PRESS RELEASE: STRICTLY EMBARGOED UNTIL 00:01 FRIDAY 24 APRIL 2026

Weak internal controls leave firms facing over £1bn in FCA fines

Major control weaknesses behind more than half of all FCA enforcement action, putting customers and markets at risk.

Regulators and audit committees called upon to act by strengthening internal controls through more robust internal audit capabilities.

More than £1bn in fines handed out by the Financial Conduct Authority (FCA) over the past five years were triggered by basic failures in firms’ internal controls, according to a hard‑hitting report from the Chartered Institute of Internal Auditors.

The findings show that more than half (54%) of all FCA fines between 2021 and 2025 were linked to control failures that regulators warned could have enabled money laundering, terrorist financing or organised crime. These failures also caused consumer harm and market abuse, affecting millions of customers.

Behind the headline fines lie real‑life consequences for people. Customers exposed to fraud. Hard‑earned savings and investments put at risk. Vulnerable people treated unfairly. In several cases, firms were fined years after serious weaknesses had already been identified, with warnings ignored, issues left unchecked, and problems allowed to fester.

The new report, Internal Control Failure!, analysed every FCA final notice issued over the past five years and found that 52 of the 97 fines directly referenced control failures. These failures covered areas including anti‑money laundering checks, fraud, data quality, technology systems, and the effectiveness of governance and oversight.

In case after case, the regulator found that firms had been warned internally and failed to act. Internal audit and compliance teams raised red flags about control weaknesses, but corrective action stalled, lacked pace or was not sustained. In some cases, firms failed to address known deficiencies for years.

In several cases, this resulted in serious consumer harm. Customers’ accounts were left exposed to the risk of criminal abuse. Systems failed to identify suspicious transactions. Customer data was exposed to the risk of cyber‑attack. Consumers faced disproportionate and aggressive debt collection action for low‑value arrears because systems were not designed correctly. Weak governance and oversight allowed risks to multiply and go unchecked.

The total value of fines linked to internal control failures came to £1,025,543,747. However, the true cost is likely to be far higher once customer redress, remediation costs, management time and long‑term reputational damage are taken into account.

A call to action for boards and audit committees 

The Chartered IIA says the findings should serve as a wake‑up call for boards, audit committees and senior management, particularly in financial services, where internal audit is already a regulatory requirement due to the sector’s systemic importance.

The report raises difficult questions about whether assurance over key risks is sufficiently robust, timely and joined‑up, and whether boards are consistently receiving the information they need to challenge senior management and drive effective remediation.

The analysis also revealed that at least 13 of the firms fined for internal control failures appeared to be operating without an internal audit function, pointing to potential gaps in the scope of the FCA’s current rules and regulations.

Arleen McGichen, President of the Chartered Institute of Internal Auditors, said:

“When more than half of FCA fines are rooted in internal control failures, to the value of over £1bn, this should seriously concern boards across the financial services sector and beyond. Too many firms are not getting the basics right in areas such as anti‑money laundering, where there should be zero tolerance for failure.

“Internal audit has a critical role to play in independently assessing whether controls are effective and in holding senior management and boards to account when issues persist. But assurance only works when it is properly resourced, with issues taken seriously and acted upon.”

The report is published as companies face new pressure to demonstrate the effectiveness of their internal controls under the UK Corporate Governance Code, following the introduction of the new Internal Controls Declaration, also known as Provision 29. The Chartered IIA says the findings expose a gap between what firms often say about controls in boilerplate statements in their annual reports and what happens in practice.

It warns that unless firms treat internal controls as vital safeguards rather than a box‑ticking exercise, customers and markets will continue to bear the cost of failure.

-ENDS-


FOR MORE INFORMATION / FURTHER COMMENT CALL GAVIN HAYES ON 07900195591


Notes to editors

  • The report Internal Control Failure! analysed 97 FCA enforcement cases from 2021 to 2025, finding that 52 cases (54%) directly referenced internal control failures.
  • The total fines linked to these failures exceeded £1bn (£1,025,543,747).
  • Control weaknesses were most commonly linked to AML, fraud prevention, governance, data and technology failures.
  • The full report can be downloaded here

About the Chartered Institute of Internal Auditors 

The Chartered IIA represents around 10,000 internal audit professionals in organisations spanning all sectors of the economy, across the UK and Ireland. It champions the contribution internal audit makes to good corporate governance, strong risk management and a rigorous control environment leading to the long-term success of organisations, including those in the public sector.