In 2025, we conducted a multi-firm review of Customer Due Diligence (CDD), Enhanced Due Diligence (EDD) and ongoing due diligence controls.
This is a summary of our main findings, the good and poor practice we observed, and our expectations for firms.
The findings centre on the firms' approaches to:
- Policies and procedures
- CDD and EDD processes
- Compliance monitoring and audit
This review is part of our wider financial crime supervisory work in support of our 2025-30 strategy (PDF). It covered a range of portfolios and firm types, aiming to raise standards and share practical insights.
Who this applies to
- Authorised and registered firms.
- Money Laundering Reporting Officers (MLROs).
- Senior managers with oversight of financial crime controls.
- Industry practitioners working in financial crime prevention roles and responsible for CDD.
What we looked at
We assessed CDD systems and controls through a questionnaire, a desk-based review of policies and procedures, customer file reviews and interviews with staff at firms.
We evaluated firms’ controls against:
- Money Laundering Regulations 2017.
- FCA Financial Crime Guide (FCG).
- Senior Management Arrangements, Systems and Controls (SYSC).
- Joint Money Laundering Steering Group (JMLSG) guidance.
- Financial Action Task Force (FATF) guidance.
The examples of good practice below often go beyond the minimum regulatory requirements; they illustrate how firms have approached these control areas.
Firms involved in this review came from the following sectors; however, the findings apply to all firms undertaking CDD (including EDD):
- Asset Management
- Crowdfunding
- Wholesale banking
- Contracts for difference
- Non-bank lenders
What we found
Policies and procedures
Several firms distinguished between standard CDD and EDD, specifying when the latter is required for higher-risk customers, such as Politically Exposed Persons (PEPs). These same firms had incorporated the changes introduced on 10 January 2024 regarding domestic PEPs.
Most firms had documented procedures for verifying customer identity, but few had enough detail or practical guidance for staff.
Some firms’ policies and procedures did not explain what alternative evidence can, and should, be obtained when customers lack standard forms of identification.
We observed that some firms did not specify how often periodic reviews should take place, and were unclear about what staff should do when an event triggers a review of a customer.
Some firms had approval matrices and governance tools to support CDD, but others did not specify when senior management sign-off was needed, or failed to maintain version control of their documents.
Examples of good practice
Clear distinction between CDD and EDD
Policies clearly distinguish between EDD and standard CDD and outline what measures should be taken for each of these, under a risk-based approach.
Frameworks for identifying PEPs
Firms had comprehensive and detailed control frameworks for identifying PEPs.
Examples of poor practice
Insufficient detail in firms’ policies and procedures
Policies and procedures didn’t explain what additional measures should be taken for the purposes of EDD.
Undefined cycle for customer reviews
Not enough detail on how often periodic reviews should take place and what firms were expected to do in the case of event-driven reviews.
No alternative ways to identify and verify customers
Policies and procedures lacked information for staff on how they could identify and verify a customer if the latter couldn’t provide the usual forms of identification.
Firms not following their own policies
Firms failed to follow their own policies and procedures such as when to conduct periodic reviews of customers.
CDD processes
Most firms tailored their CDD approach to the risk profile of each customer, ensuring that higher-risk customers were subject to enhanced checks and more frequent reviews.
We observed that stronger performing firms documented each stage of the EDD process, including clear requirements for senior management approval and strong oversight, such as through compliance committees.
We were concerned that some firms did not gather or record relevant information, such as the purpose and intended nature of the business relationship.
Other firms failed to evidence and document the EDD measures taken for high-risk customers. In some cases, there was limited evidence of how the approach differed between low- and high-risk customers, and firms were not always conducting periodic reviews as their own policies required.
Examples of good practice
Clear guidance for EDD requirements
Firms had clearly documented steps for EDD measures.
CDD processes tailored to each customer
CDD information collected was determined by the financial crime risks posed by each customer.
Examples of poor practice
No documentation of EDD measures taken
Firms failed to produce any evidence of what EDD measures had been taken and recorded.
Key information not recorded
No details on purpose and intended nature of the business relationship to assist with ongoing monitoring.
Requirements for senior management approval not specified
No examples of scenarios or types of customers that require senior management approval, to demonstrate effective governance and oversight.
Compliance monitoring and audit
Most firms had some form of compliance monitoring and audit in place, but the depth of the reviews and the independence of these arrangements varied.
Several firms reviewed their CDD framework regularly, including thematic reviews by external parties or internal audit functions, and they maintained clear cycles for ongoing assessment.
Some firms used sample-based compliance monitoring and maintained proportionate review cycles, ensuring that CDD processes remained effective and up to date.
We saw stronger performing firms operate independent third-line testing that assessed controls across customer onboarding and due diligence. They then documented and acted upon the findings.
But in some cases, there was no independent second-line assurance: the same staff were responsible for both onboarding customers and reviewing them. This calls into question the impartiality and effectiveness of the testing.
Examples of good practice
External CDD audit
A firm conducted a thematic review of its CDD processes using external audit.
CDD in regular audit review
A firm operated a regular audit review cycle of its CDD systems and controls.
Examples of poor practice
No detail on compliance monitoring
Some firms could not explain how quality-control checks on their CDD work were carried out.
No independent review of CDD/EDD
One firm's staff onboarded customers and also performed the second-line assurance work on those same customers.
Lack of version control
Firms had no version control of their documentation, so could not demonstrate an audit trail of reviews or changes made.
Next steps
We encourage firms to consider our findings and suggestions in the context of their own firm and continue to review their CDD controls.
Where we identified weaknesses, we are working with those firms to strengthen their controls.
We will continue to monitor firms through our supervisory work, to make sure they are considering the points raised here. In this way, they can help to protect consumers, support growth and fight financial crime.
Useful papers to read alongside this review
- Risk assessment processes and controls in firms: our findings (November 2025)
- Financial crime controls in corporate finance firms: survey findings (October 2025)
- Money laundering through the markets (January 2025)
- The treatment of politically exposed persons (July 2024)
- Annex 1 Dear CEO letter (March 2024)