Improving the effectiveness of the UK Money Laundering Regulations – what do the proposed amendments mean for fintech firms?

The response proposes changes to the MLRs that aim to clarify, streamline and modernise the UK’s financial crime regulatory framework. On 2 September 2025, HM Treasury published a draft statutory instrument (the Draft SI) and policy note setting out the proposed legislative changes.¹ In areas where HM Treasury has not proposed legislative changes, it will instead work with supervisors to issue guidance.

HMRC and the Financial Conduct Authority (FCA) oversee supervision and enforcement for financial crime control in the UK and will require firms to comply with these changes. In the last couple of years, financial crime controls and compliance with anti-money laundering (AML) requirements have become a particular area of focus for regulators in this area, and they have taken significant enforcement action. Firms should therefore be aware of the key updates outlined in this blog post.

Making CDD more proportionate and effective

Supervisors and industry bodies will develop guidance to clarify when and how firms should be applying customer due diligence (CDD):

• When a business relationship is established: One trigger for CDD is at the establishment of a business relationship.² This has proved difficult to identify in practice, and so supervisors and industry bodies will review sector-specific guidance to determine whether further detail or practical case studies are needed to clarify when a business relationship is established.
• Source of funds checks: Currently, firms must conduct source of funds checks as part of ongoing monitoring “where necessary”,³ which has led to inconsistent compliance, and in many cases, over compliance due to lack of clarity. Supervisors and industry bodies will produce revised guidance to specify that source of funds checks are necessary only when transactions appear “inconsistent” with a customer’s profile.
• Third parties acting on behalf of another: Firms are required to conduct CDD on third parties who are acting on behalf of a customer.⁴ Some firms have interpreted this requirement as applying to employees when they are acting in the course of their employment (e.g. a company’s Head of Treasury authorised to instruct bank transfers for the company). HM Treasury will ask supervisors and other sector-specific guidance authors to confirm that firms need not perform CDD on employees authorised to act in such capacity; HM Treasury’s view is that they are acting as their employer, not on their employer’s behalf.
• Digital identity verification for MLR due diligence: Whilst digital identification and verification (ID&V) is a familiar process for all fintech customers, there has recently been appetite for enhanced use of digital ID products (offered by the likes of OneID and Yoti) for performance of CDD. However, current guidance does not address the parameters for use of digital IDs in identity checks. To address this and help to promote the uptake of digital identity solutions, HM Treasury will release joint guidance with the Department for Science, Innovation and Technology and introduce a new statutory framework for digital identity standards and accreditation under the Data (Use and Access) Act 2025.
• CDD carve-out for migrating customers of insolvent banks: HM Treasury will introduce a new CDD carve-out in the MLRs to allow banks to onboard customers from insolvent banks more quickly.⁵ This follows an investigation by the Bank of England,⁶ which identified that the requirement for banks to verify new customers could create a backlog in an insolvency context if the demand exceeds market capacity, potentially causing serious economic impacts. Banks must notify the FCA when relying on this exemption and complete CDD on new customers transferring from the insolvent bank as soon as practicable.

Focussed changes to EDD

Currently, enhanced due diligence (EDD) must be performed in certain listed high-risk situations, including where there is a “higher risk of money laundering or terrorist financing”.⁷ The proposed changes to the MLRs and related guidance are intended to provide further clarity as to when EDD shall be triggered.

• Unusually complex transactions: EDD is required for “a complex or unusually large” transaction.⁸ There is significant ambiguity across sectors over what constitutes a “complex” transaction. The revised obligation is for firms to conduct EDD on transactions which are “unusually complex or unusually large in each case given the nature of the transaction”.⁹ Such transactions may, for example, involve several high-risk jurisdictions, the use of new technology or products that varies significantly from standard behaviour, or overly elaborate structures. Transactions that only have some unusual features, but which can be justified in the context of the customer’s known business or industry norms, may no longer require EDD. The threshold for “unusually large” transactions remains unchanged.
• High risk third countries: Firms must carry out EDD in any business relationship with a person established in a high-risk country.¹⁰ Currently, a high-risk country means a country named on the Financial Action Task Force’s (FATF) “Call for Action” list (which names countries whose AML/countering the financing of terrorism (CTF) regimes have serious strategic deficiencies), and its “Increased Monitoring” list (which names countries whose regimes have some deficiencies).¹¹ HM Treasury proposes to amend the MLRs so that EDD is only required for a person established in a “Call for Action” country, as opposed to an “Increased Monitoring” country.¹² Broader requirements to assess geographic risk will remain, allowing firms to focus on risks most relevant to the UK.
• Mandatory and recommended risk factors: HM Treasury will retain the current list of EDD risk factors in regulation 33 of the MLRs, but will work alongside supervisors and industry bodies to create guidance to help distinguish where these are mandatory and where they are merely recommended.

