Internal Audit Flagged It. The Board Ignored It. The FCA Fined It.
Why It Matters
The findings expose a critical governance failure that can trigger hefty fines, personal liability for senior managers, and long‑term cost of capital impacts, making robust internal audit essential for UK financial firms.
Key Takeaways
- FCA levied $1.30 bn in fines for control failures 2021‑2025.
- Over half of fined firms ignored internal audit warnings.
- At least 13 fined firms operated without an internal audit function.
- Provision 29 forces boards to certify material controls from Jan 1 2026.
- Unremediated weaknesses can trigger personal liability under SMCR.
Pulse Analysis
The FCA has now imposed more than £1.02 billion in penalties—about $1.30 billion—on UK‑based financial firms for internal‑control breakdowns between 2021 and 2025, according to the Chartered Institute of Internal Auditors’ new report *Internal Control Failure!*. The bulk of the enforcement actions stem from basic AML, fraud‑prevention and data‑governance lapses that were flagged by internal audit teams long before regulators intervened. The data underscores a systemic “remediation gap”: deficiencies are recorded, yet the corrective work stalls, leaving firms exposed to escalating supervisory scrutiny.
The timing coincides with the rollout of Provision 29 in the UK Corporate Governance Code, which obliges boards to sign off on the effectiveness of material controls for periods starting 1 January 2026. This shift transforms internal‑control statements from boilerplate disclosures into legally binding attestations, exposing senior executives to personal liability under the Senior Managers and Certification Regime if weaknesses are concealed. Moreover, the IIA found that at least 13 of the fined institutions operated without a dedicated internal audit function, a red flag for board culture and risk oversight.
Beyond the headline fines, firms face costly Section 166 reviews, diverted management time, and a reputational premium that can raise the cost of capital. The FCA’s move toward “assertive supervision” signals that a mere promise of remediation is no longer sufficient; regulators now demand demonstrable, sustainable fixes. Companies should therefore embed continuous monitoring, empower audit committees with enforcement authority, and allocate resources to close identified gaps promptly. Proactive remediation not only averts future penalties but also restores stakeholder confidence in an increasingly compliance‑driven market.