Regulatory Framework
The United Kingdom has one of the most mature anti-money laundering frameworks in the world, driven by the City of London, the world's leading financial centre, and by a regulatory framework in constant evolution. Since Brexit, the UK has charted its own regulatory path while maintaining standards aligned with FATF recommendations. The framework rests primarily on the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), substantially amended by the MLR 2022, which introduced new requirements for crypto-assets and trust services.
The criminal law foundation comprises the Proceeds of Crime Act 2002 (POCA) and the Terrorism Act 2000, which define money laundering and terrorist financing offences and reporting obligations. The Sanctions and Anti-Money Laundering Act 2018 (SAMLA) provided the post-Brexit framework for developing autonomous AML regulations.
The Financial Conduct Authority (FCA) is the primary regulator for financial services firms. It supervises MLR compliance by banks, investment firms, payment institutions, electronic money issuers, and registered crypto-asset firms. The FCA has extensive investigative, supervisory, and sanctioning powers. The Prudential Regulation Authority (PRA), a subsidiary of the Bank of England, provides prudential supervision of major banks and insurers.
The National Crime Agency (NCA) houses the UK Financial Intelligence Unit (UKFIU), which receives Suspicious Activity Reports (SARs) and Defence Against Money Laundering (DAML) requests. HMRC supervises AML obligations for non-financial sectors (estate agents, high-value dealers). The Solicitors Regulation Authority (SRA) and the Bar Standards Board supervise legal professions.
Who Must Comply
The MLR 2017 define entities falling within scope (relevant persons):
- Credit institutions: banks, building societies, branches of foreign institutions
- Financial institutions: investment firms, life insurers, fund managers
- Electronic money institutions and payment institutions: fintechs, payment providers
- Crypto-asset exchange providers and custodian wallet providers: registered with the FCA since 2020
- Auditors, external accountants, and tax advisers: accountants, auditors, tax consultants
- Independent legal professionals: solicitors, barristers, conveyancers, notaries
- Trust or company service providers (TCSPs): trust and company service providers
- Estate agents: for residential and commercial property transactions
- High value dealers: dealers accepting cash payments of EUR 10,000 or more
- Casinos: land-based and online gaming establishments
- Art market participants: art dealers for transactions of EUR 10,000 or more
The UK is notable for a particularly strict registration regime for crypto-asset firms, with a rejection rate exceeding 80% in the first years of the regime.
Customer Due Diligence Requirements
Standard Due Diligence (CDD)
Customer Due Diligence obligations are defined in Regulations 27 to 38 of the MLR 2017:
Customer identification: for natural persons, identification data includes full name, date of birth, residential address, and where applicable a unique identifier (National Insurance Number). Verification relies on official documents or reliable electronic data sources. Accepted documents include the UK passport, driving licence, Biometric Residence Permit (BRP), and EEA/EU identity cards.
Identity verification: the MLR recognise two approaches: document-based verification and electronic verification. The FCA has published detailed guidance on acceptable verification methods, including the use of data providers (credit reference agencies, electronic ID verification services). Video identification is accepted under conditions.
Beneficial owner identification: any natural person who directly or indirectly holds more than 25% of shares, voting rights, or effective control. Verification is carried out via the Companies House register (which includes PSC, Persons with Significant Control) for UK companies and through appropriate documentation for foreign entities. The Register of Overseas Entities (ROE), created by the Economic Crime (Transparency and Enforcement) Act 2022, requires foreign entities owning UK property to declare their beneficial owners.
Understanding the business relationship: assessment of risk profile, activity, source of funds, and wealth sources.
Ongoing monitoring: transaction monitoring and information updating throughout the relationship.
Enhanced Due Diligence (EDD)
Enhanced Due Diligence applies in the following situations:
- Politically Exposed Persons (PEPs): the UK definition covers domestic, foreign, and international PEPs. However, the FCA has clarified that domestic PEPs generally present lower risk than foreign PEPs, encouraging a proportionate approach (Finalised Guidance FG17/6).
- High-risk third countries: countries identified by the UK government via statutory instruments (post-Brexit, the UK maintains its own list, distinct from the EU list).
- Complex or unusual transactions: transactions whose nature, size, or modalities are unusual.
- Correspondent banking: correspondent relationships with third-country institutions.
- New products, technologies, or delivery channels: innovations presenting specific AML risks.
