Find a lawyerOur capabilitiesYour career
Locations
Our capabilities
News

Select language:

Locations
Our capabilities
News

Select language:

hamburger menu showcase image
  1. Our thinking
  2. Blogs
  3. Risk and Compliance
  4. FCA flags gaps in insurers’ financial crime frameworks
4MIN

FCA flags gaps in insurers’ financial crime frameworks

Jul 1 2026

The FCA has published the findings of its multi-firm review into the design and effectiveness of financial crime systems and controls across 38 UK retail, wholesale, and life insurers. The review forms part of the regulator’s continued strategic focus on financial crime. The FCA expects all firms, not just those reviewed, to consider the findings of their review and how it applies to their business. The review contains an important explanation of the FCA’s expectations of general insurance firms, which are outside the scope of the Money Laundering Regulations regime but are subject to the FCA’s general requirements in respect of financial crime. The FCA’s focus on insurers generally is understandable. However, some of the FCA’s statements as to its expectations of controls and governance at firms outside the scope of the Money Laundering Regulations regime may be regarded as unduly driven by the requirements applicable to firms within that regime, in circumstances where a policy choice was made by the Government to exclude general insurance from the ambit of the Regulations on the basis of the lower financial crime risk of general insurance business. 

While the FCA concluded that systems and controls across the selected large firms are “mostly effective”, the FCA considered that firms continued to fall short of best practice on design implementation and governance, alongside the capability to evidence their controls. 

Weaknesses identified are likely to inform how the FCA supervises firms going forward and could drive more intrusive intervention such as section 166 reviews (an old favourite of the FCA in the financial crime area) or even enforcement action. Insurance firms, whether or not they have participated in the review, should benchmark their controls against the FCA’s expectations and consider how best to address any gaps in the light of their assessment of the risk profile of their businesses. 

Headline Themes

Four core areas of concern emerge from the FCA’s review:

1. Over-reliance on group frameworks and unclear accountability

The FCA found firms frequently rely on global group policies without sufficient localisation. This means there is a lack of tailoring to specific UK business units or legal entities which can lead to unclear ownership and poorly defined responsibility for oversight. Adopting group policies is not enough in the FCA’s view; firms must show how they apply to the relevant entity in practice. On this point, the FCA expects clear governance arrangements and suggests using the RACI matrix (Responsible, Accountable, Consulted, Informed) to clarify responsibilities, particularly where compliance is spread across broader teams or third-party administrators.

2. Insufficient transaction monitoring and controls monitoring and testing

Firms across the review had different levels of transaction monitoring and controls monitoring and testing. While general insurance firms are non-AML regulated, the FCA expects a proportionate approach to transaction and controls monitoring and testing as all firms remain subject to wider financial crime obligations. 

In addition, firms should ensure that their approach is clearly evidenced and subject to periodic review, particularly where transaction patterns are considered predictable or risk exposure is assessed as lower. A frequent area of challenge in transaction monitoring is the need to keep monitoring tailored to the size and risk of business as it changes over time. 

3. Insufficient documentation of customer due diligence (CDD)

The review identified weaknesses in Customer Due Diligence, primarily driven by undocumented processes. This was particularly acute among retail insurers (which are non-AML regulated). While simplified due diligence may be proportionate for many retail customers, some of these firms frequently failed in the FCA’s eyes to document the rationale for their limited approach. The FCA stressed that any simplified or alternative control must be risk-based, proportionate, and fully documented to maintain clear audit trails.

4. Inadequate third-party risk management

Given the sector's reliance on intermediaries and outsourcing, third-party risk management remains a significant vulnerability in the FCA’s view. Most firms recognised that outsourcing does not reduce their regulatory liability, but oversight was rarely adjusted to the actual level of risk. Only one firm in the review had implemented enhanced, risk-based oversight for higher-risk outsourced controls. Firms must categorise third-party relationships by risk, match monitoring to those categories, and generate risk-focused management information (MI).

Sector Differences

Performance varied significantly across insurance sub-sectors, with the FCA considering the weaker performance (not surprisingly) to be in areas not subject to the Money Laundering Regulations:

  • Life Insurance (Rated “Moderate to Good”): The strongest overall, this sub-sector showed robust risk assessment, CDD, sanctions controls, and advanced fraud detection. However, the FCA concluded that transaction monitoring needs improvement.
  • Retail Insurance (Rated “Moderate” overall): The FCA considered this sub-sector to be strong in sanctions, fraud, and anti-bribery and corruption, but rated it “weak” in risk assessment and CDD due to undocumented procedures and a lack of business-unit-specific evidence.
  • Wholesale Insurance (Rated “Moderate” overall): The FCA considered this sub-sector to be strong in anti-bribery and corruption, sanctions, and people and knowledge, but fraud risk management was a distinct weakness due to poor MI and limited fraud monitoring arrangements.

Practical Takeaways

The FCA sees this review as a call to action for both the firms reviewed and the wider insurance industry. Firms should review the FCA’s findings and map them against their own controls, and consider whether they should incorporate any of the following best practices identified by the FCA into their financial crime frameworks:

  • Localise Policies: Assign clear responsibility at the UK entity level for group policies, using RACI matrices to show who does what across teams and third‑party providers.
  • Map Obligations: Create an obligations register linking regulatory requirements directly to controls and owners.
  • Document Rationales: Formally record risk-based justifications for alternative transaction monitoring or simplified CDD.
  • Calibrate Third-Party Oversight: Implement risk-focused oversight and MI for all outsourced providers, scaled to their specific risk profile.
  • Align Assurance: Coordinate second and third lines of testing plans to eliminate coverage gaps.

 

Tags

financial institutionsfcainsurancefinancial crimefinancial servicesinvestigations and enforcementregulatory frameworkthe financial conduct authority

Authors

London

Christopher Robinson

Partner
London

Anthea Bowater

Counsel
London

Harry White

Associate

Kalam Miah

Trainee Associate
Latest Insights

Latest Insights

NAVIGATE TO
About usLocations and officesYour careerOur thinkingOur capabilitiesNews
CONNECT
Find a lawyerAlumniContact us
NEED HELP
Fraud and scamsComplaintsTerms and conditions
LEGAL
AccessibilityCookiesLegal noticesTransparency in supply chains statementResponsible procurementPrivacy

Select language:
Select language:
© 2026 Freshfields. Attorney Advertising: prior results do not guarantee a similar outcome