
FCA Compliance Checklist for Money Transfer Operators 2026

April 2026 · 20 min read


How to Use This Checklist

This is an operational compliance checklist for UK money transfer operators — SPI, API, or EMI — running in 2026. It is organised by functional area, with each item stated as a concrete thing to verify or have documented evidence of. Use it as an annual self-review, a pre-supervisory readiness check, or a handover document when onboarding a new compliance officer or MLRO.

The checklist is not a substitute for FCA-specific legal advice on your firm's exact circumstances. It is designed to be comprehensive enough to catch common gaps without being so prescriptive that it ignores the risk-based approach UK regulators expect.

If an item is a "no" or "partially", make it a remediation ticket with an owner and date. Then re-run the checklist quarterly and track closure rates. That discipline alone puts you ahead of most firms at your scale.

Section 1: Authorisation and Perimeter

  • ☐ Current FCA authorisation or registration verified on the Financial Services Register
  • ☐ Permissions scope documented and matches the services you actually provide
  • ☐ Any voluntary or own-initiative requirements (VREQ/OIREQ) logged and complied with
  • ☐ Change-of-control notifications filed for any material shareholder changes (Part XII FSMA)
  • ☐ Passporting arrangements (post-Brexit) documented for any non-UK operations
  • ☐ Annual regulatory fee paid on time
  • ☐ FCA data (Form A, controllers, approved persons) reviewed and submitted where changed

Section 2: Governance and SM&CR

  • ☐ Senior Management Arrangements, Systems and Controls (SYSC) requirements met for your firm type
  • ☐ Statements of Responsibilities documented for all Senior Managers
  • ☐ Board composition and frequency of meetings meet FCA expectations for your scale
  • ☐ Board minutes capture material compliance discussions with evidence of challenge
  • ☐ Risk committee or equivalent governance forum meets at least quarterly
  • ☐ Compliance officer / MLRO has documented access to the board and escalation authority
  • ☐ Fit-and-proper assessment on file for every senior manager, director, and qualifying shareholder
  • ☐ Annual fitness-and-propriety re-attestation completed
  • ☐ Conduct rules training completed and recorded for all in-scope staff (if SM&CR in scope)

Section 3: AML, KYC and Financial Crime

Policy and Framework

  • ☐ Firm-wide Risk Assessment up to date (at least annually) and approved by the board
  • ☐ AML/KYC policy current, reflects MLRs 2017, JMLSG guidance, FATF recommendations
  • ☐ Policy differentiates standard, simplified and enhanced due diligence
  • ☐ PEP policy defines domestic, foreign and associated PEPs clearly
  • ☐ Sanctions policy identifies all screened lists (HM Treasury, OFAC, UN, EU) and refresh cadence
  • ☐ Training programme delivered and documented for all customer-facing and compliance staff

Customer Due Diligence (CDD)

  • ☐ CDD evidence captured for every customer at onboarding
  • ☐ Identity verification passes (document + biometric where relevant)
  • ☐ Address verification captured and evidenced
  • ☐ Source of funds documented for all material transactions
  • ☐ Beneficial ownership captured for business customers
  • ☐ Ongoing monitoring triggers customer re-verification at defined intervals

Transaction Monitoring

  • ☐ Rules-based monitoring in place for structuring, unusual corridor patterns, velocity, and dormant-to-active anomalies
  • ☐ Alert triage process documented with investigator review time targets
  • ☐ Thresholds calibrated for your specific corridor risk profile, not vendor defaults
  • ☐ Alert-to-SAR conversion rate tracked as a quality indicator
  • ☐ Model review performed at least annually

Sanctions and PEP Screening

  • ☐ Real-time screening at onboarding, at each transaction, and on list refresh
  • ☐ Screening covers sender, beneficiary, and (where relevant) corporate principals
  • ☐ Fuzzy matching tuned to balance coverage and false-positive rate
  • ☐ List-refresh SLA documented and monitored
  • ☐ Escalation workflow for positive hits documented and tested

