The latest enforcement data signals that the FCA is prioritising speed and deterrence over lengthy investigations.

The opinions expressed here are those of the authors. They do not necessarily reflect the views or positions of UK Finance or its members.

Whilst open enforcement operations fell from 188 to 130 during the year to March 2025, there were 37 final notices, 5 criminal convictions, over £186 million in fines and a 7-fold increase in cancelled authorisations.

At the same time, it has signalled it is a regulator willing to intervene earlier, move faster, and apply pressure long before issues reach formal enforcement.

The question for firms is simple: if the FCA came knocking, would your framework demonstrate control, or expose how much still depends on manual workarounds, weak challenge and stale assurance? 

What the direction of travel tells us

The message from the FCA is clear. Financial crime remains firmly on the supervisory agenda. The regulator is using a broad toolkit (information requests, deep dives, attestations, voluntary requirements, and Skilled Person reviews), moving earlier, and drawing on data and intelligence to identify harm and intervene before issues mature into enforcement cases. Firms that still treat supervision as a periodic compliance event rather than a live business risk may find themselves tested before they are ready.

That matters because some firms still assume that if they are not under enforcement action, they are in the clear. In practice, the more likely scenario is an early supervisory challenge, followed by restrictions agreed under pressure, while remediation is undertaken. By that stage, management attention, capital and credibility are already being consumed, often at speed.

The new thematic review sharpens the point

The FCA’s newly published review of firms’ CDD controls reinforces where supervisory focus is landing. The emphasis is not just on whether firms have policies and procedures, but on their quality, and on whether compliance monitoring and audits are capable of detecting weaknesses rather than simply reporting activity.

Taken alongside the FCA findings on risk assessments, the direction is consistent. Many firms have assessments in place, but too few tailor them properly to their business, products and customer base. Some still struggle to explain clearly how identified risks are being mitigated in practice. 

Where firms still get caught out

The recurring weaknesses are familiar. Weak AML knowledge. Policies that read well but do not reflect operational reality. Poor CDD. Overreliance on SDD. Assurance that lacks depth or subject matter expertise. And, too often, a culture where issues are recognised late, escalated slowly, or softened before reaching decision-makers.

That is precisely why supervisory tools can bite so hard. A Skilled Person review is not just a technical exercise; it is an expensive and intrusive assessment that diverts leadership attention, pulls heavily on internal resources and often runs alongside restrictions that curb growth and revenue. Voluntary requirements may be presented as agreed measures, but in practice they can feel more like a ‘voluntary headlock’. Attestations raise the stakes further by placing personal accountability on senior individuals.

The common thread is execution. Failures are about weak implementation, poor communication, inadequate testing and overconfidence in arrangements that have never been tested. 

The practical implication is that firms need to prepare for supervision as they would for a live incident. Once intervention starts, the burden shifts quickly. Firms must evidence decisions, explain design choices, defend residual risk, and demonstrate that remediation is credible, prioritised and properly governed. 

What firms should ensure now

Risk assessments that are genuinely tailored and dynamic, supported by evidence, linked to risk appetite and translated into practical, defensible controls.

CDD and ongoing monitoring that evolves, with clear triggers for escalation and enhanced scrutiny, rather than a file opening exercise that quickly becomes static.

Credible assurance delivered by people with sufficient expertise and independence to test whether controls work in practice, not just whether policies exist on paper. 

Supervisory response playbooks so that if a VREQ, attestation or Skilled Person review arises, governance, communication, evidence management and resource planning are already thought through.

A culture of early escalation and challenge, because firms that identify issues quickly, take ownership and remediate thoroughly are consistently better placed than those that delay, minimise or obfuscate. 

Firms that build adaptive, evidence-based controls and treat supervision as a strategic risk will be far better placed to withstand that scrutiny. Those that do not may find the FCA setting the pace long before they are ready to run.
