The FCA’s latest review of customer due diligence (CDD) processes doesn’t introduce new regulatory expectations, but it does reinforce a message that has been building for several years.
The question is no longer simply whether firms have the right frameworks in place. The FCA is increasingly focused on whether those frameworks work in practice: whether they are applied consistently, operate effectively, and remain robust under pressure.
The review also underlines that CDD frameworks are only as strong as the processes that support them, which in turn depend on the capability, judgement, and consistency of the people operating them. Weaknesses should not be left for the regulator to identify; they should be surfaced proactively through effective, credible assurance.
What the FCA found
The FCA review highlights a number of familiar themes:
- Strong frameworks, weak execution – CDD policies and procedures are generally well documented, but lack clear, practical guidance on real-world scenarios.
- Insufficient operational detail – procedures did not define processes for periodic CDD review cycles, or what to do when an event-driven review is needed. This makes it difficult for front-line teams to interpret and apply consistent standards.
- Lack of evidence and documentation – some firms could not provide evidence that enhanced due diligence (EDD) had been carried out, while in other cases core information about the customer was not recorded at all. If it isn’t written down, it didn’t happen; and without this information, the effectiveness of ongoing monitoring is undermined.
- Unclear governance and escalation – firms struggled to demonstrate when issues should be escalated, who had authority to approve higher-risk relationships, and how senior management oversight was applied. This again led to an inconsistent approach by staff.
- Assurance that misses the point – the level and depth of compliance monitoring and audit reviews varied, as did the independence of the 2nd and 3rd lines. For some firms, there was too much focus on file checking rather than on assessing control effectiveness.
- Over-reliance on process over judgement – for some firms, CDD is a tick-box exercise rather than a purposeful control. There was evidence of CDD/EDD being undertaken without due consideration of what the findings said about the risk the customer posed and what mitigation was needed.
The thread that connects all these is that CDD frameworks are often built to satisfy policy requirements, not to support people making consistent risk-based decisions under pressure.
What does this mean for firms?
The FCA’s findings reinforce a clear direction of travel: baseline compliance is no longer enough.
Having a CDD framework which meets regulatory requirements is meaningless if you can’t demonstrate that it works consistently in practice.
The findings also show that the FCA wants to see how CDD frameworks operate in practice from start to finish. It is assessing whether:
- Risk assessments genuinely drive the right outcomes
- Escalation and EDD are used purposefully
- Governance and assurance identify weaknesses early
- Teams are supported to exercise good judgement, not just follow steps
Perhaps most importantly, the review reinforces that regulators increasingly expect firms to know where they have weaknesses and to make improvements. This illustrates the need for meaningful 2nd and 3rd line reviews, whether carried out internally or using external partners.
What should firms do in response?
- Stress test CDD/EDD in practice using real customer journeys. Are your teams equipped to deal with something that doesn’t exactly match the process? Is more scenario-based training needed to ensure team members are able to make consistent case-by-case decisions?
- Review how well CDD outputs are documented, and whether they demonstrate a clear rationale for the customer risk rating and evidence that appropriate controls were applied to manage that exposure.
- Assess governance arrangements to determine whether senior management are involved in a meaningful way when needed and that escalation routes are clear to all involved.
- Re-think assurance – are oversight controls meaningful, and do they assess whether the outcome makes sense in the context of the business? Is the team sufficiently independent and knowledgeable to give the required challenge?
- Make sure that support is in place for the people doing the work – ultimately, CDD is delivered by people. Frameworks need consistent judgement, supported by practical guidance, training and escalation routes.
The FCA is not looking for perfection. But it is seeking credibility across risk assessments, decisions, governance, and assurance. Firms that can demonstrate they understand where their CDD frameworks work well, and where they need to do more, will be far better placed to navigate supervisory engagement than those relying on compliance by design alone.
How can Square 4 help?
Square 4 works with firms to move CDD and EDD beyond policy and framework and into consistent, defensible execution of controls.
We support clients to:
- Evaluate CDD frameworks as they operate in practice, through end‑to‑end reviews of real customer journeys, escalation points and decision‑making.
- Strengthen risk‑based judgement, translating regulatory expectations into practical guidance, decision tools and training for frontline and oversight teams.
- Enhance governance and assurance, including outcome‑focused second‑line reviews, thematic testing and independent health checks to identify issues before they become supervisory findings.
- Prepare for regulatory engagement, helping firms evidence not just compliance but understanding, including clearly articulated risks, known weaknesses and proportionate remediation plans.
Whether firms are responding directly to this review, preparing for future supervisory scrutiny, or looking to future‑proof their CDD approach, Square 4 helps turn regulatory signals into practical, actionable improvements.