  • Building an Effective Financial Crime Risk Assessment Framework for Insurance Firms

    As both regulatory complexity and geo-political uncertainty continue, the scope and scale of the challenge for insurance firms of successfully identifying and navigating the financial crime risks that they face has never been greater. Despite the dramatic increase in sanctions and other financial crime risk exposure of all financial services businesses over the past three years, many firms in the insurance sector are still treating their risk exposure as the same as it was five years ago. They are relying on incomplete and outdated risk assessments, treating financial crime as part of wider compliance risk, with no detailed considerations, resulting in impractical and ill-conceived policies and over reliance on poorly designed and overly broad controls and a rudimentary use of data and MI to evidence effectiveness and enable oversight. Andrew Roberts examines how to structure a risk assessment framework that aligns with regulatory expectations, incorporating enterprise-wide, business unit, customer, and transaction-level risk assessments. He also explores how firms can enhance their processes by making better use of technology and automation, reducing inefficiencies while improving risk coverage. 1. Key Components of a Financial Crime Risk Assessment Weak control frameworks all start from the same point, the Financial Crime Risk Assessment Framework (“FCRA”). The approach to and execution of the FCRA Framework is the foundation of the control environment. The Financial Conduct Authority (“FCA”) could not have been clearer. It expects insurers, reinsurers, brokers, and managing general agents (“MGAs”) to maintain a clear and well-structured approach to financial crime risk assessments to ensure they identify, mitigate, and monitor risks effectively, with no exceptions. The FCA Financial Crime Guide outlines the expectations for a risk-based approach, ensuring that financial crime controls are proportionate to the risks an organisation faces. 
For the insurance sector, this means understanding exposure across all risk typologies across all activities and operations, regardless of the distribution and servicing models used and across all customers and third-party interactions. This means understanding and assessing the sanctions risk, money laundering, fraud, bribery and corruption, and financial misconduct linked to underwriting, claims handling, premium financing, and third-party relationships. Risk assessments must cover all financial crime threats relevant to an insurance firm’s operations and must also evidence that they have been considered. The risk assessment process must consider each of the main financial crime risk typologies and then develop a greater understanding through the detailed analysis of those risks that the organisation has an exposure to. Sanctions Risk – Does the organisation have direct or indirect dealings with comprehensively sanctioned countries and the regions that surround them? Is the organisation exposed or likely to be exposed to sanctioned individuals, industries and types of activity? Is the organisation exposed to trade sanctions and export-controlled goods and services, directly or indirectly? Money Laundering Risk – Could the firm be used as a vehicle for money laundering, including trade-based money laundering particularly through high-value goods and assets, premium financing, or early surrenders? Terrorism Financing and Weapons Proliferation Risk – Could the firm be used to channel funds, technology or goods to support terrorist activities, proliferation of chemical, biological or nuclear weapons and associated technology. Fraud Risk – How well does the firm identify and prevent policy fraud, claims fraud, and misrepresentation? What are the employee and third-party fraud risk exposures through business activities? Is the business within scope of the newly created Failure to Prevent Fraud corporate offence? 
How connected are underwriting and claims fraud functions with wider financial crime prevention teams? Bribery & Corruption Risk – Is there potential for improper payments, particularly in commission arrangements, third-party introducers, and claims settlements? Do you provide cover to companies, activities and services in high-risk countries and regions, or high-risk industries? Ensure you also consider potentially less prevalent risks, such as modern slavery, human rights sanctions, tax evasion or market abuse risks, even if there is a perception that they are low risk. Insurers directly and indirectly deal with the full spectrum of financial crime risks, including market sensitive information, tax efficient structuring of international programs, as well as modern slavery or human rights violations. Using External and Internal Data Sources for Risk Assessments Having considered the different potential typologies, it is then crucial to consider what information is available to demonstrate and evidence, or to help inform the conclusions that will be made about the scope and scale of the exposure. A strong risk assessment process is evidence driven. Firms should not rely only on internal perspectives but incorporate external sources of data to support and validate both scope decisions, areas of focus and risk rating conclusions, such as: National and Supra-National Risk Assessments – These provide a macro-level view of financial crime threats that could impact insurance firms (e.g., UK National Risk Assessment, FATF Mutual Evaluation Reports). 
Governmental, Quasi-Regulatory and Interest Group Guidance – These provide both high level and, in some cases, very detailed guidance on priorities and expectations, good and bad practice and often valuable insight into different risk considerations (e.g., FCA Financial Crime Guide, JMLSG Guidance, Basel Index, FATF Country Index and Country Evaluations, Transparency International Corruption Perception Index, Global Witness reports, Wolfsberg Group Guidance, World Bank Listing of Ineligible Firms and Individuals). Dear CEO Letters – The FCA frequently highlights failings across financial services that can offer lessons to insurers, even if the focus of the communication is not insurance. Recent Dear CEO letters on AML control failures provide insights into common weaknesses in risk assessment processes. Recent Enforcement Actions – While many regulatory actions focus on banks, insurers must study and learn from them. The Starling Bank (2024) and Metro Bank (2024) cases highlighted deficiencies in risk assessment processes, risk-based monitoring, transaction surveillance, and weak overall governance, which are all relevant to control frameworks within the insurance sector. Internal Data: What Can a Firm Learn from Itself? A strong financial crime risk assessment also draws on internal trends that indicate where controls may be failing or where risk profiles are changing. Firms should evaluate: Internal policy breaches – How many compliance breaches occurred, and were they recurring issues in related areas? Internal and external suspicious activity reports (SARs) – How many were submitted? Are they increasing or decreasing? Which categories or types of report are the most common and what insight can this give? Regulatory and law enforcement requests – Has the firm seen an increase in specific types of police or regulatory requests for information? 
Were there recurring themes from Audit and Compliance Assurance activities and were all remediation actions completed on time and on budget? Whistleblowing reports – Do they indicate concerns about financial crime risk typologies or suggest weak controls or culture? Employee disciplinary proceedings or dismissals for misconduct – What trends are emerging from internal HR cases and investigations? Risk appetite breaches – Were financial crime risks identified that exceeded the firm’s stated risk tolerance? Effectiveness of key controls – How many and which controls were marked ineffective in the last year? How many corrective action plans were delayed? A firm with multiple control failures and delayed remediations may face increased regulatory scrutiny and may have broader cultural and governance issues that need addressing within the risk assessment framework. Key questions to ask yourself: Are we using both external and internal data to inform our risk assessment? Have we analysed trends in internal compliance incidents, SARs, and regulatory inquiries? Are we considering broader business culture issues, such as persistent control failures or weak governance? Are controls structured in such a way to provide meaningful and measurable outputs and data points that can help inform risk management? 2. Structuring a Risk Assessment Framework How should insurers structure their financial crime risk assessments? Firms in the insurance sector take different approaches to structuring risk assessments. Considerations include: Enterprise-wide risk assessments (EWRAs) – An overarching view of financial crime risks across the business, required by the FCA and used to inform compliance strategy. Business unit risk assessments (BWRAs) – Assessing risk at the underwriting, claims, broking, or distribution level to capture the distinct risks within different functions. 
Consider whether commercial and retail sectors should be assessed separately, reinsurance and insurance, domestic and overseas divisions, or perhaps split according to entity. This should be thoroughly considered and the agreed approach documented with reasoning. Customer risk assessments (CRAs) – Profiling policyholders, claimants, and beneficiaries based on factors such as business line, jurisdiction, recent transaction patterns, adverse media and industry sector. Transaction risk assessments – Analysing how policies are purchased and how claims are paid and routed to identify financial crime red flags, particularly in international placements and complex structures. Considering Business Strategy and Growth Plans A risk assessment should not be static—it must evolve with business growth and strategic changes. Is the firm expanding into new markets or business lines where financial crime risks differ? Are compliance and financial crime risks included within any scenario planning undertaken by the firm to consider emerging risks or vulnerabilities to macro-economic or geo-political changes? Are new products or distribution channels being introduced, such as embedded insurance, exposure to e-money and cryptocurrency, online only distribution, or outsourced claims handling? Is the firm outsourcing major functions, increasing reliance on delegated authorities, increasing third-party risk exposure or changing reinsurance panels? Regulators expect firms to anticipate new risks before they materialise, ensuring that risk assessments remain forward-looking. Key questions to ask yourself: Does our risk assessment process reflect business growth plans and any changes in strategy or operating model? Are new distribution models, outsourcing, and market expansion risks factored into risk assessments? Are risk assessments updated frequently enough to capture evolving risks? 3. 
