FCA and its views on Business-Wide Risk Assessments (BWRA) and Customer Risk Assessments (CRA).
11/11/2025
The Financial Conduct Authority (FCA) has recently published several pieces of feedback and findings that highlight persistent challenges firms face in conducting
- Business-Wide Risk Assessments (BWRA) and
- Customer Risk Assessments (CRA).
Here's a summary of the key insights:
FCA Survey of Corporate Finance Firms (Oct 2025) Full source [fca.org.uk]
- In a survey of 303 corporate finance firms, two-thirds may not be compliant with the Money Laundering Regulations (MLRs) in one or more areas of their anti-financial crime frameworks.
- 11% of firms had no documented BWRA at all, including several principal firms with appointed representatives (ARs).
- 10% lacked documented evidence of Customer Due Diligence (CDD). [fca.org.uk]
- 66% of firms may be non-compliant with Money Laundering Regulations (MLRs).
- 29% of principal firms failed to assess financial crime risks for their Appointed Representatives (ARs).
- 6% did not monitor ARs’ compliance or conduct audits.
Good Practice Identified:
- Regular updates to BWRA to reflect emerging risks.
- Use of detailed Management Information (MI) to strengthen controls.
- 97% of firms report financial crime concerns to senior management.
FCA’s Response:
- Writing to potentially non-compliant firms.
- Part of a 5-year strategy to raise standards in financial crime oversight.
FCA Report on Money Laundering Through the Markets (Jan 2025) Full PDF Report [fca.org.uk]
BWRA Observations:
- Some firms underestimated or poorly documented financial crime risks.
- Lack of understanding across firms about how they could be targeted by criminals.
CRA Observations:
- Increasing use of weighted risk factors and country risk assessments.
- Weak documentation of CRA methodology and rationale.
- Inconsistent treatment of domestic vs foreign PEPs.
Other Key Areas:
- KYC/CDD: Improvements noted, but over-reliance on third parties persists.
- Governance: MI reporting improving, but oversight still varies.
- Transaction Monitoring (TM): Automated systems often ineffective alone; integration with other controls needed.
- SARs Reporting: Limited awareness of UKFIU glossary codes; inconsistent quality.
- Training & Resourcing: Still not tailored to firm-specific risks and roles.
FCA Expectations:
- Robust systems and controls at every stage of the customer and transaction journey.
- Proactive identification, investigation, and reporting of suspicious activity.
- Tailored training, governance, and documentation.
Disconnect Between Risk Assessments and Reality
Many firms struggle to connect their risk assessments to actual financial crime risks. This includes failing to consider:
- Geographic and customer risk factors
- Product/service delivery channels
- Control effectiveness
- National Risk Assessments (NRAs) [comsuregroup.com]
Common Pitfalls in BWRA Execution
According to a former FCA Skilled Person:
- Over-complicated methodologies that confuse rather than clarify
- Poor data quality and limited availability
- Subjective control assessments lacking objective evidence (e.g., audit reports)
- Inadequate documentation of methodology and findings [dcmoperations.com]
Regulatory Expectations
The FCA expects firms to:
- Conduct robust, systematic BWRAs
- Use diverse sources (e.g., FATF reports, UK NRA, press, court judgments)
- Ensure assessments are proportionate to the firm’s size and complexity
- Document and test control effectiveness
- Integrate findings into the firm’s AML/CTF/PF policies and procedures [dcmoperations.com]
Case Example: Zeux Limited
The FCA declined Zeux Limited’s crypto registration due to:
- Poor BWRA methodology
- Lack of consideration for product, customer, and geographic risks
- No evidence of control testing
- Misclassification of risks and controls
- Ignoring the UK National Risk Assessment [comsuregroup.com]
Good Practice Recommendations
- Document everything: From methodology to control testing outcomes.
- Use multiple data sources: Don’t rely solely on internal data.
- Tailor assessments: Align with the firm’s business model and risk exposure.
- Train staff: Ensure understanding of financial crime risks and assessment processes.
- Review regularly: Update BWRAs and CRAs in response to changes in the risk landscape.
Sources
- https://www.fca.org.uk/news/press-releases/gaps-financial-crime-oversight-corporate-finance-firms
- https://comsuregroup.com/news/fca-enforcement-notice-good-and-bad-practices-on-business-wide-risk-assessment-bwra/
- https://www.dcmoperations.com/insights/business-wide-financial-crime-risk-assessments
- https://www.fca.org.uk/publication/corporate/money-laundering-through-markets-review-january-2025.pdf