FCA flags financial crime control gaps across insurance sector in new multi-firm review

The FCA found that systems and controls were generally in place, but not always sufficiently tailored or evidenced at operational level.

Why this matters

Frameworks that look robust at group level are unlikely to satisfy scrutiny without clear evidence of how they operate in specific business lines.

Risk assessment processes, particularly in retail insurance, were often underdeveloped or inadequately evidenced at business unit level.

Why this matters

Risk assessments are the foundation of the control framework. Weakness here undermines everything downstream, from CDD through to monitoring and governance.

Many firms rely heavily on group‑level policies, but these were not always translated into jurisdiction‑ or product‑specific procedures.

Why this matters

The FCA expects firms to demonstrate how policies are applied in practice—not simply that they exist.

While most firms operate a three‑lines‑of‑defence model, many lacked clear articulation of roles and responsibilities. The FCA specifically highlighted the value of RACI frameworks.

Why this matters

Unclear ownership creates gaps in accountability, something the FCA is increasingly focused on in the SMCR environment.

Most firms had not mapped regulatory obligations to specific controls and accountable individuals.

Why this matters

Without this mapping, firms may struggle to evidence compliance or demonstrate oversight across complex product and jurisdictional structures.

Retail and wholesale insurers often do not operate formal transaction monitoring, reflecting business models, but the FCA expects firms to justify and document that position.

Why this matters

A lack of monitoring is not inherently problematic, but a lack of rationale or documentation is.

While firms recognise they retain liability for outsourced activities, few demonstrated genuinely risk‑based oversight models.

Why this matters

Outsourcing does not reduce regulatory risk. In practice, it often increases scrutiny.

Some firms struggled to evidence structured, risk‑based testing plans across second and third line functions.

Why this matters

Testing programmes are a key source of assurance, and are increasingly assessed by the FCA for coherence and coverage.

Life firms showed stronger overall control frameworks, although transaction monitoring remains an area for improvement.

The FCA will continue to engage with firms and expects the wider market to assess and respond to the findings without delay.

A targeted assessment of your framework against FCA expectations, including:

• risk assessment approach
• governance and accountability
• third party oversight
• monitoring and testing

Output: Red/amber/green assessment and prioritised action plan.

A structured rebuild or enhancement of one business unit’s risk assessment:

• aligned to FCA expectations
• designed to be repeatable across the organisation

Output: Practical, working risk assessment and supporting methodology.

Development of a clear obligations mapping tool:

• regulatory requirement → control → accountable owner
• aligned to SMCR accountability

Output: Usable, governance ready obligations register.

Design of a proportionate, risk based oversight model:

• risk tiering methodology
• oversight approach and MI design
• governance and escalation

A focused review of your current position:

• assessment of whether existing approaches are defensible
• documentation of rationale
• identification of proportionate enhancements where needed