The Role of Technology, AI & Automation in Risk Assessments Financial crime risk assessments have traditionally been manual, static processes, often conducted using spreadsheets, paper-based checklists, or standalone opinion-based reports. As regulatory expectations around data, automation and technology have increased, firms are now expected to leverage technology to enhance risk identification, assessment and monitoring. While regulators do not mandate specific technology solutions, they expect firms to use appropriate tools commensurate with the size, scale, and complexity of the organisation and the risks faced. A small firm with a simple risk profile might manage with structured spreadsheets and internal dashboards, while a large, multinational insurer or MGA with a significant number of high-risk lines of business or using delegated authorities extensively for high-risk lines would be expected to have more advanced, potentially automated solutions to maintain oversight of evolving risks. Selecting the Right Platform for Risk Assessments Firms must consider how they execute, store, and analyse their risk assessments. Common approaches include: Basic Tools (Spreadsheets, Shared Documents, Static Reports) Best for: Smaller firms with simple risk profiles and limited data inputs. Advantages: Low cost, easy to use, minimal implementation effort. Challenges: Difficult to scale, version control risks, lacks automation or real-time data integration. General Business Platforms (SharePoint, MS Forms, Database Software, questionnaire and data input applications) Best for: Firms seeking more structured data collection, version control, and centralised storage. Advantages: Allows for multiple users, better audit trail, some level of automation possible. Challenges: Requires configuration, still lacks deeper analytics and automation. 
Bespoke Risk Management Systems (Commercial Risk Assessment Platforms) Best for: Large firms with complex risk exposure, high transaction volumes, or extensive third-party relationships. Advantages: Real-time updates, automation, integration with transaction monitoring and sanctions screening, enhanced auditability. Challenges: Higher setup and maintenance costs, requires careful implementation and ongoing maintenance. The FCA, JMLSG, and FATF do not prescribe a specific tool or system but expect firms to scale their approach appropriately. Firms with high financial crime exposure, international reach, or complex underwriting and claims processes should invest in scalable and automated solutions, while smaller firms may still meet regulatory expectations with structured but simpler technology. Regulatory Expectations on Technology Use in Risk Assessments Appropriateness to the Firm’s Risk Profile – The FCA expects firms to use tools that match their complexity. A market leading global insurer using basic spreadsheets to manage enterprise-wide risk assessments would likely face regulatory scrutiny. Auditability & Documentation – Risk assessments should be well-documented, version-controlled, and traceable, with evidence of regular review and updates. Integration with Financial Crime Frameworks – Risk assessments should not be standalone. There should be a clear link through to the structure and operational processes and controls in place. Consider how transaction monitoring, sanctions screening, and control testing combine to provide a full and on-going risk picture. A further factor for consideration is how the financial crime risk assessment process and the platform(s) used are integrated into or alongside other compliance and risk frameworks and platforms, to balance efficiency and effectiveness, with resources and duplication and dilution risks. 
The existence and capabilities of these platforms will help to dictate the structure and approach to implementing a financial crime risk assessment process. Using AI & Machine Learning for Continuous Risk Assessment The shift from static, point-in-time risk assessments to dynamic, continuous monitoring is a key evolution in financial crime compliance. AI and machine learning provide firms with the ability to detect emerging risks, analyse vast data sets, and refine risk assessments in real time. The advent and development of artificial intelligence and machine learning does mean that it is easier than ever to cost effectively develop integrated and intelligent risk assessment platforms, that are affordable and can be scaled. As ever with any AI use case, it is important to be clear on what it will and won’t do, how it will achieve its goals, using what sources and how it will be overseen and governed. How AI & Machine Learning Can Enhance Risk Assessments Automated Risk Scoring AI can continuously update risk scores for specific or groups of customers, policies, transactions, and third parties based on behavioural patterns, jurisdictional risks, and new data inputs, as well as a range of other relevant factors. Example: If a specific policyholder starts making high-risk claims or overall claims connected to high-risk sanctions regions increase, their risk profile updates automatically rather than waiting for the next periodic review. Data Integration for Real-Time Updates AI systems can pull external regulatory changes, law enforcement reports, national risk assessments, and geopolitical developments into the risk model. Example: If the OFSI or OFAC updates a sanctions list, or if a country is placed on the FATF Grey List, the risk assessment updates automatically for impacted jurisdictions, products, or business lines. 
Identifying Trends & Emerging Risks Machine learning can analyse patterns in suspicious activity reports (SARs), sanctions referrals and alerts, fraud cases, internal policy breaches, and regulatory inquiries to highlight where risks are increasing. Example: A sharp rise in claims or payments to heavily sanctioned regions or linked to regularly sanctioned industries and activities in a specific jurisdiction could indicate increased sanctions or potentially fraud risks, that may warrant triggering deeper reviews into the transactions and trends. Enhancing Transaction & Claims Monitoring AI-powered tools can help identify anomalies versus expected shipping routes and port callings, fraudulent shipping registry use or false flagging activity to disguise sanctioned vessel use within underwriting or claims data, match experiences from information provided at underwriting to claims, spot patterns that might indicate potential money laundering, fraud rings, or sanctions evasion attempts. Example: If an insurer starts seeing irregular port calls, transponder black-outs and unexpected shipping routes or changes in vessel names and flags, an increase in claims payments linked to certain banks and countries known to route payments to sanctioned countries or sanctioned trading activities, claims using the same circumstances and characteristics, AI can flag the transactions or patterns for review. Building a Continuous Risk Assessment Process Firms can build a more adaptive and proactive risk assessment process by: Integrating Internal & External Data Sources Link transaction monitoring systems, claims fraud detection, underwriting risk models, and sanctions screening into the risk assessment framework. Pull in external intelligence and sources—regulatory updates, law enforcement warnings, and financial crime typology reports. Automating Risk Assessment Updates Move from manual, periodic updates to a combined approach with additional event-driven triggers. 
Example: If newly formed business lines hit certain growth targets, an outsourcing program is completed, or the firm receives a regulatory request for information about a category of high-risk customers, the risk assessment should update automatically to reflect this. Enhancing Board & Senior Management Reporting Provide live dashboards showing risk exposure changes, control effectiveness trends, and areas requiring remediation. Example: If referral rates for certain fraud typologies or relating to certain high-risk jurisdictions increase, leadership should be alerted through MI and reporting, rather than waiting for an annual review. Key questions to ask yourself: Are we using technology effectively and in a way that is proportionate to our risk exposure and regulatory obligations? How well does our risk assessment integrate with the financial crime control environment and is there clear connectivity between risks and controls? Are we using AI and automation to enhance our approach and the overall efficiency of the process? Do we have mechanisms to quickly incorporate regulatory changes, external intelligence, and internal trends into our risk framework? How does senior management receive risk assessment insights—is it a static report, or is near or actual real-time data used for decision-making? 4. Final Considerations – Is Your Risk Assessment Fit for Purpose? A financial crime risk assessment should be a living document and process, regularly updated and capable of responding dynamically to regulatory developments, emerging threats, and business change. Firms must: Align risk assessments with the operating model—whether a global reinsurer or a niche specialty MGA, risk assessment processes must reflect the scale, complexity, and risk exposure of the business. Use internal and external data—SARs, fraud reports, regulatory updates, and market intelligence must be factored into ongoing risk assessments. 
Invest in appropriate technology—regulators expect firms to use tools that match their size and complexity, with AI-driven risk assessments increasingly becoming a best practice. Ensure findings are used to drive action—risk assessments must inform enhanced due diligence, compliance assurance and audits, claims reviews, third-party oversight, and board-level risk reporting. Firms that fail to maintain proportionate, dynamic, and data-driven risk assessments will face greater regulatory scrutiny and financial crime exposure. If your firm needs to strengthen its risk assessment framework, improve automation, or better integrate financial crime controls, Fairway Financial Crime can help. Andrew Roberts is Managing Director and Founder of Fairway Financial Crime, a specialist financial crime compliance consultancy. He has over 15 years of experience designing, building and maintaining financial crime risk management frameworks within the insurance sector and wider financial services. Andrew Roberts Managing Director and Founder Tel: +44 7786 176 838 Email: Andrew.Roberts@fairwayfinancialcrime.com

