Financial Crime Compliance: Looking Back at 2025

2025 was a landmark year for financial crime compliance: high-profile enforcement actions, the new ‘failure to prevent fraud’ offence, intensified sanctions focus, and consultations on Money Laundering Regulations kept firms on edge. With FCA expectations evolving and emerging threats adding pressure, staying compliant felt more challenging than ever. We look back at the year’s key highlights to help firms build robust frameworks that go beyond compliance and align with the FCA’s shifting standards.

2025 saw a number of high-profile enforcement actions against household names, implementation of the failure to prevent fraud corporate offence, continued sanctions focus and consultation on the Money Laundering Regulations. For any financial crime compliance professional, it probably felt like any other year: one where the FCA’s expectations evolved, and keeping abreast of them while dealing with emerging threats and business-as-usual felt overwhelming.

Below we capture the key highlights from 2025, to help firms develop and maintain strong financial crime compliance frameworks which are not just compliant, but also meet the FCA’s continuously evolving expectations.

FCA enforcement in 2025

Looking back at 2025, one thing is clear from the FCA’s enforcement activity: most of the fines were not about firms having no controls, but about failing to stop and rethink risk when things changed.

Over the year, the FCA issued six Final Notices across retail banking, wholesale markets and retail payments, with total penalties of £109.5 million. The cases spanned very different firms, but when read together, a small number of consistent themes emerge.

Risk decisions were not re-evaluated as the risk environment evolved

One theme that stands out is how often risk decisions were allowed to remain in place even as the underlying risk changed.

This was clearly demonstrated in the Barclays Bank case. A specific corporate customer began behaving very differently from what had been initially expected. Transaction volumes increased significantly, large payments became routine, and the firm received law-enforcement intelligence pointing to potential money laundering concerns. Adverse media coverage also emerged.

Despite all these warning signs, the customer remained classified as low risk.

This wasn’t due to a lack of information. Different teams could see different red flags, but they were working in silos. The information was visible, but it was never brought together to form a refreshed, consolidated view of customer risk.

The result was a heightened money laundering risk going unaddressed because the Bank never paused to reassess the customer as a whole.

Growth outpaced the effectiveness of control

Another strong theme from 2025 was that firms were growing faster than their control frameworks could keep pace.

This was evident in the Monzo case. Early on, the Firm introduced a streamlined onboarding model that worked well for speed and customer experience. As the business scaled, however, that model meant key information wasn’t always collected, such as the purpose of the account, expected activity levels and, in some cases, full ownership or controller details.

As a result, transaction monitoring teams were left without a clear benchmark for what “normal” behaviour looked like and, by extension, what should raise suspicion.

This was compounded by a misalignment with Monzo’s own stated risk appetite. The firm’s policy was to serve UK-based customers only. However, address verification controls were later removed for certain customers. It subsequently came to light that some customers had implausible UK addresses, including PO Boxes, foreign addresses with UK postcodes and even well-known landmarks.

This left the firm unable to confirm that it was operating within its own risk appetite or that its controls remained aligned to it.

A similar pattern was seen in the FCA’s enforcement against Starling Bank in 2024, where rapid growth, from 43,000 customers in 2017 to 3.6 million in 2023, outpaced the effectiveness of its financial crime controls. The FCA fined Starling Bank nearly £29 million for systemic weaknesses in sanctions screening and breaches of agreed restrictions on high-risk accounts. This case reinforces the lesson that scaling without proportionate control investment creates significant regulatory and reputational risk.

Product and customer risk were knowingly misaligned

Towards the end of 2025, the FCA issued its largest fine of the year to Nationwide.

In this case, Nationwide knowingly allowed prolonged business use of personal current accounts. The firm was aware that the product did not match the customer activity and that its controls were designed for personal banking rather than business use. Despite this, the position was allowed to continue.

The consequence was that large volumes of business activity, including Covid-related government support payments, flowed through accounts subject to controls that were not designed for that level or type of risk. This created clear opportunities for fraud and money laundering and ultimately resulted in the most significant penalty across all the cases.

What does this signal going forward?

Taken together, these cases reinforce a clear supervisory expectation: risk assessments and control frameworks must be actively revisited, not just maintained.

This aligns closely with the FCA’s November 2025 publication, Risk assessment processes and controls in corporate firms, which emphasised good practice in identifying and understanding risk, applying proportionate mitigation, and maintaining effective risk management as business models evolve.

