Preparing for a financial crime audit: Lessons from recent reviews

Posted on: 29 May 2025

Written by: Maya Braine

Financial crime and anti-money laundering (“AML”) controls are only effective when they work as intended: to prevent and mitigate illicit activity. Regular audits are one of the most reliable ways to evaluate whether systems meet regulatory expectations, including those under the UK Money Laundering Regulations or other similar national legislation. The Financial Conduct Authority (“FCA”) recognises internal audits or independent reviews as good practice for evaluating a firm’s framework and identifying areas for remediation. 

Over the past year, Cosegic conducted around 50 financial crime audits of UK-regulated payment firms. Our aggregated findings highlighted recurring weaknesses across the sector. Below are the key themes and considerations for firms looking to strengthen their compliance programmes.

Content overview

  1. Common financial crime audit findings
    - Policies and procedures
    - Business-wide risk assessments
    - Customer risk assessments
    - Technology
    - Governance

  2. Why these findings matter

  3. How Cosegic can help

Common financial crime audit findings

Policies and procedures

A consistent theme across audits was a gap between firms’ documented policies and actual day-to-day practices. Gaps often arise when policies and procedures are not regularly revisited as the business grows or changes. In many cases, key financial crime processes were not documented at all, particularly in the following areas:

  • Due diligence and enhanced due diligence (“EDD”): Without clear documented guidance on when and how to apply EDD, including specified triggers and what information to collect and assess, firms risk leaving staff to rely on individual judgment, resulting in inconsistency and missed risks
  • Screening alert handling: No documentation on how to triage, escalate, or close alerts leaves teams without a clear framework for resolution
  • Risk appetite: Without a clearly defined and communicated financial crime risk appetite, firms lack a consistent framework for decision-making and setting appropriate policies and controls
  • Senior management policy approval: Without formal senior management sign-off on anti-money laundering and counter terrorism financing (“AML/CTF”) policies, as required under the Money Laundering Regulations, firms risk regulatory scrutiny. Even when approval is granted, this should be formally documented or it may be considered a failing

Overall, the prevalence of inconsistent or missing policy documentation makes it difficult for firms to demonstrate compliance.

Business-wide risk assessments

A business-wide risk assessment (“BWRA”) is a critical tool for identifying and mitigating financial crime risks, yet it is frequently missing, misunderstood, or incomplete. Many firms either had no documented BWRA or wrongly treated customer risk assessments as equivalent. While customer-level insights can inform the BWRA, the FCA clarifies that they are not a substitute.

Even when a documented BWRA was in place, it often fell short of the structure and depth expected by the regulator. The most common gaps we observed included:

  • No comprehensive identification and assessment of relevant financial crime risks across money laundering, terrorist financing, proliferation financing, fraud and sanctions evasion
  • Inadequate evaluation of existing controls and their effectiveness
  • No assessment of residual risk or clear indication of whether the firm accepts or intends to reduce that risk

The FCA also raised these concerns in a recent Dear CEO letter. Firms are reminded to assess risk across their customers, the countries or geographic areas in which they operate, their products or services, transactions, and delivery channels—using the BWRA to design proportionate policies, controls, and procedures.

Customer risk assessments

Customer risk assessments often lacked the robustness required to meet regulatory expectations. Many firms relied on just one or two static factors, such as nationality or country of residence, assigned at onboarding and not refreshed throughout the customer relationship. 

This approach falls short of the Joint Money Laundering Steering Group’s guidance, which outlines an illustrative set of risk factors firms should consider when assessing money laundering and terrorist financing risks, including the customer’s business or professional activity, reputation, behavioural patterns, and geographic exposure. Without regular updates to reflect changes in behaviour or exposure, customer risk scores can quickly become outdated and unreliable.

Technology

Many firms lacked a methodical approach to adopting and managing AML and financial crime technology, with evaluation and oversight often ad hoc or undocumented. Common issues included:

  • No documented approach to technology adoption
  • Inability to explain how tools were assessed
  • No evidence of regular testing or ongoing review 

While technology underpins many financial crime controls, firms remain responsible for how tools are selected, governed, and validated. Without a consistent, documented process for technology governance, firms risk relying on tools and controls they cannot demonstrate are working as intended. 

Governance 

Many firms lacked clear governance structures or consistent processes to monitor, escalate, and address financial crime risks. Common gaps included:

  • No regular or structured management information (“MI”) relating to financial crime
  • No minutes or records of financial crime discussions
  • No tracking of actions to resolve audit or regulatory findings

When financial crime MI is unstructured or buried in broader compliance reporting, senior management may lack the visibility needed to oversee and address risks. The FCA expects firms to maintain clear information flows to senior management to support accountability and oversight.

Why these findings matter

Left unaddressed, these weaknesses create serious regulatory and reputational risks. Gaps in documentation, unclear governance, and poor oversight of technology and controls heighten the risk of financial crime. These weaknesses also contribute to operational inefficiencies, which increase compliance costs and strain resources.

The FCA has made financial crime a clear supervisory priority. Enforcement activity has surged, with £176 million in penalties issued in 2024, a jump from £53 million in 2023. The regulator’s 2025 letter highlights continued concerns across the payments sector and signals increased supervisory activity, with ongoing emphasis on areas like sanctions systems and controls.

Recent high-profile enforcement cases have led to heavy financial penalties and the potential loss of public trust and reputation. They have also highlighted how poor oversight of technology and delays in addressing known system weaknesses can result in regulatory breaches. 

An independent audit, conducted at least annually, provides a structured assessment of whether controls are designed effectively, operating as intended, and likely to withstand regulatory scrutiny. By identifying weaknesses early, audits help firms address risks before they develop into larger control gaps.

How Cosegic can help

As a leading UK compliance consultancy with decades of industry experience, Cosegic helps regulated firms improve their approach to managing financial crime risks. 

Here’s how we can support your firm:

Health checks and full audits

Independent assurance reviews of your AML and financial crime policies, procedures, and controls, including document checks, hands-on testing, and staff interviews to provide clear recommendations.

Remediation planning

Expert support to help you address audit findings efficiently. We assist with policy updates, customer file reviews, and remediation after audits or Skilled Person reviews to ease internal resource pressure.

Policy and framework design

We help review and design policies and procedures to ensure they are proportionate, up to date, and fit for purpose.

Staff training

Equip your teams with practical knowledge through tailored financial crime workshops, delivered virtually or in person, with certification provided.


Looking to enhance your financial crime programme? Explore our services below or contact us to arrange a tailored audit or consultation.


Maya Braine

Maya has worked in Financial Services for nearly 15 years, with the last five specifically working in the financial crime consultancy space.
