Common FCA Compliance Audit Findings and How to Remediate Them

Regulatory Counsel · 10 Feb 2025 · 13 min read

Key Takeaways

  • AML and KYC deficiencies remain the most common compliance audit finding across all firm types.
  • Consumer Duty gaps are an emerging area of significant audit findings since July 2023.
  • Safeguarding failures in payment and EMI firms attract the most severe FCA enforcement action.
  • Governance weaknesses — particularly in board oversight and SM&CR compliance — underpin many systemic failures.
  • Effective remediation requires root cause analysis, realistic timelines and senior management ownership.

Introduction

Compliance audits consistently reveal similar categories of weakness across FCA-regulated firms. Understanding these common findings — and the remediation approaches that work — enables firms to proactively strengthen their frameworks before issues escalate into regulatory action. This article analyses the most frequently identified findings and provides practical guidance on how to address them.

AML and KYC Deficiencies

Anti-money laundering failures remain the single most common category of compliance audit finding. Typical issues include:

  • Inadequate customer due diligence (CDD): Missing or incomplete identification and verification documents, failure to verify beneficial ownership, and CDD files that do not evidence the firm's risk assessment of the customer relationship.
  • Outdated CDD records: Firms failing to refresh CDD in line with their risk-based approach — particularly for higher-risk customers where annual or event-triggered reviews are expected.
  • Weak enhanced due diligence (EDD): EDD measures that are generic rather than tailored to the specific risk factors identified. The FCA expects EDD to go beyond collecting additional documents and include a meaningful assessment of the risk the customer presents.
  • Transaction monitoring gaps: Monitoring rules that are not calibrated to the firm's risk profile, failure to investigate alerts in a timely manner, and insufficient documentation of investigation outcomes.
  • SAR filing failures: Delayed submission of suspicious activity reports, failure to file SARs where there are reasonable grounds for suspicion, and tipping off risks where staff inadvertently alert customers to the existence of a SAR.

Remediation approach: Conduct a comprehensive review of all CDD files against current policy requirements. Implement a risk-based refresh programme prioritising higher-risk customers. Recalibrate transaction monitoring rules based on a documented risk assessment. Provide targeted training on SAR obligations and escalation procedures. Assign a named individual with responsibility for monitoring remediation progress.

Consumer Duty Gaps

Since the Consumer Duty came into force on 31 July 2023, compliance audits have increasingly identified gaps in firms' implementation. Common findings include:

  • Insufficient evidence of fair value assessments: Firms that have not documented how they have assessed whether their products and services provide fair value, or that have conducted only superficial assessments.
  • Weak customer outcomes monitoring: Lack of defined metrics or KPIs for measuring customer outcomes, or monitoring that focuses on process compliance rather than actual outcomes.
  • Inadequate customer communications: Communications that do not meet the Duty's requirements for clarity, timeliness and accessibility. The FCA expects communications to be tested with target audiences and to be comprehensible to customers with characteristics of vulnerability.
  • Insufficient board-level engagement: Boards that have not received or engaged with Consumer Duty reporting, or that cannot evidence how they have considered customer outcomes in strategic decision-making.

Remediation approach: Develop a structured fair value assessment framework with documented methodology and evidence. Define measurable customer outcomes KPIs across all four Duty outcomes (products and services, price and value, consumer understanding, consumer support). Implement customer communication testing. Establish regular board reporting on Consumer Duty outcomes with defined escalation triggers.

Safeguarding Failures

For payment institutions and electronic money institutions, safeguarding findings are among the most serious because they directly affect customer fund protection. Common issues include:

  • Delayed safeguarding: Funds not safeguarded by the end of the business day following receipt, as required by the PSRs and EMRs.
  • Reconciliation failures: Safeguarding reconciliations not performed daily, or reconciliations that do not adequately identify and resolve discrepancies.
  • Commingling of funds: Relevant funds mixed with the firm's own operational funds or held in accounts that are not properly designated as safeguarding accounts.
  • Inadequate safeguarding records: Inability to identify at any point in time which customer funds are safeguarded and where they are held.
  • Acknowledgement letter gaps: Missing or outdated acknowledgement letters from safeguarding banks confirming the nature and terms of the safeguarding arrangement.

Remediation approach: Implement automated safeguarding processes to ensure funds are segregated within the required timeframe. Establish daily reconciliation procedures with documented exception handling. Ensure all safeguarding accounts are properly designated and that acknowledgement letters are current. Maintain a real-time safeguarding ledger that enables the firm to identify customer funds at any point.

