The NRA underpins the UK’s risk-based approach to AML/CTF. As such, it informs policy development, regulatory priorities, and supervisory focus. Market conduct regulators and money laundering supervisors expect firms to respond to the evolving risk landscape, and (given the MLRs’ risk based approach) to reflect changing national risks in their own risk assessments.

The 2025 NRA’s descriptions of common money laundering typologies is useful.  Below, we have summarised the information in the NRA in a table of threat typologies that seem to us most relevant to the regulated financial services sector and shown how these have developed. 

The NRA emphasises that some of the greatest vulnerabilities come from cross-cutting enablers and emerging threats, including:

• an evolving risk from new technologies like artificial intelligence (AI) which has been implicated in synthetic bank account creation, synthetic identity creation or synthetic account activity; 
• increasing money-mule activity fuelled by AI-enabled selection and recruitment, using social media;
• abuse of the higher education sector, including layering as a technique to hide the proceeds of crime, and recruiting money mules from financially vulnerable student populations;
• exploitation of football clubs and agents e.g. providing loans or refinancing debt.

• Consider updating enterprise-wide risk assessments to reflect changed NRA assessments, particularly around high-risk and cross-cutting risks;
• Assess how typologies should inform development of procedures including transaction monitoring rules, onboarding procedures, and staff training; and 
• Prioritise AI-driven monitoring, blockchain analytics, and biometric verification to stay ahead, but recognise that technology-based solutions cannot form a total solution to the risks identified in the assessment.

AG regularly advises a wide range of businesses on AML compliance. If you would like to discuss any of these risks or mitigations with us further, please reach out to the authors.

The 2024 consultation covered four main themes:

• making customer due diligence more proportionate and effective, focusing efforts on high-risk activities;
• strengthening system coordination on economic crime;
• providing clarity on the scope of the MLRs; and
• reforming registration requirements for the Trust Registration Service.

The July 2025 consultation response and subsequent Policy Note responds to all of these.  

From a compliance perspective, we see the following changes in respect of customer due diligence (CDD) and enhanced due diligence (EDD) as the most critical (this is our selection rather than an exhaustive list).

Customer due diligence reforms 

In relation to customer DD for letting agents and art market participants, the government appears to have accepted that these non-financial firms may experience practical difficulty in applying the MLRs’ current requirements (particularly as to when the requirements are triggered) to their businesses models.  Therefore, minor changes to r 19A of the MLRs are planned to align the requirements with those of high value dealers.

In relation to due diligence on customers wishing to open and operate pooled client accounts (PCAs): for credit institutions and financial institutions, r 29 of the MLRs is to be amended to include new CDD requirements for PCA providers to take reasonable measures to understand the purpose of the PCA, gather sufficient information about the customer’s business, and conduct an overall assessment of the risk associated with the account. This amendment therefore fully breaks the previous statutory link between PCAs, simplified due diligence (SDD) and “low-risk” activities. In scope firms will therefore need to establish the purpose of the PCA, assess the ML/TF risk associated with the account and ensure information on underlying clients is available on request at the outset, albeit that many PCA providers will already have taken account of the very similar guidance in Annex V of the JMLSG Guidance which has been in place since mid-2020.

In relation bank insolvency situations, new r 30ZA of the MLRs will create an exception which allows credit institutions to verify the identity of customers from insolvent banks after account opening (where the insolvency is the reason for the checks not being possible prior to that), conditional upon D verification being completed as soon as practicable, and notify the FCA so that it can supervise. This does not extend to customers who are subject to EDD.

In relation to customer due diligence more generally, HM Treasury plans to work with AML supervisors and industry bodies to improve the guidance available as to what should be seen as ‘the establishment of a business relationship’.  We can expect more sector-specific guidance on e.g. when source of funds checks should be seen as ‘necessary’ under the MLRs.  In relation to digital ID, HM Treasury and the Department for Science, Innovation and Technology (DSIT) are to produce guidance on using digital identities for MLRs identity verification checks, which we believe will be significant in light of technological change.  

In relation to Enhanced Due Diligence (EDD), the current list of risk factors for EDD will remain, however the government intends to work with sectoral regulators to improve clarity in guidance around where EDD is mandatory, and where these factors instead act as a guide.  The government found that there were issues with the current requirement in the MLRs to carry out EDD on all “complex or unusually large” transactions, a phase which was leading to over-compliance, especially in sectors where complexity is routine (e.g. corporate property sales, tax transactions, M&A). Specifically, the term “complex” was seen as too broad and ambiguous, leading to inconsistent application across sectors. We can expect amendments to the MLRs to clarify that EDD is required only for “unusually complex” transactions, rather than all complex transactions. 

