Financial Services Compliance Blog - Thistle Initiatives

FCA scrutiny of Corporate Finance Firms: what the latest findings mean and how to respond fast

Written by Ilaria Iodice | Nov 18, 2025 11:23:17 AM
The FCA’s latest multi-firm survey, published in October and November 2025, has highlighted gaps in Corporate Finance Firms’ (CFFs) compliance with anti-money laundering (AML) rules and in their oversight of Appointed Representatives (ARs), and has found that they are falling short on their financial crime controls.
The message from the Financial Conduct Authority (FCA) is clear: Corporate Finance Firms (CFFs) are falling short on financial crime controls. In October 2025 and November 2025, the FCA published its latest multi-firm survey, accompanied by a press release highlighting ‘widespread gaps’ in compliance with anti-money laundering (AML) rules and oversight of Appointed Representatives (ARs).  
The regulator identified material weaknesses across AML frameworks, including Business-Wide Risk Assessments (BWRAs), Customer Due Diligence (CDD), Enhanced Due Diligence (EDD), and oversight of Appointed Representatives (ARs).
 
The findings firms can’t ignore
  • 11% of firms had no documented BWRA.
  • 10% did not retain documented evidence of CDD.
  • 29% of firms did not perform financial crime risk assessments of their ARs, and 6% of them reported no ongoing monitoring or on-site audits.
The FCA multi-firm review also identified gaps in how firms implement COBS 3 (client categorisation) and COBS 4 (certification/financial promotions). These included superficial or undocumented assessments, blurred boundaries between FCA rules and Financial Promotions Order (FPO) exemptions, and inconsistent approaches to contacts who receive financial promotions.  
 
Where firms are stumbling – and what they should do instead
 
1. Rebuild the BWRA
Many firms were unable to demonstrate that they had a current, documented BWRA reflecting their business model, products, services, and clients. The BWRA serves as the foundation of a firm’s financial crime strategy and must function as a live risk register that reflects the firm’s unique risk profile and its mitigating controls.
 
The FCA's review of risk assessment processes reveals that although most firms possess a BWRA, few customise it to their specific business activities. The FCA's concerns primarily relate to firms that cannot explain how they manage and mitigate the identified risks.
 
What firms should do
  • Develop and maintain a dynamic, firm-wide risk framework tailored to the specific business model, products, geographies, clients, deal types, and distribution channels.
  • Update the BWRA at least annually, or after significant business changes or new regulatory guidance, taking into consideration a range of internal and external risk factors.
  • Ensure the BWRA captures all risk events and details the likelihood and impact of each risk materialising, utilising data to support this assessment.
  • Use the firm’s monitoring and testing framework to assess the effectiveness of mitigating controls.
  • Use the BWRA to drive all financial crime initiatives and inform systems and controls, so that frameworks are risk-based.

2. Review the approach to CDD
CDD is fundamental to understanding clients and the risks they pose. The FCA found that many firms do not retain documented CDD information, relying instead on long-standing client relationships to assess client risks.  

The FCA survey revealed that many firms did not use a Customer Risk Assessment (CRA) form to document financial crime risks posed by clients. The FCA expects firms to have documented assessments of the risks posed by their clients.
 
What firms should do
Firms should implement a rigorous, evidence-based, and risk-sensitive CDD and CRA process for all clients that includes:
  • Thorough identification and verification of customers.
  • Clear understanding of ownership and control structures.
  • Identification and documentation of the purpose and intended nature of the relationship.
  • Implementation of controls to identify higher risk factors and mechanisms to conduct enhanced due diligence.
  • Collection and review of documentation supporting the clients’ source of funds (SoF) and source of wealth (SoW), even when not holding client funds.
  • Individual risk assessment of customers based on the risks they pose.
Firms should establish robust systems to continuously monitor client activity and ensure timely reviews and updates of CDD information whenever risk profiles or client activities change.  
 
The expectation for firms is to:  
  • Implement systems to track when periodic reviews are due, starting the review process at least 30 days before the due date.
  • Closely monitor the periodic reviews process and timelines to avoid pitfalls and backlogs.
  • Establish a documented process to verify with clients if there have been any material changes to their main activities, beneficial owners, and relevant individuals.
  • Define specific circumstances that trigger a re-assessment and clear criteria for applying EDD measures. Ensure staff are trained to identify trigger events and apply EDD effectively, collecting additional information and documentation as needed.

3. Tighten oversight of ARs
The FCA found that many firms do not conduct financial crime risk assessments for their ARs, nor do they assess the effectiveness of their oversight and control mechanisms for financial crime risks associated with those ARs.

What firms should do
Firms should establish a comprehensive oversight framework for ARs that explicitly addresses financial crime risks.  
 
The expectation is to:
  • Conduct a thorough due diligence process before onboarding ARs. Every AR should undergo a formal risk assessment to identify and mitigate financial crime risk factors, including their business model and client base, activities performed, geographical footprint, and the quality and maturity of their internal compliance frameworks.
  • This assessment should assign a risk rating and determine the level and frequency of ongoing oversight, including the number of on-site visits, document reviews, and monitoring intensity.
  • For high-risk ARs, firms should conduct at least annual on-site visits; for medium-risk ARs, biennial visits; and for low-risk ARs, on-site visits should be triggered by red flags, unexpected high-risk factors, or material changes.
  • The scope of the on-site visits should include reviewing financial crime policies and procedures, screening and escalation mechanisms, testing the design and effectiveness of controls, and examining training, competence requirements, governance structure, management information (MI), and reporting.
  • Integrate AR oversight into the firm’s overall AML and compliance framework. The AR oversight process should feed directly into the firm’s broader BWRA and financial crime MI, and the AR’s oversight metrics should be presented to senior management to demonstrate clear accountability and oversight.
Thistle Support
At Thistle, we assist firms in responding quickly, effectively, and confidently to FCA findings. Our services include:  
  • Reviewing and improving risk assessment documents and methodologies, including BWRAs and CRAs.
  • Strengthening financial crime frameworks and controls.
  • Designing tailored governance and oversight monitoring programmes.
  • Providing resources to conduct ongoing monitoring of clients and ARs.
To learn more, explore our financial crime services and contact our team.

Meet the Expert

Ilaria Iodice, Senior Manager

Ilaria has a deep understanding of Financial Crime Compliance and has offered valuable support to various organisations, including Tier 1 Banks across the UK, EU, and internationally.

Her expertise includes conducting Quality Control assessments to identify areas for enhancement and overseeing FCC programs to devise strategies for implementing robust internal controls. Experienced in leading diverse teams, both onshore and offshore, Ilaria has managed large-scale, complex projects across multiple jurisdictions, ensuring seamless execution and regulatory adherence.

Prior to Thistle, she gained significant experience at various consultancy firms, including a Big 4 firm, and contributed to the global monitorship involving HSBC. Ilaria holds an LL.M and LL.B in Law.