As 2024 came to a close, the FINTRAIL team took a deep dive into the anti-financial crime (AFC) audits we conducted during the year. In true ‘Spotify Wrapped’ style, we’re bringing you the key trends, recurring themes, and standout findings—our ‘most played’ compliance challenges of the year.
In 2024, we worked with firms of all sizes, from pre-launch fintechs to global financial institutions, spanning multiple jurisdictions and regulatory landscapes. As the industry grappled with shifting compliance expectations, emerging financial crime risks, and evolving fraud tactics, our audits provided valuable insights into how AFC programmes are adapting—and where gaps still exist.
While some firms made notable progress in strengthening their frameworks, others continued to face challenges in critical areas. From regulatory updates catching firms off guard to control weaknesses that appeared across multiple reviews, our analysis sheds light on the key themes that defined AFC compliance in 2024. Read on for the most pressing trends and takeaways from our audit work over the past year.
In 2024, we conducted a total of 50+ audits and thematic reviews across a range of firm sizes, from small pre-launch businesses to global, well-established financial institutions; across different firm types, including Money Service Businesses (MSBs), Electronic Money Institutions (EMIs), Authorised Payment Institutions (APIs) and others; and across multiple jurisdictions, including the UK, Netherlands, Canada, Ireland and Lithuania. Half of these audits included in-depth reviews of the client's fraud framework.
We found a total of 789 findings across our reports with 36 critical, 159 high priority, 316 medium priority and 278 low priority recommendations.
The highest number of findings related to the payment and customer screening control area (126 findings total). Close behind were policies and procedures with a total of 89 findings—followed by risk assessments with 87.
When we split benchmarking data for 2024 between small firms (mostly small EMIs or PIs providing remittance services) and large firms, we can observe some interesting trends. On the one hand, deficiencies in policies and procedures appear to be an outlier for small firms, where we observed generic documents not tailored to firms’ business models and lacking regular updates. On the other hand, weakness in the transaction monitoring framework appears to be an outlier for large firms. We often observed that transaction monitoring systems and controls do not keep up with the increased complexity of products and services offered by large firms, leading to gaps in coverage, or outdated or ineffective rule sets.
So, what did we see?
The majority of the critical findings in 2024 related to firms’ sanctions screening controls, particularly the overall documentation of the risk-based approach (RBA) applied by firms and the frequency of ongoing customer screening. In some instances, firms were unable to demonstrate that ongoing customer screening was being performed. This was often a result of firms not understanding their third-party tooling settings—or being unaware that their tools had this functionality and, as a result, not turning it on. In terms of documenting the RBA to screening, we noted a lack of sufficient assessment of associated sanctions risks, adequate justification and appropriate approval by senior management. Compliance with sanctions regimes has been high on the regulatory agenda over the last couple of years; we believe that it was a driving force behind the reduction of findings in 2024, compared to 2023.
The “most played” finding related to firms not updating their policies and procedures and subsequent processes with the latest regulatory updates on the treatment of domestic PEPs. Many firms are still applying default enhanced due diligence (EDD) for all PEPs. Additionally, we still frequently did not see reporting discrepancies in registers and proliferation financing covered by firms’ policies and procedures.
Last year we saw an increase in findings related to customer risk assessment (CRA) and fraud. In terms of CRA, we observed some firms not applying any risk assessment to their customers at onboarding or failing to update it regularly throughout business relationships. With the launch of the mandatory reimbursement for Authorised Push Payment (APP) fraud last year, an increase in findings related to fraud should not come as a surprise. These included insufficient fraud risk assessments and limited transaction monitoring coverage, among others.
Going forward
In 2024, we acknowledged the Wolfsberg factors in our audit methodology. Going forward, FINTRAIL will be applying an updated audit methodology fully aligned with the Wolfsberg principles to ensure our reviews look for effectiveness of the programme and not just regulatory compliance.
How can FINTRAIL help?
At FINTRAIL we are passionate about combating financial crime. Our unique team of experts is drawn from the industries we support and has deep hands-on experience in developing and deploying risk management controls from leadership roles with leading banks, FinTechs, and other financial institutions.
We have extensive experience assisting financial services businesses with audits and assurance processes. We have a proven track record of identifying areas where clients can enhance their compliance and make their programmes more effective. Our approach is:
Tailored to the unique circumstances of each client
Regulatory and technology driven
Focused on providing excellent customer outcomes
We offer our clients pragmatic solutions to the most complex challenges and our goal is to ensure our clients can thrive, free from the negative impacts of financial crime.
If you wish to speak to our team about your requirements for an upcoming audit, please send us an email or get in touch via our website.