Discover the comprehensive services offered by Fairway Financial Crime, including compliance strategy development, risk assessments, training, and technology integration to help your business navigate financial crime risks and meet regulatory obligations with confidence. OUR SERVICES Our Services Fairway Financial Crime, supported by our extensive experience and network of specialists, suppliers, and partners, is here to guide you through every aspect of your financial crime compliance challenges. Whether you have a clear vision of your needs or are just beginning to explore your options, we’re ready to collaborate. Below, you’ll find an overview of our key services, and we invite you to contact us here to discuss how we can assist you. Sanctions Compliance | Regulatory Investigations & Remediation Support | Financial Crime Audits & Health Checks Anti-Money Laundering (AML) & Counter-Terrorist Financing (CTF) Compliance | Fraud Risk Management Bribery & Corruption Risk Management | Transaction Monitoring & Reporting Solutions Bespoke Consultancy We specialise in supporting firms by creating tailored solutions to their financial crime compliance challenges. Whether it’s conducting framework reviews, carrying out targeted assessments, implementing new tools and technologies, updating policies, or designing assurance programmes, we provide expert advice, design, and practical execution. Our approach ensures that your financial crime compliance program is both effective and aligned with your business’s unique needs and is built upon the practical experience of having lived through those transformations, and the operational challenges that such projects create. Financial Crime Risk Assessments A robust risk assessment is the cornerstone of any effective financial crime control framework. We support businesses in designing, implementing, and embedding bespoke risk assessments that are responsive to regulatory demands and operational needs. Whether you need a specific business line, product, general customer or enterprise- wide risk assessment, Fairway Financial Crime can support you to build robust, evidence based and proportionate processes, that will enable you to understand the risks you face, make informed decisions and align your resources to where they are needed most. Our approach ensures clear, actionable insights that allow you to manage risks effectively and adopt a truly risk-based approach. Financial Crime Activity Reviews This service is designed for small and medium sized enterprises looking to assess or benchmark their financial crime compliance programmes, or specific parts of it. We can review any aspect of your financial crime compliance program, for example, a review of your approach to and completeness of your sanctions screening program, review your current policies and procedures, or assess the effectiveness and efficiency of your enhanced due diligence and investigatory processes. We can help you to validate your current approach, identify improvements and efficiencies, or help you to prepare for the next phase of your business growth and evolution. We believe in the importance of building essential foundational controls, tailored to your business model, that create a strong, cost-effective base for managing financial crime risks. Our expertise helps ensure you are well-prepared to meet regulatory requirements and scale your compliance efforts, as your business grows and achieves its goals. Retained Advisory Our retained advisory service is focused on building a strategic partnership, offering expert support without the need to increase headcount. Starting from just two days per month, we can provide ongoing guidance to help you develop and maintain robust financial crime controls. This service ensures you have access to senior-level expertise while allowing you to focus on growing your business, while also managing your financial crime risk exposure. Financial Crime Learning & Development Fairway Financial Crime can provide bespoke training and coaching for senior leaders, including MLROs, executives, and board members, to help them to understand and manage the financial crime risks their organisation and they personally face. Our support includes tailored guidance to build knowledge, ensure compliance, and strengthen governance, empowering leaders to fulfil their responsibilities with confidence. We can also support the design and execution of bespoke employee training programs, whether that is in-depth expert level sessions for high-risk roles, or companywide general awareness training. Let’s Work Together Contact us today to discuss how we can support your business with tailored solutions. Contact us Would you like a free Financial Crime Risk Assessment Health Check? Our online tool combines the simplicity of a technology-led solution with the knowledge and expertise our team have built over many years helping firms manage their financial crime risks. Start your assessment now... Financial Crime Risk Assessment Health Check - Start Now RECEIVE OUR LATEST NEWS Email* Yes, subscribe me to your newsletter. Submit MENU About Services LINKS Resources Work With Us CONTACT Email LinkedIn LEGAL Terms Privacy Financial Crime Health Check – Start Now

