The FCA’s June 2026 Financial Crime Speech: What It Means for AML Reporting in UK-Regulated Firms

ByOfficer

Last updated: June 2026

A speech is not a rule. A conference address does not itself create a filing requirement. So when the Financial Conduct Authority gives a financial crime speech, the temptation in a reporting team is to skim the headline cases and move on. That is the wrong instinct. The June 2026 FCA financial crime speech tells you where the regulator is pointing its supervisory attention next, and that is precisely the part that shows up later in a REP-CRIM data request, a skilled person review, or a supervisory visit that arrives with questions you did not expect.

On 17 June 2026, Therese Chambers, the FCA’s Joint Executive Director of Enforcement and Market Oversight, spoke at the 22nd Annual IBA Anti-Corruption Conference. The speech was titled “Beyond the headlines: the unseen fight against financial crime”. Its argument was that the visible enforcement outcomes most people read about are the smallest part of what the FCA actually does on financial crime, and that prevention, supervision and data sharing carry more of the load than the fines suggest. For anyone responsible for anti-money laundering controls and financial crime reporting in a UK-regulated firm, the speech is a map of supervisory priorities translated into the obligations you already hold.

This article reads the speech against the UK reporting framework it sits on top of: the Proceeds of Crime Act 2002, the Money Laundering Regulations 2017, the FCA’s Financial Crime Guide, the annual REP-CRIM return, and the suspicious activity report regime. The speech itself creates no new obligation. What it does is signal how the existing ones are being supervised, and that distinction is the whole point.

Related reading: our guide to the 2026 Senior Managers and Certification Regime reforms.

What the FCA actually said, and why a reporting team should care

Chambers framed the speech around a contrast. Enforcement headlines, she argued, are the tip of a much larger operation. To make the point concrete, she set out the scale of the FCA’s footprint: “We regulate more than 40,000 firms, supervise 1,720 listed issuers, and receive 35m transaction reports every day.” That last figure is worth holding onto. Thirty-five million transaction reports a day is not a number a regulator quotes for colour. It is the FCA telling the market that its primary mode of operation is data, not press releases.

She borrowed a structure from policing: “Law enforcement has the 4 Ps: Prevent. Pursue. Protect. Prepare.” The FCA, she said, increasingly works the same way. Pursuit, the part that produces fines and convictions, is one quarter of the model. The rest is prevention, protection and preparation, and those are the parts a reporting team feeds.

The trap here is reading a financial crime speech as an enforcement speech. It is not. The Nationwide example Chambers cited, “Fining Nationwide £44m for anti-money laundering failings”, is a pursuit outcome, but the speech spends far more energy on the supervisory machinery that sits upstream of any fine. The data you submit, the suspicious activity reports you file, the systems and controls a supervisor inspects: those are the inputs to prevention. When the FCA says it is shifting weight toward prevention, it is saying it will lean harder on those inputs.

The legal spine: where the FCA’s financial crime mandate comes from

The FCA does not regulate financial crime in the abstract. Its mandate is statutory and narrow in definition. Section 1H(3) of the Financial Services and Markets Act 2000 defines financial crime as any offence involving fraud or dishonesty, misconduct in or misuse of information relating to a financial market, handling the proceeds of crime, or the financing of terrorism. Every supervisory action the speech describes traces back to one of those four limbs.

From that definition flows a single, deceptively simple obligation. Under the FCA Handbook, all firms authorised under FSMA must, as part of their Senior Management Arrangements, Systems and Controls requirements, have appropriate systems and controls to counter the risk that they are used for financial crime of all types. The FCA supervises compliance by assessing the quality of those overall systems and controls. This is the obligation a supervisor is really testing when it reviews your AML framework. It is not asking whether you caught every launderer. It is asking whether your systems and controls were adequate to the risk.

That framing matters because it is risk-based, not outcomes-based. A firm can suffer a money laundering event and still have adequate controls. A firm can have no known event and still have inadequate ones. The FCA has been explicit that failures in AML or counter-terrorist financing controls will not automatically result in disciplinary sanctions, but that enforcement is more likely where a firm has not identified its risks, has not put appropriate controls in place, or has failed to make sure those controls actually work. Teams that read the Nationwide fine as “they had a laundering problem” miss the point. The fine attached to control failings, not to the underlying crime.