  • Financial Crime Risk Assessment Health Check Tool Launched

    Independent assurance of your financial crime frameworks and policies is an effective way of ensuring your approach to managing what have become ever-more complex risks to any financial services business is in line with regulatory expectations. Our new and bespoke health-check tool has been developed to provide a confidential and detailed assessment in an easy-to-use online format that combines the power of technology with the knowledge and expertise of our team. The tool guides the user through a series of questions designed to assess your organisation's approach to understanding financial crime risk against the latest regulatory expectations and market norms for addressing those. The simple-to-use interface ensures the tool can be used by anyone with knowledge of your organisation's frameworks and controls, whether they are a financial crime specialist, or a compliance generalist tasked with overseeing your approach. Your Report The results will provide valuable insights into areas of strength and areas that may require improvement, with your frameworks and controls scored against: Methodology and scope, Inherent risk, Internal controls, Residual risks, Output and actions; and Update and review. Our tool offers: A comprehensive and completely confidential assessment, Simple and easy to use interface, whether you are a full-time financial crime professional, or compliance generalist with responsibility for financial crime, Independent assurance that can help you test your existing frameworks and controls against regulatory expectations and market norms. If you would like to discuss any aspect of your own organisation’s financial crime frameworks, controls or policies, or would like to understand more about the way our free health-check tool works, please do contact the team. Andrew Roberts is the Managing Director and Founder of Fairway Financial Crime, a consultancy specialising in financial crime compliance. 

  • Money Laundering Regulations: Why the FCA’s Decision to Refuse Zeux Limited’s Authorisation Matters for All Regulated Firms – Including Insurers

