
What Supervisory Bodies Are Really Looking For in the Latest Inspections

Recent inspection notices issued under the Financial Intelligence Centre Act (FIC Act) offer a clear view into how supervisory bodies are evolving their approach to AML/CFT oversight. While technical compliance remains important, the latest inspections reveal a sharper focus on risk understanding, practical implementation, and governance effectiveness.

For accountable institutions, the message is clear: policies alone are no longer enough.

7 January 2026

Risk Understanding Is the Starting Point

Supervisory bodies are placing renewed emphasis on how institutions identify, assess, and mitigate money laundering, terrorist financing, and proliferation financing risks. The Business Risk Assessment (BRA) is no longer treated as a static document but as a living analysis that must be demonstrably linked to the institution’s actual products, services, clients, and delivery channels.

Inspectors are testing whether the BRA genuinely reflects the business model and whether identified risks meaningfully inform controls, client risk ratings, and ongoing monitoring. Generic or outdated risk assessments are increasingly viewed as indicators of weak compliance maturity.

RMCPs Must Be Operational, Not Theoretical

Risk Management and Compliance Programmes (RMCPs) remain a central inspection focus, but supervisors are moving beyond paper-based reviews. The key question is whether the RMCP is embedded into day-to-day operations.

Institutions are expected to show clear board or senior management approval, but more importantly, inspectors want evidence that staff understand and apply the RMCP in practice. Alignment between the RMCP, the BRA, and actual customer due diligence processes is a critical test point. Disconnects between documented controls and operational reality are a common source of post-inspection findings.

Beneficial Ownership Is Under the Microscope

Customer Due Diligence, particularly beneficial ownership (BO), has emerged as one of the most scrutinised areas. Supervisory bodies are assessing not only whether BO information has been collected, but whether it has been properly established, verified, and understood, with documented evidence.

There is a strong focus on legal entity clients (companies, trusts and partnerships), their ownership and control structures, and the rationale behind the risk ratings assigned to those clients. Institutions must demonstrate (with documented evidence) that BO information informs risk assessments and enhanced due diligence where applicable, in line with recent regulatory communications.

Governance and Accountability Matter

Another consistent theme is accountability at senior levels. Supervisors expect boards, senior management, and appointed compliance officers to demonstrate active oversight of AML/CFT frameworks. This includes understanding key risks, approving core documents, and responding appropriately to audit findings.

Where internal or external audits exist, supervisors are increasingly assessing whether findings have led to meaningful remediation rather than superficial fixes.

Effectiveness Over Box-Ticking

Perhaps the most important shift is the regulator’s emphasis on effectiveness. Inspections are no longer limited to whether an institution can point to the right documents; they now test whether its measures actually work in mitigating ML, TF, and PF risks.

This signals a more outcomes-focused supervisory approach, particularly in post-remediation inspections, where institutions are expected to demonstrate sustained improvement rather than one-off corrective action.

Final Thought

The latest inspection focus areas highlight a maturing regulatory environment that rewards institutions with a deep understanding of their risks and penalises those relying on form over substance. For accountable institutions, preparing for inspections now means stress-testing how well risk frameworks operate in practice, not just how well they read on paper.

Red Cipher provides the required Regulatory Compliance advisory services. Please feel free to contact us at your earliest convenience to discuss how we can support you and your organisation in meeting its FICA compliance requirements.