FCA AML Audit Preparation Checklist for UK Payment Institutions


Preparing for an FCA AML Audit?

ComplyFactor’s specialist AML audit team helps UK payment institutions and EMIs pass FCA inspections with confidence. Our services include:

  • Pre-FCA Mock Audits: Identify gaps before regulators arrive
  • AML Compliance Program Development: Build robust frameworks aligned with MLR 2017
  • Fractional MLRO Services: Expert oversight without full-time costs
  • FCA Remediation Support: Fix findings and prevent enforcement action


The Financial Conduct Authority’s approach to anti-money laundering supervision has intensified dramatically. With payment institutions and electronic money institutions representing some of the highest-risk sectors for financial crime, FCA AML audits have become increasingly thorough, data-driven, and unforgiving. Recent enforcement actions demonstrate that inadequate preparation can result in multi-million pound fines, public censure, or even the loss of your authorisation.

If you’re an authorised payment institution (API), small payment institution (SPI), or electronic money institution (EMI), understanding how to prepare for FCA AML inspection isn’t just about compliance—it’s about protecting your business’s future. This comprehensive guide provides a detailed FCA AML audit preparation checklist that covers every critical area the regulator will examine.

Understanding the FCA’s AML Supervision Framework

The FCA supervises over 25,000 firms for anti-money laundering compliance under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017). Payment institutions fall into the FCA’s enhanced supervision category due to their inherent money laundering and terrorist financing risks.

The FCA employs a risk-based supervisory approach, which means your firm’s history, business model, customer base, and jurisdictional exposure directly influence the intensity and frequency of regulatory scrutiny. Payment firms operating cross-border, serving high-risk sectors, or offering innovative payment solutions face heightened supervision.

FCA AML audits typically take three forms:

  • Desk-based reviews involve requesting documents and data remotely, focusing on specific risk areas identified through regulatory intelligence or your firm’s own reporting.
  • On-site visits represent more intensive examinations where FCA teams spend days or weeks at your premises reviewing files, interviewing staff, and testing systems.
  • Skilled person reviews (Section 166 of FSMA) require you to commission independent experts to assess specific aspects of your AML framework, with findings reported directly to the FCA.

The regulator’s examination methodology follows the three lines of defense model, scrutinizing your business operations (first line), compliance oversight (second line), and internal audit functions (third line). Understanding this framework helps you structure your preparation effectively.

💡 PRO TIP

The FCA increasingly relies on data analytics to identify outliers. If your SAR filing rates, customer exit rates, or transaction patterns deviate significantly from peer firms, expect detailed questions. Proactively analyze your own metrics against industry benchmarks before the regulator does.

Pre-Audit Preparation: What to Do Before FCA Contact

Effective FCA AML audit preparation begins long before you receive official notification. Leading payment institutions maintain a state of “audit readiness” through continuous compliance monitoring rather than scrambling when regulators appear.

Conduct a Comprehensive Gap Analysis

Begin by comparing your current AML framework against the Money Laundering Regulations 2017, FCA Handbook requirements (particularly SYSC 6), Payment Services Regulations 2017, and guidance from the Joint Money Laundering Steering Group (JMLSG). This analysis should identify discrepancies between regulatory expectations and your actual practices.

Your gap analysis should examine governance structures, policy documentation, risk assessment methodologies, customer due diligence procedures, transaction monitoring effectiveness, suspicious activity reporting processes, record-keeping practices, and staff training programs. Document every gap with a severity rating and remediation timeline.

Update Your Financial Crime Risk Assessment

The business-wide risk assessment (BWRA) serves as the foundation of your entire AML program. The FCA expects this document to be current, comprehensive, and genuinely reflective of your evolving risk profile. Your BWRA must address customer risk (types of customers, geographic exposure, business relationships), product and service risk (payment types, transaction characteristics, delivery channels), geographic risk (countries you operate in or transact with), and distribution channel risk (how customers are onboarded and services delivered).

The risk assessment should quantify inherent risks before controls and residual risks after control implementation. This demonstrates that your mitigation measures are actually effective. Many firms fail FCA scrutiny because their risk assessments are generic templates rather than bespoke analyses of their specific business model.

If your business has evolved since your last risk assessment—new products, markets, or customer segments—update the document immediately. The FCA views outdated risk assessments as evidence of inadequate governance.

Organize Your AML Documentation Library

FCA inspectors will request extensive documentation. Having materials organized and readily accessible demonstrates control and professionalism. Create a centralized repository (digital or physical) containing your AML policies and procedures, financial crime risk assessment, MLRO appointment documentation, board and senior management meeting minutes discussing AML matters, customer due diligence and enhanced due diligence procedures, transaction monitoring rules and scenarios, suspicious activity report filing records, training materials and attendance records, internal audit reports covering AML, previous regulatory correspondence, and third-party due diligence files for outsourced functions.

Implement a document version control system that clearly identifies current versions and maintains an audit trail of changes. The FCA will want to understand how policies evolved over time, particularly in response to regulatory changes or identified deficiencies.

Prepare Your MLRO for Detailed Questioning

Your Money Laundering Reporting Officer will face extensive questioning during any FCA examination. The MLRO should be prepared to articulate the firm’s risk appetite for financial crime, explain how the AML framework mitigates identified risks, discuss specific customer cases and SAR decisions, demonstrate knowledge of MLR 2017 requirements and FCA expectations, explain governance escalation processes for AML issues, and describe how AML effectiveness is measured and reported.

The regulator assesses whether your MLRO has appropriate seniority, independence, resources, and expertise. If your MLRO is overstretched, lacks board access, or operates without adequate support, remediate these deficiencies before the audit. Many payment institutions now utilize fractional MLRO services to ensure they have appropriate expertise without the cost of a full-time senior hire.

⚠️ COMMON MISTAKE

Many payment institutions assign MLRO responsibilities to their compliance officer as an additional duty without reducing other responsibilities or providing specialized training. The FCA consistently finds this arrangement inadequate. Your MLRO needs dedicated time, resources, and genuine authority to be effective.

The Complete FCA AML Audit Checklist: 15 Critical Areas

1. Governance and Management Oversight

The FCA expects payment institution boards and senior management to take active ownership of AML compliance rather than delegating it entirely to the compliance function. Auditors will examine whether your board receives regular, detailed reports on financial crime risks and controls, approves and reviews the firm-wide risk assessment at least annually, sets clear risk appetite statements for money laundering and terrorist financing, ensures adequate resources are allocated to AML compliance, discusses significant SARs and how they inform business strategy, and reviews management information on AML control effectiveness.

Senior management meeting minutes should demonstrate substantive discussion of AML matters, not merely noting that a compliance report was “received and noted.” The FCA looks for evidence of challenge, questioning, and strategic decision-making around financial crime risk.

Your governance documentation should clearly define accountability for AML across the three lines of defense. Business units should own day-to-day compliance (first line), your compliance function provides oversight and policy development (second line), and internal audit provides independent assurance (third line). Role descriptions, reporting lines, and escalation procedures should be explicit and actually followed in practice.

2. Money Laundering Reporting Officer (MLRO) Function

The effectiveness of your MLRO function is central to FCA AML supervision. Inspectors assess whether your MLRO has appropriate qualifications and experience for your firm’s risk profile, sufficient seniority to influence business decisions, direct access to the board without filtering through operational management, adequate resources and budget to fulfill responsibilities, independence from business pressures and revenue targets, and clear authority to halt transactions or refuse customers when risks warrant.

The FCA will review your MLRO’s actual workload. If your MLRO also handles broader compliance, data protection, conduct risk, and operational resilience, the regulator may conclude they cannot effectively fulfill AML responsibilities. Documentation of MLRO time allocation, deputy arrangements during absences, and escalation to the board of resourcing concerns demonstrates appropriate governance.

For smaller payment institutions, the MLRO outsourcing model has gained FCA acceptance when structured properly. The key is ensuring the external MLRO has genuine integration with your business, appropriate oversight authority, and isn’t merely a “compliance consultant” producing documents without operational engagement.

3. Business-Wide Risk Assessment (BWRA)

Your financial crime risk assessment must be comprehensive, current, and genuinely reflective of your business. The FCA examines whether the assessment covers all required risk categories under MLR 2017, uses reliable data and intelligence sources, quantifies both inherent and residual risks, identifies specific vulnerabilities rather than generic risk statements, drives your control framework design, and is reviewed and updated when business changes occur.

Payment institutions frequently fail this area because their risk assessments are copied from templates or predecessors without customization. Your BWRA should reference specific aspects of your business model—the actual countries you transact with, the precise customer segments you serve, the exact payment instruments you offer.

Geographic risk analysis must go beyond simply listing countries as high/medium/low risk. Consider customer residence versus transaction destination, payment corridors you facilitate, and concentrations that might indicate unusual patterns. For example, if you’re a UK-based payment institution but 40% of your transactions involve Nigeria, your risk assessment must address why this is appropriate for your business model and how you mitigate associated risks.

The assessment should explicitly connect identified risks to specific controls. If you identify “risk of customers being used as money mules,” your BWRA should reference the specific CDD measures, monitoring rules, and staff training that mitigate this risk. This demonstrates that your risk assessment actually drives operational decisions rather than existing as a compliance document.

4. Customer Due Diligence (CDD) and Know Your Customer (KYC)

Customer due diligence represents one of the most scrutinized areas in payment institution AML audits. The FCA will test whether you’re applying CDD measures appropriately and consistently. Auditors typically select a sample of customer files across different risk categories and examine whether you’ve obtained and verified customer identity information, understood the nature and purpose of the business relationship, assessed the customer’s risk profile using defined criteria, applied enhanced due diligence where risks warrant, and maintained ongoing monitoring proportionate to risk.

For business customers, which many payment institutions primarily serve, CDD becomes more complex. You must understand ownership structures, verify beneficial ownership (individuals owning more than 25%), assess the nature of the business and expected transaction activity, and evaluate the source of funds for the business relationship.

The FCA pays particular attention to how you handle higher-risk customers. If you serve politically exposed persons (PEPs), customers from high-risk jurisdictions, cash-intensive businesses, or money service businesses, your enhanced due diligence must be genuinely enhanced—not merely standard CDD with a different label. Enhanced measures should include senior management approval for onboarding, additional information on source of funds and wealth, increased monitoring frequency, and ongoing screening against sanctions and PEP lists.

Many payment institutions fail because their CDD procedures exist in policy but aren’t consistently applied in practice. The FCA sample-tests customer files, and even a handful of inadequate files suggests systemic weaknesses. Before an audit, conduct your own file review across a representative sample, documenting deficiencies and implementing remediation where needed.

5. Enhanced Due Diligence (EDD) Triggers and Application

Enhanced due diligence requirements extend beyond politically exposed persons. The FCA expects payment institutions to apply EDD when customers are from or transact with high-risk third countries identified by the EU or UK, transactions involve complex or unusually large amounts, business relationships lack obvious economic or lawful purpose, or the customer profile presents higher money laundering risk based on your risk assessment.

Your EDD procedures should specify what additional measures you’ll implement. Generic statements like “additional information will be obtained” don’t suffice. Define the specific documents you’ll request, the senior management approval process, the enhanced monitoring you’ll conduct, and the documentation standards you’ll maintain.

The FCA recognizes that payment institutions must balance risk management with commercial viability, but the regulator expects you to clearly articulate your risk appetite. If you’ve decided to accept certain higher-risk customer categories, your board should have explicitly approved this decision with full understanding of the implications, and your controls must be demonstrably effective for these populations.

Regulatory technology solutions can help scale EDD processes, but the FCA will assess whether you’re using technology as a genuine control or merely to process volume. Automated adverse media screening, for example, is valuable only if alerts are meaningfully investigated rather than systematically dismissed.

6. Transaction Monitoring Systems and Effectiveness

Transaction monitoring generates extensive FCA scrutiny because many payment institutions deploy systems without adequate customization, testing, or governance. The regulator examines whether you have transaction monitoring coverage appropriate to your business model, defined scenarios and rules calibrated to detect relevant typologies, thresholds set based on data analysis rather than arbitrary figures, alert investigation procedures that are thorough and documented, and periodic testing and tuning of system effectiveness.

Generic monitoring scenarios designed for retail banks often prove inadequate for payment institutions. Your monitoring should detect patterns relevant to payment services—structuring across multiple smaller transactions, sudden changes in transaction volume or value, payments to high-risk jurisdictions inconsistent with customer profile, rapid movement of funds suggestive of layering, and transactions involving sanctioned parties or PEPs.

The FCA will request evidence of monitoring effectiveness. This includes metrics like total alerts generated, alerts investigated, alerts escalated to the MLRO, SARs filed from monitoring alerts, and false positive rates. If your system generates thousands of alerts but yields minimal SARs, the regulator will question whether scenarios are properly calibrated or investigations are superficial.

Transaction monitoring tuning should occur regularly based on typology intelligence, regulatory guidance, and internal experience. Document your tuning decisions, the data analysis supporting them, and senior management or MLRO approval. The FCA views tuning as an essential governance activity, not merely a technical exercise.

Many smaller payment institutions struggle to afford enterprise monitoring systems. The FCA accepts that controls must be proportionate, but this doesn’t eliminate the monitoring obligation. Manual or semi-automated approaches can be acceptable if properly designed, documented, and executed. The critical factor is demonstrating that your methodology effectively identifies suspicious activity given your specific risk profile.
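The following is an added example, not code from the original page or from ComplyFactor, showing how a small, documented monitoring routine of the kind this section describes can be built and how the effectiveness metrics discussed above (alerts generated, investigated, escalated, false positive rate) fall out of it. The transactions, CDD profiles and investigation outcomes are constructed sample data; the thresholds, the 48-hour window and the country code "XX" (standing in for a country on the firm's own BWRA high-risk list) are assumptions chosen for illustration, not regulatory figures.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed rule parameters (illustrative, not regulatory figures). A firm would
# derive these from its own risk assessment and data analysis, and document the tuning.
REVIEW_THRESHOLD_GBP = 3000
STRUCTURING_WINDOW = timedelta(hours=48)
STRUCTURING_MIN_COUNT = 3
STRUCTURING_MIN_TOTAL_GBP = 8000
VOLUME_SPIKE_RATIO = 1.5
HIGH_RISK_COUNTRIES = {"XX"}  # "XX" is a placeholder for a country on the firm's own high-risk list

# Constructed sample data: (customer_id, timestamp, amount_gbp, destination_country)
TRANSACTIONS = [
    ("C001", "2024-03-01T09:00", 2900, "GB"),
    ("C001", "2024-03-01T11:30", 2950, "GB"),
    ("C001", "2024-03-01T16:45", 2800, "GB"),
    ("C001", "2024-03-02T08:10", 2990, "GB"),
    ("C002", "2024-03-01T10:00", 500, "GB"),
    ("C002", "2024-03-03T10:00", 450, "GB"),
    ("C002", "2024-03-05T10:00", 9800, "GB"),
    ("C003", "2024-03-02T12:00", 1200, "XX"),
    ("C003", "2024-03-04T12:00", 1100, "DE"),
]

# Constructed CDD profiles: expected monthly volume and the corridors the customer declared
PROFILES = {
    "C001": {"expected_monthly_gbp": 12000, "declared_countries": {"GB"}},
    "C002": {"expected_monthly_gbp": 2000, "declared_countries": {"GB"}},
    "C003": {"expected_monthly_gbp": 5000, "declared_countries": {"GB", "DE"}},
}


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def detect_structuring(transactions):
    """Several sub-threshold payments inside a short window whose total crosses the threshold."""
    alerts = []
    by_customer = defaultdict(list)
    for cid, ts, amount, _country in transactions:
        if amount < REVIEW_THRESHOLD_GBP:
            by_customer[cid].append((parse(ts), amount))
    for cid, items in by_customer.items():
        items.sort()
        for i, (start, _amt) in enumerate(items):
            window = [a for t, a in items[i:] if t - start <= STRUCTURING_WINDOW]
            if len(window) >= STRUCTURING_MIN_COUNT and sum(window) >= STRUCTURING_MIN_TOTAL_GBP:
                alerts.append({"customer": cid, "rule": "structuring",
                               "detail": f"{len(window)} payments totalling {sum(window)} GBP within 48h"})
                break  # one alert per customer per run; the analyst sees all payments anyway
    return alerts


def detect_volume_spike(transactions, profiles):
    """Period volume well above what the customer said to expect at onboarding."""
    totals = defaultdict(int)
    for cid, _ts, amount, _country in transactions:
        totals[cid] += amount
    alerts = []
    for cid, total in totals.items():
        expected = profiles[cid]["expected_monthly_gbp"]
        if total > VOLUME_SPIKE_RATIO * expected:
            alerts.append({"customer": cid, "rule": "volume_spike",
                           "detail": f"{total} GBP against expected {expected} GBP"})
    return alerts


def detect_undeclared_high_risk_corridor(transactions, profiles):
    """Payment to a high-risk country the customer never declared as a corridor."""
    alerts, seen = [], set()
    for cid, _ts, _amount, country in transactions:
        if country in HIGH_RISK_COUNTRIES and country not in profiles[cid]["declared_countries"]:
            if (cid, country) not in seen:
                seen.add((cid, country))
                alerts.append({"customer": cid, "rule": "undeclared_high_risk_corridor",
                               "detail": f"payment to {country} not in declared corridors"})
    return alerts


def run_monitoring(transactions, profiles):
    return (detect_structuring(transactions)
            + detect_volume_spike(transactions, profiles)
            + detect_undeclared_high_risk_corridor(transactions, profiles))


# Constructed investigation outcomes, keyed by (customer, rule): what the analyst recorded
DISPOSITIONS = {
    ("C001", "structuring"): "escalated_sar",
    ("C002", "volume_spike"): "closed_no_sar",
    ("C003", "undeclared_high_risk_corridor"): "false_positive",
}


def effectiveness_metrics(alerts, dispositions):
    """The MI figures a supervisor asks for; an unworked backlog shows up as a gap."""
    keys = [(a["customer"], a["rule"]) for a in alerts]
    investigated = [dispositions[k] for k in keys if k in dispositions]
    fps = investigated.count("false_positive")
    return {
        "alerts_generated": len(alerts),
        "alerts_investigated": len(investigated),
        "sars_filed": investigated.count("escalated_sar"),
        "false_positive_rate": round(fps / len(investigated), 2) if investigated else None,
        "uninvestigated_backlog": len(alerts) - len(investigated),
    }


if __name__ == "__main__":
    found = run_monitoring(TRANSACTIONS, PROFILES)
    for alert in found:
        print(alert)
    print(effectiveness_metrics(found, DISPOSITIONS))
```

Each rule is a separate function so that its parameters, the data analysis behind them and the approval of any change can be documented per rule, which is the tuning record the section says the FCA expects to see; the metrics function deliberately reports the backlog of alerts with no recorded disposition, since that is the figure that exposes superficial investigation.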

7. Suspicious Activity Reporting (SAR) Processes

The FCA assesses whether your organization has a culture that encourages SAR reporting and processes that ensure quality submissions to the National Crime Agency. Inspectors will examine whether staff understand their obligation to report suspicions, barriers to reporting (such as revenue pressures) are addressed, the MLRO has a defined process for evaluating internal disclosures, SARs submitted to the NCA meet quality standards, you maintain comprehensive records of SAR decisions, and you comply with tipping-off and prejudicing investigation prohibitions.

The regulator expects payment institutions to file SARs not just reactively when suspicious activity is detected, but proactively when risk assessments, due diligence, or monitoring reveal concerns. Unusually low SAR volumes relative to your customer base and risk profile will trigger FCA inquiry into whether you’re identifying suspicious activity effectively.

SAR quality matters as much as quantity. The FCA reviews whether your SARs contain sufficient detail for law enforcement to act, explain why the activity is suspicious rather than merely describing transactions, include relevant customer due diligence information and background, and identify the suspected predicate offense where possible.

Documentation of MLRO SAR decisions is essential. When staff escalate potential suspicious activity but the MLRO determines a SAR isn’t warranted, this decision and rationale must be recorded. The FCA will test these determinations to assess MLRO judgment and whether defensive reporting cultures exist.

For payment institutions, certain transaction patterns should almost automatically trigger SAR consideration—customer attempts to circumvent transaction limits through structuring, payments inconsistent with the customer’s stated business purpose, involvement of sanctioned jurisdictions or parties, and frequent returns or chargebacks suggesting fraudulent activity.

8. Screening for Sanctions and PEPs

Sanctions screening and PEP identification failures represent significant FCA enforcement risks. The regulator expects payment institutions to screen customers and transactions against current sanctions lists (UN, UK, EU, OFSI), maintain up-to-date screening databases with appropriate refresh frequencies, investigate and document all screening hits including false positives, have procedures to freeze assets and report to OFSI when required, and screen for PEPs and their family members and close associates.

Many payment institutions implement screening at onboarding but fail to conduct ongoing screening as sanctions lists and PEP databases update. The FCA expects continuous screening or, at minimum, periodic re-screening of your customer base. A customer who isn’t sanctioned today may be designated tomorrow, and you must have processes to identify this change promptly.

Screening effectiveness depends on data quality. If customer records contain misspellings, inconsistent name formats, or incomplete information, your screening system may miss matches. The FCA will examine whether you have data quality controls ensuring screening can function effectively.

PEP screening extends beyond identifying politically exposed persons themselves to include family members (spouses, partners, children, parents) and known close associates. Your screening tools must have the breadth to capture these relationships, and your staff must understand that PEP associations create risk even when the customer isn’t personally a PEP.

When screening generates hits, investigation quality is paramount. The FCA reviews whether investigations are documented, consider the nature and strength of the match, involve appropriate escalation when genuine matches are confirmed, and result in consistent decision-making about relationship continuation or enhanced monitoring.
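As an added example (not code from the original page or from ComplyFactor), the routine below illustrates the data-quality point made in this section: naive exact matching misses a customer recorded as "EXAMPLE, John Quincy" or with a transposed letter, while normalising names before comparing catches both, and the PEP entries carry the family-member relationship so an associate is surfaced as a hit. The watch list entries are fictional placeholders, not taken from any UN, UK, EU or OFSI list, and the 0.85 similarity threshold is an assumption for illustration; a production screening tool would use the consolidated lists and a calibrated, documented threshold.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed, fictional watch list entries (placeholders, not real designations)
WATCHLIST = [
    {"list": "SANCTIONS", "name": "John Quincy Example"},
    {"list": "PEP", "name": "Maria Placeholder", "relationship": "self"},
    {"list": "PEP", "name": "Pedro Placeholder", "relationship": "spouse of Maria Placeholder"},
]

NOISE_TOKENS = {"ltd", "limited", "mr", "mrs", "ms"}


def normalise(name):
    """Strip diacritics, punctuation, casing and legal/honorific noise; sort tokens
    so that 'Surname, Forename' and 'Forename Surname' compare equal."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    text = re.sub(r"[^a-z0-9 ]", " ", text.lower())
    tokens = [t for t in text.split() if t not in NOISE_TOKENS]
    return " ".join(sorted(tokens))


def similarity(a, b):
    return SequenceMatcher(None, normalise(a), normalise(b)).ratio()


def naive_exact_screen(customer, watchlist=WATCHLIST):
    """What a case-insensitive exact comparison finds: nothing if the record format differs."""
    return [e for e in watchlist if customer["name"].strip().lower() == e["name"].lower()]


def screen(customer, watchlist=WATCHLIST, threshold=0.85):
    """Return every watch list entry above the similarity threshold, with the score
    recorded so the investigation of the hit (including a false positive) can be documented."""
    hits = []
    for entry in watchlist:
        score = similarity(customer["name"], entry["name"])
        if score >= threshold:
            hits.append({
                "customer_id": customer["id"],
                "list": entry["list"],
                "matched_name": entry["name"],
                "score": round(score, 2),
                "relationship": entry.get("relationship", "self"),
            })
    return hits


if __name__ == "__main__":
    # Constructed customer records showing the formats a real CDD database accumulates
    for record in [
        {"id": "K1", "name": "EXAMPLE, John Quincy"},   # surname-first format
        {"id": "K2", "name": "Jonh Quincy Example"},    # transposed letters
        {"id": "K3", "name": "Pedro Placeholder"},      # family member of a PEP
        {"id": "K4", "name": "Alice Nobody"},           # no match expected
    ]:
        print(record["id"], "naive:", naive_exact_screen(record), "normalised:", screen(record))
```

Keeping the score on each hit matters as much as the match itself: the section above notes that the FCA reviews whether investigations consider the nature and strength of the match, and a recorded score plus the matched entry is what lets a later reviewer see why a hit was cleared or escalated.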

9. Record Keeping and Data Management

The Money Laundering Regulations 2017 require payment institutions to maintain records of customer due diligence and transaction information for at least five years after the relationship ends. The FCA tests whether you maintain complete CDD documentation for current and former customers, transaction records with sufficient detail to reconstruct activities, copies of supporting identification and verification documents, records of ongoing monitoring activities and reviews, documentation of internal suspicion reports and SAR decisions, and business correspondence relevant to CDD and transactions.

Electronic record keeping is acceptable, but you must ensure documents remain accessible, unalterable (without audit trails), and protected from unauthorized access or loss. The FCA will inquire about your disaster recovery and business continuity provisions for compliance records.

Many payment institutions discover during FCA audits that their record retention practices are inadequate—customer files missing key documents, transaction records lacking required details, or historical records destroyed prematurely. Before an audit, conduct a record-keeping audit sampling files from different time periods and customer segments to verify completeness and accessibility.

Data protection considerations sometimes conflict with record retention obligations. Some payment institutions incorrectly delete customer information to comply with GDPR without recognizing that MLR 2017 provides a lawful basis for retention. Your privacy notices should explain that AML regulatory obligations require extended data retention despite relationship termination.

For payment institutions using third-party processors, payment gateways, or banking partners, establish clear agreements about who maintains which records and how you’ll access them if needed for regulatory purposes. The FCA holds you responsible for producing records regardless of where they’re stored.

10. Staff Training and Awareness

AML training effectiveness determines whether your policies translate into actual compliance. The FCA assesses whether all relevant staff receive AML training appropriate to their role, training covers MLR 2017 requirements and your firm’s specific procedures, you provide specialized training for MLRO, compliance, and customer-facing staff, training occurs at onboarding and regularly thereafter (at least annually), you test understanding and maintain training attendance records, and you update training when regulations, risks, or procedures change.

Generic online compliance training satisfies minimal requirements but doesn’t impress FCA supervisors. Leading payment institutions supplement general training with role-specific modules—customer onboarding staff receive detailed CDD training with examples from your actual business, operations teams learn to identify suspicious transaction patterns relevant to your payment types, and senior management receives governance-focused training on their AML oversight responsibilities.

The FCA increasingly expects training to incorporate real-world examples and case studies. If your firm has encountered suspicious activity, sanitized versions of these cases make excellent training materials demonstrating how theoretical risks manifest in your actual business. External case studies from FCA enforcement actions or regulatory penalties provide valuable lessons.

Training records must demonstrate that staff actually completed training, not merely that it was made available. Maintain sign-off sheets, completion certificates, or learning management system records showing who attended, when, and what topics were covered. For online training, ensure your system captures meaningful participation rather than users simply clicking through modules.

Consider whether your training addresses emerging risks and typologies. Financial crime methodologies evolve rapidly, particularly with technological innovation in payment services. Annual training updates should incorporate recent regulatory guidance, enforcement actions, and intelligence from the National Crime Agency or JMLSG.

11. Internal Audit and Independent Testing

The three lines of defense model requires independent verification that AML controls are designed appropriately and operating effectively. The FCA expects payment institutions to conduct periodic independent audits of AML compliance, document audit findings and management responses, track remediation of identified deficiencies, and ensure auditors have appropriate expertise and genuine independence.

For smaller payment institutions without dedicated internal audit functions, engaging external specialists to conduct annual AML reviews demonstrates good practice. These independent AML audits should test control design and operating effectiveness, not merely review policy documents.

The FCA will review your audit reports and management’s response. Audits that identify no deficiencies or only trivial findings suggest insufficient rigor. Credible audits find areas for improvement—the question is whether management takes findings seriously and implements timely remediation.

Audit scope should cover all critical AML components—governance, risk assessment, CDD, transaction monitoring, SAR reporting, screening, training, and record-keeping. Testing should include sample file reviews to verify that procedures documented in policies are followed in practice.

Tracking audit findings to closure demonstrates governance maturity. Maintain an issues register showing each audit finding, its severity, agreed remediation actions, responsible individuals, target completion dates, and actual completion status. The FCA will request this information to assess whether you have appropriate accountability for fixing deficiencies.

12. Third-Party and Outsourcing Risk Management

Many payment institutions rely on third parties for customer onboarding, payment processing, screening, or monitoring functions. The FCA emphasizes that outsourcing doesn’t outsource responsibility—you remain accountable for AML compliance even when functions are performed by vendors.

Regulators expect robust third-party risk management including due diligence on providers before engagement, written agreements clearly defining AML responsibilities, ongoing monitoring of vendor performance, right to audit provisions in contracts, and contingency plans if vendor relationships terminate.

Your due diligence on AML service providers should assess their expertise and track record, the adequacy of their systems and controls, their own regulatory compliance and audit results, data security and privacy protections, and whether they serve multiple clients in ways that could create conflicts.

Relying on third parties for CDD requires particular attention to the MLR 2017 requirements for such arrangements. You must ensure the third party is subject to equivalent AML regulations, obtain written agreement that they’ll provide CDD documentation upon request, and immediately obtain documentation on a risk-sensitive basis even if the third party performs the initial due diligence.

Payment institutions using banking-as-a-service (BaaS) providers or sponsor banks must clearly delineate AML responsibilities. Some institutions incorrectly assume their banking partner handles all AML obligations. The FCA will examine your agreements and operational practices to verify you understand and fulfill your distinct responsibilities under the Payment Services Regulations and MLR 2017.

13. Technology and Information Security Controls

The FCA increasingly scrutinizes whether payment institutions’ technology infrastructure adequately supports AML compliance and protects sensitive data. Inspectors assess whether your systems maintain complete, accurate records for compliance purposes, incorporate appropriate access controls limiting who can view or modify AML data, include audit trails of system access and changes, are protected against cybersecurity threats that could compromise compliance data, and have disaster recovery and business continuity provisions.

As payment institutions increasingly adopt artificial intelligence and machine learning for transaction monitoring or CDD, the FCA expects you to understand how these technologies function, validate that algorithms perform as intended, and maintain appropriate human oversight of automated decisions. Black-box AI that you can’t explain to regulators creates significant governance concerns.

Data quality directly impacts AML effectiveness. If your systems contain incomplete, inaccurate, or inconsistent customer information, your screening, monitoring, and reporting can’t function properly. The FCA will assess whether you have data governance frameworks ensuring information accuracy and completeness.

For cloud-based systems or services, you must demonstrate appropriate data protection, contractual provisions addressing regulatory access to data, and business continuity arrangements if your cloud provider experiences outages or the relationship terminates.

14. Management Information and Metrics

The FCA expects senior management and boards to receive regular, meaningful management information on AML control effectiveness. Simply reporting “no issues” doesn’t suffice. Your MI should include quantitative metrics like number of customers onboarded and risk distribution, CDD and EDD completion rates and timeliness, transaction monitoring alerts generated, investigated, and escalated, SARs filed and categories of suspicion, screening hits and false positive rates, and training completion rates.

Beyond numbers, qualitative reporting should cover emerging risks and typology intelligence, significant SARs or concerning customer behaviors, control deficiencies identified and remediation status, regulatory developments affecting your obligations, and resource adequacy for the compliance function.

The FCA will examine whether your MI prompts senior management action. If reports consistently show deteriorating control performance or increasing risks without corresponding management response, this evidences inadequate governance.

Leading payment institutions benchmark their metrics against peers to identify outliers. If your SAR filing rate or customer exit rate for AML concerns differs significantly from similar institutions, investigate why and consider whether your controls are calibrated appropriately. The FCA increasingly uses industry data to identify firms warranting enhanced supervision.

15. Regulatory Reporting and Communication

Beyond SARs, payment institutions have various regulatory reporting obligations the FCA will review. These include timely notification of significant compliance breaches under Principle 11, submission of accurate regulatory returns and data requests, reporting material changes to your business model or risk profile, disclosure of enforcement actions or regulatory issues from other jurisdictions, and cooperation with FCA information requests and supervisory activities.

The FCA assesses the candor and completeness of your regulatory communications. Institutions that proactively report concerns and seek guidance when uncertain demonstrate stronger governance than those that minimize issues or provide incomplete information to regulators.

When the FCA requests information, response quality and timeliness matter significantly. Incomplete, late, or evasive responses damage the supervisory relationship and may result in separate enforcement for failure to cooperate. If you need extensions for complex requests, communicate proactively rather than letting deadlines pass.

Maintaining a regulatory issues log tracking all FCA correspondence, requests, meetings, and commitments helps ensure nothing falls through the cracks. Assign clear ownership for FCA interactions and establish escalation procedures when requests raise complex issues requiring senior management or board involvement.

Documents the FCA Typically Requests During AML Audits

Understanding what documents the FCA requests during AML audits allows you to prepare materials in advance. While specific requests vary based on your risk profile and the audit’s focus, certain documents are almost always required.

Governance and oversight materials include board and senior management meeting minutes discussing AML matters for the past 12-24 months, MLRO reports to the board and senior management, organizational charts showing AML reporting lines and responsibilities, and role descriptions for the MLRO, compliance staff, and key business leaders.

Policy and procedure documentation encompasses your complete AML policy and procedures manual, customer due diligence and enhanced due diligence procedures, transaction monitoring procedures and scenario descriptions, suspicious activity reporting procedures, screening procedures for sanctions and PEPs, record-keeping and retention policies, and training materials and curricula.

Risk assessment materials include your current business-wide risk assessment, previous versions to show evolution, supporting data and intelligence sources used in the assessment, risk appetite statements or frameworks, and board approval of the risk assessment.

Customer due diligence files typically include a sample of customer files across different risk categories (the FCA usually selects the sample themselves), evidence of identity verification and beneficial ownership determination, risk assessments and scoring for sampled customers, enhanced due diligence documentation for higher-risk customers, and ongoing monitoring reviews and updates.

Transaction monitoring evidence includes transaction monitoring system documentation and configuration, scenario descriptions with parameters and thresholds, alert investigation records and disposition rationales, evidence of monitoring testing and tuning, and metrics on alerts, investigations, and escalations.

SAR documentation encompasses internal suspicious activity reports and MLRO evaluations, SARs submitted to the NCA (redacted as appropriate), documentation of decisions not to file SARs when suspicious activity was considered, and evidence of staff understanding of reporting obligations.

Screening records include sanctions and PEP screening results and match investigations, evidence of screening frequency for customers and transactions, false positive management documentation, and procedures for handling confirmed matches.

Training records include training curricula and materials, attendance records and completion certificates, evidence of role-specific training, and testing or assessments of understanding.

Audit and testing reports encompass internal audit reports on AML compliance, management responses and remediation tracking, independent reviews or consultant reports, and regulatory skilled person reviews if previously conducted.

Regulatory correspondence includes all previous FCA correspondence regarding AML matters, responses to regulatory information requests, notifications of breaches or issues, and any other regulator communications.

Having these materials organized, current, and readily accessible demonstrates control and allows you to respond efficiently when the FCA makes requests. Scrambling to locate documents or discovering gaps during an audit creates unnecessary risk and stress.

How to Prepare for FCA AML Inspection: The 90-Day Action Plan

If you’ve received notice of an upcoming FCA AML audit, intensive preparation should begin immediately. While the ideal is maintaining continuous audit readiness, this 90-day plan helps firms strengthen their position when time is limited.

Days 1-30: Assessment and Priority Identification

Immediately conduct a rapid gap analysis comparing your current state to regulatory requirements and the checklist in this guide. Engage external AML compliance specialists to provide objective assessment if internal resources lack experience with FCA audits. Their fresh perspective often identifies blind spots that internal teams miss.

Prioritize findings by severity: critical deficiencies that could result in enforcement action receive immediate attention; moderate issues that demonstrate control weaknesses but aren’t immediately dangerous come next; and minor gaps that represent opportunities for improvement are addressed last. Focus your limited time on critical and moderate issues.

Review a sample of customer files across different risk categories to identify CDD deficiencies. Don’t wait for the FCA to select files—proactively identify problematic cases and remediate them. If you discover systemic issues affecting broad customer populations, develop and implement remediation programs immediately.

Test your transaction monitoring system by reviewing recent alert investigations. If investigations are superficial, alerts are systematically dismissed without genuine analysis, or the system generates very few alerts relative to your volume, address these deficiencies urgently.

Days 31-60: Remediation and Enhancement

Implement remediation for critical findings identified during your gap analysis. Update policies and procedures to address regulatory requirements you’ve missed. Enhance your business-wide risk assessment if it’s outdated or inadequate.

Conduct customer file remediation for deficient accounts. This might involve contacting customers for additional documentation, conducting enhanced due diligence where previously only standard CDD was performed, or exiting relationships where adequate due diligence cannot be achieved.

If your transaction monitoring requires recalibration, implement scenario adjustments based on data analysis and typology intelligence. Document the rationale for changes and obtain MLRO or senior management approval.

Enhance your MLRO’s position if the current arrangement is inadequate. This might mean reducing other responsibilities to create capacity, hiring additional compliance staff, or engaging fractional MLRO support to supplement internal capabilities.

Implement or enhance management information reporting to the board and senior management. Ensure MI is data-driven, identifies trends and emerging risks, and prompts appropriate governance responses.

Days 61-90: Testing, Documentation, and Final Preparation

Conduct a mock audit using the checklist in this guide. Have your compliance team or external advisors assume the role of FCA inspectors, requesting documents and testing controls. This exercise identifies remaining gaps and helps staff become comfortable with the examination process.

Update all training materials and conduct refresher training for staff across all three lines of defense. Ensure customer-facing staff understand CDD requirements, operations teams recognize suspicious activity indicators, and senior management understand their governance responsibilities.

Prepare your MLRO and senior management for regulatory questioning. Develop clear, concise talking points about your AML framework, control effectiveness, risk appetite, and governance approach. The MLRO should be prepared to discuss specific customer cases, SAR decisions, and how the firm has evolved its AML program over time.

Organize your document repository ensuring all materials the FCA might request are readily accessible. Create an index or catalog so you can quickly locate specific documents when requested.

Conduct a final senior management or board discussion reviewing audit preparation, control enhancements implemented, remaining areas of concern, and the strategy for the regulatory engagement. This meeting demonstrates governance ownership of AML compliance.

Consider whether engaging external support for the audit itself would be beneficial. Some firms retain compliance consultants to assist with document provision, coordination, and regulatory interaction during examinations, particularly if internal teams lack experience with FCA audits.

Common FCA AML Audit Findings and How to Avoid Them

Understanding common deficiencies the FCA identifies in payment institution AML audits helps you proactively address these issues before they become findings in your examination.

Inadequate business risk assessments remain one of the most frequent findings. Many payment institutions use generic templates without customization to their specific business model, fail to update assessments when business changes, or don’t connect identified risks to specific control measures. Your risk assessment should be a living document that genuinely drives your AML program design.

Insufficient customer due diligence manifests in various ways—identity verification that doesn’t meet MLR 2017 standards, failure to understand the purpose and intended nature of business relationships, inadequate beneficial ownership identification for business customers, and standard CDD applied to customers who clearly warrant enhanced due diligence. Systematic file reviews and staff training address these issues.

Ineffective transaction monitoring frequently results from deploying systems without proper calibration, using scenarios designed for different business models without adaptation, generating excessive false positives that staff can’t investigate thoroughly, or monitoring that produces very few alerts despite higher-risk business activities. Monitoring effectiveness requires ongoing attention, not merely system deployment.

Poor SAR decision-making and documentation includes failure to file SARs when suspicious activity is identified, defensive filing of SARs for all ambiguous situations without genuine suspicion, insufficient documentation in SAR submissions preventing law enforcement action, and inadequate documentation of MLRO decisions not to file SARs when internal reports are escalated. Quality matters as much as quantity.

Weak MLRO function encompasses MLROs without appropriate seniority or authority, MLROs with excessive responsibilities beyond AML creating capacity constraints, MLROs lacking direct board access or being filtered through business leadership, and inadequate resources or budget for the MLRO function. The MLRO’s effectiveness determines your entire AML program’s success.

Inadequate senior management and board oversight manifests as AML treated as a compliance checkbox rather than a core business risk, board minutes showing minimal discussion of AML matters, management information that doesn’t prompt action when control performance deteriorates, and failure to provide adequate resources when deficiencies are identified. Governance tone from the top shapes your entire control culture.

Training deficiencies include generic training that doesn’t address your specific risks and procedures, failure to provide role-specific training for customer-facing and operations staff, training completion not tracked or enforced, and no refresher training when regulations or procedures change. Investment in comprehensive, tailored training programs prevents these issues.

Record-keeping failures result from incomplete CDD files missing required documentation, transaction records without sufficient detail to reconstruct activity, records destroyed before the five-year retention period expires, and inability to access historical records because of system changes or vendor relationship terminations. Periodic record-keeping audits identify these issues before regulators do.

Proactively addressing these common findings through the preparation checklist in this guide significantly reduces the likelihood they’ll appear in your FCA audit results.

What Happens After an FCA AML Audit

Understanding the post-audit process helps you prepare for potential outcomes and respond appropriately to regulatory feedback.

Following an FCA AML audit, the examination team compiles its findings and prepares a report. For on-site visits, you may be offered an exit meeting at which preliminary findings are discussed, though the FCA emphasizes that these are initial observations subject to refinement.

The formal regulatory feedback typically arrives weeks or months after the examination concludes, depending on complexity. The FCA categorizes findings by severity—requirements that must be addressed immediately due to serious deficiencies, recommendations for improvement that aren’t immediately critical but strengthen your framework, and observations about areas to consider but that don’t require specific action.

Your response to FCA findings significantly influences the regulatory relationship and potential enforcement consideration. Acknowledge findings clearly without being defensive, propose specific remediation actions with timelines, assign clear accountability for addressing each issue, and commit to reporting progress at defined intervals.

The FCA expects remediation plans that address root causes rather than superficial fixes. If monitoring deficiencies are identified, simply tweaking scenario thresholds doesn’t suffice—the FCA wants to see comprehensive monitoring effectiveness reviews, system validation, staff training, and governance oversight enhancements.

For serious deficiencies, the FCA may require skilled person reviews under Section 166 of FSMA, allowing the regulator to commission independent experts to assess specific aspects of your AML framework. These reviews occur at your expense and can be extensive. Alternatively, the FCA might require attestations from senior management or the board confirming remediation completion.

In the most serious cases, FCA AML audit findings can lead to enforcement action including public censure, financial penalties, restrictions on business activities, or even authorization withdrawal. Recent enforcement actions against payment institutions demonstrate the FCA’s willingness to use these powers when deficiencies are severe or firms fail to remediate issues.

Maintaining open, honest communication with your FCA supervisor throughout the remediation period demonstrates good governance. Proactively report if timelines will slip, explain challenges you’re encountering, and seek guidance when remediation approaches require regulatory input.

Many payment institutions engage compliance specialists to support remediation efforts, particularly for complex deficiencies requiring expertise they lack internally. ComplyFactor’s AML compliance program development services help firms build robust frameworks that address regulatory findings comprehensively rather than implementing quick fixes that don’t resolve underlying issues.

The Value of Independent AML Reviews Before FCA Contact

Rather than waiting for the FCA to identify deficiencies through enforcement-focused audits, leading payment institutions proactively commission independent AML reviews that identify and remediate gaps before regulatory scrutiny intensifies.

Independent reviews conducted by external specialists offer several advantages over purely internal assessments. External reviewers bring fresh perspectives unburdened by organizational groupthink, have experience with FCA expectations across multiple firms providing benchmark insights, can provide objective assessments without internal political considerations, and identify blind spots that internal teams miss because of familiarity.

The scope of independent AML reviews should align with the FCA audit checklist—comprehensive assessment of governance, risk assessment, CDD, monitoring, SARs, screening, training, and record-keeping. Reviews should include both policy and procedure evaluation and testing of operational effectiveness through file sampling and staff interviews.

Quality independent reviews don’t merely identify deficiencies but provide actionable remediation recommendations with implementation guidance. Rather than simply noting “transaction monitoring is inadequate,” effective reviews specify which scenarios require adjustment, how thresholds should be recalibrated, what additional staff training is needed, and how monitoring effectiveness should be measured going forward.

For payment institutions considering independent AML audits, timing matters. Conducting reviews well before anticipated FCA contact allows adequate time for remediation. Reviews conducted under FCA pressure serve primarily to identify the full scope of problems rather than prevent regulatory findings.

The cost of independent reviews represents a fraction of potential FCA enforcement penalties. Recent actions against payment firms have resulted in fines exceeding £1 million for AML failures, making proactive investment in compliance extremely cost-effective by comparison.

Building Long-Term AML Audit Readiness

While intensive preparation before an FCA AML audit helps firms survive regulatory scrutiny, the superior approach is maintaining continuous audit readiness through embedded compliance practices.

Implement continuous monitoring of your AML framework rather than point-in-time assessments. This includes regular management information tracking control effectiveness metrics, periodic sample testing of customer files to verify CDD quality, ongoing transaction monitoring effectiveness reviews and tuning, regular review of SAR quality and decision-making, systematic tracking of training completion and effectiveness, and quarterly compliance self-assessments identifying emerging issues.

Establish a compliance calendar scheduling all required AML activities—monthly or quarterly file sampling and review, semi-annual transaction monitoring effectiveness assessment, annual risk assessment update and board approval, annual training for all staff with role-specific supplements, and quarterly management information reporting to the board. This calendar ensures activities occur systematically rather than reactively.

Create a regulatory horizon scanning process monitoring FCA consultations, policy statements, and enforcement actions to identify emerging expectations before they become formal requirements. The FCA’s approach to AML supervision evolves continuously, and firms that anticipate changes position themselves advantageously.

Invest in your compliance team’s professional development. The regulatory environment’s complexity requires specialized expertise that generic compliance backgrounds don’t provide. Support MLRO and compliance staff obtaining professional qualifications, attending relevant conferences and training, and participating in industry groups like the JMLSG.

For smaller payment institutions where full-time specialist compliance teams aren’t economically viable, the fractional compliance model has proven effective. Outsourced MLRO services provide access to experienced professionals who maintain current knowledge across multiple clients, offering both expertise and cost efficiency.

Foster a compliance culture where AML isn’t merely a regulatory obligation but a core business value. This culture emerges from tone at the top, with senior management and boards demonstrating genuine commitment to financial crime prevention, resource allocation that prioritizes compliance appropriately rather than treating it as a cost center, and recognition that sustainable business growth requires robust controls, not merely aggressive customer acquisition.

Regular engagement with your FCA supervisor outside of formal examinations builds productive relationships. While firms shouldn’t create unnecessary contact, proactively discussing significant business changes, seeking guidance on novel situations, and reporting concerns candidly demonstrates governance maturity that supervisors appreciate.

Turning Audit Preparation into Competitive Advantage

FCA AML audit preparation shouldn’t be viewed merely as a compliance burden but as an opportunity to strengthen your payment institution’s foundation. Firms with robust AML frameworks enjoy several strategic advantages beyond regulatory compliance.

Strong financial crime controls reduce operational losses from fraud and money laundering, protecting your bottom line. They enhance your reputation with banking partners, correspondent banks, and customers who increasingly value security and compliance. They facilitate market expansion by demonstrating to regulators in other jurisdictions that you maintain high standards. And they create competitive differentiation in a market where many payment providers struggle with compliance.

The investment in comprehensive AML compliance pays dividends through fewer customer losses to fraud, reduced regulatory risk and potential enforcement costs, stronger banking relationships providing better terms and services, and enhanced ability to attract investors and partners who conduct thorough due diligence.

As payment services regulation intensifies globally and the FCA’s supervisory capabilities become increasingly sophisticated, the gap between well-controlled institutions and those with deficient frameworks continues widening. Firms that view compliance as strategic infrastructure rather than a necessary cost will increasingly dominate the market.

If your payment institution faces an upcoming FCA AML audit, needs to strengthen its compliance framework, or simply wants to ensure audit readiness, ComplyFactor’s specialist team provides comprehensive support. Our services include mock audits identifying gaps before regulators arrive, remediation planning addressing deficiencies systematically, MLRO support providing expert guidance for your compliance function, and ongoing compliance program maintenance ensuring continuous effectiveness.

The regulatory environment’s complexity shouldn’t be navigated alone. Contact ComplyFactor to discuss how our team can help your payment institution achieve and maintain FCA AML audit readiness, protecting your business while supporting sustainable growth.