    The regulatory bar is rising. Financial services firms across all sectors are under increasing pressure to demonstrate that their financial crime frameworks are not only fit for purpose but effective, dynamic, and aligned with their business risks. In January 2024, the Financial Conduct Authority (FCA) refused Zeux Limited’s application for registration under the Money Laundering Regulations 2017. Zeux, an Electronic Money Institution offering e-wallet and crypto-asset services, was operating under the Temporary Permissions Regime. What makes this case especially noteworthy is that the FCA has now chosen to publish its detailed reasons for refusal—one of the first such public disclosures for a crypto firm. While this may seem like a crypto-specific matter, it isn’t. The decision reflects core regulatory expectations that apply across sectors. For insurance firms—including MGAs, brokers, Lloyd’s syndicates, and reinsurers—the lessons are direct and urgent. The FCA’s scrutiny of financial crime risk frameworks, governance, and control effectiveness is now sector-agnostic. Understanding and acting on the lessons from Zeux could help your firm avoid costly remediation or reputational damage. Public Enforcement is a Strategic Choice – Take Note 69% of crypto firms applying for FCA AML registration since March 2020 withdrew their applications. Only 4% received a formal Decision Notice. Zeux Limited’s case, published in full, represents the FCA’s shift towards using enforcement transparency as a compliance driver. This is consistent with FCA speeches in late 2024 calling for “proactive remediation and cultural change” in financial crime compliance. Insurance firms are not exempt. The FCA’s public messaging increasingly positions financial crime failings as firm-wide governance failures, not just compliance issues. 
What Went Wrong – FCA Findings Against Zeux The FCA decision highlights a number of issues – all of which could equally occur in any financial services organisation, including insurance firms. They covered: Outdated and incomplete Business-Wide Risk Assessment (BWRA) and Customer Risk Assessment (CRA) processes; Lack of operational Enhanced Due Diligence (EDD) procedures; Absence of internal escalation or review mechanisms for Suspicious Activity Reports (SARs); Policies and controls unaligned with business risks and regulatory change; Governance gaps, with minimal senior oversight or Board engagement; and Poor data management—Zeux could not provide requested information reliably. These failings mirror themes seen in recent FCA enforcement against Metro Bank (2024), where risk assessments and MI were insufficiently aligned with the firm's actual risk exposure, and in Starling Bank (2024) where risk governance and control testing were inconsistent. What This Means for Insurance Firms – Practical Risk Scenarios Insurers face unique risks, particularly when underwriting, claims handling, or customer onboarding are delegated to third parties. In such models, regulators expect insurers to demonstrate oversight and control over outsourced activities. The following scenarios demonstrate how the same issues could easily arise for insurance firms. Delegated Authority (DA) Risk An MGA writes high-risk property policies via third-party agents in high-risk regions. Have you verified the coverholder’s sanctions screening processes? Are claims payments routed through compliant channels? Is there regular audit or assurance? How and how quickly are high risk transactions escalated to the insurer? Reinsurance Risk (Treaty and Facultative) A reinsurer underwrites facultative marine hull and cargo risks globally. Are ownership and cargo origins checked for sanctions evasion techniques? Are counterparties’ financial crime controls understood? 
Are ownership structures clearly understood and risk factors such as potential flags of convenience identified? Are reinsurance claims vetted against risk assessments? Are vessels monitored for indicators of involvement in circumvention activities? Broker Intermediation Risk A broker introduces commercial clients that formerly had extensive dealings with Russia and Belarus. The clients have complex ownership structures including use of potential secrecy jurisdictions. Have you conducted adequate due diligence yourself or is reliance being placed on the broker? How confident are you that the corporate structure is accurately mapped? Are you confident the insured activity does not involve sanctions circumvention? Is any reliance placed upon the broker justified, evidenced, and subject to oversight? In all cases, failure to identify, assess, and mitigate these risks through a structured and evolving framework could invite regulatory attention. Challenge Your Framework – Expanded Questions for Insurance Firms Is your Business Wide Risk Assessment reviewed annually and tailored to underwriting, claims, and distribution risks? Are risk assessments updated when you enter new markets or deploy new products (e.g., embedded insurance)? Does your Customer Risk Assessment incorporate emerging threats, such as sanctions evasion in shipping or dual use product risks in product liability? Are high risk transactions and enhanced due diligence cases escalated, documented, and signed off by senior management? How do you test the effectiveness of SAR processes across underwriting, claims, and third-party handlers? Can you provide evidence of a complete and up to date frozen assets register, comprehensive sanctions screening performance metrics, and a documented audit trail of decisions in high-risk scenarios within 5 working days or less? Governance is in the Spotlight – FCA Expectations Regulators expect senior management to own and oversee financial crime compliance. 
Inadequate governance was a key failing in the Zeux refusal. Insurance firms should ask: Is financial crime MI provided regularly and tailored to your risk exposure? Are breaches of risk appetite escalated and tracked? Do your Board and ExCo challenge the adequacy of controls and risk responses? The FCA’s 2025 strategy has been well sign-posted and is expected to call for firms to “embed effective governance structures that promote accountability and responsiveness.” Compliance culture must be demonstrable—not just claimed. Data Readiness and Technology – Are You Audit-Proof? Can your firm respond quickly and accurately to a regulatory request? Can you: Retrieve screening logs and exception reports? Provide complete, up-to-date EDD documentation for increased risk customers? Show that controls were tested and findings acted upon? Firms must use technology commensurate with complexity: centralised risk dashboards, automated MI generation, auditable control records, and real-time monitoring capabilities. AI tools can support many aspects of your compliance framework, including fraud detection and sanctions evasion monitoring, but they must be well governed, explainable, and risk appropriate. Firms that rely on third parties must evidence oversight—not just contractual reliance. Three Practical Steps for Firms – Prepare, Don’t React Audit your risk assessments – Are they business-specific, reflect your operating model, up to date, and action-oriented? Conduct a data readiness drill – Can your teams respond to a simulated regulator request for high-risk customer files or screening performance? Evaluate governance – Is your Board engaged and challenging? Are compliance risks and failures documented and addressed? How Fairway Financial Crime Can Help Fairway Financial Crime helps insurers, MGAs, brokers, and Lloyd’s syndicates build effective, proportionate, and practical financial crime frameworks. 
Our services include: independent risk assessment review, design and build; control framework review, design and implementation; MI and governance improvement; data readiness audits; and regulatory engagement support. Don’t wait for the regulator to identify your gaps. We can help you assess where you stand—and what to improve. This article was originally published by ICSR. Andrew Roberts acts as an independent consultant and part of the ICSR Talent Pool. If you would like to discuss any aspect of your own organisation’s approach to the issues discussed in this article, please do speak with the author. Andrew Roberts is the Managing Director and Founder of Fairway Financial Crime, a consultancy specialising in financial crime compliance for the insurance sector.

  • FCA Financial Crime Compliance Priorities and Expectations for Insurance Firms

    The priorities for the Financial Conduct Authority (FCA) have been broadly consistent for the past 2-3 years: becoming more efficient and data led; an absolute focus on the consumer and the way that firms interact with them; protecting the public and the market from bad actors; and becoming a more visible regulator when it comes to enforcement, advocating for active supervision and early intervention. As we wait to see how the FCA frames its approach to financial crime in its 2025-6 Business Plan, we can get a good sense of what will be included by looking at recent FCA speeches, publications and enforcement actions in relation to financial crime compliance specifically. These have focused on the need to address commonly identified failings and what organisations should be doing to review and strengthen their financial crime control environment to ensure they do not fall foul of the same issues.

    What has the FCA Said and Done?

    The past 12 months have seen a number of publications by the FCA relating to financial crime, from the Dear CEO Letter in March 2024 – Action Needed in Response to Common Control Failings Identified in AML Frameworks, to the FCA Report: Assessing and Reducing the Risk of Money Laundering Through Markets in January 2025, with plenty more in between, and clear themes are being communicated. Both the March 2024 Dear CEO Letter and the FCA Report identified gaps in risk assessments, customer due diligence (CDD), governance, and transaction monitoring. Steve Smart (Joint Executive Director of Enforcement and Market Oversight) stated in a speech in June 2024: “When it comes to countering financial crime, we are in many respects a law enforcement agency as well as a regulator.
We must stay a step ahead of the criminals, whether it is to pre-empt the way they use new technology such as AI and deep fakes or whether it is to work together with the firms we regulate, to ensure their systems and controls keep a step ahead of those seeking to exploit them.” The FCA’s goal is to get to a position where enforcement, supervision and authorisation teams work seamlessly together, to provide clearer, more consistent and faster outcomes. He emphasised that the FCA expects the industry to work smarter and collaborate with peers, industry groups, regulators and law enforcement to achieve improved outcomes in financial crime compliance.

In September 2024, Sarah Pritchard (Executive Director for International Markets) made clear that financial crime was a key focus of the FCA’s 3-year plan. She reinforced that the FCA was going to be focusing on outcomes, relying on data more heavily, making pre-emptive interventions where issues are identified and using the complete regulatory toolbox when it comes to enforcement. She made it clear that the FCA will not hesitate to act decisively to penalise those firms it views as failing to meet the required standards.

November 2024 saw the publication of a number of updates to the FCA: Financial Crime Guide for Firms. The introduction made clear that the FCA is working to be a proactive and data-led regulator that is focused on effectiveness and outcomes. The announcement stated that the FCA expected improved compliance and for firms to be able to demonstrate that they have considered and acted on the contents of the Guide.
Within enforcement, in the past 6 months, we have seen actions and fines for financial crime failings being brought against Starling Bank, Metro Bank, Macquarie Bank, Arian Financial LLP and Mako Financial Markets Partnership LLP, which have all highlighted a number of key themes in terms of FCA expectations:
• Failures in the risk assessment processes from an enterprise to a customer and transaction level.
• Poorly designed and maintained governance and oversight processes supported by ineffective management information.
• Policies, controls and procedures not aligned to the risk exposure of the business.
• Ineffective customer due diligence and transaction monitoring processes that were not updated as the profile of the business changed.

What does this mean for Financial Crime Compliance?

