How First AML addresses the CDD failures identified in the FCA's 2025 review

The First AML platform capabilities mapped to FCA customer due diligence requirements

The FCA's 2025 multi-firm review identified a consistent pattern: firms knew what their CDD obligations were but could not demonstrate operational application through customer records, escalation trails or independent compliance testing. The failures were not policy failures. They were execution failures — and they are precisely the problems First AML is built to solve.

Policies into practice: structured workflows that remove individual interpretation

Configurable CDD and PCP workflow logic mapped to firm risk appetite and MLR requirements

The FCA's most common finding was the gap between what policies say and what staff do. Policies that lack operational specificity - unclear on alternative ID requirements, vague on review frequency, silent on escalation triggers - leave staff making inconsistent decisions.

Rather than treating policies, controls and procedures as a single document set, First AML translates them into configurable rules and requirements within the workflow via a centralised rules library. Policies define intent. Controls are mapped to risk and executed through the platform. Procedures are reflected in step-by-step guided onboarding. This makes the control layer visible, measurable and testable across the firm.

When a customer cannot produce standard identification, the platform prompts for specified alternative evidence rather than leaving the decision to individual judgement. Risk triggers, escalation thresholds and approval requirements are configured once and applied consistently across offices and practice areas - preventing informal workarounds without imposing blunt, one-size-fits-all processes.

Every step in the CDD process is captured at the point it occurs, creating a current record rather than a retrospective reconstruction.

EDD documentation: source of funds, source of wealth and a complete record by design

Timestamped audit trail of EDD measures, risk-rating rationale and senior management approval

The FCA found that weaker firms could not demonstrate that EDD had taken place at all. Customer files contained no evidence of enhanced measures, no record of how risk-rating decisions were made and no audit trail distinguishing the treatment of low and high-risk customers.

Under Regulation 28 of the MLRs 2017 and FATF Recommendation 10, an undocumented EDD process is indistinguishable from no EDD process in a regulatory file review.

First AML's EDD capability includes structured source of funds and source of wealth collection, ensuring that the two most scrutinised elements of enhanced due diligence are captured in a consistent, evidenced format rather than as narrative assumptions or informal notes. For complex entity structures and higher-risk individuals, First AML integrates with Xapien, an AI-powered research platform that automates deep-dive background investigation - surfacing adverse media, corporate connections, PEP status and reputational risk at a depth and speed that manual research cannot replicate.

Together, these capabilities mean that EDD is not only documented but substantiated. The platform captures the enhanced measures applied, the risk-rating rationale, the escalation path followed and the approval obtained. The purpose and intended nature of the business relationship - specifically flagged by the FCA as routinely absent - is captured as a required field. Senior management approval workflows are embedded in the process, routing cases through a documented governance step and recording who approved what and when.

Under a more evidence-led supervisory approach, this creates structured proof that controls are operating in practice, not just documented in policy.

Periodic and event-driven reviews: systematic, not discretionary

Automated review cycle management triggered by customer risk rating and defined events

Firms that failed to conduct periodic reviews as required shared a common problem: the process depended on manual tracking. First AML automates the review cycle. Customer risk ratings drive review frequency, and the platform surfaces upcoming and overdue reviews through a managed queue.

Event-driven triggers can be configured to initiate an immediate reassessment. This removes the dependency on individual staff members knowing when a review is due and makes it straightforward to demonstrate to an auditor that reviews occurred on schedule.

Purpose and intended nature of business relationship: captured at onboarding

Structured data capture supporting ongoing transaction monitoring under MLR Regulation 28

The FCA found that the purpose and intended nature of the business relationship was routinely absent from customer records, a gap that undermines ongoing monitoring. Without a baseline record of why a customer is engaging with your firm, transaction monitoring has no reference point.

First AML captures this information as a structured data field at onboarding, not a free-text note that may or may not be completed. It is available throughout the customer lifecycle, providing the reference point that ongoing monitoring and suspicious activity reporting depend on.

