The Regulatory Marathon: Keeping Pace with FCA Supervision
18th March 2026
By Priya Giuliani
Over £186 million in fines, five criminal convictions, and a seven-fold increase in cancelled authorisations show that the Financial Conduct Authority (FCA) is running faster than ever. Navigating FCA supervision is not a sprint. It’s a marathon requiring stamina, strategy, and foresight. The regulator is setting the pace with data-led oversight and assertive interventions. If your compliance framework is not trained for endurance, you risk hitting the wall when the FCA comes calling.
This article explores:
- How FCA supervision is evolving
- The tools in the regulator’s kit
- Practical steps to help your firm keep pace
The Direction of Travel
Be in no doubt that fighting financial crime remains at the centre of both the government and regulatory agendas despite the broader focus on economic growth. Recent activity confirms this focus:
- New Anti-Corruption Strategy (Dec 2025):[1] 123 commitments including reforms for the FCA to become the single professional services AML supervisor and expanded use of sanctions, signalling continued focus on integrity despite wider deregulatory themes
- New Fraud Strategy (Mar 2025):[2] commitment to invest over £250 million between 2026 and 2029 to combat fraud, the largest reported crime type in England and Wales
- First enforcement against a professional body supervisor (Nov 2025): the censure of the Institute of Certified Bookkeepers for failures in its oversight under the Money Laundering Regulations (MLRs)[3] further supports the need for stronger oversight in this sector.
- FCA’s strategic priority:[4] emphasis on financial crime through stronger and faster interventions alongside fewer but more impactful formal investigations.[5]
- Upcoming FATF Mutual Evaluation (due 2027): expect continued focus and change. In the pipeline are changes to the due diligence and information sharing requirements in the MLRs.[6]
These developments, and more to come, set the tone for a more assertive supervisory approach.
More Assertive and Data-Led Supervision
The FCA is running faster than ever, powered by data, technology and intelligence. If you’re still warming up while they’re already at mile 10, catching up will be tough.
Their portfolio-based model means they can spot harm early and intervene before you’ve reached the first water station. Recent enforcement data signals that the FCA is prioritising speed and deterrence over lengthy investigations. Open enforcement operations fell from 188 to 130 during the year to March 2025, 37 final notices were issued, five criminal convictions were secured, fines exceeded £186 million and 1,456 firms had their authorisations cancelled.[7]
Advances in technology are powering more intrusive supervision. The FCA has expanded the population,[8] uses synthetic data to test sanctions screening tools,[9] and is piloting similar techniques for transaction monitoring. Inspections are rising too: 6% of firms were subject to desk-based or onsite reviews, a 15% increase, supported by a 22% growth in financial crime supervision headcount and the creation of specialist sanctions and fraud teams.[10]
Common failings persist: weak AML knowledge, inadequate policies, poor Customer Due Diligence, and misuse of Simplified Due Diligence. The FCA has been clear that firms which recognise issues early, take responsibility, remediate thoroughly and pay redress where necessary will be treated differently than those who delay or obfuscate.[11]
The Regulator’s Toolkit: A Growing Arsenal
The FCA’s toolkit is extensive[12] and increasingly deployed. Voluntary requirements (VREQs), variation of permission, Skilled Person reviews, attestations and own-initiative measures can be combined for maximum impact. These interventions can reshape business models, halt revenue streams, and demand significant resources. Firms that have endured them often speak of the scars left behind.
Skilled Person Reviews: The Ultimate Endurance Test
Think of a Skilled Person review as hitting ‘the wall’ in a marathon. It is painful, costly, and avoidable with the right training. These reviews appoint independent experts to assess systems, controls or conduct, and often recommend remediation. The majority relate to governance, controls, risk management, conduct and financial crime issues.[13]
Skilled Person reviews are highly intrusive and lengthy, and take attention away from growth, averaging[14] £690,0000 and often lasting 18-36 months for smaller firms, considerably longer for larger ones. They are often combined with VREQs, which tend to curb revenue, so firms end up in a double whammy situation of higher costs and lower (or no) revenue.
Skilled Persons are also used in ‘monitorship’ roles while firms carry out remediation to provide the FCA with assurance that adequate progress is being made and any risks in the interim are mitigated appropriately. Our experts have been previously appointed in Skilled Person roles to:
- Enhance a firm’s correspondent banking framework after multiple failed attempts to do this in-house, in a timely manner, that met the required standard.
- Provide assurance over trade finance transactions prior to execution until the framework was fully remediated and embedded.
