
FCA Findings and BWRA Best Practice

26 Nov 2025

Introduction: The Regulatory Imperative


The Financial Conduct Authority (FCA) recently published the findings from its multi-firm review of financial crime risk assessment processes and controls. This review serves as a crucial reminder: the Business-Wide Risk Assessment (BWRA) is not merely a documentation exercise; it is the legal and operational foundation of a firm's entire anti-financial crime framework, required under Regulation 18 of the Money Laundering Regulations 2017 (MLR 2017). A meaningful BWRA is what allows a firm to apply the mandatory risk-based approach, tailoring its controls to the threats it actually faces rather than to a generic sector profile.


The FCA's findings highlight significant gaps where firms rely on generic templates and manual processes rather than a tailored, evidence-based assessment of their own business.



Section 1: The Good Practice - What the FCA Wants to See


Firms that demonstrated effective control frameworks typically exhibited the following traits:

  • Holistic Risk Taxonomy: They accurately identified all required risk groups, moving beyond basic money laundering (ML) to encompass Proliferation Financing (PF), Terrorist Financing (TF), and Sanctions Evasion within their BWRA structure.

  • Granular Categorisation: Risk factors were broken down and scored across the five core pillars: Geographic, Customer, Product/Service, Transactional, and Delivery Channel. This produced a structured, reproducible inherent risk score for each pillar rather than a single undifferentiated rating.

  • Dynamic Linkage to Controls: The inherent risks identified were directly and demonstrably linked to corresponding mitigating controls. They clearly showed how their controls (e.g., enhanced due diligence, transaction monitoring rules) were designed specifically to address the risks identified.

  • Board-Level Ownership: Senior Management and the Board received clear, relevant Management Information (MI) on the firm's residual risk profile and the effectiveness of controls, enabling proactive oversight.



Section 2: Common Poor Practice - The Pitfalls to Avoid


The FCA noted several recurring themes of inadequacy, primarily stemming from reliance on legacy, manual systems:

  • Generic Templates & 'Copy-Paste' Risk: Firms failed to adequately tailor the BWRA to their specific business model. They used generic sector-wide templates without accurately mapping the unique products (e.g., complex derivatives, virtual assets) or delivery channels (e.g., digital onboarding) they actually use.

  • Static Annual Reviews: Assessments were treated as a static annual compliance checklist rather than a living document. There was no process to continuously integrate new regulatory intelligence, enforcement outcomes, or internal control failures back into the risk score.

  • Control Effectiveness Gaps: Firms often scored their controls as highly effective without objective, documented evidence. They failed to differentiate between the existence of a control (e.g., "We have a policy"), its design (does the control address the risk it is mapped to?), and its actual operational effectiveness (e.g., "Testing shows our monitoring system captures 98% of high-risk transactions"). An effectiveness score that is not backed by testing results, tuning output or quality-assurance sampling is an assertion, not evidence.

  • Insufficient Detail on Specific Risks: PF and TF risk were often addressed vaguely or omitted entirely, despite being legally required under the MLR 2017 (TF under Regulation 18, and PF under Regulation 18A, inserted by the 2022 amendments).



Section 3: The Digital Imperative - Moving Beyond Excel


The common theme in the FCA’s critique is the failure of spreadsheet-based systems to cope with the complexity and dynamism of modern financial crime.


A purpose-built digital solution, like ComplyLens, addresses these failures by:

  1. Enforcing a Regulator-Aligned Taxonomy: Ensuring all mandatory risk groups (ML, TF, PF, Sanctions, and Bribery & Corruption (B&C)) are covered, broken down by Geographical, Customer, Product, Transactional, and Channel risk factors.

  2. Providing a pre-defined detailed risk taxonomy and methodology: Ensuring a consistent, regulator-aligned scoring methodology is used across all risk groups (ML, TF, PF, Sanctions, B&C) from day one, so that scores are comparable across business units and over time.

  3. Enabling the ability to tailor risk models to different parts of the business: Allowing risk officers to customise assessments based on the unique products, customers, and operations of specific business units (e.g., Wealth Management vs. Investment Banking).

  4. Delivering the ability to effectively manage and mitigate identified risks: Providing a centralized system to link inherent risks directly to mitigating controls, score control effectiveness, and calculate a verifiable Residual Risk.

  5. Providing an Immutable Audit Trail: Creating a clear, auditable link from the inherent risk factor to the mitigating control, the evidence behind its effectiveness score, and the final sign-off, so that the firm can evidence to the FCA how each score was reached and who approved it. An audit trail only carries that weight if entries are append-only and changes to a score or control rating are recorded rather than overwritten.