The reporting layer the speech sits on: REP-CRIM and SUP 16.23

The most direct connection between a financial crime speech and a reporting team’s calendar is the annual financial crime report, known as REP-CRIM. It is required under chapter 16.23 of the FCA’s Supervision sourcebook, and a firm submits it in the form specified at SUP 16 Annex 42AR, with guidance notes at SUP 16 Annex 42B. The deadline is mechanical: a firm must submit the report within 60 business days of its accounting reference date, and it is notified of the obligation through RegData.

Scope is where teams get this wrong. There is no single revenue threshold that decides whether REP-CRIM applies. The obligation works in two tracks. Some firm types must report irrespective of any revenue threshold, for example banks, building societies and mortgage lenders. Other firms must test the SUP 16.23 application table and the PS21/4 extension against their permissions, activities and total annual revenue. The £5m figure is not a universal exclusion. Since PS21/4, additional categories report irrespective of total annual revenue, including all electronic money institutions, all cryptoasset exchange providers and custodian wallet providers, all MTFs and OTFs, payment institutions subject to specified exclusions, and certain FSMA-authorised firms within the MLRs that hold client money or assets or carry on FCA-specified higher money laundering risk activities. A firm that mentally files itself under “too small to report” because its revenue is under £5m may be in scope anyway because of its firm type.

Cryptoasset businesses are the clearest example of the threshold trap. All cryptoasset businesses registered under the Money Laundering Regulations must submit REP-CRIM regardless of their size. There is no £5m floor for them. A small registered cryptoasset firm that assumes the revenue threshold protects it has misread the rule.

The population in scope is not static. Following the FCA’s August 2020 consultation, the number of firms required to submit a REP-CRIM return increased from roughly 2,500 to roughly 7,000 for reference dates falling after 30 March 2022, with the policy set out in PS21/4. The revenue threshold was removed for certain firms carrying on higher money laundering risk activities, such as dealing in investments as agent or as principal. If your firm took on one of those permissions after 2022, your reporting obligation may have changed without anyone in the business flagging it.

REP-CRIM is also exactly the kind of dataset the speech was describing when it talked about prevention. The FCA aggregates these returns to build a sector-wide picture of financial crime exposure. When Chambers said the FCA’s work is increasingly data-led, REP-CRIM is one of the feeds. A return filed thinly, with weak or inconsistent figures, is not a private document. It is a signal.

Suspicious activity reports: the obligation that does not run to the FCA

Here is a distinction that catches firms repeatedly. The suspicious activity report regime is not an FCA reporting line. SARs are made under the Proceeds of Crime Act 2002 and the Terrorism Act 2000, and they go to the National Crime Agency, specifically to the UK Financial Intelligence Unit, not to the FCA.

The legal obligation is criminal, not just regulatory. A person in the regulated sector who knows or suspects, or has reasonable grounds to know or suspect, money laundering must disclose it. The failure-to-disclose offences sit at sections 330 and 331 of POCA 2002, and at section 21A of the Terrorism Act 2000 for terrorist financing. Conviction on indictment for failing to disclose can carry up to five years’ imprisonment, a fine, or both. This is one of the few places in the reporting universe where getting it wrong is a personal criminal exposure for the reporter, not a firm-level regulatory matter.

The scale of the regime is large and growing. The UKFIU received 866,616 SARs in the 2024-25 reporting year. A firm’s own SAR activity, and the quality of it, is part of what supervisors and law enforcement use to judge whether its monitoring is working. A firm that files almost no SARs in a high-risk business line is not demonstrating clean books. It is more likely demonstrating that its monitoring is not detecting what it should.

Where a firm wants to proceed with a transaction it suspects involves criminal property, it can seek a Defence Against Money Laundering, a DAML, from the NCA. The DAML mechanism runs on statutory clocks. Under POCA section 335, the NCA has a notice period of seven working days, starting with the first working day after the disclosure, to decide whether consent is refused. If consent is refused, the moratorium period is 31 days, starting with the day on which the firm receives notice that consent is refused. The moratorium can be extended by the Crown Court under POCA sections 336A to 336C, subject to the statutory limits. Reporting teams frequently underestimate how operationally disruptive a live DAML is, because the clock, not the firm, controls when the transaction can move.

