HM Treasury published a draft statutory instrument (SI) on 2 September 2025 that proposes targeted amendments to the UK Money Laundering Regulations (the MLRs). The draft SI and accompanying policy note are pitched at making the regime more risk-based and proportionate while closing some identified gaps from market participants. The technical consultation closed on 30 September 2025 and subject to feedback and Parliamentary scheduling, the final instrument is expected to be published in early 2026 and will come into force 21 days after. This blog post focuses on the proposed changes under the MLRs specific to customer due diligence (CDD) and enhanced due diligence (EDD) requirements.
Summary of Current Requirements under the MLRs
In order to understand the proposed changes, it’s useful to recap the baseline framework under the existing MLRs:
Customer Due Diligence (CDD) Triggers: Under Regulation 27, firms must carry out CDD when establishing a business relationship or undertaking a relevant transaction.
Verification and “Acting on Behalf of”: Under Regulation 28, firms must identify and verify the customer, beneficial owner(s), and anyone acting on behalf of the customer. Where someone acts on behalf of the customer, firms must understand that person’s authority and verify their identity.
Source of Funds / Source of Wealth Checks: Regulation 28 allows (but does not always require) source of funds checks as part of ongoing monitoring where “necessary”. Regulation 33 requires firms to obtain source of fund and source of wealth information on the customer or beneficial owner in higher risk situations.
EDD: EDD is mandated in higher-risk situations. Under current rules, firms must apply enhanced CDD under Regulation 33 in business relationships or transactions involving parties in High Risk Third Countries (HRTC)*. The MLRs currently require regulated businesses to carry out EDD on any customer established in, or in relation to any relevant transaction where either of the parties to the transaction is established in, a HRTC.
Ongoing Monitoring & Review: Under Regulation 28, firms must monitor transactions and review the CDD information over time. Where circumstances change or new risks emerge, additional checks or re-verification may be required.
* The MLRs definition of an HRTC refers to two lists: the FATF’s ‘Increased Monitoring’ List (IML) of countries whose AML/CTF regimes have been found to be deficient after FATF assessment; and the list of countries subject to a ‘Call for Action’, i.e., those with the most serious strategic deficiencies.
Market Sentiment
CDD plays a pivotal role in the UK’s anti-money laundering and counter-terrorist financing (AML/CTF) framework. For regulated firms, CDD is the backbone of their AML/CTF framework as effective CDD allows firms to understand their customers and establish a standard for normal behaviour as well as use this as a benchmark to detect suspicious activity and provide essential intelligence for law enforcement through Suspicious Activity Reports (SARs).
The Consultation indicated that many market participants perceive certain CDD and EDD requirements as ambiguous or lacking clear purpose, with some respondents reporting that the current requirements were not as effective as they could be in identifying money laundering or terrorist financing. Specific pain points were around the trigger points for CDD for non-financial firms, the requirements in cases where a third party is acting on behalf of a customer, and source of funds checks as part of ongoing monitoring.
Below highlights the key themes stemming from the Consultation as well as the proposed changes and Government response on how it intends to sharpen and clarify the CDD/EDD regime. Here are the most salient proposals for financial services firms to watch.