For firms, the message is simple. When the business changes, risk decisions must change with it.

Sanctions in 2025: how the landscape shifted

By the end of 2025, sanctions compliance had clearly moved beyond a narrow regulatory exercise. Activity across the year showed sanctions being treated as a core part of the UK’s national security and economic crime response, closely linked to money laundering, trade controls, crypto and hostile state activity.

What stood out was not enforcement alone, but how consistently different authorities moved in the same direction. Activity from the Office of Financial Sanctions Implementation, HM Revenue & Customs and the National Crime Agency reflected a shared view of where sanctions risk actually materialises in practice.

A few clear patterns emerged over the year

One was the concentration of sanctions risk during exits and wind-downs. Cases involving Herbert Smith Freehills Moscow and Colorcon both arose as firms were exiting Russia and processing what appeared to be routine payments: salaries to local staff, professional fees and other wind-down costs. The issue was not the purpose of the payments, but the routes they took. Funds were processed through sanctioned Russian banks, resulting in direct breaches. OFSI’s message was clear: pressure to exit quickly does not remove sanctions obligations, and payment channels matter as much as intent.

Another shift was the widening of the scope of sanctions enforcement. The Markom Management case reinforced that exposure is not limited to banks or regulated financial firms. In that case, the provision of corporate and professional services to a designated person was enough to trigger action. What mattered was not regulatory status, but whether services created economic benefit for a sanctioned individual.

Engagement with authorities also moved up the agenda. OFSI’s penalty against Svarog Shipping & Chartering Ltd, its first monetary fine for failing to respond to a statutory Request for Information, signalled that cooperation and timely information provision are now enforceable expectations in their own right, not administrative formalities.

Outside OFSI, HMRC enforcement highlighted persistent weaknesses in trade compliance. A £1.16 million settlement involving exports to Central Asia showed how firms continue to rely on geography for comfort, while missing ownership and control links to Russian-incorporated entities operating outside Russia. That gap alone was enough to result in a sanctions breach.

These firm-level cases sat alongside a broader intelligence picture. The NCA’s disclosure of Operation Destabilise linked sanctions evasion to cash-to-crypto laundering, payment service providers, and organised crime networks supporting the Russian state. The implication was difficult to ignore: sanctions risk does not sit in isolation. It directly intersects with AML, crypto, and trade risk.

At the same time, supervisory bodies were setting expectations in advance. OFSI’s sectoral threat assessments, covering areas such as cryptoassets, legal services, property and high-value goods, described how sanctions are being circumvented in practice. The updated Maritime Services Ban and Oil Price Cap guidance did the same for high-risk energy and shipping sectors. Overlaying this, OFSI’s 2025 consultation on civil enforcement pointed towards faster outcomes, stronger deterrence and less tolerance for poor engagement.

Taken together, 2025 marked a clear shift. Sanctions compliance is now being judged as an operational capability rather than a policy framework. Risk consistently surfaced where firms treated sanctions as static rules rather than live, evolving exposure, particularly during exits, in third-country trade routes and when information requests were not prioritised.

Fraud in 2025: Enough talk, time for action

In 2025, fraud has remained one of the most prevalent financial crime risks across financial services, with a clear message from the FCA that fraud detection and prevention should be a top priority for firms, stemming from strong governance and accountability. Developments over the past year, including the go-live of the corporate offence of failure to prevent fraud and a full year of experience under the APP fraud reimbursement regime, have reshaped how the FCA assesses firms’ fraud risk management frameworks and control effectiveness.

Fraud has also increasingly intersected with other financial crime risks. Scam proceeds continue to flow rapidly across borders, often through mule networks, crypto-assets, and payment platforms, increasing exposure to money laundering and sanctions risks. The FCA has been clear that firms cannot treat fraud in isolation from their AML and sanctions obligations.

Key themes and trends

A central theme in 2025 has been the continued professionalisation of fraud. Fraud is increasingly conducted by organised networks rather than opportunistic individuals, with clear role separation between social engineers, mule recruiters, and money movers. These networks are agile, international, and highly adaptive to control changes.

Another major trend is the blurring of lines between authorised and unauthorised fraud. Victims are being manipulated into initiating transactions themselves, challenging traditional detection models that rely heavily on transaction anomalies alone. Behavioural indicators, contextual intelligence, and real-time intervention are becoming far more important.

