FCA findings report on CDD, EDD and ongoing due diligence controls
13/04/2026
Executive Briefing
On 8 April 2026, the FCA published the long-awaited findings (good and bad practice) of its multi-firm review of customer due diligence (CDD), enhanced due diligence (EDD), and ongoing due diligence controls.
- The review, conducted in 2025 across sectors including asset management, wholesale banking, crowdfunding, contracts for difference, and non-bank lenders, assessed firms through questionnaires, desk-based policy reviews, customer file sampling, and staff interviews.
- The FCA’s overarching message is clear: having a CDD framework on paper is no longer enough; firms must prove it works effectively in practice through consistent execution, robust documentation, independent monitoring, and clear governance.
- While some good practices were identified (e.g., risk-based tailoring of CDD/EDD, clear documentation of EDD steps, independent thematic reviews, and detailed PEP controls), the review highlighted widespread weaknesses that we at COMSURE have observed for years.
Key themes from the FCA (which align with the gap analysis below, Appendix 1) include:
- Policies and procedures often lack sufficient operational detail and practical guidance (e.g., alternative ID verification methods, EDD measures, periodic/event-driven review triggers, senior management approval scenarios, and version control).
- CDD/EDD processes frequently fail to collect/record essential information (especially the purpose and intended nature of the business relationship), provide inadequate evidence of EDD for high-risk customers, or fail to differentiate meaningfully between low- and high-risk customers.
- Compliance monitoring often lacks independence (same staff handling onboarding and assurance), depth, or structured frameworks.
- Record-keeping issues include absent version control and poor audit trails.
- Governance and oversight weaknesses around senior management approval, escalation, and clear control of ownership.
This won’t come as a surprise to most firms:
- Risk ratings aren’t consistently justified.
- CDD and EDD decisions lack clear rationale.
- Documentation is incomplete or unclear.
- Periodic reviews don’t evidence meaningful reassessment.
What does this mean for your firm?
- The FCA expects firms to review their CDD controls in light of these findings and strengthen them where necessary.
Recommendations and Next Steps
- Independent Testing
- Conduct targeted file sampling and thematic testing (onboarding, periodic reviews, high-risk/EDD cases) to validate self-assessment.
- We strongly recommend independent review: firms that have used us for this have identified material gaps they were previously unaware of.
- Targeted Remediation Priorities
- Refresh policies/procedures with practical, operational guidance and examples.
- Automate/enforce risk-rating justification, EDD evidence requirements, and audit trails.
- Implement independent compliance monitoring (second/third line).
- Strengthen governance (approval matrices, escalation, senior management reporting).
- Deliver targeted training to reduce “judgment calls” and drive consistency.
COMSURE
- We're already addressing the identified weaknesses with the individual firms through supervisory engagement, and the regulator will continue to monitor them as part of its ongoing financial crime supervisory work.
- In our experience, firms often don’t know how good (or poor) their CDD really is until an independent party tests it properly, which is exactly why many engage us for gap assessments, remediation support, or Skilled Person reviews.
APPENDIX 1 Gap Analysis
Below is a Gap Analysis of the FCA’s key observations, with self-assessment questions. These are not firm-specific assessments; they reflect patterns we (and the FCA) see repeatedly.
Your firm should complete a similar Gap Analysis using its own evidence (policies, file samples, monitoring outputs, etc.).



[Gap analysis sections whose content is not present on this page: Compliance Monitoring; Record Keeping; Governance and Oversight]


Useful papers to read alongside this review
- Risk assessment processes and controls in firms: our findings (November 2025)
- Financial crime controls in corporate finance firms: survey findings (October 2025)
- Money laundering through the markets (January 2025)
- The treatment of politically exposed persons (July 2024)
- Annex 1 Dear CEO letter (March 2024)
Primary FCA Source: Official FCA Publication (main findings, good and poor practice):
- https://www.fca.org.uk/publications/good-and-poor-practice/firms-customer-due-diligence-processes-and-controls-our-findings (Published 08/04/2026 – this is the definitive source referenced in the gap analysis.)
Secondary Analysis and Commentary Articles. These summarise and interpret the FCA’s findings (all published shortly after 8 April 2026):
- Regulation Tomorrow: FCA publishes findings in relation to firms' customer due diligence processes and controls https://www.regulationtomorrow.com/2026/04/fca-publishes-findings-in-relation-to-firms-customer-due-diligence-processes-and-controls/
- Allen & Overy (Shearman): UK FCA findings from multi-firm review on customer due diligence https://finreg.aoshearman.com/uk-fca-findings-from-multi-firm-review-on-customer-due-diligence
- Paul Hastings: FCA Puts Firms on Notice Over Anti-Money Laundering Shortfalls https://www.paulhastings.com/insights/client-alerts/fca-puts-firms-on-notice-over-anti-money-laundering-shortfalls
- First AML: How First AML addresses the CDD failures identified in the FCA’s 2025 review https://www.firstaml.com/resources/how-first-aml-addresses-the-cdd-failures-identified-in-the-fcas-2025-review/
- CMS Law: FCA: Firms' customer due diligence processes and controls https://cms.law/en/gbr/regulatory-news/fca-firms-customer-due-diligence-processes-and-controls-our-findings
- Financial Institutions News: FCA publishes multi-firm, multi-sector CDD/EDD review https://www.financialinstitutionsnews.com/2026/04/08/fca-publishes-multi-firm-multi-sector-cdd-edd-review/
- CCTA Regulatory News (9 April 2026) https://www.ccta.co.uk/regulatory-news-9-april-2026/
- First AML (additional article): What the FCA's 2025 CDD review really tells us about compliance maturity https://www.firstaml.com/resources/what-the-fcas-2025-cdd-review-really-tells-us-about-compliance-maturity/

[Gap analysis sections whose content is not present on this page: Policies and Procedures; CDD & EDD Processes]