Founded by Andrew Roberts, a seasoned expert with over a decade of experience in senior financial crime roles, Fairway Financial Crime brings expertise from both global institutions and smaller firms. Andrew has held regulated positions within major financial organisations, giving him unique insights into the real challenges of managing financial crime risks effectively. ABOUT FAIRWAY FINANCIAL CRIME ABOUT Fairway Financial Crime We help you to navigate and meet the ever-evolving challenge of understanding and managing your financial crime risk exposure, through advice and design services, transformation and implementation and support, as well as longer term retained advisory support. Our solutions are designed to build strong, adaptable foundations for long-term success. Fairway Financial Crime can provide you with expert resources, with real experience not only of designing and implementing solutions to compliance issues, but also having first hand experiences of the benefits of different approaches, living with the solutions that have been designed, managing a range of stakeholders, and being subject to and conducting assurance reviews and audits. We provide not only technical expertise but practical and pragmatic guidance, making us flexible to the challenges that you face, able to adapt and respond in the way that is most appropriate in the long term, and the best for your business. Meet Andrew Fairway Financial Crime was created by Andrew Roberts to provide insurance and other financial services firms with a flexible, practical and pragmatic solution to understanding and managing their financial crime risk exposures Let’s Work Together Contact us today to discuss how we can support your business with tailored solutions. Contact us RECEIVE OUR LATEST NEWS Email* Yes, subscribe me to your newsletter. Submit MENU About Services LINKS Resources Work With Us CONTACT Email LinkedIn LEGAL Terms Privacy Financial Crime Health Check – Start Now Our Work At Fairway Financial Crime, we pride ourselves on delivering expert solutions tailored to the unique challenges faced by your business. Our work spans a variety of industries and organisations, combining deep expertise with a practical approach to ensure that you have the right controls in place to be able to assess, understand, and manage your exposure to financial crime risk, within your risk appetite and with confidence. We will engage with you in the way that is right for your business and to meet your immediate needs. Whether it is a concentrated sprint or an urgent piece of advice and design or helping you to build a long-term strategy for how your control environment will develop and evolve over an extended period of months or even years. Fairway Financial Crime are committed to building long term, trust based relationships with all our clients, by focusing on their needs, so that we can deliver outstanding results again and again. Services

Get in touch with Fairway Financial Crime. Contact us for expert guidance on financial crime compliance and risk management solutions tailored to your business needs. CONTACT US Please get in touch using one of the following options or complete the form below. Email info@fairwayfinancialcrime.com Phone +44 7786 176 838 Full name* Company name Job Title Email* Phone* Services of Interest Bespoke Consultancy Retained Advisory Financial Crime Risk Assessment Financial Crime Reviews Work with Fairway Financial Crime Other (please provide details below) Message Yes, subscribe me to your newsletter. Submit RECEIVE OUR LATEST NEWS Email* Yes, subscribe me to your newsletter. Submit MENU About Services LINKS Resources Work With Us CONTACT Email LinkedIn LEGAL Terms Privacy Financial Crime Health Check – Start Now

As both regulatory complexity and geo-political uncertainty continue, the scope and scale of the challenge for insurance firms of successfully identifying and navigating the financial crime risks that they face has never been greater. Despite the dramatic increase in sanctions and other financial crime risk exposure of all financial services businesses over the past three years, many firms in the insurance sector are still treating their risk exposure as the same as it was five years ago. They are relying on incomplete and outdated risk assessments, treating financial crime as part of wider compliance risk, with no detailed considerations, resulting in impractical and ill-conceived policies and over reliance on poorly designed and overly broad controls and a rudimentary use of data and MI to evidence effectiveness and enable oversight. Andrew Roberts examines how to structure a risk assessment framework that aligns with regulatory expectations, incorporating enterprise-wide, business unit, customer, and transaction-level risk assessments. He also explores how firms can enhance their processes by making better use of technology and automation, reducing inefficiencies while improving risk coverage. 