The FCA has just published the results of its multi-firm review into insurers' financial crime controls. The findings won't have surprised many compliance professionals; most of the weaknesses identified reflect longstanding challenges across financial crime frameworks. What is new is what the review tells us about the regulator's supervisory approach and priorities.
It's worth noting that the FCA found that most firms' systems and controls were broadly effective. This isn’t about widespread failings, more about the granularity and precision the regulator now expects, even in a sector traditionally viewed as lower risk.
Why the 'low risk' assumption no longer holds
For years, many insurance firms have taken comfort in the fact that their money-laundering exposure is generally lower than that of banking or payment firms. Some parts of the sector fall outside the Money Laundering Regulations altogether. The assumption has often been that a proportionate approach means a lighter approach.
The FCA’s new review demonstrates that, despite the lower risk, insurance firms are firmly within its supervisory focus on financial crime. Firms are expected to understand their risks, demonstrate their rationale, and evidence that their controls work in practice.
Documentation issues, or something deeper?
At first glance, many of the FCA's findings appear to be documentation issues. Policies weren't sufficiently tailored, risk assessments weren't evidenced, client due diligence approaches weren't fully documented, and roles and responsibilities weren't always clearly defined.
However, that misses the point; the FCA is really concerned with whether firms genuinely understand their financial crime risks and whether their control framework has been consciously designed around those risks rather than inherited from a group template or copied from a generic compliance manual.
The bigger picture: operational effectiveness over policy completeness
This review is consistent with the FCA's broader regulatory direction. Across multiple sectors, the regulator has moved away from assessing whether firms simply have policies in place towards asking whether those policies operate effectively in practice. Insurance firms shouldn't assume they're somehow outside that trend.
The FCA has made it clear that financial crime risks in insurance are real, even where they differ from those in banking or payments. Firms are expected to understand those risks, implement controls that are proportionate to them and, critically, be able to demonstrate why those controls are appropriate.
Key findings from the FCA's multi-firm review
Risk assessments that reflect the reality of the business
The review highlights something many firms underestimate: "insurance" is not a single risk category. The financial crime risks associated with life insurance, wholesale broking, retail distribution or delegated authority models can differ significantly. A proportionate approach, therefore, requires firms to be granular in how they assess risk across products, channels and customer types, rather than relying solely on a high-level sector view.
Tailored policies and procedures
Another recurring theme is over-reliance on group frameworks. Many firms had comprehensive group-level financial crime policies, but these often failed to explain how the controls applied to individual legal entities, jurisdictions or business units.
A global policy might be technically accurate, but it rarely explains how a UK insurance intermediary should apply those requirements in day-to-day operations, who owns each control, what local regulatory obligations apply or how outsourced providers fit into the picture.
Controls that are proportionate, justified and evidenced
A common theme throughout the review is that firms often had controls in place, but couldn't clearly explain why they had chosen that approach or demonstrate that it remained appropriate for their business.
One area of focus is transaction monitoring. The FCA acknowledges that many retail and wholesale insurance firms do not operate formal AML transaction monitoring due to their business models and regulatory status, which is consistent with a risk-based approach; however, the takeaway is that the FCA expects firms to document why transaction monitoring is or isn't appropriate for their business. It expects firms to explain how suspicious activity would instead be identified, how sanctions risks are managed and how wider financial crime obligations continue to be met.
Governance
The biggest takeaway isn't any individual control weakness; it’s governance. The FCA repeatedly highlights issues of ownership, accountability and oversight.
Examples include:
Firms lacking a formal RACI for financial crime responsibilities
Limited evidence of structured control testing
Insufficient oversight of outsourced activities, despite firms retaining full regulatory responsibility
Individually, none of these issues would necessarily indicate ineffective financial crime controls, particularly given the FCA's overall finding that most firms' frameworks were broadly effective; however, collectively, they make it harder for firms to demonstrate that their frameworks are operating effectively. That distinction matters because the FCA increasingly appears to be supervising firms on operational effectiveness rather than policy completeness.
Third-party and outsourcing oversight
The FCA also devotes considerable attention to third-party oversight. Many insurers rely on delegated authorities, TPAs, claims handlers and outsourced service providers. The FCA accepts this, but stresses that firms still maintain ultimate responsibility and can’t assume contractual arrangements provide sufficient oversight.
Only one firm reviewed had developed enhanced, risk-based oversight for higher-risk outsourced controls. The expectation is increasingly that firms should differentiate oversight based on risk, supported by meaningful MI, escalation processes and documented governance. As operational models become more complex, this is likely to become an increasingly important area of supervisory scrutiny.
What should insurance firms be doing now?
Firms should treat this review as an opportunity to test whether their framework would stand up to regulatory scrutiny. While it doesn’t provide a checklist, there are some practical questions that can be teased out that all insurance firms should consider asking:
Can we clearly articulate our financial crime risk assessment, including why certain controls are or aren't appropriate across different products and business lines?
If operating globally, are our policies genuinely tailored to our UK business, rather than copied from group documentation?
Can we map each regulatory obligation to an owner and the controls that manage it?
Is there clear accountability across all three lines of defence?
Do we have evidence that our controls are independently tested?
Are outsourced financial crime controls subject to oversight that reflects their level of risk?
If any of those questions produce uncertain answers, the FCA's review provides a useful starting point for improvement.
How can FINTRAIL help?
The themes identified by the FCA, from risk assessments that lack sufficient granularity to governance gaps and outsourcing oversight challenges, are all areas in which FINTRAIL regularly supports insurance firms.
FINTRAIL and Cosegic work together to give firms a genuinely joined-up response to these challenges. That might mean an independent review of your financial crime framework to see how it holds up against the FCA's expectations, support redesigning your risk assessment to reflect your actual business model, help with building the governance and accountability structures that make a framework demonstrably effective, or simply a conversation to sense-check where you stand.
The FCA's findings are a useful prompt. If any of the questions raised in this piece produced uncertain answers, it's worth taking a closer look before your regulator does.
Get in touch with our team to find out how we can help.