Firms' Customer Due Diligence Processes and Controls: FCA Multi-Firm Review Findings
Summary
The FCA published findings from its 2025 multi-firm review of Customer Due Diligence (CDD), Enhanced Due Diligence (EDD), and ongoing due diligence controls across authorized firms. The review assessed policies and procedures, CDD/EDD processes, and compliance monitoring against the Money Laundering Regulations 2017. The FCA identified both good and poor practices across the sector and set out its expectations for firms.
What changed
The FCA conducted a multi-firm review in 2025 examining CDD, EDD, and ongoing due diligence controls across authorized firms. The assessment covered three areas: policies and procedures, CDD/EDD processes, and compliance monitoring and audit. Firms were evaluated against the Money Laundering Regulations 2017.
MLROs, senior managers, and compliance teams should review the FCA's findings and benchmark their firm's CDD/EDD controls accordingly. Firms with practices identified as poor practice should prioritize updates to align with FCA expectations. The FCA expects all authorized firms to maintain robust CDD/EDD processes and effective compliance monitoring as part of their financial crime controls.
What to do next
- Review CDD and EDD policies and procedures against FCA expectations
- Assess compliance monitoring and audit functions for adequacy
- Benchmark firm practices against identified good and poor practices
Archived snapshot
Apr 8, 2026
GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.
In 2025, we conducted a multi-firm review of Customer Due Diligence (CDD), Enhanced Due Diligence (EDD) and ongoing due diligence controls.
This is a summary of our main findings, the good and poor practice we observed, and our expectations for firms.
The findings centre around the firms' approaches to:
- Policies and procedures
- CDD and EDD processes
- Compliance monitoring and audit
This review is part of our wider financial crime supervisory work in support of our 2025-30 strategy (PDF). It covered a range of portfolios and firm types, aiming to raise standards and share practical insights.
Who this applies to
- Authorised and registered firms.
- Money Laundering Reporting Officers (MLROs).
- Senior managers with oversight of financial crime controls.
- Industry practitioners working in financial crime prevention roles and responsible for CDD.
What we looked at
We assessed CDD systems and controls through a questionnaire, a desk-based review of policies and procedures, customer file reviews and interviews with staff at firms.
We evaluated firms’ controls against:
- Money Laundering Regulations 2017.
- FCA Financial Crime Guide (FCG).
- Senior Management Arrangements, Systems and Controls (SYSC).
- Joint Money Laundering Steering Group (JMLSG) guidance.
- Financial Action Task Force (FATF) guidance.
Good practice often goes beyond the minimum regulatory requirements but demonstrates how firms approach these control areas.
Firms involved in this review came from the following sectors; however, the findings apply to all firms undertaking CDD (including EDD):
- Asset Management
- Crowdfunding
- Wholesale banking
- Contracts for difference
- Non-bank lenders
What we found
Policies and procedures
Several firms distinguished between standard CDD and EDD, specifying when the latter is required for higher-risk customers, such as Politically Exposed Persons (PEPs). These same firms had incorporated the changes introduced on 10 January 2024 regarding domestic PEPs.
Most firms had documented procedures for verifying customer identity, but few had enough detail or practical guidance for staff.
Some firms’ policies and procedures did not explain what alternative evidence can be used and should be obtained when customers lack standard forms of identification.
We observed that some firms didn’t have enough detail on how often periodic reviews should take place, and a lack of clarity over what they should do if an event-driven review happens.
Some firms have approval matrices and governance tools to help with CDD, but others lacked detail on when senior management sign-off was needed or failed to maintain document version control.
Examples of good practice
Clear distinction between CDD and EDD
Policies clearly distinguish between EDD and standard CDD and outline what measures should be taken for each of these, under a risk-based approach.
Frameworks for identifying PEPs
Firms had comprehensive and detailed control frameworks for identifying PEPs.
Examples of poor practice
Insufficient detail in firms’ policies and procedures
Policies and procedures didn’t explain what additional measures should be taken for the purposes of EDD.
Undefined cycle for customer reviews
Not enough detail on how often periodic reviews should take place and what firms were expected to do in the case of event-driven reviews.
Lack of alternative ways to check customer identity and verify this
Policies and procedures lacked information for staff on how they could identify and verify a customer if the latter couldn’t provide the usual forms of identification.
Firms not following their own policies
Firms failed to follow their own policies and procedures such as when to conduct periodic reviews of customers.
CDD processes
Most firms tailored their CDD approach to the risk profile of each customer, ensuring that higher-risk customers were subject to enhanced checks and more frequent reviews.
We observed that stronger performing firms documented each stage of the EDD process, including clear requirements for senior management approval and strong oversight, such as through compliance committees.
We were concerned that some firms did not gather or record relevant information, such as the purpose and intended nature of the business relationship.
Other firms failed to evidence and document EDD measures taken for high-risk customers. In some cases, there was limited evidence indicating how the approach differed between low and high-risk customers, and firms weren’t always conducting periodic reviews as required.
Examples of good practice
Clear guidance for EDD requirements
Firms had clearly documented steps for EDD measures.
CDD processes tailored to each customer
CDD information collected was determined by the financial crime risks posed by each customer.
Examples of poor practice
No documentation of EDD measures taken
Firms failed to produce any evidence of what EDD measures had been taken and recorded.
Key information not recorded
No details on purpose and intended nature of the business relationship to assist with ongoing monitoring.
Requirements for senior management approval not specified
No examples of scenarios or types of customers that require senior management approval, to demonstrate effective governance and oversight.
Compliance monitoring and audit
Most firms had some form of compliance monitoring and audit in place, but the level and depth of reviews and independence of these arrangements differed.
Several firms reviewed their CDD framework regularly, including thematic reviews by external parties or internal audit functions, and they maintained clear cycles for ongoing assessment.
Some firms used sample-based compliance monitoring and maintained proportionate review cycles, ensuring that CDD processes remained effective and up to date.
We saw stronger performing firms operate independent third line testing that assessed controls across customer onboarding and due diligence. They then documented and acted upon the findings.
But in some cases, there was no independent second line assurance, with the same staff responsible for both onboarding and reviewing customers. This raises questions about impartiality and effectiveness of testing.
Examples of good practice
External CDD audit
A firm conducted a thematic review of its CDD processes using external audit.
CDD in regular audit review
A firm operated a regular audit review cycle of its CDD systems and controls.
Examples of poor practice
No detail on compliance monitoring
Some firms lacked detail on how they were checking for quality control.
No independent review of CDD/EDD
One firm's staff onboarded customers as well as performed second line assurance work on those customers.
Lack of version control
Firms had no version control of their documentation, so could not demonstrate an audit trail of reviews or changes made.
Next steps
We encourage firms to consider our findings and suggestions in the context of their own firm and continue to review their CDD controls.
Where we identified weaknesses, we are working with those firms to strengthen their controls.
We will continue to monitor firms through our supervisory work, to make sure they are considering the points raised here. In this way, they can help to protect consumers, support growth and fight financial crime.
Useful papers to read alongside this review
- Risk assessment processes and controls in firms: our findings (November 2025)
- Financial crime controls in corporate finance firms: survey findings (October 2025)
- Money laundering through the markets (January 2025)
- The treatment of politically exposed persons (July 2024)
- Annex 1 Dear CEO letter (March 2024)
About this page
Source document text, dates, docket IDs, and authority are extracted directly from FCA.
The plain-English summary, classification, and "what to do next" steps are AI-generated from the original text. Cite the source document, not the AI analysis.