It is essential that compliance teams take note of the continued focus on and increasing reliance on data to support a strategy based upon early intervention, active supervision, and a goal of faster enforcement. What has been seen through the evolution of the approach to being more data led is that firms need to be able to respond to FCA requests accurately, promptly and with complete data sets. The FCA has already begun to question delays and extension requests more fully, to query data completeness and structure, and to probe more fully issues identified through data weaknesses and anomalies, in some cases launching full-scale reviews and even enforcement actions that started from an inability to provide complete or comprehensive data in response to a query. Firms should act now to assess and, where appropriate, strengthen their compliance frameworks based on the outputs that they must be able to produce to evidence their effectiveness. This output should be a prompt for regular reflection on the overall approach to and management of financial crime risk, in the light of the changing internal and external environment.
At the same time, boards must ensure that they are building a culture of continuous improvement. This does not just mean reaching for the latest technology or AI tool. In this rapidly changing AI world, it is tempting to overestimate the impact of technology while underestimating the role of processes, structure, and accountability in driving real operational efficiency. AI and technology are not magic bullets but part of a financial crime framework built upon strong core foundations, and poorly configured and deployed technology can embed issues rather than solve them. It is essential to identify, implement and embed the right combination of tools for the organisation, within a considered and connected compliance framework and directly relevant to the way that it operates and the risk exposure of the business.

Finally, it is essential for firms to consider how they can strengthen relationships with the FCA (and other regulators), to ensure that there is trust on both sides, and a clear understanding of what the regulator is asking for and seeking to achieve through its interactions, enabling businesses to react accordingly. It is clear to see, for example, that there is a move within the Office of Financial Sanctions Implementation (OFSI) and Office of Trade Sanctions Implementation (OTSI) to proactively engage and educate industry, while other more established regulators may be far more structured in their approach, and less willing to engage informally. Knowing your regulator, their priorities and the pressures that they are coming under can help you and your firm to more successfully navigate your interactions.

What Steps to Take?

There is no magic bullet to ensure financial crime compliance effectiveness, but below are several recommendations and questions for firms to be asking themselves to help them be confident that their control frameworks will stand up to regulatory scrutiny.
Financial Crime Risk Assessments Must Be Comprehensive and Updated

Firms must identify and assess financial crime risks on a continuing basis, and not as a standalone or one-off exercise. The FCA expects risk assessments to be detailed, tailored, and updated in response to internal and external changes.

Common Failings Identified by the FCA:
• Incomplete or outdated risk assessments: The FCA Report: Assessing and Reducing the Risk of Money Laundering Through Markets found that many firms underestimate financial crime risks or fail to document them properly in their business-wide risk assessments (BWRAs).
• Failure to adapt to business changes: In the Metro Bank enforcement notice, transaction monitoring systems failed to assess over 60 million transactions, as they failed to integrate a key customer platform, leaving major gaps in risk detection.
• Weak customer risk assessments (CRAs): The FCA Report: Assessing and Reducing the Risk of Money Laundering Through Markets (“MLTM 2025”) highlighted that firms often override customer risk ratings without proper documentation, leading to inconsistent risk classification. The Starling Bank notice detailed how they failed to comply with an agreed action because they could not correctly identify and prevent the onboarding of high risk customers, despite a commitment to do so.

Key Actions for Firms - Financial Crime Risk Assessments
• Update enterprise-wide risk assessments at least annually or when there is a significant change.
• Use granular risk ratings for customers, transactions, and third parties. One-size-fits-all models do not work.
• Ensure risk assessments drive policies and controls, not the other way around.

Test Your Risk Assessment Methodology and Process:
• How do you know your risk assessment reflects real threats?
• Are risk assessment factors and processes adapted to local regulatory requirements, or focused from a head office perspective only?
• Can your firm quickly explain how risks are identified and controlled?
• Can you draw a clear thread from your risk assessment findings through all the components of your control environment?
• Are changes in risk exposure identified and assessed, and do they lead to updates in policies and procedures?

Governance and Accountability Must Be Clear and Effective

Senior management must take responsibility for financial crime risks. The FCA expects boards and executives to be actively involved in compliance oversight.

Common Failings Identified by the FCA:
• Lack of senior management engagement: The Macquarie Bank enforcement notice showed that a junior trader was able to manipulate controls, making over 400 fictitious trades over 20 months, exposing the firm's poor oversight.
• Inadequate oversight: In the Starling Bank investigation, the FCA found severe governance failings, leading to weak financial crime detection measures.
• Failure to escalate risks: The MLTM 2025 found that firms do not always escalate material financial crime risks to senior management, resulting in delayed responses.

Key Actions for Firms - Governance and Accountability
• Hold regular board-level discussions on financial crime risks and control effectiveness.
• Assign clear accountability under the Senior Managers and Certification Regime (SMCR).
• Establish an escalation framework for high-risk issues and ensure it is used in practice.
• Conduct board and executive committee level training on financial crime risks, including practical case studies.

Test your firm's Governance and Accountability:
• Can senior leaders explain the firm's financial crime risks and controls in a coherent way and explain why certain approaches have been adopted?
• Are financial crime issues escalated and resolved promptly? Can you demonstrate this?
• Are roles and responsibilities clearly documented both generally and specifically in relation to control ownership and operation, as well as for remediation activities and improvement programmes?
Policies and Procedures Must Be Aligned with Real Risks

Policies and procedures must reflect the firm's actual risks and business model. They should be clear, practical, and embedded into daily operations.

Common Failings Identified by the FCA:
• Outdated or misaligned policies: Metro Bank's enforcement revealed outdated transaction monitoring rules that failed to detect high-risk transactions, as key systems were not integrated.
• Failure to link policies to real risks: One theme highly relevant for insurance is that several enforcement actions have found that firms can overly rely on third parties or others in the distribution chain for due diligence, assuming others have conducted proper risk assessments, and do little to verify or monitor the effectiveness of the checks and subsequent actions.
• Inconsistent application of procedures: While some employee actions were totally locked down, the Macquarie Bank case exposed inconsistent internal controls, enabling a single employee to bypass key compliance processes.

Key Actions for Firms – Policies and Procedures
• Align policies with risk assessments and update them whenever risks change.
• Ensure procedures are practical and used in day-to-day operations.
• Regularly test policy effectiveness through spot checks and assurance reviews.
• Provide regular staff training with real-life case studies and interactive sessions that are relevant to their roles.

Tests for your Policies and Procedures:
• Is there a clear connection between the risk assessment and the controls put in place?
• Are financial crime policies easy to follow for non-experts and are they linked to actual activities?
• How often do you test whether policies, controls and procedures are working as intended?
• Can employees explain how financial crime policies apply to their roles?
• Are employees confident that they can raise concerns about compliance matters and that their concerns will be investigated and acted upon?
Screening and Monitoring Must Be Accurate and Efficient

Screening and transaction monitoring systems must detect risks effectively. The FCA expects firms to validate and improve their systems continuously.

Common Failings Identified by the FCA:
• Inadequate transaction monitoring: Metro Bank (2024) failed to monitor 60 million transactions worth £51 billion, leaving critical financial crime risks undetected.
• Failure to embed and maintain screening systems effectively: There are 3 common ways that screening controls fail: organisations procure (or build) an inappropriate platform for their operating model, risk exposure and resource availability; they fail to integrate it effectively and utilise its capabilities; and finally they fail to manage the platform on an ongoing basis.
• Failure to detect suspicious activity through backlogs and false positive rates: A common theme of s166 enforcements around screening is the failure to calibrate screening and transaction monitoring tools correctly and manage the subsequent workload in a timely manner, meaning risks are missed or identified too late to be relevant.
• Weak transaction monitoring controls: The MLTM report found that firms lack tailored monitoring rules for market transactions, resulting in missed red flags.

