6 Things You Must Know About the 2026 UK AML/CTF Draft Amendments
Compliance people who work in the UK don't usually read laws for fun in the morning. They read them because things are about to change. You should also think about The Money Laundering and Terrorist Financing (Amendment) Regulations 2026 in this way. The text on legislation.gov.uk is a draft law. The way it changes the 2017 Money Laundering Regulations and the daily expectations for customer due diligence, enhanced due diligence, internal controls, country risk, and cryptoasset oversight is what makes it so important. It also makes changes to the Terrorism Act 2000 and the Proceeds of Crime Act 2002 that are related. That means not just changing the law, but also the way things are done.
Let’s go over these important changes, divided into the sections below:
- Which UK Laws Are Changed by the 2026 Regulations?
- Changes to Customer Due Diligence and Enhanced Due Diligence
- Changes to Internal Controls, Policies, and Governance
- New Cryptoasset Compliance Obligations
- Changes to FATF-Based Country Risk and Trigger Events
- Related Amendments Affecting Enforcement and Supervisory Exposure
- What Compliance Teams Should Review Now
- Conclusion
1. Which UK Laws Are Changed by the 2026 Regulations?
The first thing to do is to get the structure right. This is not a brand new system for AML and CTF law that works by itself. The draft 2026 instrument's Regulation 2 says that Regulations 3 to 37 change the Money Laundering, Terrorist Financing, and Transfer of Funds (Information on the Payer) Regulations 2017. In other words, the 2017 framework is still important. The 2026 text makes some changes to it.
Part 3 of the draft instrument also makes changes to Schedule 3A of the Terrorism Act 2000 and Schedule 9 of the Proceeds of Crime Act 2002. The note that explains it makes the same point and adds that some of the changes have to do with enforcement under Part 9 of the 2017 rules. For instance, the "relevant requirements" framework now includes new rules 30ZA and 34A. That matters for business because once a requirement is part of that enforcement structure, companies are no longer dealing with a soft expectation or a nice to have control. They have a clear duty that they must fulfill.
There is also an important side to cryptoassets. The draft instrument replaces Schedule 6B with a new one that covers changes in the control of registered cryptoasset businesses. The note says that this is to make the Money Laundering Regulations work with the new rules for cryptoasset financial services that come into effect in 2026 under the Financial Services and Markets Act 2000 (Cryptoassets) Order. The 2026 instrument is officially changing the 2017 MLRs, but it's clear that it's doing so with a bigger set of rules in mind. Compliance teams need to find changes like this early on because the legal change might be in one document and the operational effect might be in another.
2. Changes to Customer Due Diligence and Enhanced Due Diligence
The most important question for most compliance professionals is simple: What is the difference between Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD)?
Some of the changes are in the numbers. Regulation 27 has been changed so that some euro limits are now sterling limits. The old limit of €1,000 in regulation 27(1)(b) is now £800, and the old limit of €15,000 in regulation 27(2) is now £12,000. This is one of the biggest changes. There are also pound equivalents for other thresholds, like £10,000 and £2,000. The same £800 threshold is used in some parts of the crypto transfer framework later in the instrument. This is more than just making money look different. Changes to the threshold change how onboarding, event based reviews, and rules that run on their own work. A control that is set to yesterday's euro values might not work well with a rule based on sterling for tomorrow.
But the most interesting changes are the ones that don't have numbers. Regulation 33 says that EDD must be used, but it doesn't use the term "high risk third country" in the same way anymore. Instead, the draft uses the term "FATF call for action country," which means a country on FATF's list of High Risk Jurisdictions that is currently subject to a Call for Action. Regulation 39 on reliance does the same thing. That makes the country trigger more specific and useful for a compliance team. It means that your country risk logic, EDD triggers, and third party reliance framework all need to match the FATF call for action list exactly. This is different from the older or more general "high risk third country" idea that was used in earlier versions of the rules.
There is one more change that doesn't seem like much on paper but makes a big difference in how things work. Regulations 19 and 33 change the old phrase "complex or unusually large" to "unusually complex or unusually large in each case given the nature of the transaction." This new wording is important because it tells reviewers to judge size and complexity based on the transaction itself, not on a general idea of what looks strange. This makes institutions pay more attention and tell better stories about each case in real life. A control that only uses the words "large" or "complex" to describe transactions in general may not work well with the new standard.
