
KYC for Payment Service Providers: PSP Compliance Guide 2026

Complete guide to KYC/AML compliance for payment service providers under PSD3, MLR 2017, and AMLD6: CDD requirements, EDD triggers, SAR reporting, and FCA enforcement.

CheckFile Team

Payment service providers (PSPs) operating in the UK must comply with Know Your Customer (KYC) and anti-money laundering (AML) obligations under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) and the Payment Services Regulations 2017 (PSRs 2017), both enforced by the Financial Conduct Authority (FCA). The FCA issued over £1.07 billion in AML-related fines across 27 enforcement cases between 2015 and 2025, with challenger banks and fintechs increasingly prominent in that list. In 2026, PSPs must simultaneously maintain current FCA compliance and begin preparing for the EU AMLD6 framework (Directive (EU) 2024/1640, transposition deadline 10 July 2027) and the provisional PSD3/PSR agreement reached in April 2026.

This article is provided for informational purposes only and does not constitute legal, financial, or regulatory advice. Consult a qualified professional for your specific situation.

Which PSPs Are Subject to KYC Obligations in the UK?

The MLR 2017 defines "relevant persons" subject to AML/KYC obligations. For PSPs, this covers:

| PSP Category | Examples | UK Regulator |
| --- | --- | --- |
| Credit institutions | Banks, building societies | PRA + FCA |
| Payment institutions (PIs) | Fintech payment firms, processors | FCA |
| Electronic money institutions (EMIs) | Digital wallets, prepaid card issuers | FCA |
| Cryptoasset businesses | Exchanges, custodians (registered under MLR 2017) | FCA |
| Bureaux de change | Currency exchange services | HMRC |

Under Regulation 27 of the MLR 2017, Customer Due Diligence (CDD) must be applied before establishing a business relationship, and when carrying out an occasional transaction of €15,000 or above (or its sterling equivalent). For PSPs with ongoing customer relationships, ongoing monitoring is required throughout the relationship regardless of transaction size.

The PSRs 2017 define eight categories of payment service activity that require FCA authorisation or registration. PSPs operating in the UK without proper authorisation face criminal penalties under both the PSRs 2017 and the Financial Services and Markets Act 2000 (FSMA).

The Regulatory Framework: MLR 2017, PSRs 2017, and EU Developments

Money Laundering Regulations 2017 (MLR 2017)

The MLR 2017 impose CDD, enhanced due diligence (EDD), ongoing monitoring, and suspicious activity reporting obligations on PSPs. Regulation 18 requires PSPs to carry out a written risk assessment of their AML/CTF exposure. Regulation 19 mandates AML policies, controls, and procedures approved by senior management.

Transfer of Funds (Information on the Payer) Regulations 2017

Implementing EU Regulation 2015/847 in UK law, these regulations require PSPs to collect and transmit payer and payee information on electronic fund transfers. Where a transfer exceeds £1,000, full identifying information must accompany the transaction.

Source: UK Transfer of Funds Regulations, legislation.gov.uk

Regulation (EU) 2023/1113 on Information Accompanying Transfers of Funds

Applicable from 26 December 2024, this EU regulation (which the UK has not retained post-Brexit but which affects UK PSPs operating in the EU) requires accompanying payer and payee information on all electronic fund transfers regardless of currency and amount. PSPs offering instant payment services must filter their customer databases immediately after any modification to EU or national sanctions lists, and at a minimum daily.

Source: Regulation (EU) 2023/1113 on EUR-Lex

AMLD6 (Directive (EU) 2024/1640) and AMLR (Regulation (EU) 2024/1624)

These EU texts, with a transposition deadline of 10 July 2027, directly affect UK PSPs with EU operations. They extend the AML perimeter to additional crypto-asset service providers, harmonise CDD thresholds across Member States, and establish the EU Anti-Money Laundering Authority (AMLA), operational since early 2026.

Source: Directive (EU) 2024/1640 on EUR-Lex

For a full overview of the AMLD6 compliance requirements, see our AMLD6 compliance guide for obliged entities.

CDD Requirements for PSPs: What the FCA Expects

Standard Customer Due Diligence

Under Regulation 28 of the MLR 2017, PSPs must identify and verify the identity of their customers before establishing a business relationship. For individual customers, this means collecting and verifying:

  • Full name, date of birth, and residential address
  • A government-issued photo ID (passport, UK driving licence, or national identity card)
  • For non-EEA nationals: biometric residence permit or equivalent

For legal entities (companies, partnerships, trusts), CDD extends to verifying:

  • Legal name, registered number, and registered address
  • Nature of business and ownership structure
  • Identity of beneficial owners: individuals who ultimately own or control more than 25% of shares or voting rights, or who otherwise exercise control
  • Verification against Companies House records and the Register of Overseas Entities where applicable

The FCA's 2026 supervisory focus has shifted from checking whether controls exist to assessing whether they work. Firms are expected to demonstrate control effectiveness through robust testing, internal audit trails, and documented risk assessments.

Enhanced Due Diligence: When and How

EDD is mandatory under Regulation 33 of the MLR 2017 in higher-risk situations, including:

  • Politically Exposed Persons (PEPs): senior political figures, government ministers, members of supreme courts, senior executives of state-owned enterprises, and their close family members and known close associates
  • High-risk third countries: customers with connections to FATF-blacklisted or grey-listed jurisdictions (FATF High-Risk Jurisdictions list)
  • Complex or unusual transactions: high-value, cross-border, or opaque transactions with no clear legitimate purpose
  • Non-face-to-face business relationships: customers onboarded entirely remotely

EDD measures must include obtaining additional information on the customer's source of wealth and source of funds, and obtaining senior management approval before establishing or continuing the business relationship with a PEP.