Technology-enabled deception has also become mainstream. AI-generated voices, spoofed communications, and realistic fake documentation are undermining traditional verification methods. Firms relying solely on static controls or manual checks are finding those controls increasingly ineffective.

Finally, regulatory expectations around fraud governance have increased. The FCA expects senior management to treat fraud as a strategic risk, with clear ownership, proactive prevention measures, and effective customer protection frameworks.

What firms should be focusing on as a result

In response to these developments, firms should prioritise a number of actions to ensure their fraud risk management framework continues to meet regulatory expectations. Central to this is the need to maintain fraud risk assessments that are dynamic, forward-looking, and grounded in real-world and proportionate threat activity. Static, generic, or compliance-driven assessments are no longer sufficient. Firms are increasingly expected to evidence how evolving risks, such as AI-enabled impersonation, social engineering, and the use of mule networks, are actively identified, assessed, and incorporated into control design and decision-making.

In parallel, firms should place greater emphasis on the effectiveness of preventative controls, rather than relying predominantly on downstream detection and recovery. This includes the implementation of proportionate customer education initiatives, the use of payment friction where risk indicators are present, robust confirmation-of-payee arrangements, and enhanced verification processes for payment changes and high-risk instructions. Preventative measures should be designed to intervene at meaningful points in the customer journey, reducing the likelihood of fraudulent payments being authorised in the first instance.

Greater integration between fraud and AML functions is also critical. The increasing convergence between fraud and wider financial crime risks means that siloed operating models can create material control gaps and lead to ineffective escalation. Firms should ensure that, where separated, fraud and AML teams share intelligence, adopt aligned risk assessments where appropriate, and operate clear and consistent escalation pathways. Integrated monitoring and coordinated oversight are becoming regulatory expectations rather than good practice enhancements.

Firms should also continue to evolve their detection capabilities by investing in behavioural and contextual monitoring, rather than relying solely on traditional rules-based transaction monitoring. A deeper understanding of customer behaviour, device usage, transaction context, and interaction patterns is increasingly necessary to identify fraud in real time, particularly in scenarios where payment instructions appear superficially legitimate. These capabilities are especially important in addressing sophisticated social engineering and authorised payment fraud.

Finally, strong governance and accountability arrangements remain fundamental. The FCA continues to place significant emphasis on clear senior management oversight, well-defined roles and responsibilities across the three lines of defence, and demonstrable ownership of fraud risk. Firms should be able to evidence that lessons learned from fraud incidents are systematically captured, reported, and used to enhance controls and decision-making. An effective feedback loop between incidents, risk assessments, and control enhancements is a key indicator of a mature and robust fraud risk framework.

Conclusion

In 2025, the FCA’s expectations continued to evolve, especially across fraud and sanctions.

The FCA’s enforcement actions have made it clear that static and siloed controls are not sufficient; firms must demonstrate agility, integrated risk management, and a willingness to revisit decisions as business models and external threats evolve.

The shift in sanctions enforcement underlines the need for robust, real-time controls and senior management engagement.

Fraud risk management has similarly moved from a number of key policy enhancements to operating in practice, with the FCA demanding evidence of effective prevention, detection, and governance.


Meet the Expert

Eva Koreskova, Senior Consultant

Eva is a Senior Financial Crime Consultant, bringing over seven years' experience in financial crime management, regulatory compliance, and risk assessment. Previously, she led financial crime initiatives at an asset financing firm, where she presented insights to senior leadership and implemented robust control measures across the firm. Eva’s background includes roles at a bank and a brokerage firm, where she drove compliance initiatives, managed high-risk clients, and advanced financial crime systems and controls. As an ICA-certified MLRO, Eva is dedicated to safeguarding organisations against financial crime through strategic compliance frameworks and industry best practices.

 

Michael Knight-Robson, Financial Crime Partner

Michael has joined as a Partner in the Financial Crime team, working alongside Jessica Cath. With over 15 years’ experience in financial crime compliance, he was most recently a Director at BDO, where he built a strong reputation for leading s166 Skilled Person reviews and providing firms with proportionate, risk-based advice to stay compliant. His career also includes senior roles at Bovill, Lloyds Banking Group and Investec, giving him practical, well-rounded expertise to help firms strengthen their financial crime compliance frameworks.