RISK & COMPLIANCE

Keeping financial crime controls effective in fast-growing payment firms

It is almost a year since the FCA wrote a Dear CEO letter to payment service providers in its supervisory pool, setting out its expectations for the sector. The letter covered familiar points around financial crime governance, risk assessment, transaction monitoring, fraud controls and the need for clear ownership of outcomes. There was little in it that most MLROs in payment firms did not already know.

Despite this, the MLROs I speak with are still under intense, sustained pressure. Their financial crime controls feel increasingly stretched as their business changes and grows.  

This is symptomatic of how hard it is to keep controls aligned when products, business volumes and operating models are evolving so quickly. 

 

Always slightly behind the business

A common theme I hear is concern about being a step behind. Products rapidly move from idea to testing to go-live. Customer profiles evolve. Expansion into new markets with divergent regulatory regimes is tabled before there is a clear view of the regulatory landscape or the implications for controls and licensing.

Each of these developments might be manageable in isolation, but collectively they can alter the risk profile of the business faster than controls can realistically be recalibrated.  

Over time, controls that felt proportionate only months earlier, and processes that worked when volumes were lower, start to unravel. Teams find themselves spending all their time dealing with what is immediately in front of them, with limited opportunity to step back to consider whether the overall framework still reflects how the business now operates. 

Business-wide risk assessments that exist, but do not really drive anything

Business-wide risk assessments are a good example of controls becoming misaligned with the operating model they are intended to support.  

I often see assessments that are generic, heavily qualitative and poorly evidenced. Some introduce methodologies which were appropriate for larger and/or banking institutions and adapt them only lightly, without really reflecting the firm’s specific products, customer base or delivery model. 

A control is deemed effective on a subjective basis, because someone looks at it every day and is relatively satisfied with its operational performance, without quantitative evidence to show how well it is really performing on an objective basis.

Sometimes assessments are completed, signed off, and then simply parked without clear tracking into control enhancements. Transaction monitoring rules and thresholds are not updated to reflect newly identified risks. Compliance monitoring plans are not refocused towards areas of higher residual risk or known control limitations. Systems and controls tuning becomes a separate exercise, rather than something that dovetails with the assessment itself.  

When this happens, the risk assessment doesn’t meaningfully affect how risks are managed, and as a result is of limited value in a firm’s overall risk management approach. 

Warning signs that tend to surface early

When frameworks come under strain, the indicators are usually visible well before a regulator intervenes. Examples include: 

  • Permanent backlogs. Onboarding and periodic monitoring queues that never clear. Enhanced due diligence cases that sit open for weeks. Transaction monitoring and sanctions alerts rising, without any increase in capacity or capability to effectively investigate and disposition them.
  • Outward appearance of inaction. From the outside, teams look slow to respond. In reality, volumes are growing faster than systems, processes and resourcing can cope with.
  • Flimsy management information. MI that is little more than counts and totals. Without trends, context or interpretation, it is hard for MLROs or boards to tell whether the picture is improving or deteriorating, or what action is needed.
  • Approval structures no longer fit for purpose. Too many decisions still fall to the MLRO or are escalated to the board, becoming unmanageable as complexity increases. As a result, senior attention is consumed by routine review and sign-off, leaving less capacity to focus on evolving and strengthening the financial crime framework itself.
  • Risk appetite falling behind reality. Risk appetite statements, thresholds and metrics that made sense six months ago no longer reflect how the business operates. Over time, they stop being a useful reference point for day-to-day decisions and no longer guide risk-based decision making.

Growth, technology and people pressures

In most cases, these challenges reflect the practical constraints financial crime and risk/compliance functions face in growing payment firms. Compliance teams are typically small, trying to keep on top of day-to-day work while also managing change and remediation. There is little headroom to pause and step back to think about how everything fits together or how things could be done more effectively.  

Technology decisions can be made in haste under pressure. A new tool is introduced to solve a specific problem, then another is added to address a different gap. Over time, systems are bolted on rather than designed cohesively as a harmonised ecosystem. Even where platforms integrate well, the overall environment can be difficult to maintain and enhance without a clear end-to-end view.  

People and experience also play a part. Senior leaders in payment firms often come from product or technology backgrounds – they bring a wealth of entrepreneurial experience and have a solid grasp on enhancing functionality and end-user experience, but may not have significant experience of regulatory engagement or prolonged supervisory scrutiny. Without that reference point, it can be difficult to judge what good looks like, or where time, effort and resource are best focused.  

When everything is moving quickly, when priorities change frequently, and when there is turnover in key roles, it becomes much harder to build a consistent, positive and robust compliance culture. 

Regaining control as complexity increases

There is no single answer to the challenge of maintaining effective financial crime controls as a business grows quickly. In that context, one of the most effective steps is often to pause.  

Taking a genuine end-to-end view of the financial crime framework can feel difficult when teams are already stretched, but it is often the only way to regain clarity. Understanding how people, processes and technology actually interact in practice, rather than how they are meant to work on paper, makes it easier to see where duplication, gaps or misalignment have crept in.  

More transparency also leads to better external engagement. Open, pragmatic relationships with regulators and peers provide perspective and early warning, and can help MLROs sense-check whether the challenges they are facing are isolated or more widespread. 

Looking ahead without losing perspective

Looking ahead to this year, there is no single, known regulatory development that can be clearly identified today as materially changing the pressures MLROs face in payment firms. Growth, new products and sustained regulatory focus will nonetheless continue to test already stretched frameworks, requiring constant horizon scanning and readiness.

The priority is creating space to regain control. Taking an end-to-end view of the financial crime framework, grounding risk assessments in how the business actually operates, and ensuring controls genuinely drive assurance and risk-based decision-making will all help keep pace with change. 

MLROs do not need to do this alone. Many payment firms bring in specialist advisers at key moments to provide an independent view across people, process and technology. Used well, external support can cut through complexity, uncover blind spots and provide confidence that controls remain proportionate, defensible and aligned to how the business is evolving.    

A year on from the Dear CEO letter, with the right focus and support where needed, maintaining control as the business grows is achievable. 
