FCA flags gaps in insurers’ financial crime frameworks
The FCA has published the findings of its multi-firm review into the design and effectiveness of financial crime systems and controls across 38 UK retail, wholesale, and life insurers. The review forms part of the regulator’s continued strategic focus on financial crime. The FCA expects all firms, not just those reviewed, to consider the findings of their review and how it applies to their business. The review contains an important explanation of the FCA’s expectations of general insurance firms, which are outside the scope of the Money Laundering Regulations regime but are subject to the FCA’s general requirements in respect of financial crime. The FCA’s focus on insurers generally is understandable. However, some of the FCA’s statements as to its expectations of controls and governance at firms outside the scope of the Money Laundering Regulations regime may be regarded as unduly driven by the requirements applicable to firms within that regime, in circumstances where a policy choice was made by the Government to exclude general insurance from the ambit of the Regulations on the basis of the lower financial crime risk of general insurance business.
While the FCA concluded that systems and controls across the selected large firms are “mostly effective”, the FCA considered that firms continued to fall short of best practice on design implementation and governance, alongside the capability to evidence their controls.
Weaknesses identified are likely to inform how the FCA supervises firms going forward and could drive more intrusive intervention such as section 166 reviews (an old favourite of the FCA in the financial crime area) or even enforcement action. Insurance firms, whether or not they have participated in the review, should benchmark their controls against the FCA’s expectations and consider how best to address any gaps in the light of their assessment of the risk profile of their businesses.
Headline Themes
Four core areas of concern emerge from the FCA’s review:
1. Over-reliance on group frameworks and unclear accountability
The FCA found firms frequently rely on global group policies without sufficient localisation. This means there is a lack of tailoring to specific UK business units or legal entities which can lead to unclear ownership and poorly defined responsibility for oversight. Adopting group policies is not enough in the FCA’s view; firms must show how they apply to the relevant entity in practice. On this point, the FCA expects clear governance arrangements and suggests using the RACI matrix (Responsible, Accountable, Consulted, Informed) to clarify responsibilities, particularly where compliance is spread across broader teams or third-party administrators.
2. Insufficient transaction monitoring and controls monitoring and testing
Firms across the review had different levels of transaction monitoring and controls monitoring and testing. While general insurance firms are non-AML regulated, the FCA expects a proportionate approach to transaction and controls monitoring and testing as all firms remain subject to wider financial crime obligations.
In addition, firms should ensure that their approach is clearly evidenced and subject to periodic review, particularly where transaction patterns are considered predictable or risk exposure is assessed as lower. A frequent area of challenge in transaction monitoring is the need to keep monitoring tailored to the size and risk of business as it changes over time.
3. Insufficient documentation of customer due diligence (CDD)
The review identified weaknesses in Customer Due Diligence, primarily driven by undocumented processes. This was particularly acute among retail insurers (which are non-AML regulated). While simplified due diligence may be proportionate for many retail customers, some of these firms frequently failed in the FCA’s eyes to document the rationale for their limited approach. The FCA stressed that any simplified or alternative control must be risk-based, proportionate, and fully documented to maintain clear audit trails.
4. Inadequate third-party risk management
Given the sector's reliance on intermediaries and outsourcing, third-party risk management remains a significant vulnerability in the FCA’s view. Most firms recognised that outsourcing does not reduce their regulatory liability, but oversight was rarely adjusted to the actual level of risk. Only one firm in the review had implemented enhanced, risk-based oversight for higher-risk outsourced controls. Firms must categorise third-party relationships by risk, match monitoring to those categories, and generate risk-focused management information (MI).
Sector Differences
Performance varied significantly across insurance sub-sectors, with the FCA considering the weaker performance (not surprisingly) to be in areas not subject to the Money Laundering Regulations:
- Life Insurance (Rated “Moderate to Good”): The strongest overall, this sub-sector showed robust risk assessment, CDD, sanctions controls, and advanced fraud detection. However, the FCA concluded that transaction monitoring needs improvement.
- Retail Insurance (Rated “Moderate” overall): The FCA considered this sub-sector to be strong in sanctions, fraud, and anti-bribery and corruption, but rated it “weak” in risk assessment and CDD due to undocumented procedures and a lack of business-unit-specific evidence.
- Wholesale Insurance (Rated “Moderate” overall): The FCA considered this sub-sector to be strong in anti-bribery and corruption, sanctions, and people and knowledge, but fraud risk management was a distinct weakness due to poor MI and limited fraud monitoring arrangements.
Practical Takeaways
The FCA sees this review as a call to action for both the firms reviewed and the wider insurance industry. Firms should review the FCA’s findings and map them against their own controls, and consider whether they should incorporate any of the following best practices identified by the FCA into their financial crime frameworks:
- Localise Policies: Assign clear responsibility at the UK entity level for group policies, using RACI matrices to show who does what across teams and third‑party providers.
- Map Obligations: Create an obligations register linking regulatory requirements directly to controls and owners.
- Document Rationales: Formally record risk-based justifications for alternative transaction monitoring or simplified CDD.
- Calibrate Third-Party Oversight: Implement risk-focused oversight and MI for all outsourced providers, scaled to their specific risk profile.
- Align Assurance: Coordinate second and third lines of testing plans to eliminate coverage gaps.
