The Financial Conduct Authority (FCA) has a long memory, but it seems many UK financial services firms do not. A new deep-dive report from the Chartered Institute of Internal Auditors (IIA), "Internal Control Failure!", has quantified a trend that has been simmering in enforcement notices for years: a fundamental disconnect between identifying a risk and actually fixing it.
Between 2021 and 2025, more than £1.02 billion in fines were levied against firms for internal control failures. This represents 54% of all FCA enforcement action by volume. While a billion-pound headline is eye-catching, the more alarming detail for the accounting and audit profession is the “why.” These weren’t sophisticated, invisible crimes; they were often basic failures in anti-money laundering (AML), fraud prevention, and data governance that had been flagged months or years internally before the regulator stepped in.
The Remediation Gap
The IIA’s analysis of 97 final notices suggests a recurring theme of “stalled” remediation. It is a scenario familiar to many internal auditors: a deficiency is identified, it’s added to the risk register, and then it sits there.
In several cases highlighted in the report, firms were fined years after serious weaknesses had been identified. Warnings from internal audit and compliance teams were ignored, or the "pace" of change was deemed insufficient by the regulator. This highlights a critical failure in the governance chain: if the audit committee is receiving reports on control weaknesses, but the executive team isn't empowered (or pressured) to fix them, the entire three-lines-of-defence model collapses.
The report also identifies a glaring structural void: at least 13 of the firms hit with major fines appeared to be operating without an internal audit function entirely. In an era of heightened scrutiny, attempting to navigate the UK’s regulatory landscape without a dedicated assurance function is increasingly seen by the FCA not just as a risk, but as a red flag for poor culture.
Provision 29: From ‘Best Practice’ to Legal Liability
This data arrives just as the UK Corporate Governance Code's new Internal Controls Declaration (Provision 29) takes full effect. For accounting periods beginning on or after 1 January 2026, boards must explicitly sign off on the effectiveness of their "material controls."
Historically, annual report statements regarding internal controls have been criticized as "boilerplate": vague, optimistic, and largely indistinguishable from one company to the next. The IIA's findings suggest that for over half of the firms recently fined, such statements would have been factually inaccurate.
Under the new regime, the stakes for the CFO and the Board are significantly higher. A failure to disclose a known material weakness that later leads to an FCA fine could lead to more than just a penalty for the firm; it could lead to personal accountability issues under the Senior Managers and Certification Regime (SMCR).
The Escalating Cost of ‘Doing Nothing’
We often focus on the headline fine, but the £1.02bn figure is merely the tip of the iceberg. For an accountant looking at the balance sheet, the secondary costs of control failure are often ruinous:
- Section 166 Reviews: The cost of hiring a "Skilled Person" to oversee remediation can often eclipse the original fine.
- Operational Drag: When a firm is under a cloud of enforcement, the management time diverted from strategy to firefighting can stall growth for years.
- Reputational Premium: A public dressing-down by the FCA for "basic" AML failures has a long-term impact on credit ratings and the cost of capital.
Arleen McGichen, President of the Chartered IIA, notes that this should be a "wake-up call" for boards. However, the data suggests that many boards are already awake; they just haven't been getting out of bed to fix the problems.
A Shift in Regulatory Patience
The FCA’s shift toward “assertive supervision” means the grace period for fixing legacy systems is over. Whether it’s a challenger bank struggling to scale its compliance or an established high-street name failing to monitor suspicious transactions, the regulator’s patience for “work in progress” remediations has evaporated.
For those sitting on audit committees or advising on risk, the priority has shifted from simply identifying a problem to proving its resolution. If the remediation isn't sustained and verifiable, the fine isn't a possibility; it's an eventual certainty.