As the year draws to a close, there is the sense of a major shift in the regulatory landscape, with the Financial Conduct Authority (FCA) set to become the single supervisor for anti-money laundering and counter-terrorist financing (AML/CTF) across legal, accountancy, and trust and company service providers. This transition is expected to introduce a harmonised approach to oversight and supervision together with enhanced enforcement capabilities. In this final edition of ‘In the Know-Financial Crime’ for 2025, we cover the FCA’s recent review of Annex 1 financial institutions alongside the outcomes of its multi-firm review on risk assessment processes, the latest Economic Crime Survey findings, and a joint Amber Alert from sanctions enforcement agencies around shadow fleet operations and associated money laundering and sanctions risks. This edition is authored by Lisa Lee Lewis and Ross McCartney. Together, we explain why firms should prepare for changes to risk management and compliance systems and controls, adopt tailored, evidence-based financial crime risk management methodologies and avoid sanctions blind spots.

FCA to become single supervisor for AML/CTF in professional services
The government announced in October 2025 that the FCA should take over responsibility for AML/CTF supervision of legal, accountancy, and trust and company service providers (TCSPs). HM Treasury has since launched a consultation on reforms that aim to simplify oversight across professional services, by appointing the FCA as the Single Professional Services Supervisor (SPSS). Amendments are proposed to the Money Laundering Regulations (MLRs) to harmonise the regime and strengthen the regulator’s gatekeeping, supervisory and enforcement powers. The consultation runs from 6 November 2025 to 24 December 2025.
The full consultation is available here
Background to the proposals
Currently, AML/CTF supervision for legal, accountancy, and TCSPs is shared between 22 professional body supervisors and HMRC. The consultation explains that “sometimes with multiple entry points into AML/CTF-regulated services for the same types of firms - creates gaps and inconsistencies that corrupt actors may exploit”, and “where applicable, existing duties and powers in the MLRs may be extended and may need to be strengthened to address gaps or inconsistencies in the MLRs”. The government’s solution is a single public sector supervisor, the FCA. Since its last evaluation in 2018 by the Financial Action Task Force (FATF), the UK has prioritised the strengthening of its AML/CTF supervision regime. The consultation seeks to respond to areas identified from the FATF’s UK evaluation. The FCA’s appointment as SPSS is intended to protect the UK’s reputation as a global financial centre and deliver a more transparent regulatory framework under public oversight by aiming to simplify a complex multi-regulatory system.
Practical implications
The change in supervisor would not affect firms’ obligations under the MLRs, and the consultation indicates that firms already in full compliance should not be required to amend their AML/CTF controls. Nonetheless, firms may observe differences in the way the FCA operates or supervises a much larger population, if the reforms go ahead.
In relation to the FCA’s expanded supervisory responsibilities, the consultation indicates that the FCA will:
- implement a risk-based approach, enabling the targeted allocation of resources to those accountancy, legal, trust, and company service providers assessed as presenting the highest risk within the UK;
- develop and maintain sector-specific expertise to address the distinct characteristics and regulatory requirements of each sector under its supervision;
- receive dedicated funding to support its enhanced role, facilitating the recruitment and training of specialist personnel, investment in advanced technology, and effective preparation for its additional functions; and
- possess the capability to undertake robust enforcement action, where appropriate, thereby promoting compliance and ensuring that decisive measures are taken against the minority of firms found to be wilfully negligent or complicit.
The FCA is likely to adopt a supervisory model for professional services firms similar to the standards applied to financial services firms to demonstrate its effectiveness in carrying out its new role.
The change is likely to warrant, among other things, an assessment of, and potential adjustments to, internal processes, management information and governance arrangements, and firms will need to understand and adapt to new registration, supervisory approaches, and reporting obligations.
AML/CTF Supervision Report 2024-2025
The latest data in HM Treasury’s thirteenth statutory overview of UK supervisory activity highlights some of the differences in approach between supervisors, in terms of methodologies, metrics and enforcement approaches. Overall, it supports a conclusion that there is divergence in risk categorisation, monitoring intensity and sanctions. Gatekeeping checks differ, creating uneven entry standards, and enforcement outcomes also show variances. The report does, however, describe commonalities, especially in the common failings identified, such as weak policies, inadequate CDD/EDD, and poor client risk assessment and record-keeping. These remain issues across all supervised populations. It is also of note that supervisors have found measurable inadequacy rates across suspicious activity reports (SARs), that unregistered activity has triggered enforcement by supervisors, and that all have been active in imposing fines, prosecutions and cancellations, among other sanctions.
