Global menu

Our global pages


FCA publishes striking new analysis from its annual financial crime data returns 2017-2020

  • United Kingdom
  • Financial services disputes and investigations
  • Fraud and financial crime
  • Financial services



The FCA has published a fascinating new evaluation of the data from its annual financial data returns from the period 2017 to 2020, incorporating submissions from more than 2,300 different firms. With a number of insights relating to trends and developments across a diverse range of subjects including SARs reporting, sanctions and financial crime spend, this analysis will be of great interest to MLROs and financial crime and compliance practitioners across the board. The FCA hopes the analysis will help inform the arrangements and risks of the firms they supervise. In this speedbrief, we take a look at the FCA’s findings and share the key points from the data in what is essential reading for any regulated business.


The FCA supervises approximately 22,000 firms against the requirements in the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR). These firms naturally vary greatly in business activity, size and complexity. Since 2017 the FCA has required banks, building societies, mortgage lenders and certain other type of firms to provide an annual financial crime data return (known in the industry as the REP-CRIM). The FCA uses the data to complement its risk-based financial crime supervision. During the three reporting periods between 2017-2020, the FCA received a total of 5,685 submissions. The responses of individual firms to REP-CRIM are confidential, so only aggregated information is presented.

The FCA published a policy statement in March 2021 to extend the REP-CRIM to approximately 4,500 additional firms, hoping that a broader subset of firms providing information would enable it to better understand the intrinsic financial crime risks within these firms, including key data such as firms’ exposure to politically exposed persons (PEPs), their sanction screening controls, jurisdictional risks, suspicious activity reports (SARs), resources to fight financial crime and an insight into fraud risks.

In line with a wider industry move towards using data analytics to complement traditional financial crime controls, the FCA has reported that it is developing new analytical tools to assess the effectiveness of firms’ systems and controls and analyse larger amounts of data. It intends that this approach will allow it to better identify inherent money laundering risks as part of its new ‘proactive data-led AML supervisory approach’.


Key points of interest include the following:   