There will also be changes to enhanced due diligence (EDD) in relation to high-risk third countries. Current requirements to carry out mandatory EDD in relation to both: (i) FATF’s ‘increased monitoring list’ countries; and (ii) FATF’s ‘Call for Action’ countries was seen as not proportionate to the actual risk posed to the UK. HM Treasury intends therefore amend the MLRs to mandate that EDD is only required where the relevant transaction or customer relationship involves a customer or party established in a ‘Call for Action’ country, not an ‘Increased Monitoring List’ country. The ‘Call for Action’ list includes countries with serious strategic deficiencies, while the ‘Increased Monitoring List’ includes countries actively working to improve. Broader requirements around assessing geographic risk will, however, remain, including that regulated firms must consider both FATF lists when carrying out customer risk assessments.  Given the size of the financial services sector in some countries which have recently been under “increased monitoring” such as Malta and the Cayman Islands, this ability to undertake a more tailored, risk-based approach will be welcome in the UK (noting that the EU retains the approach of mandatory EDD for high-risk third countries as set out in Article 18 of Directive (EU) 2015/849 as amended).

Other planned changes arising out of the 2024 consultation include: 

• a number of technical measures to strengthen coordination of the system for AML supervision.  In particular, changes are to be made to the MLRs to enable the Financial Regulators Complaints Commissioner, the Registrar for Companies House and the Secretary of State responsible for Companies House to share information more easily with AML supervisors and other public bodies; 
• changing currency thresholds in the MLRs which are currently expressed in euros, to GBP;
• amending the MLRs to include the sale of off-the-shelf companies within the scope of regulated trust and company service activity;
• addressing dual registration requirements for cryptoasset service providers by amending the MLRs to align them with the equivalent Financial Services and Markets Act (FSMA) framework. The registration and change in control thresholds will also be amended, to ensure consistency; and
• expanding the scope of registration on the Trust Registration Service (TRS) to include all non-UK trusts that hold an interest in UK land and property acquired before 6 October 2020. Trusts will no longer need to register solely on the basis of Stamp Duty Reserve Tax (SDRT)  liability. The Government will also amend Schedule 3A of the MLRs to include an exemption from registration (for two years following the death of the settlor) for:
  
  • co-ownership property trusts and trusts created under s34 Trustee Act 1925 that have become registrable as a result of the death of a trustee; and
  • trusts created by deed of variation during the administration of a deceased persons’ estate.

The consultation closes on 30 September 2025 and the draft Statutory Instrument is expected to be laid before Parliament later this year. The proposed amendments aim to make the MLRs more proportionate, risk-focused, and responsive to evolving threats. Firms should begin preparing by considering how these reforms may impact their AML policies, procedures, and risk assessments.  Firms may also wish to engage with industry representative bodies, as in some areas revised industry guidance may prove to be of more practical significance than the planned changes to the MLRs.

If you need help responding to the consultation, interpreting the changes or updating your internal guidance, please get in touch with David Pygott.

Enforcement by OFSI

The volume and scope of designations in the UK, and the sanctions regimes under which they are made, have increased exponentially in the past five years. Yet, there have been very few reported enforcement actions in the UK. The latest public enforcement by OFSI illustrates some of the challenges. The breach took place in 2018 and was self-reported that same year. OFSI did not commence a civil investigation of this breach until June 2021. The investigation concluded with OFSI notifying the business of its intention to impose a fine on 1 August 2024 and thereafter there was a period of representations and review (the business having exercised its right to a ministerial review) before the decision was finalised in June and publicised in July 2025, some 7 years after the fact. At one level this might appear a slow and reactive response. The average OFSI investigation lasts around 27 months, and a relatively small percentage result in public disclosures or civil monetary penalties.  However, the decision also refers to the involvement of other third parties which appear to have been under separate investigation/consideration at the same time, leading to a slowing of the overall process. The breadth of the UK sanctions regimes, and the potential for multiple parties to be under investigation arising out of the same basic fact pattern, remains a challenge for the authorities.

OFSI has significantly increased its staff and resources dedicated to enforcement and investigations since the Russian invasion of Ukraine in 2022. This has led to a substantial increase in the number of suspected breaches reported and cases opened for investigation (396 cases were recorded and 242 closed in 2023-24, more than tripling the number of closed cases from the previous year, according to its Annual Review). However. the total value of monetary penalties imposed by OFSI has been significantly lower compared to the US Office of Foreign Assets Control (OFAC). Since 15 June 2022, OFSI has published the details of financial sanctions violations. According to its data, between February 2020 and August 2025, OFSI have imposed a total of approximately £1,266,393.45 in monetary penalties across nine enforcements involving breaches of the Russia (Sanctions)(EU Exit) Regulations 2019, or the Ukraine (European Union Financial Sanctions) (No.2) Regulations 2014 or the Ukraine (European Union Financial Sanctions) (No.3) Regulations 2014 and EU Council Regulation 833/2014. In contrast, the seven (known) HMRC compound settlements relating to Russia trade controls now exceeds £2.5m and this figure is likely to increase before the year end. The Financial Conduct Authority (FCA), meanwhile, has fined one bank £28.9 million for financial crime failings related to its financial sanctions controls and screening and has, most recently, fined another bank a total of £42 million for separate instances of failings in its financial crime risk management (including sanctions screening). 