Firms should proactively engage with the HMT consultation on reforms that aim to simplify oversight across professional services by appointing the FCA as the SPSS, review their compliance readiness, and prepare for a new supervisory regime that is expected to result in changes to supervisory approaches and transparency requirements. The consultation closes on 24 December 2025, and timely, informed responses will be critical in shaping the final legislative and operational framework. Our team are here to help.
Annex 1 risk assessment processes and financial crime controls in firms: our findings
In October 2025, the FCA launched an anti-money laundering (AML) review of Annex 1 firms, requiring responses to a mandatory questionnaire by 1 December 2025. The FCA has consistently emphasised that it is focused on Annex 1 firms and their financial crime controls. There is increased focus on the potential inadequacy of regulated firms’ financial crime risk assessment processes and controls. This is at a time when the regulator's approach is evolving from advisory guidance to supervisory intervention in this area.
Here we draw out some key themes and messages for Annex 1 institutions from this and other recent developments.
Background and context
Previously, FCA reviews have consistently identified significant weaknesses in firms’ financial crime prevention controls.
In March 2024, the FCA issued a "Dear CEO" letter to around 1,000 Annex 1 firms, which warned about weaknesses in their AML frameworks and gave firms six months to conduct a gap analysis of their financial crime controls and remediate any failings. Eighteen months later, in October 2025, the FCA published its Annex 1 questionnaire, which marks a clear shift from advisory guidance to supervisory intervention, requiring firms to evidence their controls. Firms that treated the “Dear CEO” letter as optional must now prove that improvements have been made.
Against this backdrop, on 20 October 2025, the FCA published the results of its corporate finance firms’ financial crime controls survey, which revealed that:
- 11% of firms lacked documented Business-Wide Risk Assessments (BWRA);
- 10% lacked evidence of CDD checks; and
- 27% did not use a Customer Risk Assessment (CRA) form.
On 11 November 2025, the FCA published its multi-firm review on risk assessment processes and controls, revealing weaknesses in how firms identify and manage financial crime risks. It found that, while some firms demonstrate strong governance and data-driven approaches, many rely on generic templates, fail to link risk assessments to business strategy, and neglect to reassess controls as their operations evolve.
The FCA’s survey findings paint a picture of inconsistency across the industry.
Poor versus good practice
Reliance on generic, template-driven processes that fail to reflect the nuances of a particular firm’s business model is not considered sufficient. Risk assessments that lack depth, with little evidence of integration into broader governance frameworks, will likely expose the firm to criticism and regulatory scrutiny. Over-reliance on qualitative judgement, and a lack of quantitative techniques such as risk scoring or weighted factors, are recurring weaknesses. Firms rarely articulate why risks are rated as high, medium, or low, nor do they record residual risk—indicating that risk assessment remains a compliance tick-box rather than a strategic tool.
Missing documentation and governance shortcomings further compound these weaknesses, with inconsistent senior management engagement and weak challenge processes. Risk assessments should not operate in silos, disconnected from governance or risk and compliance frameworks.
The failure to register as a catalyst for inadequate controls
The FCA expects firms it regulates for AML/CTF to adopt tailored and evidence-based methodologies for risk assessments, integrate risk outcomes into decision-making, and ensure senior management accountability. Failure to act could lead to supervisory intervention (such as skilled person reviews) and reputational damage from regulatory intervention as well as enforcement under the MLRs.
However, unregistered Annex 1 financial institutions that have failed to appreciate their need to have such controls in place may be several steps behind and face a greater challenge. The core issue is often a misunderstanding of regulatory scope. These institutions are usually conducting specific, unregulated financial services activities, but must nevertheless be registered for AML/CTF supervision if they fall within scope of the MLRs. Activities such as certain types of lending, factoring (with or without recourse) and financing of commercial transactions (including forfeiting) fall within the "Annex 1" definition. The FCA has also noted discrepancies between firms' registered and actual activities, and highlighted the issue of firms expanding into activities that require registration without realising.
The FCA’s enhanced monitoring of Annex 1 firms and its focus on their financial crime controls make it imperative for all such firms to regularly assess the scope of the MLRs and determine whether they are (or need to be) registered. Where the answer to that is yes, they must align their risk assessments against the standards expected by the regulator.
Concluding thoughts for Annex 1 firms
Annex 1 firms can demonstrate good practice by integrating risk assessments into strategic planning, applying structured methodologies, and maintaining clear audit trails. By adopting a data-driven approach that combines qualitative insights with quantitative modelling, and by regularly reviewing and refreshing their assessments, firms can evidence their commitment to robust financial crime prevention.
Our team is happy to share our findings and highlight good and poor practice to help our clients reflect on how they are meeting the existing risk assessment requirements.