Key Actions for Firms - Screening and Monitoring:
• Regularly test and validate screening systems to ensure they detect sanctioned entities and high-risk individuals correctly.
• Improve transaction monitoring rules based on real risks and past case reviews.
• Ensure alerts are investigated and escalated within defined timelines.
• Use AI and machine learning carefully—to bolster and build on a strong framework and with thorough understanding of its role and strong governance and assurance in place, since automation can create blind spots and weaknesses.
Test your Screening and Transaction Monitoring Processes:
• When was the last time you validated your screening and transaction monitoring system's effectiveness and efficiency?
• Are false positives overwhelming compliance teams, or is suspicious activity going undetected?
• What metrics do you employ to tell how effective your screening controls are at identifying risks and enabling those increased risk situations to be investigated and worked to resolution in a timely manner?
• Do you delegate screening or customer onboarding to third parties and how do you monitor the effectiveness of screening conducted by third parties?

Uncertainty and Rapidly Changing Risks Require Flexible Compliance Frameworks

Conclusion

The risk environment is constantly shifting and becoming more challenging to navigate effectively without incurring costs and layering an unsustainable burden on business or compliance staff. Sanctions programs have expanded rapidly and there is an increasing risk of divergence between USA, UK and EU as geopolitical conflicts are reshaping trade and financial flows. Governments are scrambling to respond to the new Trump Administration and the speed with which changes are occurring. Criminals are using more sophisticated methods to evade controls. Regulators are demanding businesses play a larger role in preventing fraud and financial crime. Firms must have a framework in place that can adapt quickly to keep up with these changes.

Key Actions for Firms - Compliance Frameworks:
• Ensure financial crime frameworks are flexible and scalable.
• Monitor regulatory updates, geopolitical developments, and enforcement trends in real time.
• Build an internal capability to assess new risks quickly and adjust controls accordingly.
• Use scenario testing to assess how well your firm can handle fast-moving financial crime risks.
Test your Framework and its ability to adapt to change:
• Is your compliance team equipped to respond to emerging threats and how are they communicated in a timely manner to senior management?
• Are funding reserves available for rapid adaptation?
• How quickly (and completely) can your firm assess the risks of and then adapt to the different types of regulatory change, e.g., immediately effective sanctions regimes and restrictions, new AML guidance, new corporate criminal offence of failure to prevent fraud?
• How are new financial crime risks reflected in policies and controls, and how are changes made at an operational level?

Next Steps

Firms should continuously assess, develop, and stress-test their financial crime frameworks. The FCA expects an ongoing process of improvement, not one-time fixes.

Key Steps to Take Immediately:
• Review and update risk assessments to reflect the latest threats and regulatory expectations.
• Strengthen governance by ensuring senior leaders engage with financial crime risk management.
• Validate screening and monitoring systems to ensure they work effectively.
• Test compliance processes through simulated regulatory requests and assurance reviews.
• Prepare for FCA scrutiny—firms should be ready to demonstrate their financial crime controls at short notice.

Final Thoughts:

It is crucial that insurers, the wider insurance sector and other financial services firms pay close attention to the expectations being communicated and the issues being highlighted even when the enforcement actions are not in the same specific financial services sector. The approach expected must be thoroughly considered and tailored to the firm in question, based upon a complete understanding of the risks faced by the business and that thread must be traceable through policy, procedure and controls, into actions that can be evidenced and proven to be effectively managing the risk exposure of the firm.
There must be mechanisms that consistently test the foundations of the approach, and that re-affirm both the appropriateness and effectiveness of how the different components of it operate. Can your firm evidence that it is meeting FCA expectations on financial crime compliance? If not, now is the time to act.

If you would like to discuss any aspect of your own organisation’s approach to the issues discussed in this article, please do speak with the author. Andrew Roberts is the Managing Director and Founder of Fairway Financial Crime, a consultancy specialising in financial crime compliance for the insurance sector.

  • Andrew Roberts To Speak At FID Fraud & FinCrime 2025

    On 19th March, Andrew Roberts will be one of the “Rockstar Speakers” talking about risk, compliance, cybersecurity, AML, KYC and fraud prevention at the UK’s newest and biggest Fraud & FinCrime event, FID Fraud & FinCrime 2025. The event will be covering the key themes of:
    • Fraud & scams
    • Regulation
    • Corruption & insider threats
    • Customer due diligence & onboarding
    • Transaction monitoring
    • Fraud & risk detection technology innovation

    Andrew will be chairing a conversation entitled "Sanctions Screening: Detecting sanctions evasion attempts and ensuring compliance" with Stephen Alsace, Nathalie von Taafe, Michelle Weiss Bockmann, and Shereen George at 17:00 on the Fraud & FinCrime Stage. The full agenda is available here and registration is free for ‘Relying parties’ including regulated lenders, Financial Institutions, non-financial brands and retailers. If you plan to attend and would like to schedule some time to catch up with Andrew on that day, please do contact Andrew directly to make arrangements.

  • Navigating Sanctions Risk - The OFSI Threat Assessment Report

    How does your Sanctions Compliance Framework Stack up to OFSI’s Inaugural Financial Services Threat Assessment?

    In February 2025, the UK's Office of Financial Sanctions Implementation (OFSI) released its inaugural Financial Services Threat Assessment Report. This comprehensive report delves into the evolving threats and vulnerabilities within the UK's financial services sector, particularly in the wake of the extensive sanctions imposed following Russia's invasion of Ukraine in 2022. At the same time, further information is being revealed in the public sphere from multiple sources as analysis and investigations are being conducted into the steps being taken by state, corporate and individual actors seeking to facilitate sanctions circumvention. Given the uncertainty that has only increased as a result of the Trump Administration’s approach towards Russia and Ukraine, it is more crucial than ever that organisations have taken all necessary steps to understand their sanctions risk exposure, and how well prepared they are to navigate additional complexity over the coming weeks, months, and years. For everyone involved in sanctions compliance, understanding and responding to these insights is paramount to safeguarding their institutions against sanctions breaches and associated risks. This article examines the key findings of the OFSI report, explores the emerging techniques used to evade sanctions, and outlines recommended actions to enhance compliance frameworks.

    Key Judgements from the OFSI Report

    The OFSI report presents several critical findings that demand attention from those involved in sanctions compliance at UK financial services firms:
    • Escalation in Enabler Activities: Since 2023, there has been a significant increase in individuals and entities assisting Russian designated persons (DPs) in seeking to evade UK financial sanctions.
This escalation highlights the growing sophistication of sanctions evasion tactics and the need for enhanced vigilance to look beyond the surface of a transaction.
• Utilisation of Non-Bank Payment Service Providers (NBPSPs): Enablers have been channelling funds through NBPSPs to sustain the assets and lifestyles of Russian DPs, including luxury assets such as superyachts and UK real estate. This trend underscores the need for comprehensive monitoring across all payment channels.
• Obfuscation of Asset Ownership: A subset of enablers has attempted to conceal the true ownership of frozen assets by masquerading as legitimate proprietors. This tactic leverages complex corporate structures and nominee arrangements to obscure beneficial ownership.
• Adoption of Alternative Payment Mechanisms: There is a high likelihood that enablers are leveraging crypto assets to contravene UK financial sanctions related to Russia (and other regimes). The anonymity and decentralized nature of cryptocurrencies pose significant challenges to traditional compliance controls.
• Engagement with Intermediary Jurisdictions: Activities indicative of potential sanctions violations have been detected in countries such as the UAE and Türkiye, possibly due to the migration of Russian capital to regions not enforcing sanctions against Russia. This highlights the importance of ongoing and updated geographical risk assessments and enhanced due diligence for transactions involving high-risk jurisdictions.

