What the FCA actually checks in an AML programme review
Compliance · 14 May 2026 · 3 min read

Your AML programme passed internal review. Your policies reference MLR 2017 and cite JMLSG guidance. Then the FCA shows up and issues a fine.

The gap isn't usually your policies. It's the evidence you can't produce when they ask how those policies work in practice.

The three things FCA enforcement teams demand first

The FCA starts with your business-wide risk assessment. They want to see that you identified specific risks tied to your actual customers, products, and jurisdictions. Generic templates copied from JMLSG guidance won't cut it.

Next come customer due diligence records. They'll sample 20 to 30 client files and check whether your CDD matches the risk levels you assigned. If you rated a client as high risk but hold only basic identification documents, that's a problem.

Third is governance evidence. Meeting minutes. Training records. Audit trails showing someone actually reviewed suspicious activity. The FCA wants proof your MLRO has authority and resources, not just a title.

Where JMLSG guidance helps and where it doesn't

JMLSG guidance gives you a framework. It explains how to interpret MLR 2017 for your sector. But it's not a safe harbour.

The FCA has said repeatedly that following JMLSG doesn't guarantee compliance. You still need to apply the guidance to your specific risk profile. A small wealth manager in Leeds faces different risks from a London-based corporate service provider handling overseas entities.

The guidance is 400 pages. Most firms skim parts relevant to their immediate question. That creates blind spots, especially around beneficial ownership verification and PEP screening.

FATF recommendations sitting behind everything

MLR 2017 implements the UK's FATF obligations. When the FCA writes enforcement notices, they often reference both.

FATF Recommendation 10 covers customer due diligence. Recommendation 24 addresses beneficial ownership transparency. If your AML programme fails on beneficial ownership, you're not just breaching UK regulations. You're out of step with the international standard the FCA uses as its benchmark.

In 2023, the FCA fined a payment institution £1.8 million partly because it couldn't demonstrate adequate CDD on beneficial owners. The enforcement notice cited MLR 2017 but framed the failure against FATF's risk-based approach.

Building a programme the FCA won't tear apart

Start with your risk assessment. Make it specific. List actual customer segments, transaction types, and geographic exposures.

Document your CDD decisions. Why did you accept this evidence? Why did you escalate that client? Create a trail that shows thinking, not just box-ticking.

Test your controls quarterly. Sample your own files the way the FCA would. Find the gaps before they do.

Your MLRO needs time and access. If they're also covering three other compliance functions, that's a red flag the FCA will spot immediately.

When you're investigating complex ownership structures or cross-border entities, Deepheem helps you trace connections and verify information across multiple jurisdictions without manually checking dozens of sources.