Financial Services Compliance Blog - Thistle Initiatives

FCA Multi-Firm Review of Insurance Financial Crime Controls: Key Takeaways

Written by Nikki Bennett | Jul 3, 2026 12:01:58 PM

The FCA’s latest multi-firm review finds insurance firms’ financial crime controls are “mostly effective”, but the detail tells a different story. James Dodsworth and Nikki Bennett examine what insurers, brokers and MGAs should do to close the gap between design and real-world effectiveness.

The FCA just told large insurers their financial crime controls are "mostly effective." If you're a broker, an intermediary or an MGA, that's not the reassurance it sounds like.

On 23 June, the FCA published its multi-firm review looking into the effectiveness of financial crime systems and controls across large UK insurance firms. The headline is reassuring, in that the regulator found overall frameworks to be mostly effective, but there are distinct gaps against regulatory expectations that firms, insurers and intermediaries alike, must address.

Here we reflect on the multi-firm review and highlight some considerations that all insurers should be aware of and that intermediaries should also take into account.

The FCA Multi-Firm Review of Insurance Financial Crime Controls

Sector-Specific Themes

The FCA evaluated firms against ten key control groups, awarding ratings of Strong, Moderate, or Weak. Performance varied significantly by insurance type:

  • Life Insurance: The strongest performer overall. Risk assessments, due diligence, and sanctions controls were generally robust, though transaction monitoring requires work.

  • Wholesale Insurance: Rated moderate overall. Strengths were found in anti-bribery and sanctions, but fraud management fell short due to poor management information.

  • Retail Insurance: Rated moderate overall. Sanctions and fraud management were solid, but risk assessments and customer due diligence (CDD) controls were flagged as weak due to poor documentation.

Cross-Sector Themes

The review highlighted several common areas where firms must tighten their risk management frameworks:

  • Transaction Monitoring: Non-AML regulated firms often lacked formal monitoring. The FCA stresses that any reduction in controls must be risk-based and clearly documented.

  • Testing and Monitoring: Many firms lack structured, risk-based testing plans across their second and third lines of defence.

  • Policy Customisation: Overarching group policies are frequently failing to address specific business unit or jurisdictional risks.

  • Unclear Accountability: A lack of formal RACI matrices means responsibilities across compliance and third-party administrators are often blurred.

  • Obligations Management: Most firms are not maintaining an ‘obligations register’ to map legal requirements directly to internal controls.

  • Third-Party Outsourcing: Even when outsourcing financial crime activities, firms retain ultimate liability. Oversight must be risk-rated, proportionate, and backed by robust management information.

Key Takeaways from the FCA Review on Financial Crime Controls

Through this review, the FCA has published a framework against which insurers and intermediaries can benchmark their current financial crime frameworks. There are four areas to consider as a result:

Owning the tools isn’t the same as using them

Plenty of firms have invested in good screening and MI. However, the FCA tested how controls are designed, not whether anyone acts on what they produce. Alerts that are generated by systems need to be worked. An MI pack that no one reads into a decision is not a control; it's false comfort.

Ensure that tools are appropriate to your firm, and utilise their outputs to demonstrate effective implementation of your control framework.

Financial Crime isn’t just a retail problem

If you undertake commercial business, "commercial = lower risk" is a dangerous default. Beneficial ownership, control structures, source of funds, sanctions and PEP exposure sit through the whole ownership chain.

An opaque corporate structure is a higher risk than a simple retail policyholder, not a lower one. And where your due diligence is lighter, you need to evidence why as part of a risk-based approach.

Your Appointed Representatives (ARs) are your risk

For principal firms with appointed representatives, their financial crime exposure is yours. The responsibility doesn't transfer with the activity they conduct. What matters is continuing oversight and monitoring, not simply onboarding them without reviewing whether their controls are as robust as your own.

Consider and review every third party

The surprising statistic from the review: of all the large insurers reviewed, only one had risk-based oversight of its higher-risk outsourced controls.

For intermediaries, this runs far wider than binders: introducers who own the customer before you see them, claims handlers, and IT and data suppliers. Each one is a possible risk and accountability concern.

Next Steps for Strengthening Insurance Financial Crime Frameworks

The reassuring headline is exactly what should stop intermediaries getting comfortable. The best-resourced firms in the market still had gaps in their frameworks. Smaller intermediaries have no reason to assume they'd score better, but every reason to check how they would compare against the FCA’s review criteria.

Benchmarking against the FCA's ten control groups, mapping your ARs and third parties by risk, and actually using the MI you already pay for aren't a transformation programme. They're finite, practical actions, and they make you a firm your capacity providers can trust.

"Mostly effective" is a starting point. Not a finish line.

How confident are you that your controls would hold up not on paper, but in practice? How robust is your Board reporting on this aspect of the business model?

How Thistle Initiatives Can Help

Thistle Initiatives supports insurance firms by providing independent review and challenge across fraud risk management, sanctions, AML, and market abuse frameworks. This includes assessing governance arrangements, robustness of policies and procedures, financial crime risk assessments, control effectiveness, management information, quality assurance and wider oversight arrangements.

We also have significant experience in supporting firms that have, either proactively or via the FCA, identified weaknesses in their control frameworks and enhanced systems and controls to meet regulatory expectations. Our approach is practical, proportionate, and focused on helping firms understand not only where risks exist but also how to manage them more effectively.

Should you wish to discuss any aspect of your financial crime compliance framework, please get in touch.

Meet the Expert

Nikki Bennett, Partner 

Nikki Bennett is Partner and lead in our Insurance team, working alongside Matthew Williamson. Formerly Managing Director at UKGI, she brings extensive expertise in Delegated Authority markets, MGAs, InsurTech and product development, with a proven record of delivering practical, solutions-driven outcomes for insurance firms. Nikki also continues to serve as a Director at the Association of Professional Compliance Consultants (APCC).

 

James Dodsworth, Senior Manager  

James has worked in financial crime compliance across a range of sectors and firms for over 20 years.

As a certified fraud investigator, James has experience in all three lines of defence: conducting investigations, designing and delivering fraud controls and risk assessments, as well as creating and reviewing policies and procedures.