Anti-Money Laundering (AML) compliance teams are working in a space where expectations are well known, but execution still varies sharply across firms.
In 2025, the Financial Conduct Authority (FCA) carried out a multi-firm review of their expectations of Customer Due Diligence (CDD), Enhanced Due Diligence (EDD) and ongoing due diligence controls.
They assessed firms’ CDD systems and controls through questionnaires, desk-based reviews of policies and procedures, customer file sampling, and staff interviews, benchmarking findings against the Money Laundering Regulations 2017, FCA Financial Crime Guide (FCG), SYSC, JMLSG guidance, and FATF recommendations.
In a recent article, the FCA outlined the findings of this industry-wide review, highlighting the disparity that is emerging between what firms are getting right, and where firms continue to stumble.
What is now deemed ‘good practice’ by the regulator goes beyond minimum requirements laid out in legislation and regulatory guidance.
While rigorous expectations from the regulator are not new, the level of consistency that is now expected in terms of how firms apply AML controls, evidence them, and stand behind them when challenged is increasing.
Across recent supervisory findings, a clear pattern shows up: firms often have the right policies written down, but gaps appear when those policies are tested.
Below is a breakdown of what “good” looks like in FCA terms, where things tend to go wrong, and what this means for AML compliance teams responsible for keeping controls credible.
Clear definitions of CDD and EDD expectations
Firms that align with FCA expectations clearly distinguish between standard CDD and EDD. Firms that can demonstrate how risk is assessed and how far additional checks go when higher risk is identified.
Where firms are getting this right, policies set out exactly what extra steps are required under EDD, and how those steps change depending on risk level. There is a clear line between baseline onboarding and enhanced scrutiny.
Where firms fall short, EDD is often described in broad terms but not translated into operational detail. Staff are left unclear on what “enhanced” actually means in practice.
Another recurring issue is how firms handle identity verification when standard documents are not available. FCA expectations are not limited to rigid document sets. Firms are expected to show they can verify identity using alternative methods where needed.
Stronger firms guide staff on acceptable alternative evidence and escalation routes when standard ID cannot be provided.
However, where this guidance is missing, staff are left without clear options. That leads to either delays in onboarding or inconsistent decision-making across teams. In some cases, customers are onboarded with incomplete verification simply because there is no structured alternative pathway.
That gap can quickly become a problematic, especially when high-risk customers are onboarded without consistent escalation or additional verification.
A related issue is when firms do not follow their own policies. Procedures are written, but periodic reviews or escalation requirements are not consistently executed. This gap between policy and practice is often one of the most common findings in supervisory work.
Customer due diligence that reflects real risk
A key expectation from the FCA is that CDD is not a static checklist. It should reflect the financial crime risk posed by each customer. In what the FCA deems ‘stronger performing firms’, CDD requirements are determined based on risk indicators.
Higher-risk customers trigger deeper checks, while lower-risk relationships follow a proportionate approach. The rationale behind the level of information collected is documented and defensible.
In weaker firms however, firms collect the same information regardless of customer profile, or they fail to explain why certain data points are needed. This creates blind spots in understanding the purpose and intended nature of the relationship and weakens the ability to detect suspicious activity later in the relationship.
If initial CDD is weak or inconsistent, monitoring and ongoing reviews start from a fragile baseline.
Clarity around review cycles and compliance monitoring
The FCA places significant weight on how firms monitor and test their AML controls over time. It’s not enough to run processes, firms are expected to show those processes are regularly reviewed, challenged, and improved. Most firms have some form of compliance monitoring or audit in place, but the quality and depth of that oversight varies.
Stronger firms treat monitoring as an ongoing cycle with clear actions, tracked outcomes, and changes to how controls are applied. CDD frameworks are assessed regularly, sometimes through reviews led by internal audit or external parties, with findings documented, clear actions, tracked outcomes, and visible changes to how controls are applied.
Where issues start to show is around independence. In some firms however, there is little separation between those carrying out onboarding and those responsible for reviewing it. When the same team is effectively marking its own work, the value of assurance drops quickly. It becomes harder to identify gaps, challenge decisions, or spot patterns that point to wider control weaknesses.
In some firms however, there is little separation between those carrying out onboarding and those responsible for reviewing it. When the same team is effectively marking its own work, the value of quality assurance drops quickly. It becomes harder to identify gaps, challenge decisions, or spot patterns that point to wider control weaknesses.
How can ID-Pal help?
ID-Pal supports AML, KYC, and KYB processes through a structured, configurable rules-driven approach that helps firms apply CDD and EDD in line with FCA expectations. From onboarding through to ongoing monitoring, checks are standardised, documented, and easy to evidence when challenged.
To learn more, request your demo today.