Required Documents
For natural persons:
- Valid UK or foreign passport
- UK or EU/EEA driving licence (photocard)
- Biometric Residence Permit (BRP) for non-British residents
- Proof of address: bank statement, utility bill less than 3 months old, council tax bill
- National Insurance Number (where applicable)
For legal persons:
- Certificate of incorporation from Companies House
- Up-to-date articles of association and memorandum of association
- Recent confirmation statement (formerly annual return)
- PSC (Persons with Significant Control) extract from Companies House
- Identity documents of directors and persons with significant control
- Where applicable, certificate of good standing
For trusts:
- Trust deed
- Identification of settlors, trustees, protectors, and beneficiaries
- Registration with HMRC's Trust Registration Service (TRS) (mandatory since 2022 for all UK trusts)
Retention period: 5 years after the end of the business relationship or the occasional transaction.
Reporting Obligations
Suspicious Activity Reports (SARs): the MLR require obligated entities to submit a SAR to the NCA/UKFIU when they know or suspect that a person is engaged in money laundering or terrorist financing. SARs must be submitted via the NCA's SAR Online portal.
Defence Against Money Laundering (DAML): when an obligated entity has a suspicion but wishes to proceed with a transaction, it may submit a DAML request to the NCA. The NCA has 7 working days to refuse consent (notice period), extendable by a moratorium period of 31 calendar days during which a restraining order may be obtained.
Tipping off: informing a person that a SAR has been filed, or that investigations are underway, constitutes a criminal offence under sections 333A and 342 of POCA, punishable by 5 years' imprisonment.
Threshold reports: there is no automatic cash transaction threshold report in the UK (unlike some other jurisdictions). Reporting is based solely on suspicion (suspicion-based regime).
In 2024, the UKFIU received more than 900,000 SARs, a volume in constant growth, reflecting sector awareness and strengthened detection systems.
Penalties for Non-Compliance
Regulatory sanctions (FCA):
- Public censure
- Financial penalties: no legal cap on FCA fines; it uses a proportionate calculation framework based on relevant revenue and severity of breach
- Variation or cancellation of activity permissions
- Prohibition orders: prohibition from performing functions in financial services
- Restitution orders: disgorgement of unlawfully obtained profits
Notable examples: the FCA has imposed significant fines. NatWest was fined GBP 264.8 million in 2021 for systemic failures in AML controls, the first FCA criminal prosecution under the MLR.
Criminal sanctions:
- Money laundering (sections 327-329 of POCA) is punishable by 14 years' imprisonment and/or an unlimited fine
- Failure to report (section 330 POCA) is punishable by 5 years' imprisonment
- Tipping off is punishable by 5 years' imprisonment
- Terrorist financing (section 17 Terrorism Act 2000) is punishable by 14 years' imprisonment
Corporate Criminal Offence: the Economic Crime and Corporate Transparency Act 2023 introduced a new "failure to prevent fraud" offence for large organisations, further strengthening corporate responsibility.
How CheckFile Helps
The UK's KYC framework, one of the most demanding in the world, requires high-quality document verification, reinforced by the FCA's increasing expectations regarding systems and controls. CheckFile offers an AI-powered document verification solution perfectly suited to the UK market.
The platform verifies the authenticity of UK identity documents (biometric passport, photocard driving licence, BRP) and more than 6,000 international document types, analysing physical and digital security features. The AI performs automatic cross-validation with Companies House data (PSC register) and the Trust Registration Service, facilitating beneficial owner verification and complex structure checks.
To meet the FCA's requirements for AML systems and controls, CheckFile generates a complete audit trail including timestamps, check details, risk scoring, and alert reasons. The solution integrates via API with UK banking platforms and onboarding systems. Processing complies with the UK GDPR (Data Protection Act 2018) with data hosted in the UK or EU according to client preference.
FAQ
What documents are required for KYC in the United Kingdom?
For natural persons, a valid passport, photocard driving licence, or Biometric Residence Permit is accepted, supplemented by proof of address less than 3 months old. For legal persons, the certificate of incorporation, articles of association, PSC extract from Companies House, and directors' identity documents are required. Retention is 5 years after the end of the business relationship.
What are the penalties for KYC non-compliance in the United Kingdom?
FCA fines have no legal cap: NatWest paid GBP 264.8 million. Money laundering is punishable by 14 years' imprisonment and an unlimited fine. Tipping off and failure to report carry 5 years' imprisonment. The Economic Crime Act 2023 added a "failure to prevent fraud" offence for large organisations.
How often must KYC checks be updated in the United Kingdom?
The FCA expects a risk-based approach. High-risk customers (PEPs, high-risk third countries, complex structures) should be reviewed annually, standard-risk customers every 3 years, and low-risk customers every 5 years. The FCA systematically checks remediation programmes during thematic inspections and expects firms to demonstrate effective ongoing monitoring.