For a comprehensive guide to EDD procedures, see our enhanced due diligence compliance guide.

Ongoing Monitoring: Continuous Vigilance Obligations

PSPs must continuously monitor their business relationships under Regulation 28(11) of the MLR 2017:

| Monitoring Measure | Minimum Frequency | Trigger Events |
| --- | --- | --- |
| Transaction monitoring | Continuous | Anomalies, pattern changes, unusual amounts |
| KYC record refresh | Based on risk profile | ID expiry, change of circumstances |
| Sanctions list screening | Daily (minimum) | Updates to OFAC, UN, EU, HMRC lists |
| PEP status review | Continuous | Elections, appointments, resignations |
| Suspicious Activity Reports (SARs) | As required | Any suspicion of ML/TF activity |

The risk-based approach requires PSPs to define review intervals by risk tier: annually for high-risk customers (including PEPs and FATF high-risk country nationals), every two years for medium-risk, and every five years for low-risk. These internal benchmarks must be documented in the firm's AML policy.


Key Thresholds for PSPs

| Transaction Type | Simplified Due Diligence | Standard CDD | Enhanced Due Diligence |
| --- | --- | --- | --- |
| Electronic funds transfer (one-off) | < £1,000 (name + account only) | ≥ £1,000 (full CDD) | High-risk profile applies |
| Currency exchange | < £1,000 | ≥ £1,000 | FATF high-risk country |
| Prepaid card (non-reloadable) | ≤ £150 max stored value | > £150 or reloadable | PEP or suspicious profile |
| Cryptocurrency exchange | No simplified DD applies | All transactions | Source of funds required |

Suspicious Activity Reporting to the NCA

PSPs have a legal obligation to submit Suspicious Activity Reports (SARs) to the National Crime Agency (NCA) under the Proceeds of Crime Act 2002 (POCA) and the Terrorism Act 2000. A SAR must be submitted when a PSP knows, suspects, or has reasonable grounds to suspect that a person is engaged in money laundering or terrorist financing.

SARs are submitted via the NCA's UKFIU Online system. Key obligations include:

  • Submitting a SAR before processing a suspected transaction where possible (a "consent request")
  • Maintaining strict confidentiality: "tipping off" the customer is a criminal offence under Section 333A POCA
  • Retaining all records and evidence supporting the SAR for five years
  • Appointing a nominated officer (typically the Money Laundering Reporting Officer, MLRO) responsible for SAR submissions

Source: NCA SARs reporting guidance

FCA Enforcement: What Non-Compliance Costs PSPs

The FCA's enforcement powers for AML failings include:

  • Financial penalties: no statutory cap; the FCA determines the penalty based on the seriousness of the breach and the firm's financial resources. Recent fines have ranged from hundreds of thousands to hundreds of millions of pounds
  • Public censure: published final notices on the FCA's website affecting the firm's commercial reputation
  • Suspension or restriction of permissions: limiting specific regulated activities
  • Cancellation of authorisation: withdrawing the PSP's ability to operate

Between 2015 and 2025, the FCA issued £1.07 billion in AML-related fines across 27 enforcement cases (source: FCA enforcement statistics 2025). The most common failings cited include inadequate transaction monitoring systems, failure to conduct adequate CDD at onboarding, and insufficient senior management oversight of AML programmes.

Automating KYC Compliance for PSPs

PSPs processing high volumes of customer onboarding cannot rely on manual verification. CheckFile provides a document verification API that integrates directly into onboarding workflows:

  • Verification of over 3,200 document types across 32 jurisdictions, including UK and EU passports, driving licences, and residence permits
  • Automated extraction of biographical data with cross-field consistency checks
  • Detection of altered, AI-generated, or metadata-compromised documents
  • Compliant retention of verification evidence for five years, accessible for FCA audit
  • Direct integration with risk management, CRM, and core banking systems

To enhance your risk-based approach to AML customer segmentation, CheckFile automatically assigns risk indicators to each verified document. See our pricing guide for API access options.

For an overview of the full document compliance framework, see the document compliance guide.

Frequently Asked Questions

Must PSPs verify the identity of all customers?

Yes, but the intensity varies. Simplified due diligence applies to low-risk products (e.g. non-reloadable prepaid cards under £150). Standard CDD applies to most customers. Enhanced due diligence is mandatory for PEPs, customers with links to FATF high-risk countries, and transactions with no clear economic rationale.

When must a PSP refresh its customer KYC records?

Records must be refreshed when material changes occur (change of address, new business activity) and at periodic intervals set by internal risk policy. The FCA expects: annual reviews for high-risk customers and PEPs, two-yearly for medium-risk, and five-yearly for low-risk customers.

Are challenger banks and fintechs subject to the same KYC rules as traditional banks?

Yes. Authorised payment institutions and electronic money institutions have the same AML/CDD obligations as banks for the services they provide. The scope of obligations varies only with the nature of the licensed services, not with the firm's technology model or size.

What does PSD3 mean for PSP KYC requirements?

PSD3 and the Payment Services Regulation primarily strengthen governance, IBAN/name verification for SEPA transfers, and fraud liability. The most significant KYC changes will come from AMLD6 and the AMLR, with transposition due 10 July 2027.

What information must accompany a fund transfer under the 2023 EU Transfers Regulation?

For transfers over £1,000, PSPs must transmit: full payer name, payer account number, payer address, payer identification document details, and payer date of birth. For transfers under £1,000, only the name and account number are required, unless the PSP suspects money laundering or terrorist financing.
