Update to the MLR's: 2026

Area

Previous Position

New Requirement

What Financial Services Firms Should Do

Pooled client accounts

No specific AML obligations tailored to newly opened pooled client accounts.

Firms opening new pooled accounts must understand the purpose of the account, ensure it aligns with the customer's risk profile, assess AML/CTF risks, and customers must keep records of all transactions for five years.

Review onboarding procedures, update risk assessments, ensure appropriate record-keeping obligations are built into customer documentation, and train staff on the new requirements.

Enhanced Due Diligence (EDD) threshold

EDD applied to transactions that were "complex or unusually large."

EDD now applies to transactions that are "unusually complex or unusually large", reinforcing a more risk-based approach.

Amend AML policies, transaction monitoring rules and staff guidance to reflect the narrower, risk-focused trigger.

High-risk jurisdictions

Mandatory EDD applied to a broader list of "high-risk third countries", including FATF grey-listed jurisdictions.

Mandatory jurisdiction-based EDD is now limited to countries on the FATF "Call for Action" (black list).

Update country risk matrices, sanctions screening tools and jurisdictional risk assessments to reflect the revised list.

Onboarding customers from insolvent banks

Standard CDD had to be completed before establishing the relationship.

Credit institutions may open accounts and allow transactions before completing full CDD where customers are transferred from an insolvent bank within specified conditions.

Banks should update contingency plans and customer onboarding procedures for bank failure scenarios.

Cryptoasset correspondent relationships

No equivalent detailed correspondent banking requirements.

From 1 February 2027, cryptoasset firms entering correspondent relationships with third-country providers must perform extensive due diligence, obtain senior management approval and prohibit relationships with shell banks.

Cryptoasset firms should begin updating policies, governance, due diligence procedures and approval processes ahead of implementation.

Cryptoasset change in control

Different notification regime under the MLRs.

Change in control requirements are aligned with the Financial Services and Markets Act (FSMA) regime.

Cryptoasset firms and investors should review ownership structures and notification processes.

Reporting material changes to the FCA

No explicit ongoing 30-day reporting obligation for information previously supplied under the MLRs.

Firms must notify the FCA within 30 days of any material change or discovered inaccuracy in information previously submitted under the MLRs.

Introduce governance procedures to identify, escalate and report relevant changes promptly. Consider assigning clear ownership to Compliance or the MLRO.

Monetary thresholds

Various thresholds expressed in euros.

Thresholds have been converted into sterling (generally on a 1:1 basis). For example, €10,000 becomes £10,000, while the crypto occasional transaction threshold becomes £800.

Update systems, customer due diligence triggers, transaction monitoring parameters and internal policies to reflect the new sterling values.

Trust and Company Service Providers (TCSPs)

Sale of off-the-shelf companies was not expressly within regulated TCSP activity.

Selling an off-the-shelf company is now expressly regulated and treated as a business relationship requiring CDD.

Firms involved in company formation or corporate structuring should update compliance frameworks and onboarding procedures.

Information sharing

Cooperation obligations existed between supervisors and HM Treasury.

Companies House and the Financial Regulators Complaints Commissioner are brought into the information-sharing framework to strengthen intelligence sharing.

Consider how enhanced information sharing may affect investigatio