Deliberate sanctions circumvention has also increased. Bad actors are deploying sophisticated techniques including front companies, deceptive shipping practices, the deliberate falsification of end-uses for goods and the use of professional and non-professional enablers to evade sanctions. Legitimate businesses, meanwhile, are at risk of being seen by enforcement as “low-hanging fruit”. The vast majority (225) of cases identified in 2023-24 were related to the financial services sector, where there is significant data available e.g. frozen asset reports. However, regulators know that focussing resources on punishing those who attempt to do the right thing diverts enforcement efforts away from detecting and preventing the most nefarious activities. In the context of sanctions, this can fundamentally undermine the policy objectives. Those with the most to lose have the most to gain by circumventing sanctions. As a reaction, OFSI is moving towards a more proactive, intelligence-led enforcement model to identify breaches, according to its latest Annual Review. This suggests a shift in focus towards uncovering wrong-doing rather than focussing on those who have self-reported compliance failures as key enforcement targets. 

OFSI’s consultation runs to 13 October 2025. It has put forward a suite of reforms to its civil enforcement processes that, if implemented, could significantly alter the way financial sanctions breaches are investigated, assessed, and penalised in the UK. This includes:

At the heart of the proposed changes is a new case assessment matrix, which combines severity of breach and conduct to reach an overall OFSI case assessment. That initial assessment feeds through into approach to enforcement as well as expected penalty. The changes are technical but all tend to make it more likely that cases will be assessed by OFSI at the upper levels of seriousness as well as promising greater predictability for those advising on breaches, as to what the likely outcome will be in financial terms.

By recalibrating penalty discounts, OFSI hopes to better reflect the value of cooperation by reducing the maximum discount for voluntary disclosure from 50% in serious cases, to 30% for all cases, and combining this with a new voluntary disclosure and co-operation discount framework. This would mean that the maximum discount is only available in those cases where there has been prompt and complete self-reporting, a complete account of the circumstances (which may require a thorough internal investigation, which raises challenges around timely reporting) and full cooperation with the subsequent external investigation. In practice, early reporting with a commitment to share the results of any investigation undertaken is likely to be the base expectation. 

A discretionary scheme, modelled on frameworks used by the FCA and PRA, to allow quicker resolution of cases by offering a 20% penalty discount for those who settle during a 30-business-day negotiation period. This is aimed at shortening investigation timelines, delivering faster compliance signals to the market and reducing uncertainty for firms under investigation. Importantly, the scheme would not be available in cases involving intentional breaches or poor conduct.

In conjunction with a settlement scheme, OFSI is proposing a discretionary Early Account Scheme (EAS), which would unlock a larger settlement discount of up to 40%, reflecting the value of early and complete cooperation. To benefit, firms would need to provide a comprehensive factual account of suspected breaches early in the investigation. The challenge with such a scheme in practice is likely to include that it would only work for cases that are not factually complex, less serious in nature or where other regulators are unlikely to be involved.

OFSI proposes publishing indicative penalties (£5,000 or £10,000) for minor breaches to streamline enforcement and is also consulting on whether to introduce statutory fixed penalties for certain offences, providing greater legal certainty but less flexibility. This change acknowledges that not all breaches warrant the same level of scrutiny, and that a fixed penalty approach may be appropriate from a policy perspective, even where in practice it reduces the penalty from what would be payable on a case-by-case assessment. 

OFSI proposes increasing the statutory maximum penalty from £1 million to £2 million and raising the percentage of breach value used to calculate penalties from 50% to 100%. OFSI is also consulting on alternative penalty frameworks, such as basing penalties on turnover or setting maximum penalties per breach rather than per case. The impact of this change is suggested to be an increase in the deterrent effect of civil enforcement and bringing the UK in line with international peers, but in practice will clearly lead to overall higher penalties being imposed, if all the current proposed changes are put into practice.

The proposed "enhancements" promise more efficient resolution of cases, reduction in the burden on both OFSI and investigation targets as well as better transparency. Overall, these changes clearly increase the risk and impact of enforcement of UK sanctions on the civil basis and are likely to lead to a wave of civil enforcement once these changes are worked through.. There's clearly a drive to early self-reporting and incentives to business not to "trample on the scene" which we've seen across all UK enforcement agencies in the last few years.  How this will play out in the context of complex, fact driven enforcement actions involving multiple financial services parties, remains to be seen.

To start a conversation about navigating OFSI’s evolving enforcement landscape and preparing for what’s next in UK sanctions compliance, please contact Harriet Territt.