How to Prepare
Leaders should have confidence that their frameworks are robust, meet regulatory requirements & expectations, and demonstrate good industry practice. Confidence in your framework comes from credible assurance. Yet firms often stumble when internal or external auditors lack deep subject matter expertise, when scope is narrowed by cost, or when overseas internal audit teams misunderstand local requirements. Cultural barriers, such as fear of highlighting issues, compound these weaknesses, leaving senior management unable to exercise appropriate oversight.
If a Skilled Person appointment looms, act immediately. Engage experts with a proven track record to manage regulatory dialogue, shape strategy, and identify suitable candidates for the appointment. Most appointments (87%) allow the firm to nominate their preferred Skilled Person which will be considered for approval by the FCA (indirect appointment). Whilst the FCA has a panel for its own direct appointments, it is clearly stated on Requirement Notices and the FCA website that a firm can nominate any suitable firm to be their Skilled Person. The firm is responsible for assessing whether a Skilled Person is appropriate for its requirements.[15] Selecting the right firm, one which provides independence from you and the FCA, and applies senior judgement to truly assess a risk-based approach, is vital. The selection of the right Skilled Person for your business need is critical.
Unless you have a VREQ, which stops the majority of your business and therefore you can divert resources, it is likely you will need additional headcount to get through the review in as short a time as possible. The Skilled Person needs access to most parts of the firm, access to systems & controls, and a ton of evidence. The firm will need to ensure there are clear communication protocols in place and maintain their own log of information provided. Most firms find it helpful to prepare their workforce ahead of the visit to minimise disruption.
Scope creep during a Skilled Person appointment is a valid concern; however, the review should be guided by the Requirement Notice, which typically is not open ended. If you think the Skilled Person appears to be going beyond the required scope, it is appropriate to question this. Bear in mind that, where firms’ cultures do not encourage speaking up, we have observed on occasion that staff use the Skilled Person as an informal whistleblowing channel, which may extend the scope, but this should be done in a transparent way in dialogue with the regulator.
It can’t be overstated that those firms that prepare early with robust frameworks rarely face this endurance test.
Voluntary Requirements: The ‘Voluntary Headlock’

Voluntary Requirements are anything but voluntary – they can feel like a headlock. But they are increasing with a 52% increase in voluntary actions in the last two years. Notably firms are more cooperative in accepting voluntary requirements rather than the FCA imposing them formally, reflecting the regulator’s preference in many cases for swift agreed measures that deliver consumer protection and deterrence. However, these intervention actions can be the end of the road for smaller firms as they can stop all revenue, and remediation needs to be funded from reserves and shareholder injections. Capital and liquidity plans may be required to demonstrate how the firm will survive the period ahead.
Voluntary requirements are designed to restrict activities and mitigate risks swiftly. In those instances where firms do not agree to voluntary requirements, the FCA can formally impose OIREQs. Refusing a voluntary requirement may raise questions about the firm’s cooperation with regulatory intervention, and it may struggle to rebuild a constructive dialogue for the future.
The FCA uses VREQs as they encourage senior management engagement and mitigate risks swiftly. But once a VREQ is in place and the risk is mitigated (for example, because there is no business, therefore no risk), the pressure to remediate and lift the VREQ falls on the firm.
VREQs can be difficult to operationalise. Agreeing to a VREQ without planning is like starting a race without hydration. You’ll quickly run out of steam. Recent breaches by Starling, Monzo, and CB Payments highlight the risks of weak governance and poor operationalisation. These failures were about execution, not intent. They show that poor planning can lead to serious compliance failures:
- Starling[16] opened 54,359 accounts for high or higher-risk customers breaching its VREQ. This led to a separate investigation of the root causes of failure in the implementation of its VREQ and an action plan to respond to the findings.
- Monzo[17] opened 33,039 accounts in breach of its VREQ. Separately, Monzo failed to apply certain of its VREQ controls properly resulting in a further 167,444 accounts opened of which 34,262 were high-risk.
- CB Payments[18] onboarded and/or provided payment or e-money services to 13,416 separate high-risk customers in contravention of its VREQ.
The common thread? Weak governance, poor communication, and inadequate testing.
In our experience, firms have signed VREQs without adequately considering governance arrangements and how they will operationalise their activity to comply with the terms. Removing a VREQ is equally challenging. It is typically removed after the FCA has the necessary assurance that remediated controls have been embedded and risks are being managed appropriately, typically through a Skilled Person review or other independent assessment. Strategic planning can offer possibilities to deviate from the norm.
