
Key practical takeaways from the FCA’s latest review of CDD and EDD

On 8 April 2026, the Financial Conduct Authority (FCA) published the results of its multi-firm review of Customer Due Diligence (CDD), Enhanced Due Diligence (EDD), and ongoing due diligence controls. The FCA’s objective in publishing the findings is to “raise standards and share practical insights”.

Financial crime remains a top priority for the FCA. The publication of these findings gives firms an opportunity to self-assess their controls and practices against the examples of good and poor practice provided by the FCA, and to target enhancements in areas of focus for the regulator.


1. Policies and Procedures

Good practice identified by the FCA includes policies that clearly distinguish between EDD and standard CDD and set out, using a risk-based approach, what measures should be carried out in relation to each, as well as “comprehensive and detailed control frameworks” for identifying PEPs.

Shortcomings identified by the FCA include:

  • A lack of detail or practical guidance for staff identifying a customer and verifying their identity, including insufficient explanation of what alternative evidence can be obtained and used when a customer lacks standard forms of identification.
  • Policies that fail to explain what additional measures should be taken for the purposes of EDD.

2. CDD and EDD

The FCA found that “stronger performing firms” documented each stage of the EDD process and were able to demonstrate clear governance and oversight arrangements, including clear requirements for senior management sign-off (e.g. through compliance committees) in specific scenarios or for specified customer types.

Failure to gather or record information on the purpose and intended nature of business relationships is cited as an example of poor practice.


3. Ongoing Monitoring

Failures to define review cycles and to conduct periodic reviews of customers are identified as examples of poor practice. The FCA also observed that some firms failed to clarify when event-driven reviews are required.

The requirements in the Money Laundering Regulations regarding ongoing monitoring were articulated in the FCA’s Nationwide Final Notice (December 2025):

Periodic reviews involve a firm reviewing customer relationships at defined intervals, with the frequency dictated by the customer’s risk assessment. Event-driven or trigger reviews involve customer reviews occurring outside of this set schedule, when events take place impacting on the risk presented by the customer. It is for firms to determine what events should trigger such a review as part of an overall effective framework.


4. Compliance Monitoring and Audit

Perhaps most interesting are the FCA’s findings on the depth and independence of compliance monitoring and audit.

The FCA notes that “stronger performing firms operate independent third line testing that assessed controls across customer onboarding and due diligence”, with documented findings that were acted upon. Examples of good practice include thematic reviews carried out using external parties or internal audit functions, and clear cycles for ongoing assessment. 

Where there is “no independent second line assurance, with the same staff responsible for both onboarding and reviewing customers”, the FCA raised “questions about impartiality and effectiveness of testing”.

Further examples of poor practice identified by the FCA include a lack of detail on how firms were checking for quality control and no version control of documents, meaning a firm could not provide an audit trail of reviews or changes made.