1. Key Components of a Financial Crime Risk Assessment Weak control frameworks all start from the same point, the Financial Crime Risk Assessment Framework (“FCRA”). The approach to and execution of the FCRA Framework is the foundation of the control environment. The Financial Conduct Authority (“FCA”) could not have been clearer. It expects insurers, reinsurers, brokers, and managing general agents (“MGAs”) to maintain a clear and well-structured approach to financial crime risk assessments to ensure they identify, mitigate, and monitor risks effectively, with no exceptions. The FCA Financial Crime Guide outlines the expectations for a risk-based approach, ensuring that financial crime controls are proportionate to the risks an organisation faces. For the insurance sector, this means understanding exposure across all risk typologies across all activities and operations, regardless of the distribution and servicing models used and across all customers and third-party interactions. This means understanding and assessing the sanctions risk, money laundering, fraud, bribery and corruption, and financial misconduct linked to underwriting, claims handling, premium financing, and third-party relationships. Risk assessments must cover all financial crime threats relevant to an insurance firm’s operations and must also evidence that they have been considered. The risk assessment process must consider each of the main financial crime risk typologies and then develop a greater understanding through the detailed analysis of those risks that the organisation has an exposure to. Sanctions Risk – Does the organisation have direct or indirect dealings with comprehensively sanctioned countries and the regions that surround them? Is the organisation exposed or likely to be exposed to sanctioned individuals, industries and types of activity? Is the organisation exposed to trade sanctions and export-controlled goods and services, directly or indirectly? Money Laundering Risk – Could the firm be used as a vehicle for money laundering, including trade-based money laundering particularly through high-value goods and assets, premium financing, or early surrenders? Terrorism Financing and Weapons Proliferation Risk – Could the firm be used to channel funds, technology or goods to support terrorist activities, proliferation of chemical, biological or nuclear weapons and associated technology. Fraud Risk – How well does the firm identify and prevent policy fraud, claims fraud, and misrepresentation? What are the employee and third-party fraud risk exposures through business activities? Is the business within scope of the newly created Failure to Prevent Fraud corporate offence? How connected are underwriting and claims fraud functions with wider financial crime prevention teams? Bribery & Corruption Risk – Is there potential for improper payments, particularly in commission arrangements, third-party introducers, and claims settlements? Do you provide cover to companies, activities and services in high-risk countries and regions, or high-risk industries? Ensure you also consider potentially less prevalent risks, such as modern slavery, human rights sanctions, tax evasion or market abuse risks, even if there is a perception that they are low risk. Insurers directly and indirectly deal with the full spectrum of financial crime risks, including market sensitive information, tax efficient structuring of international programs, as well as modern slavery or human rights violations. Using External and Internal Data Sources for Risk Assessments Having considered the different potential typologies, it is then crucial to consider what information is available to demonstrate and evidence, or to help inform the conclusions that will be made about the scope and scale of the exposure. A strong risk assessment process is evidence driven. Firms should not rely only on internal perspectives but incorporate external sources of data to support and validate both scope decisions, areas of focus and risk rating conclusions, such as: National and Supra-National Risk Assessments – These provide a macro-level view of financial crime threats that could impact insurance firms (e.g., UK National Risk Assessment, FATF Mutual Evaluation Reports). Governmental, Quasi-Regulatory and Interest Group Guidance – These provide both high level and, in some cases, very detailed guidance on priorities and expectations, good and bad practice and often valuable insight into different risk considerations (e.g., FCA Financial Crime Guide, JMLSG Guidance, Basel Index, FATF Country Index and Country Evaluations, Transparency International Corruption Perception Index, Global Witness reports, Wolfsberg Group Guidance, World Bank Listing of Ineligible Firms and Individuals). Dear CEO Letters – The FCA frequently highlights failings across financial services that can offer lessons to insurers, even if the focus of the communication is not insurance. Recent Dear CEO letters on AML control failures provide insights into common weaknesses in risk assessment processes. Recent Enforcement Actions – While many regulatory actions focus on banks, insurers must study and learn from them. The Starling Bank (2024) and Metro Bank (2024) cases highlighted deficiencies in risk assessment processes, risk-based