The UK’s anti-money laundering framework is heading for one of its most important updates in years. The publication of the 2025 National Risk Assessment (NRA) and the government’s formal response to the Money Laundering Regulations (MLRs) consultation together mark a clear turning point in how AML is regulated and enforced.
This is not just a technical rewrite of the rules. It’s a strategic shift towards a smarter, more risk-based regime, one that expects compliance professionals to understand and address the specific threats their sector faces, rather than relying on blanket processes and box-ticking exercises. For those working in AML compliance, the coming months will be defined by preparation, adaptation, and a renewed focus on evidence-based decision-making.
A high-risk environment that isn’t going away
The latest NRA leaves no doubt: the UK remains at high risk of money laundering. The country’s status as a global financial hub, combined with an open economy, continues to attract illicit finance from across the world. Fraud, particularly cyber-enabled fraud, has overtaken drugs as the most significant source of criminal funds. Sanctions evasion linked to Russia has intensified, with criminals exploiting legal, corporate and real estate services to obscure beneficial ownership.
Technology sits at the centre of the evolving threat picture. Cryptoassets, AI, and instant payments are all being leveraged to move illicit funds faster and with greater anonymity. At the same time, regulators expect firms to harness those same tools to strengthen their detection and monitoring. The message is clear: technology is no longer optional in AML compliance; it’s a requirement.
The NRA also reinforces the importance of sector-specific vigilance. Challenger banks, cryptoasset providers, estate agents, trust and company service providers, and the legal profession remain in the spotlight. While the core risks have not changed since the last NRA in 2020, they have become more sophisticated, better resourced, and harder to detect.
The MLR reforms: flexibility with higher expectations
Alongside the NRA, the government’s consultation response sets out proposed amendments to the MLRs that are expected to be implemented later this year. The intention is to make the regime more proportionate and risk-based, but this does not mean a lighter touch. In many cases, the changes will demand greater professional judgment and more robust documentation.
Customer due diligence (CDD) is a prime example. Enhanced due diligence (EDD) will no longer be automatically triggered for all complex transactions but only where complexity is unusual or high risk. This could reduce unnecessary workload, but firms will now need to justify why a transaction did or did not trigger EDD, and those decisions will need to be defensible to a regulator.
There’s also a more targeted approach to high-risk jurisdictions. Mandatory EDD will be required only for FATF “call for action” countries, currently North Korea, Iran and Myanmar. For other jurisdictions, firms will need to make their own assessments based on the NRA and other intelligence, rather than relying on static lists. While this could theoretically make life easier, it could vastly increase risk exposure. Firms will need to ensure they are fully aware of country risk profiles.
Cryptoasset businesses face perhaps the most significant shift. They will be required to conduct counterparty due diligence similar to the obligations on correspondent banks, assessing the AML/CTF controls of the parties they transact with. With crypto now formally assessed as high risk in the NRA, this is a signal that regulators are moving the sector toward parity with traditional financial services.
There are also important clarifications that will affect a wide range of firms. New rules for pooled client accounts, updated thresholds in GBP, expanded scope for trust and company service providers, and official guidance on using digital ID verification tools will all change the way compliance teams operate day-to-day.
Enforcement is already setting the tone
The regulatory direction is not just theoretical; it is a serious threat. The Financial Conduct Authority’s £16.7 million fine against Metro Bank for years-long transaction monitoring failures and the Gambling Supervision Commission’s £3.9 million penalty against Celton Manx for systemic AML breaches send a blunt message: outdated systems, ignored red flags, and poor governance will not be tolerated.
In both cases, the failings were not about ignorance of the rules, but about culture and execution. Staff had spotted issues, but concerns were ignored or not escalated. Regulators are increasingly intolerant of firms that can’t demonstrate effective governance, timely remediation, and clear lines of accountability.
Preparing now for the new AML reality
Although the MLR amendments are not yet in force, supervisors may begin adjusting their expectations in line with the consultation response. Compliance teams that wait for formal implementation risk being caught unprepared. The changes offer opportunities to streamline processes, but only for those who can show a deep, documented understanding of their risks and controls.
The next phase of UK AML compliance will be defined by quality over quantity. It will be less about producing volumes of documentation and more about demonstrating that the right decisions were made for the right reasons.
Compliance checklist: Preparing for the 2025 AML changes
- Update your risk assessment
  - Incorporate the latest NRA typologies, including crypto-enabled laundering, AI misuse, and sanctions evasion.
  - Factor in sector-specific risks and geopolitical developments.
- Review CDD/EDD procedures
  - Build clear decision frameworks to justify when EDD is applied.
  - Ensure rationale is documented and supported by risk evidence.
- Integrate jurisdictional risk analysis
  - Move beyond static lists to a dynamic, intelligence-led approach.
  - Align with NRA findings on high-risk countries and sectors.
- Enhance governance and escalation routes
  - Establish clear lines of accountability to the board.
  - Strengthen whistleblowing and issue escalation processes.
- Invest in technology
  - Adopt or upgrade digital ID verification and analytics tools.
  - Ensure systems can detect anomalies in both fiat and crypto transactions.
- Strengthen training programmes
  - Tailor content to your firm’s risk profile and emerging threats.
  - Include real-world case studies and escalation protocols.
- Monitor for enforcement trends
  - Review recent FCA and sector regulator actions to identify common failings.
  - Test your systems against those enforcement scenarios.