AML/CFT Compliance in the United Kingdom: FCA, MLR 2017, and the 2026 Regulatory Landscape
The United Kingdom's AML/CFT regime is under intense scrutiny as the Financial Conduct Authority (FCA) ramps up enforcement actions. With fines exceeding £36.7 million in 2025 and a notable increase in 2026, the FCA is making it clear that AML/CFT compliance is a top priority. The regulatory landscape, shaped by the Money Laundering Regulations 2017 (MLR 2017) and the Proceeds of Crime Act 2002 (POCA), demands a proactive and risk-based approach from financial institutions.
Key Facts at a Glance
- Primary regulator
- FCA (Financial Conduct Authority)
- Primary AML law
- MLR 2017 (Money Laundering Regulations 2017)
- Predicate offences
- Section 1 POCA 2002 (Proceeds of Crime Act 2002)
- FIU
- NCA (National Crime Agency) Financial Intelligence Unit
- Sanctions enforcement
- OFSI (Office of Financial Sanctions Implementation)
- Industry guidance
- JMLSG (Joint Money Laundering Steering Group)
- Recent legislation
- Economic Crime and Corporate Transparency Act 2023
The Regulatory Landscape
The UK’s AML/CFT framework is built on the MLR 2017, which transposes EU directives and establishes obligations for a wide range of entities. The POCA 2002 provides the foundation for investigating and confiscating proceeds of crime, including money-laundering and terrorist-financing offences. The FCA, as the primary regulator, works closely with other agencies, such as the NCA and OFSI, to ensure a coordinated approach to AML/CFT.
The MLR 2017 requires financial institutions to implement a risk-based approach, conduct customer due diligence, and report suspicious activities. The regulations also mandate the maintenance of records and the implementation of internal controls. The FCA’s guidance, together with the JMLSG’s recommendations, provides further clarity on the requirements.
FCA’s Updated Guidance and Enforcement
The FCA has been actively enforcing AML/CFT regulations, with significant fines imposed in recent years. In 2025, the FCA imposed fines exceeding £36.7 million, with notable penalties including £1,107,306.92 on James Edward Staley. In 2026, the FCA has continued to enforce AML/CFT compliance, with fines totalling approximately £2,756,023, including £237,700 on Richard John Howson and £2,037,892 on Darren Anthony Reynolds.
These enforcement actions demonstrate the FCA’s commitment to ensuring that financial institutions have adequate AML/CFT systems and controls in place. The regulator’s focus on crypto-asset firms, debanking concerns, and financial-crime systems and controls highlights the evolving risks in the sector.
Customer Due Diligence and KYC
The MLR 2017 requires financial institutions to conduct customer due diligence, including verifying the identity of customers and assessing their risk profile. The regulations mandate a risk-based approach to KYC, with enhanced due diligence required for high-risk customers.
The FCA expects institutions to maintain accurate and up-to-date records of customer information, including beneficial-ownership and control structures. Ongoing monitoring and periodic review of relationships are also required.
Sanctions Screening
The UK’s sanctions regime is enforced by OFSI, which implements and enforces financial sanctions. Financial institutions must screen transactions and customers against UK, EU and UN sanctions lists.
The FCA expects firms to have documented systems to detect and report suspicious activities related to sanctions evasion, and to keep sanctions-screening policies under continuous review.
SAR/STR Reporting
Suspicious Activity Reports (SARs) must be filed with the NCA’s Financial Intelligence Unit using the SAR Online portal. The FCA expects firms to have adequate systems and controls to detect and report suspicious activities, and to retain accurate SAR records.
Under the MLR 2017, firms must file SARs promptly. The FCA stresses “without undue delay” - effectively a same-day or next-working-day standard - and expects detailed, accurate information to be supplied.
Risk-Based Approach
The MLR 2017 obliges firms to adopt a risk-based approach, beginning with a full risk assessment covering customers, products, services, and delivery channels. The FCA requires documented risk-assessment processes and evidence that controls are proportionate to identified risks.
Ongoing monitoring, periodic reassessment, and senior-management oversight are essential components of a compliant risk-based framework.
Crypto-Assets
The FCA has sharpened its focus on crypto-asset firms, treating them as “high-risk” under the MLR 2017. Firms must conduct enhanced due diligence, maintain documented transaction monitoring, and ensure that any crypto-related services are covered by a FCA-approved registration.
The regulator’s 2025-2026 enforcement priorities target crypto-asset firms that fail to implement adequate AML/CFT controls, especially where sanctions-evasion risk is present.
Recent Enforcement
| Date | Institution | Penalty | Basis |
|---|---|---|---|
| 2026 | Richard John Howson | £237,700 | AML/CFT compliance failures |
| 2026 | Darren Anthony Reynolds | £2,037,892 | AML/CFT compliance failures |
| 2025 | James Edward Staley | £1,107,306.92 | AML/CFT compliance failures |
These cases illustrate the FCA’s willingness to impose substantial penalties for systemic weaknesses, delayed SAR filing, and inadequate customer-due-diligence processes.
Practical Compliance Checklist
Minimum Documentation Set Under the MLR 2017
- Risk-assessment report and risk-based approach policy (Section 5 MLR 2017)
- AML/CFT policy and procedures manual (Section 6 MLR 2017)
- Customer due-diligence and KYC procedures (Section 11 MLR 2017)
- Sanctions-screening policy and procedures (Section 12 MLR 2017)
- SAR/STR filing procedures, including use of the NCA SAR Online portal (Section 13 MLR 2017)
- Training and awareness programme for staff (Section 6(2) MLR 2017)
- Record-keeping schedule (Section 15 MLR 2017)
- Governance framework - designated Money-Laundering Reporting Officer (MLRO) and senior-management oversight (Section 7 MLR 2017)
- Crypto-asset specific controls where applicable - wallet-address verification, blockchain analytics, and enhanced monitoring (FCA Crypto-Asset Guidance 2025)
- Outsourcing register and oversight procedures (Section 6(7) MLR 2017 and DORA where relevant)
Common Pitfalls
Three patterns dominate recent enforcement files. The first is insufficient AML/CFT systems and controls: firms that have not implemented documented, risk-based systems are hit with large fines.
The second is inadequate customer due-diligence: failure to verify identities, beneficial-ownership information, or to conduct ongoing monitoring leads to enforcement action.
The third is poor reporting of suspicious activities: delayed or incomplete SARs trigger penalties, as demonstrated in the 2025-2026 cases.
The UK’s AML/CFT regime will continue to evolve, with particular emphasis on crypto-asset regulation, sanctions-evasion risk, and the implementation of the Economic Crime and Corporate Transparency Act 2023. Firms should treat the next 12-18 months as a critical window to align policies, technology, and governance with the FCA’s heightened expectations.
How RegMantle Helps
RegMantle generates jurisdiction-specific AML/CFT documentation for UK institutions, citing the MLR 2017, POCA 2002, FCA guidance and the Economic Crime and Corporate Transparency Act 2023 directly in the text. Generated documents include an institution-wide risk-assessment, AML/CFT policy manual, KYC/CDD procedures aligned with FCA expectations, sanctions-screening policy referencing UK, EU and UN lists, SAR/STR procedures keyed to the NCA SAR Online portal, and a staff-training programme required under the MLR 2017. All outputs are exportable as branded DOCX files ready for board approval and FCA inspection.
Generate your UK AML documentation in minutes
Stop paying £15,000 to £50,000 for templated consultancy outputs. RegMantle produces audit-ready, MLR 2017-compliant documentation in under ten minutes.
Start Free →