The regulatory bar is rising. Financial services firms across all sectors are under increasing pressure to demonstrate that their financial crime frameworks are not only fit for purpose but effective, dynamic, and aligned with their business risks.

In January 2024, the Financial Conduct Authority (FCA) refused an application from a crypto firm for registration under the Money Laundering Regulations 2017. The applicant, an Electronic Money Institution offering e-wallet and crypto-asset services, was operating under the Temporary Permissions Regime. What makes this case especially noteworthy is that the FCA has now chosen to publish its detailed reasons for refusal—one of the first such public disclosures for a crypto firm.

While this may seem like a crypto-specific matter, it isn’t. The decision reflects core regulatory expectations that apply across sectors. For insurance firms—including MGAs, brokers, Lloyd’s syndicates, and reinsurers—the lessons are direct and urgent. The FCA’s scrutiny of financial crime risk frameworks, governance, and control effectiveness is now sector-agnostic. Understanding and acting on the lessons from this case could help your firm avoid costly remediation or reputational damage.

Public Enforcement is a Strategic Choice – Take Note

69% of crypto firms applying for FCA AML registration since March 2020 withdrew their applications. Only 4% received a formal Decision Notice. The findings in this case, published in full, represent the FCA’s shift towards using enforcement transparency as a compliance driver.

This is consistent with FCA speeches in late 2024 calling for “proactive remediation and cultural change” in financial crime compliance. Insurance firms are not exempt. The FCA’s public messaging increasingly positions financial crime failings as firm-wide governance failures, not just compliance issues.

What Went Wrong – FCA Findings In This Case

The FCA decision highlights a number of issues – all of which could equally occur in any financial services organisation, including insurance firms. They covered:

  • Outdated and incomplete Business-Wide Risk Assessment (BWRA) and Customer Risk Assessment (CRA) processes.
  • Lack of operational Enhanced Due Diligence (EDD) procedures.
  • Absence of internal escalation or review mechanisms for Suspicious Activity Reports (SARs).
  • Policies and controls unaligned with business risks and regulatory change.
  • Governance gaps, with minimal senior oversight or Board engagement.
  • Poor data management—the applicant could not provide requested information reliably.

These failings mirror themes seen in recent FCA enforcement against Metro Bank (2024), where risk assessments and MI were insufficiently aligned with the firm’s actual risk exposure, and Starling Bank (2024), where risk governance and control testing were inconsistent.

What This Means for Insurance Firms – Practical Risk Scenarios

Insurers face unique risks, particularly when underwriting, claims handling, or customer onboarding are delegated to third parties. In such models, regulators expect insurers to demonstrate oversight and control over outsourced activities. The following scenarios demonstrate how the same issues could easily arise for insurance firms.

Delegated Authority (DA) Risk
An MGA writes high-risk property policies via third-party agents in high-risk regions. Have you verified the coverholder’s sanctions screening processes? Are claims payments routed through compliant channels? Is there regular audit or assurance? How, and how quickly, are high-risk transactions escalated to the insurer?

Reinsurance Risk (Treaty and Facultative)
A reinsurer underwrites facultative marine hull and cargo risks globally. Are ownership and cargo origins checked for sanctions evasion techniques? Are counterparties’ financial crime controls understood? Are ownership structures clearly understood and risk factors such as potential flags of convenience identified? Are reinsurance claims vetted against risk assessments? Are vessels monitored for indicators of involvement in circumvention activities?

Broker Intermediation Risk
A broker introduces commercial clients that formerly had extensive dealings with Russia and Belarus. The clients have complex ownership structures including use of potential secrecy jurisdictions. Have you conducted adequate due diligence yourself or is reliance being placed on the broker? How confident are you that the corporate structure is accurately mapped? Are you confident the insured activity does not involve sanctions circumvention? Is any reliance placed upon the broker justified, evidenced, and subject to oversight?

In all cases, failure to identify, assess, and mitigate these risks through a structured and evolving framework could invite regulatory attention.

Challenge Your Framework – Expanded Questions for Insurance Firms

  • Is your Business Wide Risk Assessment reviewed annually and tailored to underwriting, claims, and distribution risks?
  • Are risk assessments updated when you enter new markets or deploy new products (e.g., embedded insurance)?
  • Does your Customer Risk Assessment incorporate emerging threats, such as sanctions evasion in shipping or dual-use product risks in product liability?
  • Are high-risk transactions and enhanced due diligence cases escalated, documented, and signed off by senior management?
  • How do you test the effectiveness of SAR processes across underwriting, claims, and third-party handlers?
  • Can you provide evidence of a complete and up-to-date frozen assets register, comprehensive sanctions screening performance metrics, and a documented audit trail of decisions in high-risk scenarios within 5 working days?

Governance is in the Spotlight – FCA Expectations

Regulators expect senior management to own and oversee financial crime compliance. Inadequate governance was a key failing in the refusal of this application.

Insurance firms should ask:

  • Is financial crime MI provided regularly and tailored to your risk exposure?
  • Are breaches of risk appetite escalated and tracked?
  • Do your Board and ExCo challenge the adequacy of controls and risk responses?

The FCA’s 2025 strategy has been well signposted and is expected to call for firms to “embed effective governance structures that promote accountability and responsiveness.” Compliance culture must be demonstrable—not just claimed.

Data Readiness and Technology – Are You Audit-Proof?

Can your firm respond quickly and accurately to a regulatory request? Can you:

  • Retrieve screening logs and exception reports?
  • Provide complete, up-to-date EDD documentation for higher-risk customers?
  • Show that controls were tested and findings acted upon?

Firms must use technology commensurate with complexity:

  • Centralised risk dashboards
  • Automated MI generation
  • Auditable control records
  • Real-time monitoring capabilities

AI tools can support many aspects of your compliance framework, including fraud detection and sanctions evasion monitoring, but they must be well governed, explainable, and risk appropriate. Firms that rely on third parties must evidence oversight—not just contractual reliance.

This article has been authored by Andrew Roberts, a Financial Crime and AML specialist and part of the ICSR Talent Pool. If you would like to discuss any aspect of your own firm’s approach to financial crime frameworks, please speak with your usual ICSR contact.

Andrew Roberts

Talent Pool Member, Financial Crime and AML specialist

Advisory & Resourcing
