FCA compliance has left the back office

Back to Insights

There is a version of FCA compliance that many regulated firms still operate: a manual review here, a documented policy there, a compliance manual updated annually and referenced rarely. That version of compliance was never adequate. Over the past two years, the FCA has made the cost of it explicit.

The Fintech Global analysis of FCA compliance technology, culture, and risk captures the structural problem clearly. Business communications now happen across email, Slack, Teams, video calls, and AI-powered platforms. Each of those channels generates data. Each represents a potential regulatory exposure. The firms relying on manual oversight to monitor that volume of activity are not managing risk. They are hoping nothing surfaces. The FCA, increasingly, is making sure something does.

The 2024 enforcement picture was striking enough. The FCA issued £176 million across 27 enforcement actions, more than triple the £53 million recorded in 2023. Starling Bank was fined £29 million after its automated sanctions screening system was found to have been checking customers against only a fraction of the required list since 2017, generating no alerts at all between July 2022 and January 2023 despite an unprecedented surge in sanctions designations following Russia's invasion of Ukraine. The bank had opened more than 54,000 accounts for 49,000 high-risk customers in direct breach of an FCA requirement it had itself agreed to. Barclays received two separate fines totalling £40 million. Citigroup was fined £28 million. Metro Bank £17 million. TSB £11 million. In each case the underlying cause was the same: systems and controls that did not match the regulatory environment the firm was operating in.

2025 continued that trajectory. Total FCA fines exceeded £124 million by year end, with the majority again tied directly to AML and financial crime control failures. Nationwide Building Society received the largest single penalty of the year at £44 million, cited for deficient AML systems and failures in governance and oversight at senior level. Barclays was fined a further £39.3 million after the FCA found it had failed to properly identify, assess, and manage money laundering risks connected to a long-standing corporate banking relationship, allowing £46.8 million in funds from a criminal operation to pass through. Monzo Bank was fined £21.1 million after rapid customer growth outpaced the maturity of its compliance infrastructure, with the FCA noting that its customer base had grown almost tenfold without commensurate scaling of customer due diligence and transaction monitoring. The London Metal Exchange was fined £9.2 million for market conduct and control failures, demonstrating that the FCA's financial crime scrutiny extends well beyond retail banking.

The pattern that runs through all of these cases is not complexity or bad intent. It is the gap between the pace of business change and the pace of compliance infrastructure investment. Starling and Monzo both grew faster than their controls. Nationwide and Barclays had controls that existed on paper but were not being actively governed. The FCA's message across both years is consistent: documented intent is not enough. Boards and senior management need to demonstrate active, evidenced engagement with financial crime controls, not passive ownership of a policy framework.

The FCA's own enforcement strategy is also becoming faster and more targeted. Its joint executive director of enforcement has stated publicly that the regulator is conducting fewer investigations but resolving them more quickly, with a deliberate focus on closing cases at pace. The Starling investigation took 14 months from opening to outcome, against an average of 42 months for cases closed the previous year. Firms that once relied on the length of regulatory processes as a form of natural buffer should not be factoring that into their risk calculations.

Consumer Duty, SMCR, and GDPR share a common regulatory logic: the FCA is no longer satisfied with documented intent. It wants demonstrated outcomes. The question it asks is not whether you have a policy covering a given situation, but whether you can prove your controls worked when it mattered. That distinction changes what compliance infrastructure needs to do. Real-time audit trails, unified oversight across communication channels and transaction data, and governance that connects board accountability to operational controls are not optional features. They are what the evidence record now demands.

RegTech addresses this directly. Unified platforms that pull communications, transactions, and client interaction data into a single monitored environment give compliance functions visibility they cannot achieve manually. They also produce the defensible evidence that Consumer Duty and SMCR require in practice rather than in theory. But the technology is only part of it. A RegTech platform deployed on top of a compliance culture that still treats regulation as a back-office function will not deliver what it promises. The firms getting the most from their compliance investment are those where it sits at board level, owned by senior leadership and connected explicitly to commercial reputation and business strategy.

The two-year enforcement picture makes the commercial argument plainly. Growth that outpaces compliance infrastructure is not growth. It is deferred liability. Since 2015, the FCA has imposed approximately £2.8 billion in total fines on the industry. The firms still running 2026 risks on 2015 tools are not managing compliance. They are deciding when, not whether, the bill arrives.