The Money Laundering Regulations 2017 and the risk-based approach

Underneath both REP-CRIM and the SAR regime sits the rulebook that actually defines AML obligations: the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, usually shortened to MLR 2017. They came into force on 26 June 2017 and set out what relevant persons, defined in regulation 8, must do to prevent their services being used for money laundering, terrorist financing or proliferation financing.

The MLR 2017 are built on a risk-based approach. Firms apply customer due diligence and conduct ongoing monitoring of business relationships, calibrated to the risk each relationship presents. Enhanced due diligence is required for higher-risk situations, including relevant transactions where a party is established in a high-risk third country, or transactions that are complex, unusually large, have no apparent economic or legal purpose, or show unusual patterns. The risk-based logic is the same one the FCA applies to its own supervision, which is why the speech’s prevention framing maps so cleanly onto the regulations: both ask whether the firm understood and mitigated its risk, not whether a bad outcome occurred.

One common error worth naming. The MLR 2017 risk-based approach does not mean a firm can decide a whole customer category is too risky and simply exit it without assessment. Wholesale de-risking, cutting off entire sectors or jurisdictions to avoid the cost of due diligence, is itself a supervisory concern, because it can push legitimate activity outside the regulated perimeter where it is harder to monitor. The risk-based approach asks for proportionate controls, not blanket avoidance.

The Financial Crime Guide: guidance, not rules, and why that matters

When a supervisor assesses your systems and controls, the reference point is usually the FCA’s Financial Crime Guide. Its full title is “Financial Crime: A Guide for Firms”, abbreviated FCG. Its status is precise and often misunderstood. FCG 1.1.7 states that the Guide contains general guidance as defined in section 139B of FSMA 2000, that the guidance is not binding, and that the FCA will not presume a firm’s departure from it indicates a breach of the rules. FCG 1.1.8 adds that the FCA nonetheless expects firms to be aware of the guidance where it applies to them and to consider it when establishing, implementing and maintaining their anti-financial crime systems and controls.

That non-binding status cuts both ways. A firm is free to meet its obligations by other means, and departing from the Guide is not automatically a failure. But the Guide is also the clearest articulation of what good and poor practice look like in the FCA’s eyes, which means a firm that departs from it should be able to explain why its alternative is at least as effective. In practice, supervisors read the Guide as a benchmark, and a firm that has not even considered it is harder to defend.

The Guide is organised by topic. FCG 1 is the introduction. FCG 2 covers financial crime systems and controls, including governance and risk assessment. FCG 3 covers money laundering, including ongoing monitoring. FCG 4 covers fraud. FCG 7 covers sanctions and proliferation financing. The FCA refreshed the Guide through consultation paper CP24/9, published in April 2024, and finalised the changes in policy statement PS24/17, “Financial Crime Guide updates”. Those updates added, among other things, a reminder in FCG 7.2.2 that the financial crime risk assessment requirement applies to sanctions and proliferation financing as well, reflecting the proliferation financing risk-assessment duty added to the Money Laundering Regulations 2017 in 2022. If your AML policies still cite the pre-2024 Guide structure, they are out of date.

Sanctions: the part of the speech that reaches beyond AML teams

Sanctions sit inside the same systems and controls obligation as money laundering, but the supervisory architecture is more crowded. The FCA supervises whether firms have adequate systems and controls to counter the risk of breaching sanctions legislation, but it is not the competent authority for financial sanctions. That role belongs to HM Treasury, through the Office of Financial Sanctions Implementation, whose powers derive from the Sanctions and Anti-Money Laundering Act 2018.

There is now a second sanctions body in the picture. The Office of Trade Sanctions Implementation, part of the Department for Business and Trade, launched in October 2024 to strengthen the UK’s implementation and enforcement of trade sanctions. The FCA has a memorandum of understanding with OFSI and a separate one with OTSI, and both set out how supervisory information about suspected sanctions weaknesses flows between the agencies. A firm that treats sanctions as a self-contained compliance silo misreads how the information moves: a sanctions breach the FCA learns about can surface a broader systems failing, and information about that failing can travel to OFSI or OTSI.

