FCA Insurance Financial Crime Review 2026: Six Findings Insurers Need to Act On

06.30.2026 | Charmian Simmons

Quick summary

The FCA’s June 2026 multi-firm review assessed financial crime controls across retail, wholesale, and life insurance. Life insurance performed best overall while transaction monitoring was the most consistent gap across all three sectors. Six cross-sector themes, including controls testing, third-party oversight, and obligations management, apply to every UK insurer, not just those in the sample.

Introduction

On 23 June 2026, the FCA published the findings of its multi-firm review into financial crime controls across the UK insurance market. The regulator has set a clear benchmark for what “good” looks like in retail, wholesale, and life insurance, and every insurer and intermediary operating in the UK should expect to be measured against it, whether they were in the sample or not.

Insurance has long sat slightly outside the core AML conversation, which tends to fixate on banks and payments. This review is a reminder that insurers are, in the FCA’s own words, a vital line of defence against financial crime. With sanctions exposure, fraud, money laundering, and bribery and corruption risk all live across the sector, the days of insurance treating financial crime as a secondary compliance concern are over.

How the FCA structured its Insurance Financial Crime Review

The FCA selected a sample of larger insurance firms spanning a broad mix of business models, then asked them to respond to 38 questions across ten control areas:

  • Governance and oversight
  • Risk assessment
  • Regulatory reporting and issue management
  • People and knowledge
  • Third-party risk
  • Client due diligence
  • Sanctions
  • AML transaction monitoring
  • Fraud
  • Anti-bribery and corruption

Responses were assessed against the Money Laundering Regulations 2017, the FCA’s Financial Crime Guide, SYSC, JMLSG guidance, and FATF standards, with each area rated Strong, Moderate, or Weak based on design effectiveness – not necessarily how well controls performed in practice.

Markets in scope: retail insurance, wholesale insurance, and life insurance

The findings apply across all three of the UK’s major insurance segments. The FCA is explicit that firms outside the sample should still treat the findings as a direct read-across for their own businesses.

The headline findings of the FCA insurance review:

Life insurance came out on top. Firms in this sector showed the strongest overall design effectiveness, particularly in risk assessment, client due diligence, people and knowledge, third-party risk, and sanctions. The FCA suggests this likely reflects the sector’s closer alignment with AML-regulated activity and product types. The one weak spot was transaction monitoring, where even the strongest performers had room to improve.

Retail and wholesale insurance landed in similar territory – moderate overall, with sector-specific strengths and gaps:

  • Retail insurance scored well on sanctions, fraud risk management, and anti-bribery and corruption, consistent with a risk profile weighted toward fraud and sanctions exposure rather than money laundering. But risk assessment and client due diligence were assessed as weak, often because group-level policies hadn’t been localised to the business unit, and ownership of those policies was unclear.
  • Wholesale insurance was strong in people and knowledge, anti-bribery and corruption, and sanctions, but fraud risk management lagged, largely due to thin management information.

Beyond the sector splits, six cross-sector themes ran through the findings.

The six cross-sector themes of the UK FCA Insurance Sector Review

  1. AML transaction monitoring

This was the most consistently flagged gap, and the most nuanced. Across the wholesale and retail portfolios, most firms simply did not carry out formal transaction monitoring, so the FCA wasn’t able to assess this area in depth for those firms. That absence isn’t automatically a failing. The regulator acknowledges it can reflect a firm’s regulatory status (many retail and wholesale insurers sit outside full AML regulation) and the predictability of their transaction patterns. But the FCA is clear that ‘no monitoring’ can’t simply mean ‘no thinking.’ Firms still carry obligations around suspicious activity reporting, sanctions compliance, and broader financial crime risk management regardless of whether transaction monitoring is in place. Any decision to reduce, simplify, or skip monitoring needs to be risk-based, proportionate, and documented, so a firm can show its reasoning if challenged. This is also the one area where even the strongest sector, life insurance, was told it needs to improve, suggesting this is a sector-wide blind spot rather than a symptom of weaker firms only.

  2. Controls monitoring and testing

Second- and third-line assurance activity was broadly consistent in terms of who was doing it, but inconsistent in terms of how rigorously. Many firms could not evidence a structured, risk-based testing plan; monitoring happened, but not necessarily against a documented schedule that tied testing intensity to risk level. The FCA’s expectation here is specific: firms should have risk-based testing plans for both second- and third-line activity, with clear coordination between the two lines to avoid the twin failure modes of duplicated effort in some areas and blind spots in others. For firms without dedicated in-house financial crime assurance expertise, the regulator wants to see evidence that the gap has been actively considered, including a documented assessment of whether specialist or outsourced review is needed, rather than the absence of expertise simply going unaddressed.

