.svg "MCO-Color-logo")
UK anti-money laundering compliance is moving into a more targeted and risk-based phase. The core framework remains the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, but firms now need to respond to three things at once: updated national risk signals, clearer supervisory expectations, and ongoing reform of the regulations themselves.
For compliance teams, the practical question is no longer whether change is coming; it is whether they are ready for it. It is how quickly firms can update their risk assessments, due diligence logic, training, governance, and controls so they remain aligned with the UK’s direction of travel on AML, CTF, and proliferation financing.
The UK Money Laundering Regulations are the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. They require firms in the regulated sector to assess risk, carry out customer due diligence, apply enhanced due diligence where required, maintain policies and controls, appoint key AML roles, train relevant staff, and keep records. They also include obligations for ongoing monitoring and for reporting suspicious activity.
These regulations are not static. They have already been amended several times, including by subsequent statutory instruments, and HM Treasury continues to refine them to improve effectiveness and reduce unnecessary compliance burden by applying controls in a more proportionate manner. The reform agenda aims to improve both effectiveness and competitiveness. HM Treasury’s 2024 consultation on making the Money Laundering Regulations more effective ran from 11 March to 9 June 2024. The government response, published on 1 July 2025, confirmed planned changes in several areas. These changes include enhanced due diligence for complex transactions, high-risk third countries, pooled client accounts, and due diligence triggers for certain non-financial firms.
That means firms should not view UK AML reform as a single event. It is a rolling program of change that affects how firms assess risk, when they apply enhanced due diligence, and how they align internal controls with the law as it evolves. Draft legislation published in 2025 and 2026 shows that some of these refinements are still moving through the legislative process.
Pro Tip- Do not wait for every amendment to be fully in force before reviewing your framework. Start by mapping likely regulatory changes to your risk assessment, due diligence triggers, and policy documents.
HM Treasury and the Home Office published the 2025 National Risk Assessment of Money Laundering and Terrorist Financing on 17 July 2025. It states that the UK remains at high risk of money laundering due to its role as a global financial center and as an open economy. The assessment also highlights increased risks associated with new technologies, including cryptoassets and artificial intelligence, and points to the growing overlap among money laundering, sanctions evasion, and kleptocracy-related activity.
The NRA highlights sector-specific exposure, identifying higher risks in banking, money service businesses, electronic payments, and trust and company service providers. Supervisors expect firms to use the NRA directly when shaping risk assessments and controls—it is not just background reading.
One of the clearest reform themes is a more proportionate use of enhanced due diligence. In its July 2025 response, HM Treasury said it intended to amend the rules on complex transactions so that enhanced due diligence applies only where a transaction is unusually complex. The latter policy note and draft statutory materials sharpen this further by clarifying that the threshold applies to transactions that are unusually complex or unusually large relative to what is typical for the sector or the nature of the transaction.
This change pushes firms to use defensible judgment instead of broad, formulaic controls. Strong risk management remains essential, but controls must target genuinely higher-risk activity as specified by the new legal direction.
Pro Tip- A risk-based approach is only as strong as the rationale behind it. If you narrow enhanced due diligence triggers, make sure your teams can explain why the remaining triggers capture the higher-risk activity that matters most.
Several UK bodies play different roles in AML. The FCA supervises AML controls for a wide range of financial services firms. This includes banks and registered cryptoasset businesses. It also houses OPBAS, which oversees professional body AML supervision. The FCA’s financial crime pages and strategy materials show that fighting crime remains one of its priorities through 2030. HMRC supervises AML compliance for the sectors it is responsible for. These include money service businesses and other businesses under the MLR framework. HM Treasury’s annual AML/CTF supervision reports continue to describe HMRC as one of the main statutory supervisors under the Regulations.
The National Crime Agency leads investigations into serious economic crime and manages the Suspicious Activity Reports regime. In July 2025, the NCA and FCA released nine economic crime priorities for the UK.
OPBAS supervises professional bodies, while the Gambling Commission and other sector supervisors play specific roles. HM Treasury’s reports highlight the multi-supervisor UK AML structure.
The FCA updated its Financial Crime Guide in late 2024, adding guidance on sanctions controls, transaction monitoring, cryptoasset businesses, proliferation financing risk, and governance. The policy statement clarifies that the FCA expects effective implementation and monitoring of transaction systems and sanctions screening that is fit for purpose.
The FCA’s broader strategy for 2025 to 2030 also says the regulator will focus on fighting crime and supporting firms to be an effective line of defense. That should be read as a sign of sustained pressure on AML, sanctions, fraud, and broader financial crime controls rather than a short-term supervisory theme.
Risk assessment remains the backbone of UK AML compliance.
Regulation 18 requires firms to identify and assess the risks of money laundering and terrorist financing to which their business is subject, taking account of factors including customers, countries or geographic areas, products or services, transactions, and delivery channels. Regulation 18A requires firms to identify and assess the risk of proliferation financing.
