KYC Requirements in the UK 2026: MLR 2017, FCA Rules and ECCTA Explained
- 01 What Are the KYC Requirements Under MLR 2017?
- 02 How FCA KYC Rules Tighten the Obligation in 2026?
- 03 What ECCTA 2023 Adds: Director IDV and Failure to Prevent Fraud?
- 04 Perpetual KYC: Why Ongoing Monitoring Is Now Non-Negotiable
- 05 The UK DVS Trust Framework: What It Means for Digital Identity
- 06 How Shufti Supports UK KYC Compliance?
TL;DR
- Fraud exceeds 43% of all crime in England and Wales; FCA fines for AML/KYC failures hit a record £124 million in 2025
- MLR 2017 requires risk-based CDD, EDD for high-risk customers, and ongoing sanctions/PEP screening; static one-time checks are non-compliant
- FCA rules demand documented risk decisions, senior management accountability, and audit-trail evidence; controls must be proportionate and tested, not box-ticking
- ECCTA 2023 mandates director/PSC identity verification at Companies House (from November 2025) and creates a Failure to Prevent Fraud corporate criminal offence (from September 2025)
- Perpetual KYC is now a regulatory baseline: re-verification must be event-driven, triggered by sanctions updates, PEP changes, or adverse media
- The DVS Trust Framework v1.0 sets the Government’s certification standard for digital identity providers; treat it as a procurement baseline, not a differentiator
Fraud now accounts for more than 43% of all crime in England and Wales, according to HM Treasury’s National Risk Assessment 2025. At the same time, FCA fines for AML and KYC failures reached a record £124 million in 2025, with individual enforcement actions landing firms as large as Barclays with a £39.3 million penalty. For UK-regulated businesses, the message could not be clearer: KYC requirements are being enforced with more force than ever, and the legal landscape is still shifting.
This article breaks down exactly what UK KYC requirements demand today. It covers the foundation in the Money Laundering Regulations 2017 (MLR 2017), how FCA rules sit on top of that framework, and what the Economic Crime and Corporate Transparency Act 2023 (ECCTA) adds to the picture, including two obligations that came into force in 2025.
What Are the KYC Requirements Under MLR 2017?
The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, universally known as MLR 2017, form the legal bedrock of UK financial compliance. Understanding whether an entity falls within the scope of MLR 2017 is the starting point for any compliance programme. The regulations implement the EU’s Fourth Anti-Money Laundering Directive into domestic law and apply to a wide range of entities: banks, credit institutions, accountants, legal professionals, estate agents, and any firm providing financial services.
Under MLR 2017, UK businesses subject to the regulations must apply a risk-based approach to Customer Due Diligence (CDD). Standard CDD requires verifying a customer’s identity, understanding the nature and purpose of the business relationship, and keeping records up to date. Where a customer or transaction presents higher risk (politically exposed persons (PEPs), cross-border correspondent relationships, unusual transaction patterns), Enhanced Due Diligence (EDD) applies. EDD demands deeper source-of-funds checks, senior management approval, and heightened monitoring. Conversely, the regulations permit Simplified Due Diligence (SDD) for low-risk scenarios, though this can never be applied as a blanket excuse to skip verification.
Every entity in scope must also screen customers against sanctions lists and PEP registers at onboarding and on an ongoing basis. Failing to update records when a customer’s risk profile changes is itself a breach of MLR 2017; static, one-time checks are not enough.
The AML transaction screening that UK businesses must perform sits at the intersection of MLR 2017 obligations and the Proceeds of Crime Act 2002. Together they create an obligation not just to know your customer at onboarding but to understand, and report, suspicious activity throughout the relationship.
How FCA KYC Rules Tighten the Obligation in 2026?
The Financial Conduct Authority (FCA) does not create KYC requirements independently; it supervises and enforces compliance with MLR 2017 for the firms it regulates. In practice, FCA KYC rules layer significant operational expectations on top of the statutory baseline.
The FCA’s expectations are published in its Financial Crime Guide, which is updated periodically and functions as a detailed compliance standard. The FCA expects firms to document their risk appetite, operate a governance structure with senior management accountability, maintain audit-trail evidence of every CDD decision, and be able to demonstrate how their systems respond to emerging risks. Firms cannot rely on checking a box; the regulator looks at whether controls are proportionate, tested, and genuinely effective.
The 2025 enforcement record makes the stakes concrete for any firm assessing where it stands on UK AML compliance in 2026. Monzo was fined £21.1 million by the FCA for AML control weaknesses, adding to a pattern of sanctions against high-growth digital banks that scaled faster than their compliance functions. The regulator has signalled it will hold boards personally accountable where senior management oversight of KYC processes is found to be inadequate.
For UK fintech firms specifically, the FCA’s scrutiny of identity verification has intensified. Fast-growing neobanks and payments businesses are expected to demonstrate the same rigour as traditional institutions and are frequently judged against those same standards in supervisory reviews.

What ECCTA 2023 Adds: Director IDV and Failure to Prevent Fraud?
The Economic Crime and Corporate Transparency Act 2023 (ECCTA) introduced two new obligations that are now in effect and represent a material change to the UK compliance environment.
Director and PSC identity verification became mandatory from 18 November 2025. Anyone wishing to incorporate a new company at Companies House, and all existing directors and persons with significant control (PSCs) of UK-registered companies, must now verify their identity. Verification must be completed through a UK Digital Identity Service or directly through Companies House. The intent is to close a longstanding gap where fraudsters could register shell companies using false identities. For any business conducting KYC verification in the UK as part of onboarding due diligence on corporate counterparties, this creates a new authoritative data source: a Companies House verified director identity is a strong signal in a corporate CDD file.
Failure to Prevent Fraud, which entered force on 1 September 2025, creates a corporate criminal offence for large organisations. A company is liable if a person associated with it commits fraud for the organisation’s benefit, unless the company can demonstrate it had “reasonable prevention procedures” in place. The Government’s guidance is modelled on the Bribery Act 2010 framework. Firms that cannot show genuine procedural controls, risk assessments, due diligence on third parties, monitoring, and training face unlimited fines and reputational exposure.
Together, these ECCTA additions mean that UK financial compliance now extends well beyond traditional banking. Corporates, insurers, professional services firms, and any business with meaningful exposure to fraud or financial crime need to review whether their KYC and fraud-prevention frameworks would withstand regulatory scrutiny.
Perpetual KYC: Why Ongoing Monitoring Is Now Non-Negotiable
The phrase “perpetual KYC” reflects a shift in regulatory expectation that has been building since MLR 2017 came into force. Rather than treating customer verification as a one-time event, firms must build continuous KYC monitoring, which UK regulators now explicitly expect, into their operating model.
The FCA’s Financial Crime Guide states that firms must ensure CDD information is kept up to date and that risk profiles are refreshed when circumstances change. This means a customer who was low-risk at onboarding may become high-risk if they become a PEP, if their transaction patterns shift significantly, if adverse media coverage emerges, or if they appear on a newly updated sanctions list. Waiting for a scheduled review cycle creates gaps that the FCA considers a compliance failure.
Practically, implementing perpetual KYC in the UK requires a technology layer capable of triggering re-verification and re-screening automatically. Event-driven monitoring, which watches sanctions list updates, adverse media feeds, PEP database changes, and transaction anomalies in real time, replaces annual manual reviews for most customer segments. The digital identity verification that UK banks and fintechs are investing in at scale is precisely this kind of automated, continuous-risk infrastructure rather than point-in-time snapshot checks.
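The event-driven model described above, and the tamper-evident audit trail the FCA expects for every CDD decision, can be sketched in code. This is an added illustration, not Shufti’s or any regulator’s implementation; the event type names, tier names and customer identifiers are constructed for the example.

```python
"""Event-driven re-screening for perpetual KYC (added example, not Shufti's code).
A monitoring event about a customer yields an immediate due-diligence decision,
and each decision is appended to a hash-chained audit log so that later edits to
the record are detectable. All identifiers and sample events are constructed."""
import hashlib
import json

# Event types that escalate a customer straight to Enhanced Due Diligence.
EDD_TRIGGERS = {"pep_status_change", "sanctions_list_match", "adverse_media"}
# Event types that force a re-screen and analyst review without escalation.
REVIEW_TRIGGERS = {"transaction_anomaly"}
GENESIS = "0" * 64  # previous-hash value for the first audit entry


def decide(customer: dict, event: dict) -> str:
    """Update customer["risk_tier"] for one event and return the action taken."""
    kind = event["type"]
    if kind in EDD_TRIGGERS:
        customer["risk_tier"] = "enhanced"
        return "re-verify identity; apply EDD; senior management sign-off"
    if kind in REVIEW_TRIGGERS:
        if customer["risk_tier"] == "simplified":
            customer["risk_tier"] = "standard"  # SDD is no longer justified
        return "re-screen sanctions/PEP lists; analyst review of activity"
    return "ignored: not a monitored event type"


def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_audit(log: list, customer: dict, event: dict, action: str) -> dict:
    """Append a tamper-evident entry that commits to the previous entry's hash."""
    body = {"customer_id": customer["customer_id"], "event": event, "action": action,
            "risk_tier": customer["risk_tier"],
            "prev_hash": log[-1]["entry_hash"] if log else GENESIS}
    entry = {**body, "entry_hash": _digest(body)}
    log.append(entry)
    return entry


def verify_audit(log: list) -> bool:
    """Recompute the chain; an edited, reordered or deleted entry breaks it."""
    prev = GENESIS
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body["prev_hash"] != prev or _digest(body) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True
```

Feeding a stream of sanctions, PEP and adverse-media events through `decide` and `append_audit` gives the regulator-facing record of who was re-screened, when, and why, and `verify_audit` shows whether that record is still intact.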
A 36% increase in money laundering prosecutions under the Government’s Economic Crime Plan 2 signals that enforcement is catching up with firms that treat ongoing monitoring as optional.
The UK DVS Trust Framework: What It Means for Digital Identity
Published on 6 March 2026, the UK Digital Identity and Attributes Trust Framework version 1.0 (DVS Trust Framework) is the Government’s certification standard for digital identity service providers. It sets out the technical, security, and governance requirements a provider must meet to be certified as a UK Digital Identity Service.
For businesses, the framework matters in two ways. First, ECCTA director IDV can be completed through a certified DVS provider, meaning that selecting a certified provider is not just a best practice but the mechanism through which the legal obligation is discharged. Second, the framework creates a recognised quality benchmark: a certified digital identity verification service has been independently assessed against government standards for fraud resistance, data protection, and inclusivity.
FCA KYC compliance software vendors and digital identity verification providers are actively seeking DVS certification to remain competitive for UK business. When evaluating technology partners, UK firms should treat DVS certification as a baseline criterion, not a differentiator. FCA-approved KYC software and DVS-certified providers together represent the benchmark the regulator will increasingly use when assessing whether a firm’s technology controls are proportionate and fit for purpose.
How Shufti Supports UK KYC Compliance?
UK-regulated firms face a layered compliance problem: MLR 2017 CDD obligations, FCA audit-trail expectations, ECCTA director IDV requirements, and the demand for continuous monitoring all running simultaneously, often across different customer segments and risk tiers.
Shufti’s unified platform addresses each layer through a single API integration. The KYC solution covers standard and enhanced due diligence workflows, with document verification and face verification running together to produce a match-and-liveness result in under 15 seconds. For corporate counterparties, KYB verification cross-checks director identities against Companies House data, directly supporting ECCTA compliance. AML Screening draws on 100,000+ data sources and 3,500+ global watchlists, including 2.6 million PEP profiles across 215+ sanction regimes, so every customer is screened at onboarding and monitored in real time for changes in risk status.
For firms that need electronic identity verification without document uploads, eIDV reaches 85+ countries of database verification and connects to over 30 national eID schemes, including those relevant to UK customers. Every verification produces a structured audit trail: timestamped, tamper-evident, and exportable, providing the kind of documentation the FCA looks for when assessing a firm’s KYC governance.
Shufti processes 280M+ identity checks annually with a 99.3% true detection rate, and is deployable on-premises for firms with data-sovereignty requirements.

Frequently Asked Questions
What are the KYC requirements for UK banks and fintechs?
UK banks and fintechs in scope of MLR 2017 must apply risk-based Customer Due Diligence at onboarding, screen customers against sanctions and PEP lists, conduct Enhanced Due Diligence for high-risk relationships, and maintain ongoing monitoring. The FCA applies these requirements and expects firms to document their risk decisions with a clear audit trail.
Does MLR 2017 apply to all UK businesses?
No. MLR 2017 applies to defined categories: credit institutions, financial firms, accountants, legal professionals, estate agents, and trust or company service providers. Businesses outside these categories are not directly in scope, though the ECCTA Failure to Prevent Fraud offence (in force September 2025) creates separate obligations for large organisations.
What does ECCTA mean for identity verification in 2026?
ECCTA introduced mandatory identity verification for all UK company directors and PSCs at Companies House from 18 November 2025. It also created the Failure to Prevent Fraud offence from 1 September 2025, requiring large organisations to demonstrate reasonable fraud-prevention procedures, which include due diligence on counterparties and staff.
How often should KYC checks be repeated under UK law?
MLR 2017 sets no fixed review cycle; it requires ongoing monitoring and risk profile updates when circumstances change. The FCA expects event-driven re-verification: when a customer appears on a new sanctions list, becomes a PEP, shows unusual transaction patterns, or generates adverse media alerts.
What is the UK DVS Trust Framework and who does it affect?
The UK Digital Identity and Attributes Trust Framework (DVS Trust Framework v1.0, published March 2026) is the Government's certification standard for digital identity service providers. It affects any organisation providing or procuring digital identity verification services in the UK, especially those using digital verification to discharge ECCTA director IDV requirements.