SAR and MLRO

  • ☐ MLRO appointed, approved (where required), and named in FCA application
  • ☐ MLRO has written access to all customer and transaction data for investigation
  • ☐ Internal SAR reporting mechanism available to all staff
  • ☐ MLRO decision log maintained for all internal reports
  • ☐ External SARs filed to NCA via SAR Online within a reasonable timeframe of MLRO decision
  • ☐ Tipping-off rules respected throughout the process
  • ☐ MLRO annual report to the board documents volumes, trends, and findings

Section 4: Operational Resilience (SYSC 15A)

  • ☐ Important Business Services (IBS) identified and documented
  • ☐ Impact tolerances set for each IBS (maximum tolerable disruption)
  • ☐ Scenario testing performed at least annually (severe but plausible disruption)
  • ☐ Test findings logged with remediation owners and dates
  • ☐ Third-party dependencies mapped for every IBS
  • ☐ Business continuity plan current and tested
  • ☐ Disaster recovery plan current and tested
  • ☐ Incident response plan defines roles, escalation, and FCA notification triggers
  • ☐ Material incidents reported to FCA in line with expectations
  • ☐ Operational resilience self-assessment submitted if required by your firm type

Section 5: Customer-Fund Safeguarding (API and EMI)

  • ☐ Safeguarding method selected (segregated client account, insurance, comparable guarantee) and documented
  • ☐ Segregation of customer funds from corporate funds at all times
  • ☐ Daily reconciliation of safeguarded balances to customer liabilities
  • ☐ Reconciliation discrepancies investigated and resolved within the next business day
  • ☐ Safeguarding bank account held with a compliant institution
  • ☐ Safeguarding arrangements reviewed annually for scale and risk alignment
  • ☐ External audit evidence of safeguarding compliance (if required by firm type)
  • ☐ Wind-down plan addresses safeguarded-fund return to customers

Section 6: Consumer Duty and Conduct

  • ☐ Consumer Duty applicability assessed for each customer journey
  • ☐ Product and service governance documented (target market, fair value, customer understanding)
  • ☐ Price and value assessment completed for all material services
  • ☐ Customer communications tested for clarity with target audience in mind
  • ☐ Vulnerable customer policy documented and operational
  • ☐ Consumer Duty annual board attestation completed
  • ☐ Fee disclosure compliant with PSRs 2017 Article 44
  • ☐ Total-cost disclosure to the sender matches actual delivered amount
  • ☐ Execution-time disclosure aligned with PSR execution-time rules
  • ☐ Pre-contract information compliant with PSRs 2017 Schedule 4

Section 7: Complaints and Redress

  • ☐ Complaints-handling procedure documented and published
  • ☐ All complaints logged with case records
  • ☐ Acknowledgement and final-response time targets met
  • ☐ Financial Ombudsman Service signposting compliant
  • ☐ FOS case cooperation and data provision processes documented
  • ☐ Complaints MI reviewed by management at appropriate cadence
  • ☐ DISP returns submitted to FCA on time and accurately
  • ☐ Root-cause analysis applied to recurring complaint themes

Section 8: Regulatory Reporting

  • ☐ Regulatory return calendar maintained with submission dates and owners
  • ☐ REP-CRIM submitted annually
  • ☐ Payment statistics returns (scale-dependent) submitted on time
  • ☐ DISP returns on complaints volumes submitted on time
  • ☐ Fee-paying returns submitted on time
  • ☐ Controllers return filed for any Part XII trigger events
  • ☐ Annual accounts filed with Companies House on time
  • ☐ HMRC MSB supervision fees and returns up to date
  • ☐ Data-breach notifications to ICO completed where required
  • ☐ Tax compliance (corporation tax, VAT, PAYE) current