The practical reading point is that effective customer due diligence and screening against the consolidated list are not optional add-ons to AML. The FCG treats sanctions and proliferation financing as part of the wider financial-crime control framework, but sanctions screening is not the same test as AML transaction monitoring. A firm should be able to evidence both: sanctions list screening and escalation on one side, and AML customer-risk assessment, due diligence and transaction monitoring on the other.

Data sharing and the prevention agenda the speech is really about

The most forward-looking part of the speech was not enforcement at all. It was infrastructure. Chambers described two collaborations that signal where supervision is heading. First: “We’ve already published, with the National Crime Agency, 9 shared economic crime priorities.” Those priorities, set for the regulated sector, include cash-based money laundering, the exploitation of money mules, and fraud linked to overseas jurisdictions. Second: “We’ve joined the Data Fusion project with the Bank of England and industry, to improve our ability to detect and disrupt serious organised crime.” Data Fusion brings law enforcement officers, financial crime investigators and bank data scientists into joint analytical work on account and transaction data, and the pilot has produced hundreds of intelligence products feeding UK law enforcement operations.

For a reporting team, the implication is direct. The data you submit is increasingly being fused with data from other firms and from law enforcement. A SAR that would once have sat in isolation can now be a node in a pattern visible across institutions. This raises the value of accurate, well-structured reporting and raises the cost of sloppy reporting, because the gaps are more visible when the data is pooled.

Chambers also flagged a scope change for the AML supervisory regime itself: “We’re looking forward to deepening our relationships with professional body supervisors in the legal and accountancy sectors under our new anti-money laundering jurisdiction.” For firms that interact with legal and accountancy intermediaries, this signals tighter coordination across the AML supervisory landscape, and less room for risk to fall between supervisory cracks.

What this means for your reporting calendar and controls

None of this changes a deadline today. The speech adds no template and moves no date. What it does is tell you which existing obligations are under the brightest light. Three of them deserve a fresh look. Your REP-CRIM return, because the FCA is using that data more actively and the scope rules catch more firms than teams assume. Your SAR quality, because pooled data makes thin or inconsistent reporting easier to spot. And your systems and controls documentation, because prevention-led supervision tests the adequacy of controls, not the absence of incidents.

A useful exercise after a speech like this is to map each priority the regulator named back to a control you already operate, and ask whether the evidence for that control would survive a supervisor’s question. The FCA has told you, in its own words, that the unseen work matters more than the headlines. The unseen work, on your side of the relationship, is the reporting.

Frequently Asked Questions

Does the FCA’s June 2026 financial crime speech create any new reporting obligation?

No. A speech is not a rule or guidance. The June 2026 speech by Therese Chambers signals supervisory priorities and describes existing tools such as REP-CRIM, SARs and the systems and controls obligation. It does not add a template, change a deadline, or impose a new return. Its value is as a read on where supervisory attention is moving.

Who has to submit the REP-CRIM annual financial crime report?

REP-CRIM under SUP 16.23 applies in two tracks. Some firm types report irrespective of revenue, such as banks, building societies and mortgage lenders. Other firms must test SUP 16.23 and PS21/4 against their permissions, activities and total annual revenue. The £5m test is not universal. Since PS21/4, additional categories report irrespective of total annual revenue, including all electronic money institutions, all cryptoasset exchange providers and custodian wallet providers, all MTFs and OTFs, payment institutions subject to specified exclusions, and certain FSMA-authorised firms within the MLRs that hold client money or assets or carry on FCA-specified higher money laundering risk activities. A firm is notified of the obligation through RegData.

When is the REP-CRIM return due?

A firm must submit the report within 60 business days of its accounting reference date, in the form specified at SUP 16 Annex 42AR, with completion guidance at SUP 16 Annex 42B.

Do suspicious activity reports go to the FCA?

No. SARs are made under the Proceeds of Crime Act 2002 and the Terrorism Act 2000 and are submitted to the National Crime Agency through the UK Financial Intelligence Unit. The failure-to-disclose offences in the regulated sector sit at sections 330 and 331 of POCA 2002 and section 21A of the Terrorism Act 2000, and can carry up to five years’ imprisonment on conviction on indictment.