  • Politically Exposed Persons (PEPs): Customers treated as PEPs have reduced over this period, with firms reporting approximately 89,000 PEPs as customers in 2019/20 and 2018/2019, a substantial decrease from approximately 111,000 PEP customers in 2017/18. The FCA attributes this in part to the amendment of new PEP guidance in 2017 to exclude the reporting of certain domestic customers as PEPs [see paragraph 3.1]
  • Correspondent Banking: Wholesale financial markets firms account for 67% on average of the 180 submissions received reporting non-EEA correspondent banking relationships. The FCA views this as indicative of the complexity of services this sector provides which spans multiple jurisdictions [see paragraph 3.2]. 
  • High-risk customers: Retail banking firms have reported approximately 390,000 high risk customers in 2019/2020 which is almost half the high-risk customers reported by all firms (far exceeding firms from other sectors). The FCA sees this as reflective of the increased exposure and vulnerability of the retail banking business model to being used for the purposes of money laundering, as reflected in the National Risk Assessment 2020 [see paragraph 3.3]. Overall, there is a declining trend in the total number of such high-risk customers on the books of the firms reporting the data in most sectors, but with an interesting increase in high risk customers in the Pensions & Retirement Income sector, contributed to by a few firms who have submitted REP-CRIM for the first time in 2019/20. Whilst the FCA doesn’t refer to it specifically, it’s also possible that the decrease in high risk customers could be partly reflective of better risk rating methodologies and awareness of risk, in the sense that some financial institutions have tightened their risk rating criteria due to the costs of maintaining a high risk client relationship. If that’s the case, some of these numbers may not be reflective of the actual risks involved. De-risking also continues, which may be another factor here. 
  • Suspicious Activity Reports (SARS): The number of SARs reported to the National Crime Agency (NCA) has increased, from 394,048 in 2017/2018 to 480,202 in 2019/2020, with an uplift of approximately 22% in real terms. [see paragraph 3.4]. In an astonishing statistic, the FCA reports that, for the reporting year 2019/20, close to half of the 1,028,260 SARs reported internally to MLROs are from just three firms and the same firms are also contributing to over 60% of the SARs reported to the NCA. In addition, and perhaps unsurprisingly, retail banking contributed to over 78% of the SARs internally reported to MLROs and about 85% to SARs reported to the NCA. The FCA notes that the difference between the volume of SARs reported to the NCA and the volume of SARs reported internally to MLROs varies greatly between firms within the sector, which it considers could be reflective of firms’ differing risk appetites.
  • Sanctions: The number of firms reporting automated sanctions screening is also up year on year, with a 16.5% increase over the three reporting periods. The investment management sector has the highest number of firms that do not use automatic screening [see paragraph 3.5]. Somewhat surprisingly, every sector has firms that do not use automatic screening. The investment management sector has the most, at 271 submissions, while retail banking has six firms who reported that they do not use automatic screening. Like SARs reporting, a small number of firms are responsible for a significant number of matches. In the reporting year 2019/20:
    • 2,191 customer sanctions matches were reported, coming from 68 submissions. 5 firms contributed to approximately 90% of these matches while retail lending contributed to about 70% of these hits followed by retail banking at about 16%.
    • 5,438 payment matches were reported, coming from 35 submissions. 5 firms contributed to over 90% of these hits with retail banking contributing to about 93% of the total matches.
  • High-risk jurisdictions: As part of the REP-CRIM, firms submit a list of the jurisdictions in which they carry out business and have assessed as being high risk for financial crime. Respondents rated countries based on ‘financial crime’ risk which, in addition to money laundering risk, may also cover a variety of threats, including sanctions breaches, fraud and bribery. The top five jurisdictions in 2019/2020 appearing in the aggregated table reflecting the number of instances a country has been assessed as higher risk by a firm, were Pakistan, the Bahamas, Panama, the Russian Federation and Yemen, It is important to note that the position of a country in the table will be influenced by many factors, including firms’ different risk appetites and the countries in which firms carry out business. For example, a country may be considered high risk but due to few firms operating in the country it wouldn’t be included in many firms’ submissions, causing it to appear in a lower position in the table.
  • Financial crime spend: For the year 2019/20, REP-CRIM-submitting firms collectively employed approximately 17,000 full-time equivalent staff in financial crime roles, compared to approximately 15,700 in 2017/2018 [see paragraph 3.8]. The FCA estimates that firms who submitted the REP-CRIM are collectively spending around £1.1b annually in dedicated staff time to combat financial crime. Interestingly, the figure does not include other costs such as those related to IT systems or time taken by the rest of a firm’s staff on preventing financial crime, e.g. 1LOD staff in customer-facing roles.
  • Exiting customers: A total of 761,437 customers were exited during the 2019/20 reporting period, which has more than doubled in the last three years. This was about 0.16% of total customers across all submissions that year. Retail lending and retail banking sectors have exited the most customers for each of those years [see paragraph 3.9].
  • Fraud: Firms were asked to submit their top three fraud concerns on a voluntary basis, with cyber-crime shown to be a key concern, as many of the frauds that were most frequently mentioned (such as computer hacking and phishing) related to information technology. However, some long-established crimes (such as account takeover and card fraud) were also highly-cited threats. The top reported frauds differ by sector, while some are universal (or near-universal) such as identity fraud and theft, and phishing. There’s also some interesting data within the FCA’s report relating to victim by fraud type, and suspected perpetrators.


This report is critical reading for MLROs and senior compliance staff across the regulated sector. Firms will want to review the information and analysis in the FCA’s report extremely carefully to ensure that aspects of their business which do not ‘align’ to the FCA’s findings are examined, and that reasons for any departure from the general trends set out within are capable of credible explanation.

Firms should also be alert to the requirement to provide ‘consistent’ data. The FCA has noted various inconsistent data submissions, including examples where the number of SARs reported externally were greater than the number of SARs reported internally, or firms stated that the total number of full-time staff dedicated to financial crime exceeded the firm’s total number of customers. The FCA uses the report to remind firms that those required to submit REP-CRIM data are obliged to do as part of a regulatory obligation (SUP 16.23.4). The FCA says it will follow-up with firms who submit poor-quality data, noting that poor data submissions can, in some instances, be evidence of poor financial crime systems and controls.

For this reason, and in our view, firms should ensure that their REP-CRIM submission is prepared by someone with appropriate seniority and subject to rigorous checking to ensure that contradictory or conflicting information is not given in error. It’s likely that MLROs and MLCOs will wish to review the submission before it is finalised and so the submission should be prepared in good time to allow such a quality assurance process to take place.