CLARITY - our library of practical, frank compliance information for regulated businesses

What the December 2025 Handbook Update Actually Means for Your Business

When the FSA updates its AML/CFT Handbook, firms tend to respond in one of two ways. Some treat it as a five-alarm event, conduct an emergency review of everything and exhaust themselves in the process. Others file it under “things to look at as soon as I can get to it”, which in practice means never. Neither approach is quite right.

Version 5, published in December 2025, is a targeted, practical update. For most businesses, the honest read is that not much has fundamentally changed, but what has changed is worth understanding properly.

BRA and TRA in the same document: yes, but

This one has been queried for years. Can the Business Risk Assessment and the Technology Risk Assessment sit in a single document, rather than as two separate files? The answer is now explicitly yes, provided the two assessments remain distinct and continue to cross-refer each other.

That second part matters more than it might appear. Putting both assessments under the same cover does not automatically create the relationship the Code and Handbook require between them. Your BRA and TRA need to inform each other: technology risks that amplify or mitigate the risks in your BRA should be visible in both documents, and the regulator reading them together should find a coherent picture. Simply merging two previously separate documents into one file saves you some administration, but it does not do that work for you.

If you choose to consolidate, build the cross-referencing in deliberately. A section in the TRA that says “the following risks are informed by section X of the BRA” and vice versa is not bureaucratic box-ticking. It is the evidence that the two assessments are genuinely talking to each other, which is exactly what the framework is designed to produce.

For a fuller picture of what each assessment needs to cover, we have articles on both: How to Build a Business Risk Assessment and How to Build a Technology Risk Assessment set out the framework in detail.

CEPs: more guidance, not more burden

The CEP section received the most substantive update in Version 5. The expanded guidance has been incorporated into the Handbook proper, with the standalone CEP guidance removed. Firms noticing this for the first time may assume that the ask has grown. It has not, at least not in the way that matters.

The FSA's direct requirement is statistical return data. Firms are asked to report on their CEP population through the AML/CFT Statistical Return. Beyond that, identification and risk management are for industry to determine, proportionately, based on their customer base and risk profile. This is not a PEP regime with a different name. There is no requirement to build parallel screening infrastructure, to apply enhanced due diligence automatically on identification, or to treat every person in a higher-risk industry sector as a CEP by default.

What the expanded guidance does is give firms a cleaner operational framework for the two-part test: involvement in an industry or activity typically associated with higher risk, and within that context, a senior decision-making role or ultimate effective control. The Handbook now also carries more practical colour on what higher-risk industries look like in practice.

The right response to the expanded guidance is a proportionate review of your current CEP approach against the updated Handbook, not a wholesale rebuild. If your existing process was already calibrated to the two-part test and your statistical return data is accurate, the December update changes very little for you in practice.

Introducers: what you may not need to do

Version 5 brings two useful clarifications on introducers that are worth reading carefully, because one of them will prompt a quiet reassessment for some firms.

The first is additional guidance on what a useful introducer risk assessment should consider. This is a sensible operational addition: the Handbook now gives more texture to the factors worth examining when assessing an introducer relationship, and firms should check their existing procedures reflect the updated thinking.

The second is the more striking point. The Handbook now makes explicit that verifying the identity of the introducer is not strictly required. For firms that have been routinely doing this as a matter of course, that deserves consideration. It does not mean the practice is wrong or that you should abandon it where it serves a genuine purpose in your risk framework. But it does mean that if identity verification of the introducer has been treated as a mandatory step, that assumption deserves revisiting.

Knowing what is and is not required is one of the more underrated compliance skills. Doing more than the framework demands for no good reason is not virtuous; it is, in fact, a significant red flag to the regulator that you do not understand the risk-based approach. It signals either that you do not know what is required, or that you cannot distinguish real risk from process noise. Neither impression is one you want to create.

The introducer clarification is a good prompt to check your procedures are calibrated to what is genuinely needed. We have a separate article that sets out the basics of introduced business and the updates from the December Handbook in more detail.

Ongoing monitoring: SOF and SOW explicitly in scope

The ongoing monitoring guidance was updated in the February 2025 version of the Handbook to make explicit that consideration should be given, where necessary, to source of funds and source of wealth information during periodic reviews. Version 5 carries that through.

This is not new thinking. Competent compliance practitioners have always understood that periodic review is not just an identity refresh exercise, and that changes in a client's profile, the nature of transactions, or the source and destination of funds can all be relevant.

What the updated Handbook does is remove any ambiguity about whether this is expected. It now clearly is.

The practical implication is that your periodic review procedures and templates should prompt consideration of SOF and SOW, with a note of the outcome where the question was considered and found relevant. Not every review will generate SOF or SOW activity. But the process should make clear that the question was asked.

What to do next

The December 2025 update is not a compliance fire drill. It is a prompt for a proportionate review, and a fairly focused one.

First, if your BRA and TRA are combined or you are considering combining them, confirm that the two assessments are genuinely distinct and cross-referencing each other, not just sitting side by side.

Second, review your CEP approach against the expanded Handbook guidance, proportionately, and make sure your statistical return data is accurate.

Third, check your introducer procedures to confirm they reflect what is actually required, and review your periodic review templates to make sure SOF and SOW consideration is built in.

None of that should take long for a firm with a well-maintained compliance framework. And if it does take longer than expected, that is useful information in itself.