There is also a new requirement for pooled accounts. For customers with a pooled account, the changes add new paragraphs to regulation 29. Businesses need to do their best to find out what the pooled account is for and how the customer plans to use it. They also need to make sure that this is in line with what they know about the customer, their business, and their risk profile. They also need to think about the risk of money laundering and terrorist financing that comes with that use. They also need to show the supervisory authority that the actions they are taking are right. In the meantime, the customer must keep accurate records for five years and, if asked, give information about the beneficial owners and the people whose money is being held. Things really have changed. You can no longer treat pooled structures like regular account opening cases with a higher risk label if your institution works with them. The rules now say that use cases should be looked at in a more organized way and that there should be a clearer record trail.
3. Changes to Internal Controls, Policies, and Governance
Usually, compliance teams start by onboarding and keeping an eye on things. But the draft law’s effects on internal governance are significant.
Regulation 19, which is about policies, controls, and procedures, has been changed, as has Regulation 19A, which covers policies, controls and procedures in relation to proliferation financing. The phrase "unusually complex or unusually large in each case given the nature of the transaction" is used in both places. That means that companies shouldn't think of the change as just another piece of legal writing. Internal policy documents, monitoring rationales, procedural guides, and training materials that still use the old language are no longer in line with the new standard. In a mature compliance function, this kind of wording change should be recorded not only in a quiet legal note but also in a documentation update.
Regulation 23 also gives governance a new job. If an authorized person has already given information to the Financial Conduct Authority (FCA) under regulation 23, they must now tell the FCA within 30 days if there is a significant change that affects that information or if it later becomes clear that the original information was wrong. This is a good example of a change that might not seem like a big deal at first, but when you think about how it will affect how things work, it becomes clear that it is. It makes a system for getting notifications all the time. Companies now need to be more clear about who is responsible for spotting changes, making sure they are important, and bringing them up in time. If no one is in charge of that workflow, the 30 day clock becomes a problem very quickly.
Regulation 34A and other new references are also added to Schedule 6, which lists the "relevant requirements" for enforcement. That doesn't just make the rules clean again. It tells compliance teams which new tasks are most likely to be seen as core enforceable controls. That should change how the board writes reports, how assurance plans are made, and what comes first in second line testing.
4. New Cryptoasset Compliance Obligations
This is one of the most obvious changes to the previous law.
The changes add the words "cryptoasset business" to regulation 3, which is related to the meaning of regulation 64B. They also add a new rule, 34A, about EDD for cryptoasset exchange providers, custodian wallet providers, and correspondent relationships. Under the new rule, a cryptoasset exchange provider or custodian wallet provider acting as the "correspondent" and entering into a correspondent relationship with a similar provider from a third country must gather enough information about the respondent to understand its business, check its reputation and the quality of its supervision from reliable public sources, assess its controls to stop money laundering and terrorist financing, and get approval from senior management before setting up a new correspondent relationship. The note says that this is in line with FATF Recommendations 13 and 15.
This is a big change for crypto. The UK rulebook makes crypto correspondent relationships more like correspondent banking. That means that compliance teams at crypto companies will have to change the way they do things. For instance, onboarding questionnaires for third country counterparties will need to be more detailed, approval chains will need to be formalized, and senior management sign off can't be an afterthought. This is a reminder for traditional businesses that work with crypto companies that crypto rules are starting to look more like regular rules against money laundering and terrorism.
Timing is also important here. Regulation 20, which adds new Regulation 34A, will go into effect on February 1, 2027. On that day, the Schedule 6 amendment that talks about 34A will also go into effect. Changes to Schedule 6B for registered cryptoasset businesses will then be phased in over time, with different timing for different parts. The new control of registered cryptoasset business framework will go into effect on October 25, 2027. Right now, compliance teams should pay attention to that staggered schedule. It gives businesses time to get things done, but it also means that having just one "project go live" date might not be the best way to plan.
5. Changes to FATF-Based Country Risk and Trigger Events
If you only take one operational theme away from the changes made in 2026, it should be that the UK's framework is becoming more closely linked to FATF risk categories.