monitoring, transaction surveillance, and weak overall governance, which are all relevant to control frameworks within the insurance sector.y. Internal Data: What Can a Firm Learn from Itself? A strong financial crime risk assessment also draws on internal trends that indicate where controls may be failing or where risk profiles are changing. Firms should evaluate: Internal policy breaches – How many compliance breaches occurred, and were they recurring issues in related areas? Internal and external suspicious activity reports (SARs) – How many were submitted? Are they increasing or decreasing? Which categories or types of report are the most common and what insight can this give? Regulatory and law enforcement requests – Has the firm seen an increase in specific types of police or regulatory requests for information? Were there recurring themes from Audit and Compliance Assurance activities and were all remediation actions completed on time and on budget? Whistleblowing reports – Do they indicate concerns about financial crime risk typologies or suggest weak controls or culture? Employee disciplinary proceedings or dismissals for misconduct – What trends are emerging from internal HR cases and investigations? Risk appetite breaches – Were financial crime risks identified that exceeded the firm’s stated risk tolerance? Effectiveness of key controls – How many and which controls were marked ineffective in the last year? How many corrective action plans were delayed? A firm with multiple control failures and delayed remediations, may result in increased regulatory scrutiny and may have broader cultural and governance issues that need addressing within the risk assessment framework. Key questions to ask yourself: Are we using both external and internal data to inform our risk assessment? Have we analysed trends in internal compliance incidents, SARs, and regulatory inquiries? Are we considering broader business culture issues, such as persistent control failures or weak governance? Are controls structured in such a way to provide meaningful and measurable outputs and data points that can help inform risk management? 2. Structuring a Risk Assessment Framework How should insurers structure their financial crime risk assessments? Firms in the insurance sector take different approaches to structuring risk assessments. Considerations include: Enterprise-wide risk assessments (EWRAs) – An overarching view of financial crime risks across the business, required by the FCA and used to inform compliance strategy. Business unit risk assessments (BWRAs) – Assessing risk at the underwriting, claims, broking, or distribution level to capture the distinct risks within different functions. Consider whether commercial and retail sectors should be assessed separately, reinsurance and insurance, domestic and overseas divisions, or perhaps split according to entity. This should be thoroughly considered and the agreed approach documented with reasoning. Customer risk assessments (CRAs) – Profiling policyholders, claimants, and beneficiaries based on factors such as business line, jurisdiction, recent transaction patterns, adverse media and industry sector. Transaction risk assessments – Analysing how policies are purchased and how claims are paid and routed to identify financial crime red flags, particularly in international placements and complex structures. Considering Business Strategy and Growth Plans A risk assessment should not be static—it must evolve with business growth and strategic changes. Is the firm expanding into new markets or business lines where financial crime risks differ? Are compliance and financial crime risks included within any scenario planning undertaken by the firm to consider emerging risks or vulnerabilities to macro-economic or geo-political changes? Are new products or distribution channels being introduced, such as embedded insurance, exposure to e-money and cryptocurrency, online only distribution, or outsourced claims handling? Is the firm outsourcing major functions, increasing reliance on delegated authorities, increasing third-party risk exposure or changing reinsurance panels? Regulators expect firms to anticipate new risks before they materialise, ensuring that risk assessments remain forward-looking. Key questions to ask yourself: Does our risk assessment process reflect business growth plans and any changes in strategy or operating model? Are new distribution models, outsourcing, and market expansion risks factored into risk assessments? Are risk assessments updated frequently enough to capture evolving risks? 