What financial crime systems and controls the FCA expects in an authorisation application: risk assessment, AML policy, MLRO, CDD, monitoring and training.

When the FCA assesses an application for authorisation, it wants evidence that your firm can identify and manage the risk of being used to further financial crime. This is not a box you tick after you go live. The systems and controls must exist, be documented and be capable of working from day one, because the regulator is judging whether your firm can meet the threshold conditions before it grants permission.
Financial crime controls sit at the centre of that assessment. The FCA has been explicit that firms without adequate anti-money-laundering controls can expect to be refused, and refusal or withdrawal rates for money-laundering registrations have been high, particularly among cryptoasset businesses and firms registering for anti-money-laundering supervision only. An application that cannot show a credible, proportionate framework tends to stall in casework or fail outright.
This article sets out the financial crime systems and controls the FCA expects to see in an application, where those expectations come from in the FCA Handbook and the Money Laundering Regulations 2017, and a practical sequence for building the framework so it stands up to scrutiny. Every rule reference below is drawn from the FCA Financial Crime Guide, the SYSC sourcebook or the Regulations themselves.
Two sources drive what the FCA expects. The first is the FCA Handbook. SYSC 6.1.1R and SYSC 3.2.6R require a firm to establish and maintain effective systems and controls to counter the risk that it might be used to further financial crime, and the money-laundering rules sit in SYSC 3.2.6 to SYSC 3.2.6IR and SYSC 6.3. These are binding rules, not suggestions.
The second is the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, which impose direct legal duties on relevant persons. The FCA also publishes the Financial Crime Guide (FCG), which it updated in the version dated May 2026. The FCG is general guidance under section 139B of the Financial Services and Markets Act 2000, so it is not binding, but the regulator expects firms to be aware of it and to consider it when building their controls. In the FCG, the FCA uses must for mandatory provisions, should for how it normally expects a firm to meet its obligations, and may for examples of good practice.
The FCG also stresses proportionality. Firms should apply the guidance in a risk-based way, taking into account the nature, size and complexity of the firm. A large retail bank monitoring high transaction volumes may need automated systems, whereas a small firm with low volumes could monitor manually. The FCA is not looking for the biggest possible framework, but for one that fits the risks your business actually carries.
An application needs to show a joined-up framework rather than a stack of unrelated documents. The business-wide risk assessment sits first, because it justifies everything else. Under regulation 18 of the Regulations, a relevant person must take appropriate steps to identify and assess the risks of money laundering and terrorist financing to which its business is subject, taking account of risk factors relating to its customers, the countries or geographic areas in which it operates, its products or services, its transactions and its delivery channels, and must keep an up-to-date written record of the steps taken.
From that assessment flow the policies and the operational controls. Regulation 19 requires a relevant person to establish and maintain policies, controls and procedures to mitigate and manage the risks identified, proportionate to the size and nature of the business and approved by senior management. Those policies must cover risk-management practices, internal controls, customer due diligence, ongoing monitoring, reporting, record-keeping and the management of compliance. The table below sets out the core controls and what each one demonstrates to a case officer.
The FCG groups this material into its chapters on financial crime systems and controls (FCG 2), money laundering and terrorist financing (FCG 3) and sanctions, asset freezes and proliferation financing (FCG 7). Reviewers will look for coherence across all of them: a policy that references a risk assessment that does not exist, or a monitoring rule that ignores a product line, signals a framework that has not been thought through.
| Control | Source | What it demonstrates to the FCA |
|---|---|---|
| Business-wide risk assessment | MLR 2017 reg 18 | You understand your specific customer, geographic, product, transaction and delivery-channel risks and have documented them |
| AML/CTF policy and procedures | MLR 2017 reg 19; SYSC 6.3 | You have senior-management-approved policies proportionate to the business that translate the risk assessment into day-to-day controls |
| MLRO / nominated officer | MLR 2017 reg 21 | A named individual receives internal disclosures and a board or senior manager owns compliance with the Regulations |
| Customer due diligence and EDD | MLR 2017 regs 27 and 33 | You verify who your customers are and apply enhanced measures to higher-risk relationships |
| Sanctions screening | FCG 7 | You screen customers and payments against relevant sanctions and asset-freeze lists |
| Ongoing transaction monitoring | MLR 2017 reg 19; FCG 3 | You can spot unusual or suspicious activity on a risk-sensitive basis, manually or through systems |
| Staff training and awareness | MLR 2017 reg 24 | Relevant employees know the law and your procedures, and you keep a written record of the training given |
Governance is where many applications are judged. Regulation 21 of the Regulations requires a relevant person to appoint one individual who is a member of the board or senior management as the officer responsible for compliance with the Regulations, and to appoint a nominated officer who evaluates internal disclosures to decide whether they give rise to knowledge or suspicion of money laundering or terrorist financing. In practice the money laundering reporting officer (MLRO) is the person who fills this role and acts as the point of contact for suspicious activity.
The FCG expects the MLRO to have sufficient seniority, independence and access to senior management and the board, together with adequate resources to do the job. It is not enough to name someone on a form. The FCA will look at whether the individual has the authority, time and support to challenge the business, and whether responsibility for anti-money-laundering systems and controls has been clearly allocated at a senior level rather than left floating.
Regulation 21 also requires screening of relevant employees before and during their appointment, and, where proportionate to the size and nature of the business, an independent audit function to examine and evaluate the adequacy and effectiveness of the policies, controls and procedures. A firm must inform its supervisory authority within a short period of appointing the responsible officer and the nominated officer, so make sure your application and your notifications are consistent.