What is a Defence Against Money Laundering, and how long does it take?

A DAML is consent sought from the NCA to proceed with a transaction a firm suspects involves criminal property. Under POCA section 335, the NCA has a notice period of seven working days, starting with the first working day after the disclosure, to decide whether consent is refused. If consent is refused, the moratorium period is 31 days, starting with the day on which the firm receives notice that consent is refused, and it can be extended by the Crown Court under POCA sections 336A to 336C, subject to the statutory limits. The clocks, not the firm, govern when the transaction can move.

Is the FCA’s Financial Crime Guide legally binding?

No. The Guide, full title “Financial Crime: A Guide for Firms”, contains general guidance under section 139B of FSMA 2000. FCG 1.1.7 states it is not binding and that the FCA will not presume a departure from it indicates a breach. It functions as a benchmark of good and poor practice, and a firm that departs from it should be able to explain why its alternative is at least as effective.

Does the FCA enforce UK financial sanctions?

The FCA supervises whether firms have adequate systems and controls to manage sanctions risk, but it is not the sanctions competent authority. HM Treasury, through the Office of Financial Sanctions Implementation, holds the financial sanctions enforcement role, and the Office of Trade Sanctions Implementation, launched in October 2024, handles trade sanctions. The FCA shares supervisory information with both under memoranda of understanding.

How is data sharing changing what firms should report?

Initiatives such as the Data Fusion project and the nine shared economic crime priorities published with the National Crime Agency mean firm-submitted data is increasingly analysed across institutions. Accurate, well-structured SARs and REP-CRIM returns gain value, and inconsistent reporting becomes easier to spot, because gaps are more visible once data is pooled.

Related Articles

Key Takeaways

  • The FCA’s June 2026 financial crime speech creates no new obligation. It signals a shift toward prevention-led supervision built on the data firms already submit.
  • The financial crime mandate is statutory: FSMA section 1H(3) defines financial crime, and the SYSC systems and controls requirement is what a supervisor actually tests.
  • REP-CRIM under SUP 16.23 is due within 60 business days of the accounting reference date. Scope is mixed. Some firms report irrespective of revenue, and PS21/4 added further categories that report irrespective of total annual revenue, including all electronic money institutions, all cryptoasset exchange providers and custodian wallet providers, all MTFs and OTFs, payment institutions subject to specified exclusions, and certain FSMA-authorised firms within the MLRs that hold client money or assets or carry on FCA-specified higher money laundering risk activities. The £5m test applies only where SUP 16.23 preserves it.
  • SARs go to the National Crime Agency’s UK Financial Intelligence Unit, not the FCA, under POCA 2002 and the Terrorism Act 2000. The UKFIU received 866,616 SARs in the 2024-25 reporting year.
  • A Defence Against Money Laundering runs on a seven working day notice period and, if refused, a moratorium period during which the firm must not proceed.
  • The Financial Crime Guide is general guidance, not binding rules, but supervisors use it as a benchmark. It was updated via CP24/9 and PS24/17 in 2024.
  • Sanctions sit in the same systems and controls obligation as AML, but HM Treasury’s OFSI and the trade sanctions body OTSI, launched October 2024, hold the enforcement roles.
  • Data Fusion and the nine shared economic crime priorities mean firm data is increasingly analysed across institutions, raising the value of accurate reporting.

Sources and References

Reading a speech like a reporting officer, not a headline reader

The instinct to skim a regulator’s speech for the fine and ignore the rest is exactly the instinct the June 2026 address was arguing against. The fine is the visible quarter. The other three quarters, prevention, protection and preparation, run on data your firm submits and controls your firm operates. When the FCA tells you it is leaning into the unseen work, it is telling you that your REP-CRIM return, your SARs and your systems and controls documentation are the surface it will be testing. The headline is the part you can read in a newspaper. The reporting is the part you own.

Disclaimer: The information on RegReportingDesk.com is for educational and informational purposes only. It does not constitute legal, regulatory, tax, or compliance advice. Always consult your compliance officer, legal counsel, or the relevant supervisory authority for guidance specific to your institution.

Similar Posts