Recommended Actions for Assessing and Strengthening your Sanctions Compliance Framework

To effectively mitigate the identified threats, organisations should review and assess their existing policies, procedures, and controls to ensure they are comprehensive, robust, and capable of addressing the evolving risks of sanctions evasion. It is essential to determine whether these measures are not only in place but are also effective in practice.
In doing so, institutions should consider reviewing their approach and updating the procedures in place and, depending on the risk profile and operating model of their firm, consider incorporating the following elements:

Enhanced Due Diligence (EDD): To effectively address the complexity of the sanctions landscape and the methods used to disguise and evade sanctions, organisations should review the following areas of their due diligence processes:

Know Your Customer (KYC) Procedures:
• Review and Update KYC Protocols: Ensure that KYC and due diligence procedures are comprehensive, up-to-date, and tailored to the risk profiles of customers (and the products), particularly those with complex corporate structures or connections to high-risk jurisdictions. This includes enhancing verification processes for beneficial owners, intermediaries, and third-party payers. Consider how procedures can be structured to enable enhanced checks in light of certain risk triggers and simplified processes in less risky situations. If you delegate or outsource any of these activities, re-confirm what those third parties are doing, and how you are assuring yourselves that it is happening effectively.
• Deep-Dive Risk Assessments: Conduct enhanced risk assessments for high-risk clients, product or transaction types, including politically exposed persons (PEPs), particular goods and services, deal structures and entities linked to sanctioned countries. Are you able to utilise advanced data analytics and open-source intelligence (OSINT) tools to better uncover hidden affiliations and control structures?

Beneficial Ownership Verification:
• Strengthen Identification Procedures: Confirm that beneficial ownership information is accurate, comprehensive, and up to date. Organisations should require detailed ownership disclosures, especially for entities operating in complex or layered structures.
Consider how this occurs in delegated authority and outsourced scenarios, and how you are able to have confidence in the third-party processes.
• Cross-Verification Techniques: Implement cross-verification techniques using multiple independent sources to validate ownership information and reduce reliance on self-reported data.

Transaction Monitoring and Screening: To detect and prevent sophisticated evasion techniques, organisations should ensure they have processes for:

Real-Time Monitoring Systems:
• Implement Advanced Monitoring Systems: Higher risk businesses and business lines should be using real-time monitoring systems that are equipped with machine learning algorithms to detect suspicious transactions, including the use of crypto-assets, intermediary jurisdictions, and high-risk payment patterns.
• Behavioural Pattern Analysis: Enhance monitoring capabilities with behavioural analytics to identify anomalies that deviate from normal customer activity, enabling early detection of potential evasion tactics. Look to analyse and monitor the behaviours of higher risk enablers and intermediaries whose business model or reputation may be structured to support higher risk customers and transactions.

Review and Update Sanctions Screening & Screening Governance:
• Automated Sanctions List Updates: Integrate automated updates of global sanctions lists from OFSI, OFAC, EU, and UN, ensuring screening tools are accurate and up to date. This includes capturing variations in spelling, aliases, and other identifiers used in sanctions evasion schemes.
• Comprehensive Screening: Implement enhanced screening protocols that encompass all counterparties involved in transactions, including intermediaries, facilitators, and ultimate beneficiaries.
How is this achieved amongst delegated authorities and third-party outsourcing arrangements, and what mechanisms and protocols are in place to provide assurance over the approach and effectiveness of the screening activities undertaken by others on your behalf?
• Screening Governance: How is the screening framework structured to ensure clear roles and responsibilities are maintained, and how is the framework overseen and assured? When and how is it reviewed for completeness and accuracy, and when and how are screening list and system updates implemented in a timely manner? How are screening rules adapted to ensure effectiveness and efficiency, and how is the system and its output reported on to ensure senior management awareness? How are internal governance frameworks translated to delegated authority and outsourcing arrangements for consistency and accountability?

Risk-Based Approach: To ensure proportional and effective risk management, organisations should consider the approach that they take towards financial crime risk assessment, and the structure that they use to fully understand the risks that they are exposed to, from both a top-down and a bottom-up approach. It is essential to ensure that there is both a holistic overall assessment and a targeted approach to more exposed areas, allowing for greater understanding and controls which can be deployed efficiently and effectively, including:

Financial Crime Risk Assessment Process
• Enterprise-Wide Risk Assessments: Conduct comprehensive risk assessments of the entire business operation, considering factors such as customer type, geographical exposure, transaction types, and products, as well as regulatory exposure, geo-political vulnerability, and considering methods of distribution and servicing of the business.
• Business Planning and Strategy: What are the strategic goals of the business over the coming months and years: will it be targeting specific growth areas or markets; will it be closing or retreating from others, opening up distribution via delegation or accepting digital currencies; is it preparing for listing or sale? How will the business be reaching its growth and cost targets; will these create additional financial crime risk exposure; and how will the business ensure that its financial crime compliance framework continues to adapt and evolve to the changing risks and profiles?

Customer Risk Profiling:
• Dynamic Risk Scoring Models: Develop dynamic risk scoring models that adjust customer risk ratings based on real-time data and changes in geopolitical risk factors. Regularly recalibrate models to reflect the latest threat landscapes, enforcement actions, regulatory guidance and publications (e.g. Dear CEO letters).

Product and Service Risk Assessment:
• Review Product Risk Profiles: Re-evaluate the risks associated with specific products and services, particularly those susceptible to misuse for or linked to common sanctions evasion priorities such as global trade, energy transport and extractive industries, trade in hard to trace assets, and consider non-bank financial products, cryptocurrencies, and trade finance instruments. How can the organisation focus its controls to be relevant and effective for the specific products and markets it is providing and servicing?
• Vulnerability Assessments: Conduct detailed vulnerability assessments on high-risk products and services and seek to design and implement coordinated controls that are effective in mitigating misuse for sanctions evasion.
Staff Training and Awareness: To build an informed and vigilant workforce, organisations should focus on:

Regular Training Programs:
• Tailored Training Programs: Develop and deliver training programs tailored to the organisation for employees at all levels to ensure relevant and effective training for the roles that people are completing, including where relevant, a focus on the latest sanctions regulations, evasion techniques, and internal reporting procedures. This should include scenario-based training for high-risk roles.
• Periodic Testing and Assessments: Implement periodic testing and knowledge assessments to evaluate employee understanding of sanctions compliance requirements and reinforce learning.