Governance and consistency: eliminating variation across offices and teams

Centralised rules library with risk-based escalation logic applied across practice areas

The FCA found that materially similar high-risk cases were handled differently depending on the individual case handler, with no documented rationale for the divergence. This is a governance failure, and it is visible in file reviews.

First AML's configurable escalation logic ensures that requirements are triggered by risk, not individual interpretation. Firm-wide standards are configured centrally, while workflows flex by matter type, jurisdiction and risk level. Risk-based triggers drive EDD, structured approvals and documented rationales. When a judgement is made, the risk factors considered, the checks performed and the approvals obtained are recorded within the case file - creating a clear audit trail showing what was done, who signed off and why.

This aligns with a supervisory model where "show me" carries more weight than "tell me."

Compliance monitoring: independence by design

Separation of onboarding and review functions supporting three lines of defence

The FCA's concern was not the absence of monitoring but the absence of independence. In weaker firms, the same staff who onboarded customers also conducted second-line review - structural self-assessment rather than genuine assurance.

First AML supports the separation the FCA expects. Compliance and audit teams access a structured view of case files, decision rationale and workflow history independently of the onboarding team. Completed records cannot be altered by onboarding staff after the fact.

Because decisions, risk ratings, approvals and overrides are captured in structured fields, firms can review how controls are applied in reality. Patterns, exceptions and escalations are visible through oversight dashboards, giving MLROs visibility across practice groups and enabling targeted internal reviews. This supports evidence that control testing informs remediation and improvement - the standard the FCA applied to stronger firms in the review.

Kayleigh Smale of Smale Compliance describes an audit as "a window into how your firm thinks about risk and culture." First AML ensures that window shows a consistent, documented, defensible picture - not because the firm prepared for an audit, but because the platform captures that evidence as a natural output of day-to-day operations.

Version control and audit trail: demonstrable at any point in time

Full version history of customer records, workflow configurations and policy updates

The FCA found that some firms had no version control on their documentation, meaning they could not demonstrate what their controls looked like at a given point in time. First AML maintains a full audit trail of every change to a customer record, every workflow version in use and every policy configuration applied. This is not a supplementary feature. It is how the platform operates by default.

Inspectors won't just check current files - they look back at historic matters too. First AML's audit trail means that what was done, when it was done and who approved it is recoverable for any matter, regardless of when it was opened.

The four characteristics of effective CDD controls: how First AML delivers them

The FCA identifies four characteristics of firms with effective CDD controls. First AML addresses each directly:

Policies that specify staff actions for non-standard scenarios - configurable workflow logic guides staff through edge cases rather than leaving decisions to individual interpretation. Risk triggers and escalation thresholds are configured once and applied consistently across offices and practice areas.

Customer files that evidence the risk assessment and measures applied - structured, timestamped records capture every CDD and EDD step at the point it occurs, including source of funds and source of wealth collection, Xapien-powered deep-dive research for complex cases, risk-rating rationale and approval decisions.

Governance structures that define and record escalation decisions - built-in approval workflows route cases requiring senior sign-off through a documented governance step, creating a clear record of who decided what and when. Oversight dashboards provide visibility across practice groups for MLROs evidencing consistent control application at scale.

Compliance monitoring independent of the onboarding function - role-based access separates the onboarding and review functions, supporting genuine second-line assurance and third-line audit access. Structured data capture makes control testing possible rather than dependent on manual file sampling.


The FCA has indicated it will continue supervisory monitoring in this area under its 2025-30 strategy. For UK law firms preparing for the transition of AML supervision from the SRA to the FCA, First AML provides the execution layer that turns compliance policy into demonstrable practice. Get in touch to see how First AML works in practice.


About First AML

First AML comes from the perspective of both a technology provider and compliance professionals. Before releasing First AML's all-in-one AML workflow platform, we processed over 2,000,000 AML cases ourselves. Understanding the acute problem firms face today as they try to scale their own AML is in our DNA.

That's why First AML now powers thousands of compliance experts around the globe to reduce the time and cost burden of complex and international entity KYC. First AML stands out as a leading solution for organisations with complex or international onboarding needs. It provides streamlined collaboration and ensures uniformity in all AML practices.

Keen to find out more? Book a demo today!