3. The Role of Technology, AI & Automation in Risk Assessments Financial crime risk assessments have traditionally been manual, static processes, often conducted using spreadsheets, paper-based checklists, or standalone opinion-based reports. As regulatory expectations around data, automation and technology have increased, firms are now expected to leverage technology to enhance risk identification, assessment and monitoring. While regulators do not mandate specific technology solutions, they expect firms to use appropriate tools commensurate with the size, scale, and complexity of the organisation and the risks faced. A small firm with a simple risk profile might manage with structured spreadsheets and internal dashboards, while a large, multinational insurer or MGA with a significant number of high-risk lines of business or using delegated authorities extensively for high-risk lines would be expected to have more advanced, potentially automated solutions to maintain oversight of evolving risks. Selecting the Right Platform for Risk Assessments Firms must consider how they execute, store, and analyse their risk assessments. Common approaches include: Basic Tools (Spreadsheets, Shared Documents, Static Reports) Best for : Smaller firms with simple risk profiles and limited data inputs. Advantages : Low cost, easy to use, minimal implementation effort. Challenges : Difficult to scale, version control risks, lacks automation or real-time data integration. General Business Platforms (SharePoint, MS Forms, Database Software, questionnaire and data input applications) Best for : Firms seeking more structured data collection, version control, and centralised storage. Advantages : Allows for multiple users, better audit trail, some level of automation possible. Challenges : Requires configuration, still lacks deeper analytics and automation. Bespoke Risk Management Systems (Commercial Risk Assessment Platforms) Best for : Large firms with complex risk exposure, high transaction volumes, or extensive third-party relationships. Advantages : Real-time updates, automation, integration with transaction monitoring and sanctions screening, enhanced auditability. Challenges : Higher setup and maintenance costs, require careful implementation and ongoing maintenance. The FCA, JMLSG, and FATF do not prescribe a specific tool or system but expect firms to scale their approach appropriately. Firms with high financial crime exposure, international reach, or complex underwriting and claims processes should invest in scalable and automated solutions, while smaller firms may still meet regulatory expectations with structured but simpler technology. Regulatory Expectations on Technology Use in Risk Assessments Appropriateness to the Firm’s Risk Profile – The FCA expects firms to use tools that match their complexity. A market leading global insurer using basic spreadsheets to manage enterprise-wide risk assessments would likely face regulatory scrutiny. Auditability & Documentation – Risk assessments should be well-documented, version-controlled, and traceable, with evidence of regular review and updates. Integration with Financial Crime Frameworks – Risk assessments should not be standalone. There should be a clear link through to the structure and operational processes and controls in place. Consider how transaction monitoring, sanctions screening, and control testing to provide a full and on-going risk picture. A further factor for consideration is how the financial crime risk assessment process and the platform(s) used are integrated into or alongside other compliance and risk frameworks and platforms, to balance efficiency and effectiveness, with resources and duplication and dilution risks. The existence and capabilities of these platforms will help to dictate the structure and approach to implementing a financial crime risk assessment process. Using AI & Machine Learning for Continuous Risk Assessment The shift from static, point-in-time risk assessments to dynamic, continuous monitoring is a key evolution in financial crime compliance. AI and machine learning provide firms with the ability to detect emerging risks, analyse vast data sets, and refine risk assessments in real time. The advent and development of artificial intelligence and machine learning does mean that it is easier than ever to cost effectively develop integrated and intelligent risk assessment platforms, that are affordable and can be scaled. As ever with any AI use case, it is important to be clear on what it will and won’t do, how it will achieve its goals, using what sources and how it will be overseen and governed. How AI & Machine Learning Can Enhance Risk Assessments Automated Risk Scoring AI can continuously update risk scores for specific or groups of customers, policies, transactions, and third parties based on behavioural patterns, jurisdictional risks, and new data inputs, as well as a range of other relevant factors. Example : If a specific policyholder starts making high-risk claims or overall claims connected to high-risk sanctions regions increase, their risk profile updates automatically rather than waiting for the next periodic review. Data Integration for Real-Time Updates AI systems can pull external regulatory changes, law enforcement reports, national risk assessments, and geopolitical developments into the risk model. Example : If the OFSI or OFAC updates a sanctions list, or if a country is placed on the FATF Grey List, the risk assessment updates automatically for impacted jurisdictions, products, or business lines. Identifying Trends & Emerging Risks Machine learning can analyse patterns in suspicious activity reports (SARs), sanctions referrals and alerts, fraud cases, internal