FCA's findings on Customer Due Diligence processes and controls: Good and poor practices

Policies clearly distinguishing CDD from EDD measures and comprehensive, detailed control frameworks for identifying politically exposed persons (PEPs) were indicators of good practice. Firms were also able to demonstrate that policies were actively embedded in day‑to‑day onboarding and review processes, rather than operating as static or purely theoretical documents.

Poor practice included: (i) inadequate detail (i.e. no clear explanation of what additional measures are required in EDD); (ii) insufficient information regarding when periodic reviews should be undertaken and next steps; (iii) lack of alternative methods for checking and verifying customer identity; and (iv) firms failing to follow their own policies. In some cases, deficiencies in documentation created challenges in evidencing compliance to supervisors, even where firms believed risks were being managed operationally.

CDD processes that functioned well contained clear guidance for EDD measures and were tailored for the specific financial crime risks posed by individual customers. Documenting each stage of a firm’s EDD process was also a strong factor. This included maintaining clear audit trails to demonstrate why particular risk assessments were reached and how enhanced measures were applied in practice.

Poor practice in CDD processes was indicated by a clear lack of information and relevant documentation, such as evidence of the specific EDD steps taken or details on the purpose of the business relationship. There were also concerns regarding effective governance and oversight, with requirements for senior management approval not specified. The FCA noted that weaknesses in governance arrangements increased the risk of inconsistent decision‑making and insufficient challenge for higher‑risk relationships.

Firms which demonstrated good practice in terms of compliance conducted thematic reviews of their CDD processes through external audit. They also carried out regular audits of their CDD systems and controls. These firms were better able to identify systemic issues and drive continuous improvement across their control frameworks.

Firms exhibiting poor practice in this area included: lacking detail regarding how they were conducting quality control checks, having no independent reviews of CDD/EDD in place, and having no version control over their documentation. Inadequate version control and review evidence also increased the risk of outdated or inconsistent standards being applied across the business.