Governance and SM&CR Weaknesses

Governance findings often underpin other categories of compliance failure. Common issues include:

  • Unclear allocation of responsibilities: Senior management functions (SMFs) and prescribed responsibilities that are not clearly allocated, or statements of responsibilities (SoRs) that are vague or out of date.
  • Insufficient management information: Boards and committees that do not receive adequate MI to discharge their oversight responsibilities, or MI that is not acted upon.
  • Weak certification regime processes: Firms that have not implemented annual fitness and propriety assessments for certified persons, or that treat assessments as a tick-box exercise.
  • Inadequate conduct rules training: Staff who are subject to the Individual Conduct Rules but have not received appropriate training or are unable to demonstrate understanding.

Remediation approach: Review and update all SoRs and management responsibilities maps to ensure clarity. Establish a board MI pack that includes key compliance metrics, regulatory developments, complaint trends and audit findings. Implement a structured certification regime process with documented annual assessments. Deliver Conduct Rules training with assessment and record retention.

Financial Promotions Non-Compliance

Financial promotions remain a persistent area of audit findings. Common issues include:

  • Missing risk warnings: Promotions that do not contain required risk warnings or disclosures.
  • Misleading claims: Marketing materials that overstate returns, understate risks or create unrealistic expectations.
  • Inadequate approval processes: Firms that do not have a clear process for reviewing and approving financial promotions before publication, or where the approval process is not documented.
  • Social media compliance: Promotions on social media that do not meet the same standards as traditional marketing, or that are published by staff without appropriate oversight.

Remediation approach: Implement a financial promotions review and sign-off process with documented criteria. Maintain a register of all financial promotions. Provide specific training to marketing teams on FCA requirements. Establish social media guidelines and monitoring processes.

Complaints Handling Deficiencies

Common complaints handling findings include:

  • Failure to identify complaints: Staff not recognising expressions of dissatisfaction as complaints that should be logged and handled under the firm's complaints procedure.
  • Missed response deadlines: Final response letters not issued within the eight-week deadline, or holding responses not sent within the initial acknowledgement period.
  • Inadequate root cause analysis: Firms that resolve individual complaints without investigating whether they indicate systemic issues.
  • FOS referral failures: Final responses that do not adequately inform customers of their right to refer the matter to the Financial Ombudsman Service.

Remediation approach: Train all customer-facing staff on complaint identification and escalation. Implement automated deadline tracking. Establish a quarterly root cause analysis process with reporting to senior management. Review template response letters to ensure compliance with DISP requirements.

Building an Effective Remediation Programme

Effective remediation is not simply about fixing individual findings — it requires a structured programme that addresses root causes and prevents recurrence:

  • Root cause analysis: For each finding, identify why the control failed — not just what went wrong. Root causes often relate to training, resource, technology or governance gaps.
  • Risk-rated action plans: Assign risk ratings to findings and prioritise remediation accordingly. Critical and high-risk findings should have short remediation timelines with interim mitigating controls.
  • Named ownership: Each action should have a named owner at an appropriate level of seniority.
  • Progress tracking: Maintain a remediation tracker and report progress to the board or relevant committee regularly.
  • Validation testing: Once remediation is complete, conduct follow-up testing to verify the fix is effective and sustainable.

Regulatory Outlook

The FCA's approach to supervision continues to evolve towards outcomes-based assessment. Firms that proactively identify and remediate compliance weaknesses through robust audit programmes demonstrate the kind of culture the FCA expects. Conversely, firms that fail to address known issues — or that repeatedly identify the same findings without effective remediation — face heightened supervisory scrutiny and potential enforcement action.

Frequently Asked Questions

The most common findings for payment firms relate to AML/KYC deficiencies, safeguarding failures (including delayed segregation and reconciliation gaps), Consumer Duty implementation weaknesses, inadequate complaints handling and governance shortcomings under the SM&CR framework.

Firms should use a risk-based approach, prioritising critical and high-risk findings that present the greatest regulatory or customer harm risk. Each finding should have a named owner, a realistic remediation timeline and interim mitigating controls where the root cause cannot be immediately addressed.

Yes. While the FCA does not typically review individual audit reports, it may request sight of audit findings during supervisory visits or thematic reviews. Unresolved findings — particularly repeat findings — can evidence inadequate systems and controls, leading to enforcement action under Principle 3 (management and control).

Audit findings should be reported to the board or a relevant committee (such as a risk or audit committee) at least quarterly. Reports should include an executive summary, findings by risk rating, trend analysis, the status of open remediation actions and an overall assessment of the firm's compliance posture.