UK anti-money laundering rules overhauled: what financial services firms must do now

The Money Laundering and Terrorist Financing (Amendment) Regulations 2026 (SI 2026/621) amends the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017.  The update implements the Government's response to the 2024 consultation "Improving the effectiveness of the Money Laundering Regulations", which followed the 2022 review of the UK's AML/counter terrorist financing (CTF) regulatory and supervisory regime.  These changes are intended to support the UK's wider work under the Economic Crime Plan 2023–26 and the forthcoming anti-money laundering and asset recovery strategy, and to ensure the UK's AML/CTF regime remains aligned with international standards set by Financial Action Task Force (FATF), ahead of FATF's next mutual evaluation of the UK starting in 2026.

Where a relevant person provides a customer with a new pooled account on or after the commencement date, it must take reasonable measures to understand the purpose of the account, be satisfied that the purpose is consistent with its knowledge of the customer and their risk profile, and assess and mitigate the money laundering and terrorist financing risks associated with the account. Customers holding pooled accounts must maintain accurate written records of all payments into and out of the account for five years.  Banks and financial institutions should review their onboarding processes and risk frameworks for pooled accounts immediately.

The threshold for applying enhanced due diligence has been tightened: firms must now apply EDD to transactions that are "unusually complex or unusually large in each case given the nature of the transaction", replacing the previous broader reference to transactions that are merely "complex or unusually large". This clarification is designed to align the regime with a more risk-based approach and reduce the scope for overly cautious interpretations. Firms should update their EDD policies and training to reflect the refined test.

The definition of "high-risk third country" is replaced with a new "FATF call for action country", defined as a country named on the FATF list of High-Risk Jurisdictions subject to a Call for Action as that list has effect from time to time. This narrows mandatory EDD for high-risk jurisdictions to the FATF "black list" only, reducing the scope of mandatory jurisdiction-based EDD for firms with counterparties linked to FATF "grey list" countries. Firms must review their jurisdiction risk matrices accordingly.

A credit institution may now permit an "insolvent bank customer" to open an account and transact from it before completing full customer due diligence measures. An "insolvent bank customer" means a customer that the credit institution is reasonably satisfied was a customer of an insolvent bank at the insolvency date, and with whom the credit institution begins to establish a business relationship within 30 days of that insolvency date. Banks should review their contingency planning and operational readiness for rapid mass-onboarding scenarios.

From 1 February 2027, cryptoasset exchange providers and custodian wallet providers entering correspondent relationships with third-country providers must gather sufficient information about the respondent, assess its AML/CTF controls, obtain senior management approval before establishing new relationships, and document the responsibilities of each party. Cryptoasset businesses must not enter into or continue a correspondent relationship with a shell bank. Affected firms should begin updating their systems and policies ahead of the February 2027 deadline.

Part 12 of FSMA (control over authorised persons) now applies, with modifications, to registered cryptoasset businesses included in the FCA register before 25 October 2027. This aligns change in control thresholds for MLR-registered cryptoasset businesses with FSMA thresholds. Cryptoasset businesses and their investors should review governance and ownership structures in light of the expanded notification obligations.

Where, at any time after an FCA-authorised person has provided information to the FCA under the MLRs, there is a material change affecting that information or it becomes apparent that the information contains an inaccuracy, the firm must provide the FCA with details of the change or a correction within 30 days of the occurrence of the change or the discovery of the inaccuracy. Firms should establish clear internal processes for monitoring and escalating reportable changes.

The Regulations replace various references to euros throughout the MLRs with references to sterling, converting on a 1:1 basis (for example, €10,000 becomes £10,000), except where to do so would risk failing to meet FATF recommendations. Notably, the £1,000 occasional transaction CDD trigger for cryptoasset transfers has been converted to £800. Firms must update their policies, systems and controls to reflect the new sterling thresholds throughout.

The sale of an "off-the-shelf firm" - defined as a firm that does not carry on business, or whose business is not the main activity of the trust or company service provider - is now expressly within scope of regulated TCSP activity and is to be treated as a business relationship, meaning CDD obligations apply. Relevant corporate service providers and financial institutions assisting with corporate structuring should review their compliance frameworks.

The duty to cooperate under the MLRs is extended to include the Registrar of Companies (Companies House), in addition to the Treasury and existing supervisory authorities. This is designed to improve how intelligence about economic crime is used and shared more effectively across the AML/CTF system.