policy breaches, and regulatory inquiries to highlight where risks are increasing. Example : A sharp rise in claims or payments to heavily sanctioned regions or linked to regularly sanctioned industries and activities in a specific jurisdiction could indicate increased sanctions or potentially fraud risks, that may warrant triggering deeper reviews into the transactions and trends. Enhancing Transaction & Claims Monitoring AI-powered tools can help identify anomalies versus expected shipping routes and port callings, fraudulent shipping registry use or false flagging activity to disguise sanctioned vessel use within underwriting or claims data, match experiences from information provided at underwriting to claims, spot patterns that might indicate potential money laundering, fraud rings, or sanctions evasion attempts. Example : If an insurer starts seeing irregular port calls, transponder black-outs and unexpected shipping routes or changes in vessel names and flags, an increase in claims payments linked to certain banks and countries known to route payments to sanctioned countries or sanctioned trading activities, claims using the same circumstances and characteristics, AI can flag the transactions or patterns for review. Building a Continuous Risk Assessment Process Firms can build a more adaptive and proactive risk assessment process by: Integrating Internal & External Data Sources Link transaction monitoring systems, claims fraud detection, underwriting risk models, and sanctions screening into the risk assessment framework. Pull in external intelligence and sources—regulatory updates, law enforcement warnings, and financial crime typology reports. Automating Risk Assessment Updates Move from manual, periodic updates to a combined approach with additional event-driven triggers. Example: If newly formed business lines hit certain growth targets, an outsourcing program is completed, or the firm receives a regulatory request for information about a category of high-risk customers, the risk assessment should update automatically to reflect this. Enhancing Board & Senior Management Reporting Provide live dashboards showing risk exposure changes, control effectiveness trends, and areas requiring remediation. Example: If referral rates for certain fraud typologies or relating to certain high-risk jurisdictions, leadership should be alerted through MI and reporting, rather than waiting for an annual review. Key questions to ask yourself: Are we using technology effectively and in a way that is proportionate to our risk exposure and regulatory obligations? How well does our risk assessment integrate with the financial crime control environment and is there clear connectivity between risks and controls? Are we using AI and automation to enhance our approach and the overall efficiency of the process? Do we have mechanisms to quickly incorporate regulatory changes, external intelligence, and internal trends into our risk framework? How does senior management receive risk assessment insights—is it a static report, or is near or actual real-time data used for decision-making?. 4. Final Considerations – Is Your Risk Assessment Fit for Purpose? A financial crime risk assessment should be a living document and process, regularly updated and capable of responding dynamically to regulatory developments, emerging threats, and business change. Firms must: Align risk assessments with the operating model —whether a global reinsurer or a niche specialty MGA, risk assessment processes must reflect the scale, complexity, and risk exposure of the business. Use internal and external data —SARs, fraud reports, regulatory updates, and market intelligence must be factored into ongoing risk assessments. Invest in appropriate technology —regulators expect firms to use tools that match their size and complexity, with AI-driven risk assessments increasingly becoming a best practice. Ensure findings are used to drive action —risk assessments must inform enhanced due diligence, compliance assurance and audits, claims reviews, third-party oversight, and board-level risk reporting. Firms that fail to maintain proportionate, dynamic, and data-driven risk assessments will face greater regulatory scrutiny and financial crime exposure. If your firm needs to strengthen its risk assessment framework, improve automation, or better integrate financial crime controls, Fairway Financial Crime can help. Andrew Roberts is Managing Director and Founder of Fairway Financial Crime, a specialist financial crime compliance consultancy. He has over 15 years of experience designing, building and maintaining financial crime risk management frameworks within the insurance sector and wider financial services. Andrew Roberts Managing Director and Founder Tel: +44 7786 176 838 Email: Andrew.Roberts@fairwayfinancialcrime.com Connect with Andrew:

