The FCA's updated (2025) paper on MLTM is based on reviews of a sample set of wholesale broker firms, with the firms in question apparently having been identified using the FCA's own data analysis to cover a range of sizes and business models. Involvement in previous FCA supervisory work and perceived financial crime risk were also factors in the FCA's selection.

In its last Thematic Review of the area (back in 2019, TR19/4), the FCA identified a series of risk typologies for MLTM.  Its updated paper records that firms considered these risk typologies to have 'remained fairly static' since that time, with some types of risk rarely seen, however firms had found that risk typologies were 'often difficult to spot in isolation'.  The FCA's updated paper contains (p9) thirteen case studies with real world examples provided by industry (or identified by the FCA through its supervision work), with firms encouraged to consider them to help develop and calibrate their relevant policies, processes, and training.

The FCA's updated paper also contains (p15) a list of money laundering risk indicators.  Many of these will be familiar, as they align with areas in which the UK's Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs) already require enhanced customer due diligence.  Some, however, for example those commenting on funding patterns or trade structures, provide useful further colour.

The FCA's updated paper considers briefly (in Chapter 4) suspicious activity reporting to the NCA.  In short, the FCA's paper identified that while there had been an increase in such reporting from wholesale firms since 2019 (and a significant increase since the ‘XXMLTMXX’ glossary code was introduced in 2021), there was poor understanding of that code and some firms were not using it correctly.  This has the potential to skew data available to the authorities.

This is an area in which firms would be well advised to review their processes quickly, as it seems likely that this, potentially with work to look at the quality of SARs reporting, will form an area of focus in future supervision.

Part 2 of the FCA's updated paper is likely to be the section of greatest interest to wholesale brokers and other capital markets firms reviewing their financial crime controls.  It sets out areas where, in the FCA's assessment, firms need to do more in order to achieve compliance together with examples of good and poor practice.  While the FCA's paper does identify a series of positive developments since 2019, for brevity this article focuses on areas in which the FCA considered some firms were not meeting expected standards.

Business-wide risk assessments (BWRAs)

• In the FCA's assessment, many firms failed to document their BWRAs appropriately, and often did not 'identify the scenarios that would trigger an updated assessment'.
• Terrorist financing and proliferation financing risks were also not always appropriately considered.
• The FCA found 'several instances where senior management was unable to adequately explain the financial crime risks facing their firm' and how their controls mitigated those risks.
• Sometimes, business-wide risks were assessed and defined too broadly, were insufficiently tailored to the specific firm and business, and were based on an insufficiently clear methodology.

Customer risk assessments (CRAs)

• The FCA found that most assessed firms did not document their CRA methodology in the policies and procedures.
• At the point of assessing the risk posed by a customer, some firms focused inappropriately on one risk factor, regardless of the presence of other risk factors, for example by automatically classifying customers that were regulated entities as low risk (and carrying out only simplified due diligence on them).
• In one case, a firm had not carried out individual CRAs at the time of the FCA's visit.
• Some firms were determining a customer's risk rating upon completion of customer due diligence, rather than using the CRA to determine the level of due diligence that was required.
• The FCA considered that few firms adequately documented an appropriate rationale for risk-rating a customer.
• Despite recent changes in law and regulation in this area, some firms were not adequately distinguishing between domestic and foreign PEPs, but were considering all PEPs high risk 'as a starting point'.

Know your customer (KYC) / customer due Diligence (CDD)

• The FCA considered that a significant proportion of firms reviewed did not record their assessment of the nature and purpose of the account (transaction size, frequency, etc).  This then limited their ability to carry out transaction monitoring at a later stage.
• There were clear differences in how firms used customer risk ratings to determine the level of CDD.  Some firms determined the level of CDD based on their understanding that their customers and business models were predominantly low risk, rather than on CRA ratings.
• Some firms onboarded customers through non-UK entities, but over time those customers later appeared on UK registers without further CDD being carried out.
• Low numbers of customers were refused accounts for financial crime-related reasons.
• Some firms were inappropriate relying on CDD carried out by other entities where this is not permitted by the MLRs.
• Some firms were inappropriately relying on CDD carried out by other entities where this was not permitted by the MLRs.
• FCA reviews of customer files indicated that there were sometimes issues or inconsistencies with records / audit trails, for example in documentation received, allocation of customer risk ratings, account reviews and sign-offs, completion of verification checks, completion of transaction monitoring and the periodic review of CDD.

Governance and oversight

• The FCA indicates it found considerable evidence of good practice in this area (perhaps unsurprising given its focus and work since 2019), including the use of appropriate governance structures, Board escalation and reporting, good management information and well-constructed / detailed MLRO reports.
• Some smaller firms had, however, sometimes experienced challenges with assigning senior management function (SMF 16 and SMF 17) roles concerning financial crime.  In one case, a firm had not appropriately managed conflicts of interest between business oversight and financial crime roles.
• In some cases, the FCA considered some SMF role holders did not have sufficient money laundering and financial crime knowledge and awareness, nor were relevant management discussions appropriately documented.

Transaction monitoring (TM)

• Some firms found it difficult to identify suspicious activity due to a range of factors.  Apart from a lack of transparency in the transaction chain, this was sometimes due to issues with resourcing and the calibration of automated processes (sometimes too many alerts, sometimes too few).
• Firms that monitored transactions in isolation did not regularly identify suspicious activity; a combination of factors is necessary, including the availability of KYC and intelligence-led analysis.
• Some firms found it easier to identify instances of market abuse than instances of money laundering and need to give this issue further consideration.  In larger firms, closer collaboration between teams monitoring each may be part of the solution.
• The FCA's comments indicate that it sees the use of technology as key in this area.  It considered that firms which used only manual (as opposed to automated) transaction monitoring processes may face issues with their assessments, the scalability of their approach and resourcing.  Further, FCA commented: 'none of the firms we observed had made significant progress in understanding how AI (artificial intelligence) could be used for both TM and onboarding processes'; noting that a separate survey on AI in financial services is being launched.

Suspicious activity reporting

• As well as incorrect use of the MLTM glossary code (see above), the FCA identified that wholesale brokers submit low numbers of external SARs (aligned with data the FCA had received via the REP-CRIM process).

Training

• The FCA expressed concerns about under-resourcing in some firms' AML / financial crime functions, relative to the number of customers the firm supported, and about over-reliance on some individuals' knowledge and experience rather than documentation of policies and procedures.
• In some firms, trainings were not completed on time, were not escalated to management for action, and amendments to policies and procedures were not always appropriately cascaded and acknowledged.

The FCA's 'Dear CEO' letter for wholesale brokers, published a day after the updated MLTM paper, noted that its findings from the MLTM review were 'mixed', highlighting a general concern that 'too often, firms underestimate the money laundering risks to which they are exposed', and that weaknesses in AML controls often go hand in hand with market abuse.  The letter goes on to set out a series of areas of focus in the FCA's supervision work for the next two years:

• broker conduct, including the need for adequate oversight of front office activity to prevent financial crime-related issues (insider trading, market abuse, a risk of overcharging clients for order execution, abuse of gifts and entertainment) and non-financial misconduct;
• culture, including firms governed by diverse boards with a suitable mix of skills and experience and work to tackle non-financial misconduct;
• business oversight, including the need for a robust control environment, with the FCA suggesting a particular focus on 'use of remuneration tools such as deferrals, clawback or malus in cases of proven misconduct'; and
• financial resilience.