  3. Policies and procedures

Almost universally, firms had comprehensive policies and procedures, but primarily at group level. The granularity dropped off sharply below that. Business-unit and jurisdiction-specific procedures were often thin or absent, which creates an interpretation risk: a group policy that doesn’t say how it applies to a specific product line, legal entity, or local regulatory regime leaves staff to fill in the gaps themselves. The FCA’s recommendation is to keep the overarching group framework but build out linked, business-unit-specific documentation that shows precisely how the policy is applied in practice in each part of the firm. Firms should not duplicate the group policy – they should translate it into operational reality at the level where staff are actually making decisions.

  4. Roles and responsibilities

Most firms operate a recognisable three-lines-of-defence model, but the FCA found that very few had gone the extra step of mapping that model into a formal RACI (Responsible, Accountable, Consulted, Informed) matrix for financial crime specifically. Without one, it’s easy for accountability to become diffuse, particularly in larger or group-structured firms where compliance activity is spread across multiple teams, or where third-party administrators are doing some of the work. A RACI matrix isn’t a regulatory requirement, but the FCA frames it as good practice precisely because it forces a firm to be explicit about who owns each control, who needs to be consulted before decisions are made, and who simply needs visibility. 

  5. Obligations management

Most firms could not point to an obligations register, a single document mapping their legal and regulatory requirements to the specific internal controls designed to meet them, with a named accountable owner attached to each one. Without this, firms are relying on institutional knowledge and policy documents scattered across teams to demonstrate compliance, which becomes fragile as staff change roles or obligations evolve. The FCA’s expectation is that firms should be able to clearly articulate each legal and regulatory obligation they’re subject to, show which control or process addresses it, and name who is accountable for it. This matters across regulated and non-regulated activities alike, and across multiple products and jurisdictions where obligations may differ materially from one business line to the next.

  6. Third-party outsourcing

Firms were consistent on one point: they understood that outsourcing a financial crime activity doesn’t outsource the liability for it. Where the picture diverged was oversight. Only one firm in the entire review had built genuinely risk-based, tiered oversight, applying enhanced scrutiny specifically to higher-risk outsourced controls rather than treating all third-party relationships the same way. For everyone else, oversight existed but wasn’t calibrated to risk and materiality. The FCA wants firms to categorise third-party relationships by risk level, then match the intensity of oversight to that categorisation – more scrutiny, more frequent review, and more detailed management information for the relationships that carry the most exposure. Firms should also be able to show clear governance structures, defined escalation pathways when a third party underperforms, and a documented trail of oversight decisions, rather than oversight that happens informally and leaves no paper trail.

What UK insurers should do now: Five practical steps

For compliance, risk, and financial crime leaders across the insurance sector, this review is a free gap-analysis template. Five practical steps stand out:

  1. Run a self-assessment against the control groups. Use the ten control areas named by the FCA as a starting point.
  2. Build or refresh your RACI matrix. This was one of the most consistently cited gaps. A documented RACI across financial crime governance is low-cost and high-signal to a supervisor.
  3. Localise group policies. If your financial crime framework lives only at group level, start documenting how it applies in each business unit and jurisdiction, with clear ownership.
  4. Document your transaction monitoring rationale. If your firm doesn’t run formal transaction monitoring, the FCA wants to see a clearly evidenced, risk-based reason why.
  5. Risk-tier your third-party oversight. Review and map outsourced financial crime activities by risk and materiality, and ensure escalation pathways and management information are proportionate to that risk.

The FCA has confirmed it will give individual feedback to participating firms and continue monitoring the wider market. Firms that get ahead of these findings now – rather than waiting for a follow-up review – will be in a far stronger position when the next round of supervisory attention arrives.

SymphonyAI helps insurers build the controls, data foundations, and governance frameworks that regulators increasingly expect to see. Explore how Symphony Risk Intelligence supports financial crime compliance in insurance across the full compliance lifecycle.

About the author

Charmian Simmons

Principal Strategic Advisor for FinCrime Compliance

Charmian Simmons is a Principal Strategic Advisor for FinCrime Compliance, helping financial institutions navigate the evolving intersection of regulation, risk, technology and innovation. She has over 20 years of experience in the financial sector across risk management, financial crime, internal controls and IT advisory. A technology evangelist with a focus on AI-driven innovation and transformation, Charmian leverages her practitioner expertise and industry knowledge to provide strategic advisory services and thought leadership on the regulatory, policy and technology developments transforming financial crime compliance. Prior to joining Symphony AI, Charmian was a FinCrime Expert with BAE Systems, a Regional Director of Strategy and Performance for the Risk business at Refinitiv, the Head of Audit in North America at Lloyds Banking Group USA and a Vice President at Morgan Stanley covering Capital Markets. Charmian is CAMS, CDPSE, CRMA and CISA certified.
