Chartered IIA flags £1B+ FCA fines
- Chartered IIA said its new review of FCA enforcement notices found internal-control failings behind 52 of 97 fines issued in 2021-2025.
- Those 52 cases carried penalties above £1bn, with anti-money-laundering, fraud and wider financial-crime weaknesses driving much of the total.
- The point is broader than banking: control breakdowns become expensive fast when growth, complexity and weak follow-through outrun oversight.

Internal controls sound boring. But they are where expensive failures usually start. That is the point of a new Chartered Institute of Internal Auditors review, which pulled together FCA enforcement notices from 2021 through 2025 and found that more than half of the regulator’s fines referenced weak, missing, or badly executed controls. The bill attached to those cases topped £1bn. (charterediia.org)

### What actually changed?

The news is the report itself. Chartered IIA published *Internal Control Failure!* in late April 2026 and framed it as a warning to boards, audit committees, and executives across UK financial services. The group is not saying every FCA case is identical. It is saying the pattern is now too obvious to ignore — (charterediia.org)iled down already. (charterediia.org)

### What does “internal control failure” mean here?

Basically, not getting the basics right. The report says 52 of 97 FCA fines from 2021-2025 directly referenced internal-control failures. That includes weak anti-money-laundering checks, poor fraud defenses, weak escalation, patchy monitoring, and failures to act after risks were alread(charterediia.org)s knowing where the risk sat, then not closing the gap. (charterediia.org)

### Why is AML all over this?

Because AML is where weak controls become visible fast. The FCA has been especially aggressive on financial-crime systems and controls, and one recent example was its £44m fine for Nationwide over financial-crime control failings. The regulator also said that, since 2021, it had imposed 13 bank fines totalin(charterediia.org)oming from abstract governance theory — it is tied to concrete compliance breakdowns the FCA keeps seeing again and again. (fca.org.uk)

### Why do these failures keep happening?

Turns out the recurring problem is not always that firms lack policies. It is that controls do not keep pace with growth, product complexity, customer volume, or system changes. A firm expands quickly, adds new workflows, leans on manual workarounds, or fragments ownership across firs(fca.org.uk)ollow-through — internal audit can flag a weakness, but if management and the board do not fix it, the regulator eventually notices too. (accountancyage.com)

### Is this really about audit?

Partly, but not only. Internal audit sits at the back end of the problem — testing, challenging, escalating. The front end is management discipline. If controls are badly designed, under-owned, or tolerated as temporary patches for years, audit cannot rescue the firm on its own. The re(accountancyage.com)astructure. (charterediia.org)

### Why should non-financial firms care?

Because the mechanism travels well. The FCA is a financial regulator, but the lesson is universal: weak reconciliations, unclear approvals, poor segregation of duties, stale master data, and ignored exceptions all become real money eventually. In a factory, that may show up as misstated inventory, (charterediia.org)breach. Different label — same failure mode. This is an inference from the control patterns the report highlights. (charterediia.org)

### So what is the bottom line?

The £1bn figure matters because it turns “control weakness” from audit jargon into a price tag. Chartered IIA’s message is simple: most of the damage did not come from exotic risks. It came from ordinary controls that were weak, absent, or left unfixed for too long. That is why this story lands — the expensive part was not the surprise, but the neglect. (charterediia.org)