Financial crime is one of the areas where applications most often run into trouble. The FCA has stated that firms without sufficient anti-money-laundering controls can expect to be refused, and published figures have shown high proportions of money-laundering registrations, especially for cryptoasset businesses and firms applying solely for anti-money-laundering supervision, being refused, withdrawn or rejected. The most common failing is not the absence of documents but a framework that does not reflect the firm's actual risk profile.
The FCA assesses applicants against the threshold conditions, which include being capable of effective supervision, having appropriate financial and non-financial resources, and being suitable to carry on the regulated activities. A financial crime framework that is generic, copied from a template, or unsupported by a real risk assessment undermines the resources and suitability conditions and gives a case officer a reason to ask hard questions or recommend refusal. If the case officer does not consider that the application meets the required standard, they can recommend refusal to an FCA decision-maker.
The practical lesson is that quality and coherence beat volume. A short, specific risk assessment that names your products and customer types, a policy that plainly follows from it, and an MLRO who can explain how monitoring works in your firm will carry far more weight than a long generic manual that could belong to any business.
Some applicants need more than authorisation permissions. Certain firms must register with the FCA for anti-money-laundering supervision under the Regulations. This includes cryptoasset businesses, and existing authorised firms, electronic money institutions or payment services businesses undertaking cryptoasset activity, which must apply for registration. Annex 1 financial institutions, which carry out activities such as financial leasing, certain lending, and safe custody services, must also register for supervision under the Regulations.
Registration is not a lighter-touch alternative. The FCA assesses the same core financial crime controls: a business-wide risk assessment, proportionate policies and procedures, a nominated officer or MLRO, customer due diligence, screening and training. Refusal rates for these registrations have been high, so the framework needs to be as robust as for a full authorisation.
Work out early whether your permissions require registration, a full authorisation, or both, because it shapes the forms you complete and the fitness assessments the FCA runs on your senior people. Building the financial crime framework once, to the standard the Regulations demand, means the same evidence supports either route.
Regulation 18 requires firms to assess risk across these factor categories. All must be considered and documented.
The most reliable way to satisfy a case officer is to build the framework in the order the Regulations follow, so each control clearly justifies the next. Start with the risk assessment, let it drive the policy, appoint and resource the MLRO, then put in place the operational controls for due diligence, screening, monitoring and training. Keep everything documented and internally consistent, because reviewers test how the pieces fit together.
Explore how our tooling supports authorisation and ongoing financial crime controls in Nasara Authorise and Nasara Control. Both are designed to help you evidence a proportionate framework rather than a generic one.
The steps below give a workable sequence. Treat them as a starting structure and scale each stage to the nature, size and complexity of your firm, as the FCG expects.
Financial crime controls are not a formality bolted onto an FCA application; they are a core part of how the regulator decides whether your firm meets the threshold conditions. The FCA expects a documented business-wide risk assessment, policies and procedures that follow from it, a properly resourced MLRO, customer due diligence, sanctions screening, transaction monitoring and staff training, all proportionate to your business. These expectations come directly from SYSC 6.1.1R and SYSC 6.3, the Financial Crime Guide, and the Money Laundering Regulations 2017.
Because weak or generic financial crime controls are a common reason for delay and refusal, the safest approach is to build the framework in the order the Regulations follow, evidence each control against a real assessment of your risks, and make sure your governance stands up to questioning before you submit. A specific, coherent framework is far more persuasive than a long generic one. Preparing and evidencing it in a structured way gives your application the best chance of a smooth path through casework.
The FCA expects a documented business-wide risk assessment, senior-management-approved AML policies and procedures, an appointed MLRO or nominated officer, customer due diligence and enhanced due diligence, sanctions screening, ongoing transaction monitoring, and staff training. These flow from SYSC 6.3, the Financial Crime Guide and the Money Laundering Regulations 2017, and should be proportionate to your firm's size, nature and complexity.
You need to identify and appoint the person who will act as your nominated officer, and allocate responsibility for compliance with the Money Laundering Regulations to a board member or senior manager, as regulation 21 requires. The FCA expects the MLRO to be sufficiently senior, independent and resourced. Naming someone who cannot realistically do the role is a common weakness that invites further questions.
Yes. The FCA has said firms without sufficient anti-money-laundering controls can expect to be refused, and refusal, withdrawal and rejection rates have been high for money-laundering registrations, particularly cryptoasset businesses. The most common failing is a generic framework that does not reflect the firm's actual risks, which undermines the resources and suitability threshold conditions.
No. The Financial Crime Guide is general guidance under section 139B of the Financial Services and Markets Act 2000, and the FCA will not presume that departing from it breaches its rules. However, the FCA expects firms to be aware of it and to consider it when building their financial crime systems and controls, alongside the binding rules in SYSC and the Money Laundering Regulations 2017.
Cryptoasset businesses must register with the FCA for anti-money-laundering supervision under the Regulations, and existing authorised firms, e-money institutions or payment services businesses undertaking cryptoasset activity must also apply. Annex 1 financial institutions, such as certain lenders and safe custody providers, must register too. The FCA assesses the same core financial crime controls for registration as for authorisation.
Regulation 18 requires you to identify and assess money-laundering and terrorist-financing risks across your customers, geographies, products or services, transactions and delivery channels, and to keep an up-to-date written record. It should be specific to your business rather than generic. The FCA applies proportionality, so a small firm with low volumes can keep it simpler than a large firm with complex activities.
Nasara Authorise helps UK firms send and control payments with lower fees, better rates and full visibility.



Practical guides and updates for UK firms, straight to your inbox.