Attestations: Mile Markers for Accountability
Attestations place personal accountability on senior leaders, requiring formal confirmation that actions will be taken, or completed, within a set timeframe. They are checkpoints: proof you are on track and not cutting corners. Failure to meet these commitments can escalate supervisory action and, under the Senior Managers Regime, increase the risk of individual enforcement. We are observing a larger number of individual fines. 55% of FCA enforcement fines (by number) related to individuals in 2025 and, at the time of writing, 6 out of the 7 fines issued in 2026 are for individuals.

The number of attestations has increased exponentially, principally for thematic concerns. In 2024/25, the FCA had concerns that customer accounts may have been terminated due to their political beliefs, and in relation to thematic work relating to Consumer Duty outcome monitoring and product governance in the insurance sector.
Boards should treat attestations with the utmost seriousness, ensuring independent testing, strong evidence retention, and clear reporting lines.
Staying Ahead of the Pack
The regulator is increasingly assertive and data-led. It is resolving more issues through supervision, early interventions and voluntary outcomes, reserving formal enforcement for impactful deterrence. To stay ahead of the pack:
- Ensure the assurance you rely on is robust and credible to avoid in-depth supervision intervention.
- Act swiftly when supervisory tools are mentioned in discussions.
- Treat voluntary requirements and undertakings as firm-wide programmes, ensuring clear accountability, governance, communication and operationalisation.
The FCA’s pace will only quicken. Firms that prepare now will finish strong; those that don’t risk being left behind. Train early, pace yourselves, and stay focused on the road ahead to cross the line without injury.
[1] UK Anti‑Corruption Strategy 2025
[2] UK Fraud Strategy 2026-2029
[3] Final Notice 2025: Institute of Certified Bookkeepers
[5] FCA Enforcement data 2024/25 | FCA
[6] MLRs_Consultation_Response.pdf
[7] FCA Enforcement data 2024/25 | FCA
[8] REP-CRIM is the financial crime data return which allows the FCA to be more data-led and broaden its understanding of firms’ risks. This information is used to underpin its risk-based supervisory approach.
[9] The FCA Sanctions Screening Tool (SST) is an analytics-based tool developed to objectively test how effective firms are at identifying sanctioned individuals and entities using test data.
[10] Supervision_24-25_Annual_Report
[11] Do the right thing: Part II | FCA
[12] Voluntary Requirements (VREQ), Voluntary Variation of Permission (VVOP), Voluntary Directions under MLRs (VDIR), Own Initiative Requirements (OIREQ), Own Initiative Variation of Permission (OIVOP), Own Initiative Direction under MLRs (OIDIR), Own Initiative Variation of a SMF Holders Approval (OIVAP), Section 165 and Section 166 of the Financial Services and Markets Act 2000 (FSMA) – powers to request information and Skilled Person Reports, attestations, undertakings, redress, and, capital & liquidity measures.
[13] Skilled person reviews | FCA
[14] Five-year average
[15] Skilled person reviews | FCA
[16] Final Notice 2024: Starling Bank Limited
[17] Final Notice 2025: Monzo Bank Limited
[18] Final notice 2024: CB Payments Limited
About the Author:
Priya Giuliani is a specialist in financial crime investigations & compliance with nearly 30 years’ experience, including a decade as a Partner. She specialises in helping clients on a proactive basis to assess and manage the risk of financial crime including assessing governance, oversight, conduct, and training Senior Managers and Boards. Her investigative experience provides insight into how various financial crime types (e.g. money laundering, terrorist and proliferation financing, sanctions and tax evasion, bribery, corruption and fraud) can occur, including through the use of professional enablers, and the controls required to manage these risks effectively. Priya has been appointed on many Skilled Person engagements. She is widely regarded as a well-qualified and highly experienced expert in financial crime risk management and investigations. She understands risk well and works with clients to assess and develop proportionate and effective control frameworks.
This article presents views, thoughts or opinions that are provided for general information purposes only. It does not represent the views of, or constitute advice of any form (legal, professional or otherwise) from, HKA or any of its affiliates. While HKA takes reasonable care to ensure the accuracy of its contents at the time of publication, the article does not deal with all aspects of the referenced subject matter and may not be relied upon as a substitute for professional judgement or independent analysis. Accordingly, neither HKA nor the author accepts liability for any use of, or reliance on, the information presented in the article. This article is protected by copyright © 2026 HKA Global, LLC/© 2026 HKA Global Ltd. All rights reserved.