whether the review findings warrant changes to their approach.
A range of firms participated, spanning building societies, platforms, custody and fund services, payments firms, and wealth management. The review findings are therefore of wide application.
The review evaluated firms’ risk assessment controls against a number of regimes/guidance, including the Money Laundering Regulations 2017, the FCA’s Financial Crime Guide, the Senior Management Arrangements, SYSC rules, and Joint Money Laundering Steering Group (JMLSG) and Financial Action Task Force (FATF) guidance.
Key Findings – Good and Bad Practice
Identifying, Understanding and Assessing Risk
Firms were praised for:
- Carrying out both quantitative and qualitative assessments, considering a range of internal and external factors, using weightings/sub-factors in CRAs, and identifying inherent risks, control effectiveness and residual risk.
- Reviewing BWRAs formally and in detail on an annual basis (rather than simply “refreshing” them).
- Tailoring assessments to the firm’s products and customers.
- Integrating the firm’s risk appetite with its BWRA/CRA processes.
Examples of poor practice included:
- Generic risk assessments.
- Partial coverage of relevant risk areas, e.g. focusing mostly on fraud and ignoring other key financial crime risks.
- Qualitative-only assessments with no quantitative dimension.
- A lack of clarity: e.g. firms could not explain how risks were being managed and mitigation applied, or lacked evidence to support conclusions that risks were “low”.
Mitigating Risk
Good practice included:
- Firms considering compliance function capacity alongside business growth – “plan for compliance alongside growth”.
- BWRAs/CRAs feeding into controls-testing and having direct operational impact.
- Tracking actions/recommendations from risk assessments, assigning ownership, and monitoring progress.
The inverse was highlighted as poor practice: firms whose CRAs and controls had not evolved in line with business growth, and a lack of records of actions or owners of actions coming out of the risk assessment process.
Managing Risk
Examples of good practice in managing risk:
- Senior oversight and challenge of BWRAs/CRAs, including discussion of risk-assessment documents and summaries with senior management/committees, and MLRO involvement.
- Detailed documentation of methodologies, logging of changes, formal review processes, and regular updates of risk-assessment models.
- Linking CRA processes into business continuity planning.
Poor practice examples:
- A lack of documented senior management discussion and challenge of risk-assessments.
- Senior management’s understanding being skewed towards fraud rather than covering the wider spectrum of financial-crime risks.
- Static risk-assessment approaches that were not responsive to emerging risks or regulatory change.
- Limited testing or review.
Importance of these Findings for Firms
The FCA emphasizes that firms should already be complying with existing requirements to “understand the risks your business is exposed to” and “have robust financial crime systems and controls to manage and mitigate those risks”. There have been numerous nudges to firms on the topic of risk assessments via the FCA’s publications and many of the themes highlighted will be familiar to compliance practitioners.
Weak risk-assessment frameworks or deficiencies in governance/documentation will be readily apparent early in any engagement with the FCA and will of themselves expose firms to regulatory interventions, as well as increasing the risk of underlying systems and controls failings being identified. The review highlights “good practice” that “goes beyond the minimum regulatory requirements”, but experience suggests that today’s good practice will be tomorrow’s regulatory expectation. Although the FCA’s latest enforcement report shows that numbers of investigations have declined, financial crime continues to be a focus for many investigations opened and financial penalties have risen significantly.
The review highlights weak senior-management challenge and oversight of risk-assessment documents as a concern. Directors and senior managers (including MLROs/Heads of Compliance) may therefore be exposed to personal criticism if oversight is found to be wanting.
Firms that have seen significant growth should pay particular attention to the review findings, as the FCA identified “growth outpaces risk-assessment” as a poor-practice theme.
We have seen several recent examples of risk assessments and their gestation being closely scrutinized in skilled person reviews and enforcement investigations involving firms across a range of sub-sectors. That trend can be expected to continue in 2026.