SDD and pooled client accounts

Existing Joint Money Laundering Steering Group (JMLSG) guidance states that where a firm considers that its customer (acting as provider of the pooled account) is not low risk for ML/TF purposes and is therefore not eligible for simplified due diligence (SDD), the firm must take reasonable measures to identify and verify the identity of those individuals holding funds in the pooled client account (PCA).¹³ This has posed a barrier to the provision of PCAs, since it places a high and often administratively complex burden on firms. New MLR provisions will allow firms to offer PCAs under wider circumstances, provided they assess the purpose and risk of the account and maintain information on underlying clients for disclosure if required.¹⁴ This is expected to improve access to PCAs while maintaining appropriate safeguards.

Registration, change in control and counterparty due diligence

Two further changes will be particularly helpful for crypto firms:

Alignment of the MLRs with FSMA

• Currently, UK crypto firms are required to register under the MLRs to conduct either exchange or custodial activity.¹⁵ With the UK shortly introducing a full-scale licensing regime for crypto firms under the Financial Services and Markets Act 2000 (FSMA), HM Treasury will align the MLRs with FSMA so that ultimately crypto firms will only be subject to a single licensing and supervisory regime, i.e. under FSMA.¹⁶
• HM Treasury will also align thresholds for change in control applications with FSMA to ensure fit and proper checks are being conducted in respect of any person exceeding prescribed thresholds (i.e. equal to or exceeding 10% of the shares / voting rights in the business).¹⁷ Currently, only natural persons and trusts acquiring control over an FCA-registered crypto business must notify the FCA that they intend to become a beneficial owner (i.e. that they intend to acquire holdings in excess of 25%).¹⁸

Alignment of the MLRs with FATF standards

• FATF requires crypto firms to conduct counterparty due diligence (CPDD) when transacting. CPDD involves carrying out due diligence on transactions between a customer and the customer’s counterparties, including identifying and assessing risks associated with parties involved in the transaction who are not the firm’s direct customer. HM Treasury proposes to amend the MLRs to align their requirements with FATF standards. In particular, changes will ensure consistency with FATF recommendations 13 (Correspondent Banking) and 15 (New Technologies), bringing requirements for crypto businesses in line with those for credit and financial institutions.¹⁹

Next steps

These reforms mark a step towards a more risk-based and effective money laundering regime in the UK.

Fintech firms may wish to:

• Provide technical feedback on the Draft SI, the deadline for which is 30 September 2025.
• Engage with supervisors and industry bodies on updates to guidance on CDD and EDD triggers.
• Consider reviewing and updating internal AML policies in light of the proposed changes.
• Review other recent changes to financial crime law, including revisions to the FCA’s Financial Crime Guide, government guidance concerning the failure to prevent fraud offence, and FATF’s targeted update and recommendations for virtual assets and virtual asset service providers.

 

For further information please see our webinar: Ahead of the curve — The modernizing of the UK financial crime framework.

 

1 The Money Laundering and Terrorist Financing (Amendment and Miscellaneous Provision) Regulations 2025.

2 Regulation 27(1)(a), MLRs.

3 Regulation 28(11)(a), MLRs.

4 Regulation 28(10), MLRs.

5 Regulations 16 to 18 of the Draft SI.

6 https://www.bankofengland.co.uk/statement/2021/improving-depositor-outcomes-in-bank-or-building-society-insolvency

7 Regulation 33(1)(g), MLRs.

8 Regulation 33(1)(f)(i), MLRs.

9 Regulations 10 and 18(a) of the Draft SI.

10 Regulation 33(1)(b), MLRs.

11 Regulation 33(3)(a), MLRs.

12 Regulations 18(b) and 22 of the Draft SI.

13 Part I Chapter 5, JMLSG Guidance.

14 Regulation 15 of the Draft SI.

15 Regulation 56, MLRs.

16 Regulation 37 of the Draft SI.

17 Regulation 37 of the Draft SI.

18 Part 12 of FSMA change in control regime, as modified by Regulation 60B and Schedule 6B to the MLRs.

19 Regulation 19 of the Draft SI.