Independent assurance of your financial crime frameworks and policies is an effective way of ensuring your approach to managing what have become ever-more complex risks to any financial services business is in line with regulatory expectations. Our new and bespoke health-check tool has been developed to provide a confidential and detailed assessment in an easy-to-use online format that combines the power of technology with the knowledge and expertise of our team. The tool guides the user through a series of questions designed to assess your organisation's approach to understanding financial crime risk against the latest regulatory expectations and market norms for addressing those. The simple-to-use interface ensures the tool can be used by anyone with knowledge of your organisation's frameworks and controls, whether they are a financial crime specialist, or a compliance generalist tasked with overseeing your approach. Your Report The results will provide valuable insights into areas of strength and areas that may require improvement, with your frameworks and controls scored against: Methodology and scope, Inherent risk, Internal controls, Residual risks, Output and actions; and Update and review. Our tool offers: A comprehensive and completely confidential assessment, Simple and easy to use interface, whether you are a full-time financial crime professional, or compliance generalist with responsibility for financial crime, Independent assurance that can help you test your existing frameworks and controls against regulatory expectations and market norms. If you would like to discuss any aspect of your own organisation’s finacial crime frameworks, controls or policies, or would like to understand more about the way our free health-check tool works, please do contact the team. Andrew Roberts is the Managing Director and Founder of Fairway Financial Crime, a consultancy specialising in financial crime compliance. Andrew Roberts Managing Director and Founder Tel: +44 7786 176 838 Email: Andrew.Roberts@fairwayfinancialcrime.com Connect with Andrew:

The regulatory bar is rising. Financial services firms across all sectors are under increasing pressure to demonstrate that their financial crime frameworks are not only fit for purpose but effective, dynamic, and aligned with their business risks. In January 2024, the Financial Conduct Authority (FCA) refused Zeux Limited’s application for registration under the Money Laundering Regulations 2017. Zeux, an Electronic Money Institution offering e-wallet and crypto-asset services, was operating under the Temporary Permissions Regime. What makes this case especially noteworthy is that the FCA has now chosen to publish its detailed reasons for refusal—one of the first such public disclosures for a crypto firm. While this may seem like a crypto-specific matter, it isn’t. The decision reflects core regulatory expectations that apply across sectors. For insurance firms—including MGAs, brokers, Lloyd’s syndicates, and reinsurers—the lessons are direct and urgent. The FCA’s scrutiny of financial crime risk frameworks, governance, and control effectiveness is now sector-agnostic. Understanding and acting on the lessons from Zeux could help your firm avoid costly remediation or reputational damage. Public Enforcement is a Strategic Choice – Take Note 69% of crypto firms applying for FCA AML registration since March 2020 withdrew their applications. Only 4% received a formal Decision Notice. Zeux Limited’s case, published in full, represents the FCA’s shift towards using enforcement transparency as a compliance driver. This is consistent with FCA speeches in late 2024 calling for “proactive remediation and cultural change” in financial crime compliance. Insurance firms are not exempt. The FCA’s public messaging increasingly positions financial crime failings as firm-wide governance failures, not just compliance issues. What Went Wrong – FCA Findings Against Zeux The FCA decision highlights a number of issues – all of which could equally occur in any financial services organisation, including insurance firms. They covered: Outdated and incomplete Business-Wide Risk Assessment (BWRA) and Customer Risk Assessment (CRA) processes; Lack of operational Enhanced Due Diligence (EDD) procedures; Absence of internal escalation or review mechanisms for Suspicious Activity Reports (SARs); Policies and controls unaligned with business risks and regulatory change; Governance gaps, with minimal senior oversight or Board engagement; and Poor data management—Zeux could not provide requested information reliably. These failings mirror themes seen in recent FCA enforcement against Metro Bank (2024), where risk assessments and MI were insufficiently aligned with the firm's actual risk exposure, and in Starling Bank (2024) where risk governance and control testing were inconsistent. What This Means for Insurance Firms – Practical Risk Scenarios Insurers face unique risks, particularly when underwriting, claims handling, or customer onboarding are delegated to third parties. In such models, regulators expect insurers to demonstrate oversight and control over outsourced activities. The following scenarios demonstrate how the same issues could easily arise for insurance firms. Delegated Authority (DA) Risk An MGA writes high-risk property policies via third-party agents in high-risk regions. Have you verified the coverholder’s sanctions screening processes? Are claims payments routed