Section 9: Data Protection and Information Security

  • ☐ UK GDPR compliance framework documented
  • ☐ Data Protection Officer appointed (where required) and named in ICO registration
  • ☐ Data Protection Impact Assessments completed for high-risk processing
  • ☐ Records of Processing Activities (RoPA) maintained and current
  • ☐ Data retention policy defines retention periods per data category
  • ☐ Data subject request process documented and tested
  • ☐ Cross-border transfer mechanisms (SCCs, adequacy) documented
  • ☐ Data breach procedure defines ICO 72-hour notification workflow
  • ☐ Information security framework aligned with ISO 27001 or equivalent
  • ☐ Third-party security due diligence completed for material suppliers
  • ☐ Penetration testing completed at least annually
  • ☐ Vulnerability management programme tracks and closes findings

Section 10: Third-Party Management

  • ☐ Third-party register lists every material supplier with services they provide
  • ☐ Due diligence completed on every material third party at onboarding
  • ☐ Contracts include data protection, security, audit rights, termination
  • ☐ Concentration risk assessed where multiple functions rely on the same provider
  • ☐ Outsourcing and material arrangements notified to FCA where required
  • ☐ Third parties are monitored for performance and compliance (not just signed and forgotten)
  • ☐ Exit and substitution plans documented for every critical third party
  • ☐ Audit rights exercised periodically for highest-risk providers

Section 11: Technology and Change Management

  • ☐ Change management process defines approval gates for platform changes
  • ☐ Material changes to the platform notified to FCA where required
  • ☐ Release management includes security, compliance, and business-continuity sign-off
  • ☐ Access control reviewed regularly with dormant-account removal
  • ☐ Segregation of duties enforced in the platform
  • ☐ Audit logging captures every material decision and transaction
  • ☐ Backup and recovery tested at least annually
  • ☐ Encryption applied in transit (TLS 1.2+) and at rest (AES-256)
  • ☐ Sanctions list refresh SLA monitored
  • ☐ Software vendor compliance updates applied in line with supervisory expectations

Section 12: Staff Training and Culture

  • ☐ Induction training covers AML, sanctions, conduct, consumer duty, data protection
  • ☐ Annual refresher training delivered to all staff
  • ☐ Role-specific training for compliance, MLRO, customer support, operations
  • ☐ Training records maintained for each individual
  • ☐ Training materials reflect current regulation (not last year's)
  • ☐ Speak-up / whistleblowing channel documented and communicated
  • ☐ Compliance culture indicators monitored (training completion, alert quality, SAR volumes, complaint trends)

Section 13: Wind-Down and Resolution

  • ☐ Wind-down plan documented and approved by the board
  • ☐ Plan covers orderly customer-fund return and contract closure
  • ☐ Plan identifies resources required for orderly wind-down
  • ☐ Plan tested at least annually against a scenario
  • ☐ Board attests to plan credibility annually

How to Run This Checklist Practically

  1. Assign each section to an owner with sign-off authority — typically the MLRO for AML sections, the CTO for technology, the COO for operations, and the CEO for governance and wind-down.
  2. Run the full checklist once a year as a formal review with board sign-off.
  3. Run a targeted sub-review each quarter — focus on the 2–3 sections where your firm has seen change or regulatory attention.
  4. Log every "no" or "partially" as a remediation item with owner, due date, and evidence target.
  5. Report quarterly completion trend to the board.
  6. Keep evidence — policies, procedures, training records, test results, incident logs — organised so a supervisor can verify each item without extensive re-work.

How Remitz Supports FCA Compliance

Remitz's platform automates a large share of the technology-side compliance requirements: real-time sanctions and PEP screening, AML transaction monitoring, MLRO dashboards and SAR workflows, audit trails, access control and segregation of duties, encryption, backup, and operational-resilience-aligned incident reporting. What remains is the firm-level policy, governance, training, and reporting work — where this checklist is designed to help.

For a platform walkthrough, book a free demo. For broader context on launching and running a UK MTO, see the UK launch guide and the FCA compliance for money transfer operators explainer.