Customer due diligence
| Theme | Market sentiment | Proposed changes |
|---|---|---|
| CDD for non financial firms | The Consultation revealed that there was some confusion due to the nature of some firms' businesses (such as art market participants) on what constitutes ‘establishing a business relationship’ where a business relationship looks different for those that may be making one off transactions. | The Government plans to make minor changes to the MLRs to clarify the situation in respect of art market participants and letting agents. HM Treasury will align the transaction-based CDD triggers for these sectors in Regulation 27 (for example the requirement for art market participants to apply CDD to any relevant transaction whose value amounts to 10,000 euros or more) with the equivalent provision for high value dealers. This will clarify that CDD should be done for inscope transactions forming part of the establishment of a new business relationship or as an occasional transaction. |
| Source of fund checks for ongoing monitoring | Feedback from respondents revealed that there should be more guidance to clarify the phrase ‘where necessary’. The MLRs require that as part of ongoing monitoring of business relationships, regulated businesses should review transactions, including, ”where necessary”, the source of a customer’s funds, to ensure the transactions are consistent with their understanding of the customer, their business, and overall risk profile. | The MLRs will not be changed to preserve the flexibility of the regulations, but the Government will work with supervisors and industry bodies to refine guidance so that source of fund checks are required only where transactions appear inconsistent with the customer profile. This should reduce over-application of source of funds when it adds little value, but places more burden on firms to justify when checks are not necessary. |
| Verifying whether someone is acting on behalf of a customer | The Consultation highlighted that there was some confusion around when CDD is required on employees, when acting for the companies which employ them and whether these count as ‘acting on behalf of’ and should therefore be subject to CDD. | There will be no changes to the MLRs, however, the HM Treasury clarifies that the ‘acting on behalf of’ provision was intended to apply to entities acting on behalf of individuals (for example when the individual has granted power of attorney to another individual or organisation) or to third parties acting on behalf of an organisation (for example when an agent or intermediary acts for a company). Employees or staff of an organisation acting on its own behalf (for example a member of staff transacting using a company credit card) should be considered to be acting as the organisation, and are not subject to the obligations in Regulation 28(10). HM Treasury will therefore ask supervisors and other guidance authors to review the guidance to ensure regulated firms are clear on their obligations so as to address the risk of over-compliance with the Regulations. |
| Digital identity | The Consultation revealed that many firms are already using digital identity when it comes to their CDD processes. However, there is a need to clarify how digital identities can be used to meet MLRs requirements. | There will be no changes to the MLRs. Instead, much of the refining will come via enhanced guidance from supervisors and industry bodies such as the Department for Science, Innovation and Technology (DSIT) and HM Treasury who will jointly produce guidance on using digital identities for MLRs identity verification checks. |
Enhanced due diligence
It is a regulatory requirement for EDD to be performed in instances where higher money laundering/terrorist financing is identified. There are, however, certain instances where EDD is specifically mandated by the MLRs, such as when a customer or transaction is linked to a high risk third country. Below highlights the proposed changes to the MLRs to provide more guidance on in what scenarios EDD should be applied.
| Theme | Market sentiment | Proposed changes |
|---|---|---|
| Complex or unusually large transactions | Some respondents felt that the requirement to apply EDD on transactions which are “complex or unusually large” was disproportionate to the ML/TF risks and results in EDD being undertaken in low-risk scenarios. | HM Treasury will amend the MLRs to clarify that EDD is required on “unusually complex” transactions, instead of all complex transactions. The requirement for EDD on unusually large transactions will remain unchanged, since responses indicated this remains proportionate and useful in identifying suspicious activity. |
| High risk third countries |
General sentiment was that the mandatory EDD requirements for customers and transactions linked to countries listed by the FATF often did not reflect illicit finance risk to the UK specifically. Respondents agreed that being linked to a jurisdiction listed by the FATF did not automatically make a customer high risk, and advocated for a more targeted approach based on knowledge of the specific customer or business and focused on the countries presenting the biggest illicit finance risks to the UK. For example, in the latest UK National Risk Assessment there were reference to jurisdictions that pose an illicit finance and organised crime risk to the UK such as Albania, China, Russia, the UAE, Nigeria, Ghana, India and South East Asia (Cambodia, Laos, and Myanmar) which could be considered in firms country risk assessments instead. |
The MLRs will be amended so that mandatory EDD applies only to parties established in a “Call for Action” jurisdiction (i.e. those with severe FATF deficiencies), rather than all jurisdictions on the “Increased Monitoring” list. This narrows the set of jurisdictions for mandatory EDD, giving firms more discretion to apply their own country risk assessment specific to their customer, product, transactions and geographic exposure or the jurisdictions which pose the greatest risk to the UK which are not mentioned in the FATF lists. |