Call out points from the latest Economic Crime Survey
The Home Office’s latest Economic Crime Survey was published on 5 November 2025. It reveals that fraud continues to dominate the landscape, remaining the most prevalent economic crime affecting UK businesses. Bribery, money laundering and financial sanctions are also highlighted and similarly carry significant reputational and regulatory risks. Financial sanctions remain poorly understood, with criminality underreported and risk therefore mismanaged. For regulated financial services firms, the findings underscore the need for proactive risk management across all areas of financial crime.
Here, we summarise some of the need-to-know facts and figures from the survey.
The survey, conducted by Ipsos for the Home Office, is the first to examine fraud, corruption (bribery), money laundering, and financial sanctions across all categories of businesses with employees in the UK. It builds on the similarly named 2020 survey, but introduces a new methodology, focusing on incidents within the past 12 months.
Survey findings
- 27% of businesses experienced fraud in the past year, with an estimated 6.04 million incidents. Costs averaged £2,090 per business, rising to £4,890 for medium/large firms. Fake invoice fraud (11%), mandate fraud (7%), and investment fraud (6%) were most frequent. Cyber-facilitated fraud accounted for 40% of the most recent cases.
- 3% of businesses experienced bribery, with an estimated 117,000 bribes offered and 64,900 given. Only 5% were reported externally.
- 2% of businesses experienced money laundering incidents, totalling 225,000 cases. Detection relied heavily on informal methods.
- Awareness of financial sanctions was put at only 17%, creating compliance blind spots. This figure rises to 58% among regulated firms.
Underreporting clearly remains an issue, particularly for bribery and money laundering, and the true economic impact may be higher than the findings reveal.
Key takeaways
For regulated firms, the message is unequivocal: strengthen governance, streamline reporting, and embed a culture of vigilance. The survey underscores the need to challenge assumptions of low risk and invest in proportionate controls. Practical takeaways include enhancing cyber resilience, updating anti-bribery controls, ensuring AML, CTF and CPF compliance, and implementing systematic sanctions checks.
Economic crime is not static; neither should the response be. Our experts are here to help.
Shadow fleet - Amber Alert issued jointly by the UK NCA and OFSI
Shadow fleet vessels typically exhibit opaque ownership structures, and frequent reflagging and renaming to obscure control. They often have disabled tracking transponders, deploy covert ship-to-ship transfers, and use falsified documentation to disguise the origins of cargo they are carrying. Financial flows linked to these activities involve money laundering - layering transactions through high-risk jurisdictions and front companies, some characterised by sudden changes in payment instructions. All this is designed to circumvent regulatory oversight. The latest National Crime Agency (NCA), Office of Financial Sanctions Implementation (OFSI), and Foreign, Commonwealth & Development Office (FCDO) Amber Alert highlights this growing threat and calls on financial institutions, insurers, and shipping companies to strengthen due diligence procedures.
Key shadow fleet money laundering and sanctions risks
The latest Amber Alert builds on a Red Alert issued in July 2025, which focused specifically on Russian shadow fleet operations, now adding Iran and North Korea.
Financial flows linked to typical shadow-fleet style operations appear to follow discernible patterns. For instance, payments are routed through layered transactions involving multiple intermediaries, often in high-risk jurisdictions or using non-transparent payment methods. Front companies and complex trade finance arrangements are common, as is reliance on insurers and brokers who fail to conduct adequate due diligence.
Red flags include sudden changes in payment instructions, counterparties with no clear business rationale, and links to entities previously associated with sanctions breaches.
Practical checklist for performing due diligence around shadow fleet risks
- Verify beneficial ownership and identify links to sanctioned entities.
- Review vessel history for frequent reflagging, renaming, or changes in ownership.
- Check for registration in high-risk or permissive jurisdictions.
- Validate cargo documentation (bills of lading, certificates of origin) for authenticity.
- Assess payment flows for layering, use of intermediaries, or sudden changes in instructions.
- Confirm counterparties’ legitimacy and business rationale.
- Ensure insurers and brokers are known to undertake robust sanctions screening.
Common red flag indicators
- Reluctance to disclose beneficial ownership or vessel history.
- Unusually favourable freight or insurance terms.
- Incomplete or inconsistent documentation.
Overall, as the regulatory supervisory environment is consolidating, there is a clear cross-industry shift towards more data-driven and transparent approaches to financial crime prevention. Firms should engage with consultations, proactively review their risk management and compliance frameworks, conduct gap analyses and assurance reviews, and be prepared for changes in supervisory approaches by understanding the breadth and depth of supervisory and enforcement powers.
For support with sanctions compliance, please contact us.