The best proof of this is that "high risk third country" has been changed to "FATF call for action country." This is important because the call for action list is the most detailed part of FATF's public country risk architecture. This is not the same as the general idea of a high risk country or FATF's bigger list of countries that need more attention. That means that lists of sanctions, bad press, and internal country risk ratings will still be important for compliance teams. But now the legal reason for mandatory EDD in this part of the regime is more specific to FATF. If your onboarding forms, country taxonomies, or monitoring rules still use the old category name, you'll need to change them.
The changes to crypto and the more specific language used for big and complicated transactions also follow the same FATF logic. The framework wants companies to think about controls that are based on risk, take the situation into account, and follow international standards. The changes don't change the spirit of it, but they do make it clearer how it works. Your workflows also need to change when the law changes. The language used in risk rules, playbooks, training, and management information should be the same as the language used in the law.
6. Related Amendments Affecting Enforcement and Supervisory Exposure
The changes to the Terrorism Act 2000 and the Proceeds of Crime Act 2002 are easy to miss, but they are important because they change what supervisors and police can do.
Part 3 of the draft instrument changes Schedule 3A of the Terrorism Act 2000 and Schedule 9 of the Proceeds of Crime Act 2002 so that they are in line with the new Money Laundering Regulations from 2017. It does this by changing the names of regulated sectors and hooks for supervisory authorities. The note that explains these changes says that they are all related to the new MLR framework, like the new Schedule 6 "relevant requirements" structure. This has less to do with giving frontline customers new tasks and more to do with keeping the enforcement perimeter clear. But for compliance teams, it's still important to have a consistent enforcement architecture. It changes how breaches are classified, how managers report their findings, and how businesses should think about assurance for new obligations that have been changed.
There is also a more limited but still important special case for bank customers who are bankrupt under the new rule 30ZA. Sometimes, a credit institution will let a bank customer who is in debt open and use an account before they finish all of the CDD steps. The credit institution must, however, first identify the customer and then finish the rest of the due diligence as soon as possible. If a regulation 33 trigger happens later, you can't do any more transactions until the CDD is done. Related changes to regulations 30 and 30A get rid of the usual time limits for verification and move back the deadlines for reporting discrepancies in those cases. This change is very helpful for businesses that might have customers who are moving out of bankruptcy. It's not a lowering of standards; it's a controlled exception. This means that all of the operations, onboarding, and financial crime teams need to know when and how to use the exception.
What Compliance Teams Should Review
You should be considering how to develop a plan of action by now.
A gap assessment against the new MLR rules is a good first step. Not a general "Are we following the rules?" exercise. A focused look at your current framework to see if it still has euro thresholds, old country risk terms, old transaction complexity wording, or crypto assumptions from before 2026.
After that, businesses should look at four things at once.
First, the CDD and EDD triggers. The new rules must work with the threshold values, pooled account onboarding, reliance frameworks, and the FATF's call for action country logic.
Second, the rules for notifications and governance. Regulation 23 says that someone needs to be in charge of FCA updates. That person needs a clock, a workflow, and a way to keep track of what they do.
Third, rules for cryptoassets. If your business is a cryptoasset exchange provider, a custodian wallet provider, or has correspondent style relationships with crypto firms in other countries, you should already have Regulation 34A in your implementation plan.
Fourth, training and monitoring narratives. Frontline analysts, onboarding reviewers, and second line teams need to know that some of these changes are more than just changes to the words. When the law says "unusually complex or unusually large in each case given the nature of the transaction," it changes how you explain an alert, how you justify EDD, and how you defend a decision later.
You shouldn't think of the UK's 2026 changes to money laundering and terrorist financing as a separate legal event. The instrument tells you how the 2017 MLR framework works now. It changes the thresholds. It changes the country trigger. It gives pooled accounts new duties. It creates a new EDD requirement for cryptoasset correspondent relationships. It requires updates to the FCA. It also keeps the enforcement structure in line by changing the Terrorism Act 2000 and the Proceeds of Crime Act 2002.
The most important thing to remember is that this is a workflow story for compliance teams. Companies that do well won't just file the legal memo and then forget about it. They will map the changes into onboarding, EDD, transaction review, governance, crypto controls, and supervisory reporting before those pressure points show up in an exam or an incident.
