FCA Review: Insights into Business-Wide and Customer Risk Assessments

The Financial Conduct Authority (FCA) recently conducted a multi-firm review focusing on risk assessment processes and controls in firms. The review provides valuable insights and practical examples of both good and poor practices for firms across the financial services sector. It forms part of the FCA’s broader financial crime supervisory work, underpinning its 2025–2030 strategy.

The FCA assessed Business-Wide Risk Assessment (BWRA) and Customer Risk Assessment (CRA) processes through questionnaires, desk-based reviews of policies and procedures, and firm interviews. The findings are relevant to all regulated firms, including Money Laundering Reporting Officers (MLROs), Senior Managers with oversight responsibilities and industry practitioners working in financial crime prevention, particularly those responsible for assessing risk and setting strategy.

Identifying, Understanding and Assessing Risk 

While most firms maintain a BWRA, few tailor it specifically to their business model. Some firms utilise both qualitative and quantitative data to assess inherent risks, mitigating controls and residual risks. Larger firms often integrate risk assessment activities across business functions to create a consolidated, firm-wide view.  

However, the FCA found that many firms are unable to adequately explain how identified risks are managed or mitigated. Some firms have successfully tailored their CRA processes using sub-factors and weightings to reflect the specific risks their business faces. Firms that effectively link their risk appetite, BWRA and CRA processes demonstrate the strongest approach to identifying and assessing risk. 

Examples of Good Practice 
  1. Comprehensive Risk Assessments: Incorporate both qualitative and quantitative measures. Consider a broad range of internal and external factors, appropriately weighted. Conduct assessments at the business unit level and aggregate into the BWRA. These should consider inherent risks, control effectiveness and residual risks. 
  2. Annual Detailed Review: Firms conduct a formal annual review of the BWRA, rather than merely refreshing it. 
  3. Tailored Assessments: Risk assessments are tailored to the firm, products and customers. Firms clearly document how risks are being managed. 
Examples of Poor Practice 
  1. Lack of Detail: Some BWRAs focus mainly on fraud or generic risks, neglecting areas such as money laundering, sanctions, anti-bribery and corruption, proliferation financing and terrorist financing risks. The FCA observed firms oversimplifying the risks they are exposed to and failing to explain how each risk affects the firm.
  2. No Quantitative Analysis: Risk assessments are exclusively qualitative. 
  3. Unclear Processes: Some BWRAs lack clarity on how the firm identifies and assesses inherent risks. 
  4. Unsupported Conclusions: Firms conclude that their business is low-risk, or that their controls are effective or mature, without appropriate evidence to support this. 
Mitigating and Managing Risk 

Although firms typically consider financial crime risk in business planning, the FCA observed that the connections between risk assessments, decision-making and ongoing monitoring are often weak. As firms grow, their personnel, systems and training must scale appropriately to maintain control effectiveness. Strong governance requires informed senior oversight of all financial crime risks, not just fraud. Leading firms integrate updated risk assessments into their broader financial crime frameworks and ensure that outcomes from BWRA and CRA processes are shared with senior management to foster accountability. 

Examples of Good Practice 
  1. Compliance Aligned with Growth: Firms consider capacity of their compliance and financial crime functions to support the current and future growth strategy. 
  2. Integrated Risk Framework: The BWRA feeds into the firm’s risk appetite, controls testing, and overall risk-based approach. The CRA directly informs Customer Due Diligence (CDD), transaction monitoring, and other control processes. 
  3. Formal Tracking of Actions: Firms maintain records of BWRA-related actions and recommendations, including plans to mitigate identified risks. 
  4. Enterprise-Wide Risk Consideration: Financial crime risks are factored into product development, business strategy, sales planning, and growth initiatives. The MLRO participates in relevant committees to articulate risks and recommend financial crime framework enhancements. 
  5. Senior Oversight and Challenge: Firms share the BWRA document and summary with Senior Management and committees for review and approval, highlighting trends, conclusions, recommendations and actions. CRA management information is provided to Senior Management committees for discussion. There is evidence of MLRO and committee challenge of risk assessments.
  6. Continuity Plans: CRA processes are integrated into business continuity plans. 
  7. Documented Risk Methodologies: Firms detail risk assessment methodologies and document any updates formally through governance channels. 
  8. Ongoing Reviews: Firms review their risk assessment models and processes, with quarterly or triggered updates to risk assessments to make sure they are responsive to emerging risks and changes in regulatory requirements.
  9. Consistent BWRA and CRA Alignment: CRA processes reflect the risks identified in the BWRA, using aligned weightings and sub-factors. 
Examples of Poor Practice 
  1. Risk Framework Lags Behind Growth: Some firms have not developed their CRAs in line with business growth to ensure scalability, consistency and accuracy.  
  2. Lack of Action Tracking: Firms do not assign ownership or maintain records for BWRA-related actions. 
  3. Rapid Expansion: Firms expand product lines or customer types without adequately assessing or adjusting risk controls. 
  4. Insufficient Senior Oversight: Senior management discussion, challenge and approval of BWRAs are not documented.
  5. Limited Understanding of Risk: Senior oversight focuses predominantly on fraud, neglecting broader financial crime risks. 
  6. Lack of Testing: Some firms carry out limited or no testing and reviews of risk assessment processes when they make enhancements, upgrades or automation. 
  7. Static Risk Assessments: Firms do not regularly update their risk assessments, leading to outdated profiles that negatively impact strategic decisions and control designs. 
How Complyport Can Help 

Complyport can help your firm navigate the compliance challenges arising from these regulatory developments by providing: 

  • Regulatory Guidance: Expert support on the FCA’s expectations across areas such as governance, ICARA, Consumer Duty and conflict-of-interest management. 
  • BWRA Preparation and Enhancement: Developing or enhancing BWRAs to ensure they are risk-based, tailored and aligned with FCA expectations.
  • Ongoing Compliance Support: Continuous assistance to ensure your firm’s frameworks remain aligned with evolving FCA requirements. 
  • Policy and Documentation Review: Review and enhancement of compliance manuals, governance structures, and internal processes. 
  • Training and Workshops: Bespoke sessions to embed best practices, strengthen oversight, and foster a strong culture of consumer-focused compliance. 

Contact Us 

To understand how these developments may impact your business and discuss your compliance needs, contact Complyport today to speak with one of our Subject Matter Experts. 