through compliant channels? Is there regular audit or assurance? How and how quickly are high risk transactions escalated to the insurer? Reinsurance Risk (Treaty and Facultative) A reinsurer underwrites facultative marine hull and cargo risks globally. Are ownership and cargo origins checked for sanctions evasion techniques? Are counterparties’ financial crime controls understood? Are ownership structures clearly understood and risk factors such as potential flags of convenience identified? Are reinsurance claims vetted against risk assessments? Are vessels monitored for indicators of involvement in circumvention activities? Broker Intermediation Risk A broker introduces commercial clients that formerly had extensive dealings with Russia and Belarus. The clients have complex ownership structures including use of potential secrecy jurisdictions. Have you conducted adequate due diligence yourself or is reliance being placed on the broker? How confident are you that the corporate structure is accurately mapped? Are you confident the insured activity does not involve sanctions circumvention? Is any reliance placed upon the broker justified, evidenced, and subject to oversight? In all cases, failure to identify, assess, and mitigate these risks through a structured and evolving framework could invite regulatory attention. Challenge Your Framework – Expanded Questions for Insurance Firms Is your Business Wide Risk Assessment reviewed annually and tailored to underwriting, claims, and distribution risks? Are risk assessments updated when you enter new markets or deploy new products (e.g., embedded insurance)? Does your Customer Risk Assessment incorporate emerging threats, such as sanctions evasion in shipping or dual use product risks in product liability? Are high risk transactions and enhanced due diligence cases escalated, documented, and signed off by senior management? How do you test the effectiveness of SAR processes across underwriting, claims, and third-party handlers? Can you provide evidence of a complete and up to date frozen assets register, comprehensive sanctions screening performance metrics, and a documented audit trail of decisions in high-risk scenarios within 5 working days or less? Governance is in the Spotlight – FCA Expectations Regulators expect senior management to own and oversee financial crime compliance. Inadequate governance was a key failing in the Zeux refusal . Insurance firms should ask: Is financial crime MI provided regularly and tailored to your risk exposure? Are breaches of risk appetite escalated and tracked? Do your Board and ExCo challenge the adequacy of controls and risk responses? The FCA’s 2025 strategy has been well sign-posted and is expected to call for firms to “embed effective governance structures that promote accountability and responsiveness.” Compliance culture must be demonstrable—not just claimed. Data Readiness and Technology – Are You Audit-Proof? Can your firm respond quickly and accurately to a regulatory request? Can you: Retrieve screening logs and exception reports? Provide complete, up-to-date EDD documentation for increased risk customers? Show that controls were tested and findings acted upon? Firms must use technology commensurate with complexity: Centralised risk dashboards Automated MI generation Auditable control records Real-time monitoring capabilities AI tools can support many aspects of your compliance framework, including fraud detection and sanctions evasion monitoring, but they must be well governed, explainable, and risk appropriate. Firms that rely on third parties must evidence oversight—not just contractual reliance. Three Practical Steps for Firms – Prepare, Don’t React Audit your risk assessments – Are they business-specific, reflect your operating model, up to date, and action-oriented? Conduct a data readiness drill – Can your teams respond to a simulated regulator request for high-risk customer files or screening performance? Evaluate governance – Is your Board engaged and challenging? Are compliance risks and failures documented and addressed? How Fairway Financial Crime Can Help Fairway Financial Crime helps insurers, MGAs, brokers, and Lloyd’s syndicates build effective, proportionate, and practical financial crime frameworks. Our services include: Independent risk assessment review, design and build Control framework review, design and implementation MI and governance improvement Data readiness audits Regulatory engagement support Don’t wait for the regulator to identify your gaps. We can help you assess where you stand—and what to improve. This article was originally published by ICSR. Andrew Roberts acts as an independent consultant and part of the ICSR Talent Pool . If you would like to discuss any aspect of your own organisation’s approach to the issues discussed in this article, please do speak with the author. Andrew Roberts is the Managing Director and Founder of Fairway Financial Crime, a consultancy specialising in financial crime compliance for the insurance sector. Andrew Roberts Managing Director and Founder Tel: +44 7786 176 838 Email: Andrew.Roberts@fairwayfinancialcrime.com Connect with Andrew: