We set out our findings and what insurance firms can do to improve their financial crime systems and controls.
1. Summary of main content
We expect firms to maintain adequate and proportionate policies and procedures to counter the risk that they might be used to further financial crime. They should remain vigilant to evolving risks and invest in appropriate financial crime systems, controls and resources.
We reviewed the design of financial crime systems and controls across a selection of large insurance firms to see how effective they are. We found that they are mostly effective. There are, however, some areas for improvement, and firms should follow good practice on risk assessments, client due diligence arrangements and transaction monitoring.
Life insurance firms generally had stronger controls than retail and wholesale insurance firms, possibly reflecting differences in the relevant regulations and products in each sector.
These are our headline comparative observations for each insurance sector.
| Sector | Meets expectations | Areas for improvement |
|---|---|---|
| Retail insurance | Strengths in systems and controls for sanctions, fraud risk management, and anti-bribery and corruption | Risk assessment and policies and procedures |
| Wholesale insurance | Systems and controls were typically either moderate or strong. There was strong effectiveness in anti-bribery and corruption, people and knowledge and sanctions | Fraud risk management |
| Life insurance | Overall the strongest portfolio. Risk assessment, people and knowledge, third party risk, client due diligence and sanctions were generally strong | Transaction monitoring |
2. Who this applies to
Our findings will be of interest to all insurers and insurance intermediaries operating in the UK insurance market, including retail, wholesale and life insurance firms.
3. What firms need to do
We will give individual feedback to the firms that took part in our review and will engage with them further if they need to improve. We expect other firms to consider the findings and how they relate to their businesses and make any improvements they need to.
4. Why we did this work
Insurance firms are a vital line of defence in fighting financial crime[2]. In our Insurance Regulatory Priorities[3] report, we said we would review the effectiveness of financial crime systems and controls across a selection of larger insurance firms. We chose them to provide a broad spread of large firm business models and markets. We wanted to understand how well firms are mitigating the risks of being used to further financial crime. We focused on the design of financial crime frameworks.
We asked the firms to send us documents in response to 38 questions across ten key groups of financial crime controls:
- Governance and oversight
- Risk assessment
- Regulatory reporting and issue management
- People and knowledge
- Third party risk
- Client due diligence
- Sanctions
- Anti-money laundering (AML) transaction monitoring
- Fraud
- Anti-bribery and corruption
We evaluated the design of firms’ controls against:
- Money Laundering Regulations 2017[4]
- FCA Financial Crime Guide (FCG)[5]
- Senior Management Arrangements, Systems and Controls (SYSC)[6]
- Joint Money Laundering Steering Group (JMLSG) guidance[7]
- Financial Action Task Force (FATF) guidance[8]
We gave firms a rating for how effectively they had designed their systems and controls:
- Strong: Well-designed controls which fully address risks, alongside clear structures and ownership. This was particularly evident where firms had made significant investments in strengthening their financial crime frameworks and controls.
- Moderate: Controls addressed the risk in question but had some gaps, partial or outdated documents, or reliance on manual processes.
- Weak: Controls did not appear to be adequately designed to mitigate the risks in question, there was unclear ownership, or documents were inconsistent or missing.
Our observations and comments are based on the documents firms provided and the insights we gathered through follow-up meetings.
5. What we found
5.1. Cross-sector findings
We found the following cross-sector themes in six of the ten control groups.
AML transaction monitoring
Transaction monitoring may be less developed in non-AML regulated insurance firms and where transaction patterns are predictable. Across the wholesale and retail insurance portfolios, most firms did not carry out formal transaction monitoring and, as a result, this area was not subject to detailed assessment in our review. This reflected firms’ regulatory status and the nature of their transaction patterns.
However, best practice is for firms to consider the risks and benefits of their approach to transaction monitoring and to document their rationale. All firms remain subject to obligations relating to suspicious activity reporting, sanctions compliance, and wider financial crime risk management. Any reduction or simplification in controls should therefore be risk-based, proportionate, and clearly evidenced.
Controls monitoring and testing
Firms’ monitoring and testing activity was consistent across the second and third lines of defence. However, some firms only had limited evidence that they had structured, risk-based monitoring and testing plans.
