
SYSC 6.3: What It Requires and Who It Applies To

Applies to: banks, investment firms
Jurisdictions: UK

FCA SYSC 6.3 is the Financial Crime chapter of the UK Financial Conduct Authority's Senior Management Arrangements, Systems and Controls sourcebook. It requires every FCA-authorised bank and investment firm to establish and maintain effective systems and controls preventing the firm from being used for financial crime, including money laundering and terrorist financing, with obligations reinforced by the Money Laundering Regulations 2017.

What is SYSC 6.3?

SYSC 6.3 is the Financial Crime chapter of the FCA's Senior Management Arrangements, Systems and Controls (SYSC) sourcebook, a binding part of the FCA Handbook. The general obligation sits in SYSC 6.1.1R, which requires a firm's policies and procedures to counter the risk that the firm might be used to further financial crime. SYSC 6.3.1R then requires that those policies and procedures include systems and controls that enable the firm to identify, assess, monitor and manage money laundering risk, and that are comprehensive and proportionate to the nature, scale and complexity of its activities.

The rule has been in the Handbook since the FSA era and carried over when the FCA assumed conduct regulation in April 2013. Its practical weight grew substantially after the UK Money Laundering Regulations 2017, which implemented the EU's Fourth Anti-Money Laundering Directive in domestic law and made the FCA the supervisory authority for the credit and financial institutions it regulates, so that SYSC 6.3 and the FCA's Financial Crime Guide became the lens through which compliance with the Regulations is supervised.

The FCA introduced the requirement because systemic weaknesses were appearing across the sector. Banks were onboarding high-risk clients without adequate documentation, failing to monitor activity against stated customer profiles, and not assigning clear accountability to named individuals. SYSC 6.3 was the structural answer: put a senior person in charge, write down what you're doing, and prove it works.

The regulation is principles-based. It doesn't specify exact procedures. SYSC 6.3.1R requires controls that are "comprehensive and proportionate to the nature, scale and complexity" of the firm's activities, and SYSC 6.3.3R requires the firm to assess the adequacy of those controls regularly; the guidance provisions in SYSC 6.3 and the FCA's Financial Crime Guide (FCG) flesh out what that means. A major retail bank faces expectations of automated transaction monitoring, trained MLRO teams, and board-level financial crime MI. A small investment advisory firm faces the same rule, but proportionality means a documented risk assessment and annual staff training may be sufficient. Supervisors assess substance over form.


Who does SYSC 6.3 apply to?

SYSC 6.3 applies to FCA-authorised firms within the scope of SYSC 6. In practice that is every firm that is an "authorised person" under the Financial Services and Markets Act 2000 and that is a credit institution or financial institution for the purposes of the MLR 2017, which covers a wide range of UK-regulated entities.

Covered firm types include:

  • UK-authorised banks and building societies: every high-street retail bank, challenger bank, and digital bank authorised to accept deposits (PRA-authorised, with the FCA as conduct regulator)
  • PRA-dual-regulated firms: large UK banks and domestic subsidiaries of overseas banking groups supervised jointly by the PRA and FCA
  • MiFID investment firms: stockbrokers, wealth managers, discretionary portfolio managers, and investment advisers
  • Payment institutions and e-money institutions: firms regulated under the Payment Services Regulations 2017 or the Electronic Money Regulations 2011, to the extent SYSC obligations apply to them
  • Mortgage lenders and intermediaries: authorised under FSMA where financial crime risk is present
  • Consumer credit firms: FCA-authorised firms with credit activities carrying meaningful money laundering exposure

There's no minimum asset threshold. A two-person investment advisory firm with an FCA licence is subject to the same underlying rule as HSBC. The proportionality principle in the regulation means expectations are scaled to the firm's risk profile, but the obligation itself applies uniformly.

Overseas firms with UK branches authorised by the FCA are also in scope. The FCA's Financial Crime Guide makes the same point about group structures: a UK branch can't rely on group-level controls from an overseas parent if those controls don't meet UK regulatory standards. The UK compliance function must be able to demonstrate local compliance independently.


What does SYSC 6.3 require?

The obligations draw from SYSC 6.3.1R (systems and controls), SYSC 6.3.3R (regular assessment of their adequacy), SYSC 6.3.8R (allocation of senior responsibility), SYSC 6.3.9R (appointment of an MLRO) and the supporting guidance in SYSC 6.3, read together with the MLR 2017. There are six core areas:

  1. Systems and controls for financial crime prevention: Firms must establish documented policies and procedures covering money laundering, terrorist financing, fraud, bribery, and market abuse. Policies can't be generic templates. They must map to the firm's specific business lines, customer types, and geographic footprint. A policy that doesn't address the firm's actual products and services fails the test.

  2. Firm-wide risk assessment: Firms must assess and document the financial crime risks they face, covering customer risk, product risk, geographic risk, and delivery channel risk. This requirement sits squarely within the risk-based approach mandated by FATF Recommendation 1 and is one of the first documents FCA supervisors request on examination day.

  3. Senior management allocation: Under SYSC 6.3.8R, overall responsibility for anti-money laundering systems and controls must be allocated to a director or senior manager. SYSC 6.3.9R separately requires the firm to appoint a Money Laundering Reporting Officer (MLRO). In many firms the same individual holds both roles, and the MLRO role maps to Senior Management Function 17 (SMF17) under the Senior Managers and Certification Regime. That person must have authority, access, and resources.

  4. Customer due diligence and enhanced due diligence: Firms must implement CDD and EDD procedures calibrated to customer risk. High-risk customers, including politically exposed persons and those with complex ownership structures, require enhanced scrutiny before onboarding and throughout the relationship. The standard for EDD goes beyond identity verification: source of wealth, source of funds, and the business rationale for the relationship must all be documented.

  5. Transaction monitoring: Firms must monitor customer transactions against expected activity profiles. Alerts require review by trained staff, and suspicious activity reports must be filed with the National Crime Agency where suspicion arises. Under POCA 2002, a firm that requests a defence (consent) to proceed with a transaction has a 7-working-day notice period before consent is deemed given, followed by a 31-day moratorium if the NCA refuses. Delays in filing are treated as control failures.

  6. Training: The guidance in SYSC 6.3.7G expects appropriate training for employees in relation to money laundering, and regulation 24 of the MLR 2017 makes training of relevant employees a legal requirement. Employees whose roles expose them to financial crime risk must receive role-specific training on a regular basis. Annual refresher training is the sector norm. Firms in higher-risk segments, such as trade finance or correspondent banking, typically train more frequently. The FCA expects records of who trained, on what, and when.
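
The notice-period and moratorium arithmetic from item 5, as an added example (not the page's or FluxForce's code, and not text from the FCA Handbook). It assumes the counting convention in POCA 2002 s.335 as the author reads it: the 7 working days run from the first working day after the disclosure, weekends and any bank holidays the caller supplies are not working days, and the 31-day moratorium is counted from and including the day the refusal is received. The dates and the bank holiday used below are constructed.

```python
from datetime import date, timedelta

# Added example: deadline arithmetic for a DAML (consent) SAR. Conventions assumed
# rather than taken from the page: POCA 2002 s.335 counts the 7-working-day notice
# period from the first working day after the disclosure, and the 31-day moratorium
# from (and including) the day refusal is received. Bank holidays are caller input.
NOTICE_WORKING_DAYS = 7
MORATORIUM_DAYS = 31


def is_working_day(d: date, bank_holidays=frozenset()) -> bool:
    """Monday to Friday, excluding any bank holidays supplied by the caller."""
    return d.weekday() < 5 and d not in bank_holidays


def notice_period_end(disclosure: date, bank_holidays=frozenset()) -> date:
    """Last day of the notice period. If the NCA has not refused by the end of
    this day, consent is deemed given and the firm may proceed."""
    d = disclosure
    counted = 0
    while counted < NOTICE_WORKING_DAYS:
        d += timedelta(days=1)
        if is_working_day(d, bank_holidays):
            counted += 1
    return d


def moratorium_end(refusal_received: date) -> date:
    """Last day of the moratorium; the day the refusal is received is day 1."""
    return refusal_received + timedelta(days=MORATORIUM_DAYS - 1)


def daml_timeline(disclosure: date, refusal_received=None, bank_holidays=frozenset()) -> dict:
    """Dates a case handler needs to diarise for one DAML request."""
    timeline = {
        "disclosed": disclosure,
        "deemed_consent_after": notice_period_end(disclosure, bank_holidays),
    }
    if refusal_received is not None:
        if refusal_received > timeline["deemed_consent_after"]:
            raise ValueError("refusal received after the notice period; consent was already deemed")
        timeline["moratorium_ends"] = moratorium_end(refusal_received)
    return timeline


def daml_timeline_iso(disclosure_iso: str, refusal_iso=None, bank_holidays_iso=()) -> dict:
    """Same calculation over ISO-8601 strings, for case-management systems."""
    holidays = frozenset(date.fromisoformat(h) for h in bank_holidays_iso)
    refusal = date.fromisoformat(refusal_iso) if refusal_iso else None
    result = daml_timeline(date.fromisoformat(disclosure_iso), refusal, holidays)
    return {k: v.isoformat() for k, v in result.items()}


if __name__ == "__main__":
    # Constructed case: disclosure on Monday 4 March 2024, with a constructed
    # (not real) bank holiday on Friday 8 March, and a refusal received on 14 March.
    print(daml_timeline_iso("2024-03-04", bank_holidays_iso=("2024-03-08",)))
    print(daml_timeline_iso("2024-03-04", "2024-03-14", bank_holidays_iso=("2024-03-08",)))
```

The bank-holiday set is deliberately an input: a firm's diary logic should pull the published England and Wales (or Scotland, or Northern Ireland) holiday list rather than hard-code it, and the ValueError branch stops a handler recording a moratorium that cannot legally exist because consent was already deemed.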


What evidence do regulators expect?

FCA supervisors conducting a financial crime visit or thematic review look for documentation that shows controls are real and operational, not just policy statements. We've seen firms fail examinations with entirely adequate controls in place, simply because they couldn't produce the paper trail.

The audit-day checklist:

  • Written policies and procedures: Current, version-controlled, and approved by a named senior manager. A policy last reviewed in 2020 with no refresh since raises immediate questions about whether it reflects current risks.
  • Documented firm-wide risk assessment: Including product risk, customer segment risk, geographic risk, and channel risk. Gaps in coverage get flagged immediately.
  • MLRO appointment record: Name, start date, qualifications. The MLRO must be senior enough to escalate concerns to board level and access customer files and transaction data without obstruction.
  • Training completion records: By employee, by role, by date, with the content covered. The FCA has cited firms for having no records of what training was delivered, even when training actually happened.
  • Transaction monitoring system configuration: Alert rule parameters, threshold settings, and back-testing results showing the rules fire appropriately. Examiners ask about the false-positive rate. A rate above 90% suggests the rules aren't calibrated to the firm's customer base. See also AML transaction monitoring rules tuning for practical benchmarks.
  • SAR internal reports and external disclosures: Volume of internal SARs raised, the number that converted to NCA disclosures, average time from suspicion identification to filing. Slow filing is treated as a control failure, not an administrative issue.
  • Customer file samples: CDD documentation for a risk-stratified sample of customers. Examiners pull files and check for source of wealth verification, source of funds documentation, and EDD sign-off on high-risk accounts.
  • Board-level MI: Evidence that financial crime data reaches the board, not just the compliance function. Minutes, dashboard reports, and escalation logs all count.
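
The "transaction monitoring against expected activity profiles" point from the requirements list and the "rule parameters, back-testing, false-positive rate" point from the checklist above, as an added example. This is not FluxForce's code and not a rule set the FCA prescribes: the two rules, their parameters, the customers, transactions and analyst dispositions are all constructed for illustration, and the 90% recalibration trigger is the page's own rule of thumb.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Added example, not FluxForce's code and not an FCA-specified rule set. Two
# constructed alert rules with explicit, evidenceable parameters are run over
# constructed transactions and then back-tested against constructed analyst
# dispositions to produce the per-rule false-positive rate an examiner asks for.


@dataclass(frozen=True)
class Txn:
    customer: str
    day: date
    amount: float  # GBP
    cash: bool


@dataclass(frozen=True)
class Profile:
    expected_monthly_turnover: float  # stated at onboarding
    expects_cash: bool                # e.g. a cash-intensive retailer


# Tunable rule parameters (constructed values). Keeping them in one place is
# what lets a firm show a supervisor what the rules are and when they changed.
RULE_PARAMS = {"turnover_multiple": 3.0, "unexpected_cash_threshold": 10_000.0}
FP_RECALIBRATE_ABOVE = 0.9  # the page's rule of thumb for a badly calibrated rule


def run_rules(txns, profiles, params=RULE_PARAMS):
    """Return alerts as (rule_id, customer, (year, month), triggering value)."""
    alerts = []
    monthly = defaultdict(float)
    for t in txns:
        period = (t.day.year, t.day.month)
        monthly[(t.customer, period)] += t.amount
        p = profiles[t.customer]
        # Rule 1: a large cash deposit from a customer whose profile says no cash.
        if t.cash and not p.expects_cash and t.amount >= params["unexpected_cash_threshold"]:
            alerts.append(("CASH_UNEXPECTED", t.customer, period, t.amount))
    # Rule 2: monthly turnover far above the turnover stated at onboarding.
    for (cust, period), total in monthly.items():
        expected = profiles[cust].expected_monthly_turnover
        if total > params["turnover_multiple"] * expected:
            alerts.append(("TURNOVER_VS_PROFILE", cust, period, total))
    return alerts


def back_test(alerts, dispositions):
    """Per-rule false-positive rate over alerts that analysts have closed.

    dispositions maps (rule_id, customer, period) to 'closed_not_suspicious' or
    'escalated'. Alerts with no disposition are still open and are not counted."""
    reviewed, false_pos = defaultdict(int), defaultdict(int)
    for rule, cust, period, _ in alerts:
        outcome = dispositions.get((rule, cust, period))
        if outcome is None:
            continue
        reviewed[rule] += 1
        if outcome == "closed_not_suspicious":
            false_pos[rule] += 1
    return {
        rule: {
            "reviewed": reviewed[rule],
            "false_positive_rate": false_pos[rule] / reviewed[rule],
            "recalibrate": false_pos[rule] / reviewed[rule] > FP_RECALIBRATE_ABOVE,
        }
        for rule in reviewed
    }


# Constructed sample data: four customers, one month of activity.
PROFILES = {
    "C1": Profile(5_000.0, expects_cash=False),
    "C2": Profile(50_000.0, expects_cash=True),   # cash-intensive retailer
    "C3": Profile(2_000.0, expects_cash=False),
    "C4": Profile(1_000.0, expects_cash=False),
}
TXNS = [
    Txn("C1", date(2024, 3, 2), 2_000.0, cash=False),
    Txn("C1", date(2024, 3, 10), 12_000.0, cash=True),   # fires CASH_UNEXPECTED
    Txn("C1", date(2024, 3, 20), 4_000.0, cash=False),   # month total 18,000 > 3 x 5,000
    Txn("C2", date(2024, 3, 5), 20_000.0, cash=True),    # cash expected, no alert
    Txn("C2", date(2024, 3, 15), 15_000.0, cash=False),
    Txn("C3", date(2024, 3, 3), 7_000.0, cash=False),    # 7,000 > 3 x 2,000
    Txn("C4", date(2024, 3, 7), 3_500.0, cash=False),    # 3,500 > 3 x 1,000
    Txn("C4", date(2024, 4, 2), 900.0, cash=False),
]
# Constructed analyst outcomes: every turnover alert was explained by a changed
# business, so that rule is producing only noise and needs retuning.
DISPOSITIONS = {
    ("CASH_UNEXPECTED", "C1", (2024, 3)): "escalated",
    ("TURNOVER_VS_PROFILE", "C1", (2024, 3)): "closed_not_suspicious",
    ("TURNOVER_VS_PROFILE", "C3", (2024, 3)): "closed_not_suspicious",
    ("TURNOVER_VS_PROFILE", "C4", (2024, 3)): "closed_not_suspicious",
}

if __name__ == "__main__":
    found = run_rules(TXNS, PROFILES)
    for a in found:
        print(a)
    print(back_test(found, DISPOSITIONS))
```

A turnover rule closing as "not suspicious" three times out of three is also a signal about the customer data, not just the rule: if a customer's activity repeatedly exceeds the turnover stated at onboarding and analysts keep finding a legitimate explanation, the fix is to refresh that customer's profile and risk rating, which is exactly the static-onboarding failure described later on this page.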

Common failure modes

Most FCA enforcement actions involving SYSC 6.3 share the same root causes. The technology isn't usually the problem. The gaps are in process discipline and accountability.

  • Stale customer risk ratings: Firms assign risk ratings at onboarding and never update them. A customer who starts as low-risk but begins conducting activity inconsistent with their stated profile doesn't trigger a review. This static, onboarding-only approach to risk rating recurs throughout the FCA's financial crime enforcement notices.

  • Transaction monitoring that doesn't monitor: Alert rules deployed at implementation and never tuned. In the FCA's 2021 criminal prosecution of NatWest, the bank failed to monitor high volumes of cash deposits from Fowler Oldfield, a Bradford gold dealer. The monitoring system existed. It just didn't catch around £365 million of deposits, about £264 million of it in cash, between November 2012 and June 2016.

  • MLRO without authority: An MLRO appointed on paper but lacking the seniority to escalate to the board, access to transaction data, or resources to investigate alerts. The FCA's FCG notes that the MLRO must have authority within the firm's governance structure, not just a title.

  • Training without records: Annual AML training delivered but not logged. One firm cited in FCA feedback had run consistent annual sessions for three years but couldn't produce completion records for any of them. The training was adequate; the record-keeping wasn't.

  • SAR quality failures: Filing reports with insufficient detail for the NCA to act on, or not filing at all. The NCA's SAR guidance and annual reporting repeatedly flag missing account numbers, vague grounds for suspicion, and incomplete subject details as the most common quality issues in submissions. Quality matters as much as volume.


Penalties for non-compliance

The FCA uses its powers under FSMA to impose financial penalties and public censure for SYSC 6.3 failures. There's no fixed scale. The FCA calculates penalties under its Decision Procedure and Penalties Manual (DEPP 6), which considers the seriousness of the breach, whether it was deliberate or negligent, the firm's financial resources, and any aggravating or mitigating factors.

Named enforcement actions give a realistic picture of the exposure:

  • NatWest (2021): The FCA's first criminal prosecution of a bank, brought under the Money Laundering Regulations 2007. NatWest pleaded guilty to three offences and was fined £264.8 million. The customer, Fowler Oldfield, deposited around £365 million between 2012 and 2016, about £264 million of it in cash, without adequate monitoring. FCA press release, December 2021.

  • Santander UK (2022): Fined £107.7 million for sustained AML failures between 2012 and 2017. The bank's transaction monitoring system excluded entire customer segments, and its business banking onboarding controls were inadequate for high-risk clients. FCA final notice, December 2022.

  • Deutsche Bank (2017): Fined £163 million for financial crime control failings, including AML failures that allowed around $10 billion of suspicious trading, of which about $6 billion were "mirror trades", to move between Moscow, London, and New York without adequate scrutiny. FCA final notice, January 2017.

Beyond fines, the FCA can restrict or withdraw a firm's authorisation, require a skilled person review under Section 166 of FSMA at the firm's own cost, and mandate board-level attestations on control remediation. Senior managers with SMF17 responsibility can face personal regulatory action for individual failures under SM&CR.


Related regulations and frameworks

SYSC 6.3 doesn't operate in isolation. It connects to a stack of overlapping UK and international obligations.

UK Money Laundering Regulations 2017: The primary domestic AML legislation, implementing the EU's 4th Anti-Money Laundering Directive and amended several times since, including in 2019 and 2022. SYSC 6.3 sits alongside the MLR 2017: the Regulations impose specific obligations on CDD, record-keeping (minimum five years), and risk assessment that a firm's SYSC 6.3 systems and controls must cover. The UK MLR 2017 dossier covers those obligations in detail.

FATF Recommendations: The risk-based approach in FATF Recommendation 1 underpins the FCA's proportionality principle for SYSC 6.3. FATF Recommendation 10 on customer due diligence and Recommendation 20 on suspicious transaction reporting map directly to SYSC 6.3's CDD and SAR obligations. The UK's FATF mutual evaluation, published in December 2018, was broadly positive but identified weaknesses in supervision and in the SAR regime that subsequently informed FCA supervisory priorities.

Proceeds of Crime Act 2002 and Terrorism Act 2000: These create the criminal offences, including money laundering, tipping off, and failure to disclose, that SYSC 6.3 controls are designed to prevent. Firms with inadequate SYSC 6.3 controls face both FCA regulatory action and potential criminal liability under POCA. The two regimes operate in parallel.

FCA Senior Managers and Certification Regime (SM&CR): SYSC 6.3.8R's requirement for named senior management accountability connects directly to SM&CR. The MLRO role is SMF17 in firms that are required to have one. Failures that breach SYSC 6.3 can result in personal accountability for the SMF17 holder under the Conduct Rules.

EU framework (post-Brexit context): UK firms with EU operations must also track the EU's Sixth Anti-Money Laundering Directive and the forthcoming EU AMLR. The UK regime has diverged from the EU since Brexit, but substance remains largely aligned at the FATF level.


How FluxForce supports SYSC 6.3 compliance

FluxForce's AI agents automate the transaction monitoring, alert triage, and CDD workflows that SYSC 6.3 demands. Nova Sentinel handles real-time transaction screening, cutting false-positive rates so analysts focus on genuine risk rather than noise. Aiden Flux supports customer risk scoring and EDD documentation, with complete decision audit trails for every case reviewed. All actions are logged with evidence attached, giving compliance teams the documentation the FCA expects on examination day. Request a demo to see how FluxForce maps to your SYSC 6.3 obligations.
