Inside the FCA’s 2025 Priorities: What Compliance Teams Need to Know About AML, Crypto, and High-Risk Jurisdictions

As someone who spends more time reading regulator speeches than most people read their email, I’ll say it plainly: 2025 is the year the FCA expects firms to stop treating financial crime as a checkbox and start treating it like the strategic risk it is. If you run or support a compliance programme, that shift changes what you do day-to-day, and how confidently you can defend your controls to supervisors.

Below I unpack the FCA’s priorities for 2025, explain what they mean for AML, crypto and work with high-risk jurisdictions, and give practical steps compliance teams can take this quarter.

What the FCA is signalling

The FCA’s 2025 strategy and business plan make one message clear: fighting crime is a core regulatory priority, and the regulator will be more data-led, proactive, and willing to escalate where firms aren’t demonstrating effective controls. That applies across banking, payments, crypto and regulated non-financial firms.

AML: from policies to demonstrable outcomes

The FCA has repeatedly emphasised that weak AML systems won’t pass muster even if a firm has policy documents on a shelf. Recent guidance and policy statements underline a risk-based, outcomes-focused approach: supervisors will look for evidence you actually know your customers, that your transaction monitoring works, and that you can show escalation and remediation when alerts are triggered.

What to do now

• Refresh your firm-wide AML risk assessment and map it to real controls (not just processes).
• Validate your customer risk segmentation with recent data (re-score a representative sample).
• Run “reverse-test” exercises on alert outcomes: how many alerts lead to investigations, SARs or account actions? If the conversion rate is near zero, dig in.
• Document measurable KPIs (e.g., time-to-investigation, SAR quality scores) and keep them ready for supervisors.

Crypto: the FCA expects parity with traditional finance 

Crypto remains an FCA focus, but the tone has shifted from “we’re learning” to “align with standards.” The FCA’s crypto-AML framework and ongoing consultations push crypto firms to meet the same expectations around CDD, custody and governance that apply to banks and payment firms. The market’s fast evolution and new UK initiatives mean firms should not wait for final rules to start aligning with good practice. 

Practical steps for crypto teams

• Treat crypto asset activity like any other product line: perform product-level risk assessments and instrument-specific transaction monitoring rules.
• Ensure wallet custody models and key-management controls are documented and stress-tested.
• Strengthen source-of-fund/source-of-wealth evidence for higher-risk crypto flows; enrich KYT with on-chain analytics where feasible.
• Be ready to explain how your crypto controls produce the same outcomes (or better) than equivalent fiat processes.

High-risk jurisdictions: sanctions + enhanced due diligence

With heightened geopolitical volatility and the UK’s active sanctions regime, the FCA (and HM Treasury/OFSI) expect firms to have a layered approach: screening, enhanced due diligence (EDD), and a governance framework that escalates jurisdictional risk to senior management. The National Risk Assessment and regulator communications in 2025 reinforce that lapses tied to cross-border exposure are a primary supervisory focus. 

Concrete actions

• Maintain a documented process for monitoring updates to FATF lists, OFSI/UK sanctions, and Treasury guidance; assign clear ownership.
• Apply EDD consistently to customers connected to high-risk jurisdictions, including source of funds, ownership structures, and transactional pattern analysis.
• Ensure your sanctions screening covers both direct and indirect relationships (e.g., third-party payment routes, payable-through accounts).
  

Supervisory expectations: data, governance, and escalation

The FCA is investing heavily in data capabilities and says it will use more intelligence to target supervisory activity. That means firms should prioritise data quality: accurate customer attributes, clear ownership trees, clean transaction data, and auditable decision records. Boards and senior management must receive clear, concise risk reporting that links controls to outcomes, not just lists of overdue training. 

Boardroom deliverables

• Produce a one-page heat map showing top AML risks, key indicators, and recent control tests.
• Provide an executive summary that ties incidents (e.g., a SAR, near miss, or typology) to remediation actions and metrics.
• Keep an evidence pack for samples of KYC, EDD and SARs that demonstrates quality and escalation decisions.

The role of technology — but not as a silver bullet

Supervisors expect firms to use analytics, AI and external data, but they also expect human oversight and explainability. Investing in tools is wise; procuring them without governance, model validation and data hygiene will not protect you. Use technology to reduce noise, not to hide poor CDD. 

Checklist for tech adoption

• Validate models against known typologies and run periodic back-testing.
• Define clear thresholds for automation vs human review.
• Keep change logs and rationale for tuning rules, supervisors want to see why thresholds moved.

Quick compliance playbook (what to prioritize this quarter)

1. Update your AML risk assessment and map to controls.
2. Run a sample audit of crypto onboarding and transaction monitoring.
3. Reconcile your list of high-risk jurisdictions against FATF/OFSI updates and document EDD trigger points.
4. Produce an executive one-pager for the board tying metrics to actions.
5. Perform a SAR-quality review and close the loop on feedback.

Final thought

Regulation in 2025 isn’t about more rules for the sake of rules. It’s about demonstrable outcomes: can your firm show it prevents, detects and escalates financial crime effectively? The FCA is moving to a world where evidence speaks louder than policy prose. For compliance teams, that’s both a challenge and an opportunity, to move from defensive compliance to value-adding risk partners.

If you’d like, I can help convert your current AML risk map into an executive one-pager or draft an EDD template specific to crypto onboarding. (No fluff, just what supervisors will ask for.)