Cultivating a Compliance Culture:
• Leadership Engagement: Foster a corporate culture that emphasises ethical business practices, accountability, and a proactive approach to compliance, driven by leadership engagement and clear communication of compliance expectations.
• Whistleblower Protection: Encourage employees to report suspicious activities without fear of reprisal by establishing robust whistleblower protection mechanisms and clear reporting channels.

Collaboration and Information Sharing: To enhance resilience through collective intelligence, organisations should:

Engage with Industry Bodies and Specialist Advisory Groups
• Proactive Industry Engagement: Seek out and utilise the many industry advisory groups available in your specific sector. Other organisations will be facing many of the same challenges and will be looking to or have already addressed the problems you are facing. Several industries have specialist Sanctions Advisory Groups, who can provide invaluable guidance and support to entities who are seeking to better understand the risks that they are facing and the approaches that are available to organisations to help them implement and manage a sanctions compliance framework.
Engage with Regulatory Bodies: Proactive Regulatory Engagement: Establish and maintain open communication channels with regulatory authorities such as OFSI, OTSI and the FCA to stay informed of emerging threats, enforcement actions, and compliance expectations. OFSI and OTSI continue to position themselves as approachable, responsive and desiring a positive relationship with businesses. Participation in Regulatory Initiatives: Actively participate in regulatory initiatives, industry consultations, and public-private partnerships to contribute to the development of effective sanctions policies and practices. Comprehensive Regulatory Reporting and Disclosures: Streamlined Reporting Processes: Ensure that processes supporting regulatory reporting and disclosures are complete, accurate, and timely. This includes sanctions reporting, proceeds of crime disclosures, and other relevant regulatory requirements. Training on Disclosure Requirements: Train staff to understand the requirements and importance of comprehensive and effective disclosures, ensuring that reports are meaningful and comply with regulatory expectations. This includes understanding the contents of a comprehensive and useful disclosure. Conclusion: OFSI's Financial Services Threat Assessment Report serves as a crucial resource for financial institutions aiming to fortify their defences against sanctions evasion. The growing complexity and sophistication of evasion techniques necessitate a proactive and adaptive approach to compliance. The report, together with other recent publications, continues to emphasise the importance of having in place a living and coordinated sanctions compliance framework that is kept under constant review and can adapt and evolve to the changing internal and external environment. 
By continuously assessing and enhancing existing policies, procedures, and controls, organisations can better navigate the challenges of the current sanctions landscape, effectively mitigate associated risks, and uphold the integrity of the financial system. If you would like to discuss any aspect of your own organisation’s approach to sanctions compliance or know more about the various industry advisory groups that exist to help firms navigate compliance in this complex area, please do speak with the author. Andrew Roberts Managing Director and Founder Tel: +44 7786 176 838 Email: Andrew.Roberts@fairwayfinancialcrime.com

  • Andrew Roberts Launches New Financial Crime Consultancy Firm

    We are thrilled to announce the official launch of Fairway Financial Crime, a specialised consultancy founded by Andrew Roberts, a leading financial crime and anti-money laundering expert with over 15 years' experience in the insurance sector. Andrew's proven track record in managing financial crime compliance spans UK and International firms, the Lloyd’s market and covers both general and life insurers. Why Fairway Financial Crime? In an era of increasing regulatory scrutiny, rapidly changing financial crime typologies, and growing complexity in global financial systems, businesses must remain vigilant and proactive. Fairway Financial Crime was established to meet the growing demand for expert guidance in tackling financial crime risks, including money laundering, fraud, bribery, and corruption. Andrew’s extensive experience, coupled with the firm’s deep understanding of financial regulations and best practices, ensures clients receive the most effective strategies for compliance and risk mitigation. Andrew is supported by a flexible team of subject matter experts. Our Services At Fairway Financial Crime, we understand that every organisation faces unique challenges when it comes to financial crime. That’s why we offer a comprehensive suite of services, tailored to meet the specific needs of each client. Our core services include: Sanctions Compliance Navigating the complexities of sanctions regimes can be challenging, especially for businesses with global operations. Fairway Financial Crime can provide comprehensive sanctions screening and monitoring services, ensuring your business remains compliant with international sanctions lists, including those issued by the United Nations, the European Union, and OFAC. Regulatory Investigations & Remediation Support If your organisation is under investigation or requires remediation after a regulatory breach, we offer expert support to navigate these challenges. 
We work closely with clients to manage regulatory communications, conduct internal investigations, and implement remedial action plans to meet compliance expectations. Financial Crime Audits & Health Checks We provide comprehensive financial crime audits, designed to assess the effectiveness of your current financial crime controls. Through detailed health checks, we identify gaps, recommend improvements, and assist in the implementation of solutions that strengthen your overall financial crime resilience. Anti-Money Laundering (AML) & Counter-Terrorist Financing (CTF) Compliance We help businesses implement robust AML and CTF programs, ensuring compliance with global and local regulations such as the UK's Money Laundering Regulations, the US Bank Secrecy Act, and EU directives. Our services cover everything from policy design and risk assessments to staff training and ongoing compliance monitoring. Fraud Risk Management Fraud continues to be one of the most prevalent financial crimes, and we are here to assist organisations in building comprehensive fraud prevention frameworks. Our approach includes fraud risk assessments, the design and implementation of internal controls, and advanced fraud detection strategies using cutting-edge technology. Bribery & Corruption Risk Management With increasing regulatory attention on bribery and corruption, we support clients in aligning their practices with frameworks like the UK Bribery Act and the US Foreign Corrupt Practices Act (FCPA). We design and implement anti-bribery policies, conduct due diligence, and help with third-party risk management. Transaction Monitoring & Reporting Solutions We assist clients in implementing effective transaction monitoring systems that detect suspicious activity in real time. Our solutions include advising on automated monitoring platforms, reporting protocols, and ongoing enhancements to meet changing regulatory requirements. Why Partner with Us? 
Fairway Financial Crime is built on a foundation of trust, expertise, and a client-centric approach. We pride ourselves on offering tailored, practical and pragmatic solutions that deliver measurable results. Our deep regulatory knowledge and experience ensure that our clients remain compliant while focusing on what they do best – running their business. We believe that when financial crime compliance is done well, it can set your organisation apart: not just a cost, but a source of enhanced risk understanding and improved integration of controls into operational processes, resulting in better-informed decision making and enabling you to move at speed and with greater confidence. Whether you're a multinational financial institution, operating in the Lloyd’s market or a UK-focused insurance firm, we have the insights and tools to help protect your organisation from financial crime risks. By partnering with Fairway Financial Crime, you’re choosing to stay ahead of the curve and protect your business’s reputation and assets. About Andrew Roberts: Founder and Managing Director Andrew Roberts is a recognised leader in the financial crime space, has previously held SMF17 (MLRO) roles and has been at the forefront of helping financial services firms combat financial crime for over two decades. His expertise spans a wide range of financial crime issues, including AML/CTF compliance, fraud prevention, sanctions, and anti-bribery and corruption efforts. Ready to Protect Your Business from Financial Crime? If you are looking to help mitigate financial crime risks within your insurance firm, we’re here to help. Please contact Andrew Roberts to learn more about the way Fairway Financial Crime can help.

Our online tool combines the simplicity of a technology-led solution with the knowledge and expertise our team have built over many years helping firms manage their financial crime risks. Start your assessment now...
