Customer Risk Assessments – FCA wants robust, tailored, and evidence-based CRAs

The FCA recently stated that firms’ customer risk assessments must be robust, tailored, and evidence-based, highlighting both good and poor practices in its November 2025 multi-firm review.

FCA’s Message

• The FCA’s review makes it clear: customer risk assessments must be dynamic, evidence‑based, and embedded into firms’ financial crime frameworks. Weak, generic, or outdated CRAs expose firms to regulatory breaches and financial crime risks’ [source: FCA multi‑firm review, Nov 2025]

In short, the FCA’s latest message is clear: customer risk assessments cannot be superficial. They must be dynamic, data-driven, and embedded into firms’ financial crime frameworks.

Key FCA Findings (November 2025 Review)

• Focus of the review: The FCA examined Business-Wide Risk Assessments (BWRAs) and Customer Risk Assessments (CRAs) across a range of firms, including building societies, wealth managers, payments providers, and e-money institutions.
• Expectations: Firms must not only have risk assessments in place but also ensure they are:
• Robust – comprehensive enough to capture all relevant financial crime risks.
• Tailored – adapted to the firm’s specific business model, customer base, and risk exposure.
• Evidence-based – supported by precise data, rationale, and documentation.
• Good practice examples:
• Clear methodologies for identifying and categorising customer risk.
• Regular updates to reflect changes in products, services, or customer demographics.
• Integration of risk assessments into wider compliance and governance frameworks.
• Poor practice examples:
• Generic, “tick-box” approaches that fail to differentiate between customer types.
• Outdated assessments not aligned with current business activities.
• Lack of documentation or rationale for risk ratings.

Why This Matters

• Financial crime prevention: Customer risk assessments are central to anti-money laundering (AML) and counter‑terrorist financing (CTF) obligations. Weak assessments expose firms to regulatory breaches and reputational harm.
• Senior accountability: The FCA emphasised that Money Laundering Reporting Officers (MLROs), senior managers, and boards must take responsibility for ensuring assessments are meaningful and effective.
• Strategic alignment: This review forms part of the FCA’s 2025–2030 strategy to reduce financial crime harm, showing that risk assessment quality will remain a supervisory priority.

Practical Implications for Firms

• Review and refresh CRAs regularly – especially when launching new products or entering new markets.
• Document rationale clearly – regulators expect firms to show why a customer is rated low, medium, or high risk.
• Embed assessments into wider controls – link CRA outcomes to transaction monitoring, enhanced due diligence, and escalation procedures.
• Train staff – ensure frontline and compliance teams understand how to apply CRA frameworks consistently.

In short, the FCA’s latest message is clear: customer risk assessments cannot be superficial. They must be dynamic, data-driven, and embedded into firms’ financial crime frameworks.

Sources

https://www.fca.org.uk/publications/good-and-poor-practice/risk-assessment-processes-and-controls-firms-our-findings

https://www.regulationtomorrow.com/eu/fca-publishes-findings-following-a-multi-firm-review-of-risk-assessment-processes-and-controls-in-firms/

https://www.complianceangle.co.uk/post/fca-s-2025-risk-assessment-findings-what-firms-need-to-know