Risk assessments must be kept current. The Regulations require updates, and FCA guidance stresses the need for review when business models, delivery methods, or risk conditions change. The 2025 NRA is a strong trigger for updating.
Pro Tip- When you refresh a firm-wide risk assessment, document what changed and why. Regulators often learn more from the update trail than from the final risk rating alone.
Even as the rules evolve, the main control obligations remain familiar.
Regulation 21 requires certain firms to appoint an individual at the board or senior management level as the officer responsible for compliance with the Regulations. Firms also commonly appoint a nominated officer or MLRO to handle internal reporting and SAR-related responsibilities.
Regulation 24 requires firms to ensure that employees and agents know the relevant money laundering, terrorist financing, and proliferation financing laws, and to provide regular training to recognize related activities.
Regulation 40 requires firms to retain customer due diligence documents and transaction records for five years after the business ends, as set out in the Regulations.
The MLRs require firms to set and maintain policies, controls, and procedures to manage money laundering and terrorist financing risks identified in risk assessments. These should fit the business model and current obligations.
This page should clearly explain AML, CTF, and proliferation financing. Firms must address all three as compliance expectations grow.
AML refers to anti-money laundering controls designed to prevent criminals from disguising illicit funds as legitimate funds. CTF refers to counter-terrorist financing controls aimed at detecting and preventing the movement of funds used to support terrorism. Proliferation financing concerns funds or financial services used to support the proliferation of weapons of mass destruction. UK rules now explicitly require firms to assess proliferation financing risk as part of their broader compliance framework.
Many UK firms now manage customers, payments, intermediaries, and ownership structures across multiple jurisdictions. That raises practical issues around high-risk third countries, sanctions overlaps, cross-border payment flows, differing source-of-funds expectations, and data-sharing constraints. HM Treasury’s recent work on MLR reform includes further attention to high-risk third countries and due diligence design, while the 2025 NRA highlights the importance of trade, payments, and international exposure in UK risk.
For compliance teams, this means UK AML programs cannot be designed as purely domestic control frameworks. Even firms with a UK base often need governance, screening, and monitoring models that reflect international risk.
Pro Tip- Cross-border AML issues usually surface first during onboarding and payment activities, but they often stem from weak legal-entity mapping, inconsistent customer data, or poor visibility into ownership.
UK AML reform is moving toward sharper risk targeting, better supervisory coordination, and clearer expectations around governance and monitoring. But the basics still matter most: a sound risk assessment, defensible due diligence, strong training, clear accountability, and records that show the framework is working in practice.
For firms planning for 2025 and beyond, the best response is not to wait for one final regulatory endpoint. It is to build an AML framework that can absorb change without becoming fragmented or overly manual. That is what will matter most as UK reforms continue to develop.
The UK Money Laundering Regulations are the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. They set requirements for risk assessment, customer due diligence, enhanced due diligence, training, recordkeeping, and internal AML controls for firms in scope.
UK AML regulations apply to firms and professionals that fall within the regulated sector under the Money Laundering Regulations, including many financial services firms, money service businesses, cryptoasset firms, and certain professional and corporate service providers. The exact scope depends on the activities carried out.
A risk-based approach means firms assess where their money laundering, terrorist financing, and proliferation financing risks are highest and then apply controls that are proportionate to those risks. In the UK, this includes firm-wide risk assessments and more targeted due diligence and monitoring based on customer, geographic, product, transaction, and delivery-channel risk.
The FCA supervises AML controls for a wide range of financial services firms and registered cryptoasset businesses in the UK. It sets supervisory expectations, updates guidance such as the Financial Crime Guide, and can take enforcement action where firms fail to maintain effective AML systems and controls.
Under the UK framework, firms should consider customer risk, geographic exposure, products and services, transactions, and delivery channels. They must also assess proliferation financing risk and keep the assessment up to date as business activity and external risks change.
The reform agenda in 2025 included HM Treasury’s response to its consultation on improving the effectiveness of the Money Laundering Regulations, along with the publication of the 2025 National Risk Assessment. One of the key themes was making parts of due diligence more targeted and risk-based, including proposed changes to how firms approach unusually complex transactions.
The 2025 National Risk Assessment is HM Treasury’s updated assessment of money laundering and terrorist financing risk in the UK. It matters because it highlights where the UK sees the highest current risks, including risks linked to banking, payments, cryptoassets, sanctions evasion, and new technologies, and it helps shape what supervisors expect firms to address in their own frameworks.
Firms should review and update AML risk assessments and related policies regularly, and whenever there are material changes to their business, products, delivery models, jurisdictions, or regulatory obligations. The Regulations require these assessments and controls to be kept up to date rather than left static.