We expect firms to have risk-based testing plans for second and third-line activities. They should clearly coordinate their monitoring and testing to avoid duplication or gaps in coverage. If firms don’t have dedicated financial crime assurance expertise, they should show how they have considered financial crime risks and assessed the need for specialist or outsourced reviews.
Policies and procedures
Firms generally had comprehensive group-level policies and procedures, but they were often not specific enough at business unit or jurisdictional level.
Firms should consider supplementing their overarching frameworks with documented procedures for specific business units and jurisdictions. These may be linked to group policies but should clearly show how the firm applies them in practice within individual business units to mitigate the risk of gaps or misinterpretation.
Roles and responsibilities
Most firms have a three-lines-of-defence model, though many did not have a formal RACI (Responsible, Accountable, Consulted, Informed) matrix to clarify responsibilities across the financial crime framework.
Although not mandatory, firms should consider using a RACI matrix to clearly define roles and responsibilities across their financial crime framework. This supports accountability, transparency, and effective governance. It is particularly useful if there are broader compliance teams working on financial crime activities, including in third-party administrators.
Obligations management
Most firms did not maintain an obligations register that mapped legal and regulatory requirements to internal controls and assigned accountable owners. Obligations registers support clear accountability and oversight of different products and jurisdictions and across regulated and non-regulated activities.
Best practice is to clearly articulate the firm’s legal and regulatory obligations and map them to specific controls, processes, and responsible roles to ensure clear accountabilities and compliance.
Third-party outsourcing
Where firms have outsourced financial crime activities, they consistently recognised that they retain liability. However, while firms can have differing degrees of oversight of third parties, it is important that this is proportionate to the risks and materiality of the outsourced activities. Only one firm in our review had enhanced, risk-based levels of third-party oversight for higher risk controls. Firms should categorise third-party relationships by risk, with oversight matched to the risk category.
We expect firms to produce and review risk-focused management information to monitor third-party performance, identify emerging risks, and support timely escalation. They should have clear governance structures and escalation pathways, and document oversight activities and decisions appropriately.
5.2. Sector specific findings
When comparing cross-sector findings, consideration was given to the AML regulated status of the entities.
Retail insurance
- The effectiveness of financial crime systems and controls across large retail firms is moderate overall.
- We found strengths in sanctions, fraud risk management, and anti-bribery and corruption control. This is consistent with the lower inherent anti-money laundering risks of these products, where financial crime exposure is more likely to arise from fraud and sanctions breaches.
- Some large retail firms operate within wider group structures and rely on group-level policies and frameworks. Their policies are less specific to these firms or business units and roles and responsibilities are often distributed across multiple teams. This can make it unclear who owns or implements policies at the firm or business unit level.
- Risk assessment controls were assessed as weak, primarily due to limitations in evidence provided specific to individual business units.
- Client due diligence controls were weak across most large firms, largely because they had not fully documented their approach. As non-AML regulated entities, the extent of due diligence may be more limited, but best practice is to clearly document the rationale for any differentiated approach.
Wholesale insurance
- The effectiveness of financial crime systems and controls across large wholesale firms is moderate overall.
- Design effectiveness was strongest across people and knowledge, anti-bribery and corruption, and sanctions.
- This is consistent with the inherent risk profile of wholesale insurance activities, where exposure to financial crime is more likely to arise through these channels.
- Fraud management was generally weaker, reflecting limitations in management information and detail provided on firms' fraud monitoring arrangements.
- Transaction monitoring is not consistently embedded across these entities, which reflects the nature of business models, risks and transaction flows. However, best practice is for firms to clearly document the rationale for their approach, including how they mitigate financial crime risks. Where they have reduced or alternative procedures, they should be risk-based and proportionate, and supported by appropriate documents.
Life insurance
- Design effectiveness was the strongest across the life insurance firms, where effectiveness of financial crime systems and controls was assessed as moderate to good, except in transaction monitoring where some improvements are needed.
- Areas of strength were risk assessment, client due diligence, people and knowledge, third party risk and sanctions.
- Some firms demonstrated strong design effectiveness in fraud risk management, including automated fraud surveillance tools and highly actionable management information.
6. Next steps
We will continue to monitor how all firms are meeting the requirements to prevent and detect financial crime.