The United Kingdom has been making headlines this year for changes that directly affect how organizations verify customers and users. Laws such as the Online Safety Act 2023 are introducing new guidelines for age assurance, while AML reforms continue to tighten expectations around KYC requirements in the UK.
Overall, the country’s strategy is now leaning hard on the idea that stronger identity checks will help close gaps in customer due diligence, corporate transparency, and reporting.
Organizations that touch UK customers, assets, or payment flows need to monitor these changes and adapt to them. In this article, we walk through the main legal pillars of the UK’s KYC regulations as well as the latest shifts the landscape has seen.
1. Money Laundering Regulations 2017
The Money Laundering Regulations 2017 (MLRs) are still the operational backbone of KYC in the UK, with small updates being released on a regular basis.

The five 2025 revisions are modest in scope: they mainly tidy cross-references and definitions and fold in the latest high-risk country mechanics and list changes, rather than changing what firms must do day-to-day.
Overall, the guidance still expresses the core KYC duties in plain language: identify each customer, verify that identity, identify any beneficial owner, understand the purpose and intended nature of the relationship or transaction, and keep evidence and records for at least five years after it ends.
At the same time, a lot of groundwork is being done for a separate draft, the Money Laundering and Terrorist Financing (Amendment and Miscellaneous Provision) Regulations 2025. It leaves the basic structure of the MLRs intact, but it does tighten how the UK’s KYC regulations are expected to work in real systems:
Pooled and intermediary accounts: The draft clarifies when firms must “look through” pooled client accounts to the underlying customer, instead of treating the intermediary as the only client. This targets business models where one account hides many real users and pushes KYC stacks to capture and link verified identities, risk grading, and screening results for everyone in the chain.
Simplified and enhanced due diligence: Conditions for simplified due diligence (SDD) are narrowed, closing off product-only justifications for light checks. At the other end, mandatory enhanced due diligence (EDD) is focused more tightly on FATF “call for action” countries, while “increased monitoring” countries are to be treated as strong risk factors inside firm-specific scoring.
The draft also converts euro thresholds into sterling (e.g., €10,000 and €15,000 figures for occasional transactions and high-value dealers) and folds in adjustments around trusts, company service providers and crypto registration. Even though the draft is still going through the formal process, supervisors and larger firms are already working on the assumption that these features, or something close to them, will land.
In practice, this nudges firms and vendors towards:
Centralized, versioned configuration: Thresholds, FATF-driven country groupings and SDD/EDD rules need to live in one governed configuration layer that compliance teams can update with proper change history, instead of being scattered as constants in code.
Structured evidence: Each KYC decision has to leave a time-stamped, machine-readable trail: which documents were checked, which data sources were used, which risk rules fired, and why SDD or EDD was applied. An IDV platform that can only say “document recognised: yes/no” and output a PDF gives very little comfort when a file is reconstructed five or ten years later.
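As an added illustration (not Regula's code and not part of the original article), the Python below keeps the due-diligence rules in one versioned policy object and emits a time-stamped evidence record that pins the policy version and hash used for the decision. The country codes XA and XB, the scores, and all field and rule names are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed policy: every value is a placeholder, not a statutory figure.
# In a real system this document lives in one governed store with change history.
POLICY = {
    "version": "2025-11-01.1",
    "fatf_call_for_action": ["XA"],
    "fatf_increased_monitoring": ["XB"],
    "increased_monitoring_score": 40,
    "edd_score_cutoff": 50,
    "sdd_customer_types": ["listed_company"],
}

def policy_digest(policy):
    """Hash of the canonical policy, so a record pins the exact rules used."""
    canonical = json.dumps(policy, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def decide(customer, checks, policy=POLICY, now=None):
    """Return a machine-readable evidence record for one due-diligence decision."""
    fired = []
    score = customer.get("base_score", 0)
    # "Increased monitoring" is a risk factor in the score, not automatic EDD.
    if customer["country"] in policy["fatf_increased_monitoring"]:
        score += policy["increased_monitoring_score"]
        fired.append("fatf_increased_monitoring_risk_factor")
    # "Call for action" triggers mandatory EDD regardless of score.
    if customer["country"] in policy["fatf_call_for_action"]:
        fired.append("fatf_call_for_action_mandatory_edd")
    if score >= policy["edd_score_cutoff"]:
        fired.append("score_at_or_above_edd_cutoff")

    if any(r != "fatf_increased_monitoring_risk_factor" for r in fired):
        level = "EDD"
    elif not fired and customer["type"] in policy["sdd_customer_types"]:
        level = "SDD"  # only when no risk rule fired at all
        fired.append("sdd_eligible_customer_type")
    else:
        level = "CDD"
    return {
        "decided_at": (now or datetime.now(timezone.utc)).isoformat(),
        "customer_id": customer["id"],
        "level": level,
        "score": score,
        "rules_fired": fired,
        "checks": checks,  # documents checked and data sources used
        "policy_version": policy["version"],
        "policy_sha256": policy_digest(policy),
    }
```

Because each record carries `policy_sha256`, a file reopened years later can be matched to the exact rule set that produced it, even after the live policy has changed.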
2. Online Safety Act 2023
Besides AML legislation, one newer statute is now reshaping expectations around online UK identity verification: the Online Safety Act 2023.
Under the Act, Ofcom is phasing in duties on services to tackle illegal content and protect children. For the largest user-to-user and search services, 2025 has been the year when those duties stopped being theoretical. By spring 2025, major platforms were required to carry out formal risk assessments for illegal content and put proportionate systems and processes in place to reduce those risks, with Ofcom able to investigate and impose fines where they fall short.
The most visible shift has been around pornography services. Ofcom’s age-assurance guidance for Part 5 services sets a high bar for keeping under-18s out, using methods that overlap heavily with modern KYC: remote document checks with face matching and liveness detection, facial age estimation, and checks that rely on trusted third-party attestations such as mobile network data or digital ID providers. Final guidance on age assurance was followed by commencement regulations so that, from July 2025, commercial pornography sites accessible from the UK are expected to have “highly effective” age-assurance in place or face enforcement action.

The Online Safety Act has received considerable media coverage in recent months.
In parallel, Ofcom has been developing children’s safety codes for a wider group of services “likely to be accessed by children.” Those codes crystallize duties to carry out children’s risk assessments and, in higher-risk settings, to adopt some form of age assurance rather than relying purely on self-declaration. Combined with public discussion about using facial age estimation to keep under-13s off social media, this has made age checks and biometrics a mainstream topic rather than a niche technical choice.
For online platforms and IDV vendors, there are several practical takeaways:
Evidence and metrics: Regulators now ask for concrete numbers on false-acceptance and false-rejection rates, information on demographic performance, and clear explanations of testing methods — not only high-level claims about accuracy. Age-assurance buyers have started to ask the same questions as AML and gambling supervisors.
Data handling and purpose limitation: Services in scope must be able to explain why particular data points (images, templates, device signals) are collected, how long they are kept, and how they are separated from uses such as profiling or marketing.
User experience under pressure: Age checks on high-traffic sites have exposed familiar problems: users dropping out, confusion about who sees their documents, and resistance to biometrics. So far, regulators’ response has not been to lower the standard, but to insist that services must meet it and invest in better design and support.
With that, we are seeing growth in the importance and value of age assurance solutions that can effectively protect minors and operate across various demographics. For example, Regula Face SDK has topped the list of IDV vendors as the most accurate age estimator across six geographic regions (as per the August 2025 edition of NIST’s FATE-AEV).
3. ECCTA and Companies House ID checks
The Economic Crime and Corporate Transparency Act 2023 (ECCTA) and the related Companies House reforms are turning the UK corporate register into a much more useful KYC asset. For banks, payment firms, marketplaces, professional practices, and any business onboarding UK entities, this is one of the biggest shifts between 2023 and 2026.
As of November 18th, 2025, identity verification at Companies House has become a legal requirement:
New directors and people with significant control (PSCs) need to verify their identity before incorporation or appointment.
Existing directors and PSCs are given a transition period of around 12 months, broadly tied to confirmation-statement cycles, to complete verification.
Verification is done either directly, through GOV.UK One Login, or via an Authorised Corporate Service Provider (ACSP) supervised under the MLRs.
Successful verification links an individual to an identity document and produces a personal code that must be used in certain filings. ECCTA also gives Companies House stronger powers to question, annotate or reject suspicious filings, and brings it formally into the information-sharing framework for AML supervisors.
This is not only a concern for large banks. Platforms that provide B2B services, PSPs working with small companies, and professional firms selling company-formation or trust services all encounter the same requirement: KYC that can handle real-world ownership and control.
KYC systems that treat registries as an afterthought will struggle to keep up. The direction of travel is towards:
Entity-aware workflows: Full models of corporate trees and trust relationships, with directors, PSCs, trustees and beneficiaries tied back to personal identity checks.
Registry and KYC alignment: Automated comparisons between client-provided structures and what Companies House shows, with clear escalation paths when the two do not match.
4. Cryptoassets (Regulated Activities) Order
Our last pillar of UK KYC regulations lies at the border between traditional financial services and newer business models: cryptoassets, cross-border payments and the “technical” changes to the MLRs that sit around them.
For example, the draft Cryptoassets (Regulated Activities) Order states that operating a crypto trading venue, providing custody for qualifying cryptoassets, or arranging certain deals will become activities regulated under the Financial Services and Markets Act (FSMA).
Crypto firms serving UK customers in these roles would require full FCA authorization, bringing them under conduct, prudential and market-abuse standards closer to those applied to securities markets, with AML registration under the MLRs forming only one part of the picture.
Commentary on the draft highlights several things:
Re-basing fit-and-proper tests for registered cryptoasset firms on FSMA-style “controller” concepts, making it harder to hide influence behind complex ownership structures.
Introducing a new provision (commonly referred to as Regulation 34A) that treats certain B2B arrangements between crypto exchanges and custodians in a correspondent-banking-style way, with EDD and a ban on “shell bank”-type counterparties.
Converting thresholds across the MLRs to sterling, bringing TCSP sales of off-the-shelf companies clearly into scope, and extending TRS coverage of UK-linked trusts.
That’s why IDV and KYC stacks that can join up document and biometric checks, registry information, wallet attribution, device and IP data, and payment details are better placed to meet these expectations than those that treat each channel in isolation.
How Regula helps companies stay compliant in the UK
For organizations that plan to grow in the UK, KYC is a steadily narrowing compliance gate at the start of the customer journey. That’s why it’s becoming increasingly crucial to have an identity verification solution that will:
Capture and verify identities to a standard compatible with forensic document scrutiny and modern biometric expectations.
Keep configuration and risk logic aligned with the latest regulations.
Bind together individuals, entities, registries, trusts, and payment flows into records that will still be defensible when revisited years later.
Regula IDV Platform can be that solution for you: it is an end-to-end framework for identity verification and user lifecycle management with flexible orchestration and configurable workflows that can be adapted to all KYC compliance needs.
It brings together the core capabilities required for robust KYC in the UK, including:
Document and biometric verification, backed by one of the industry’s largest databases containing 16,000 templates from 254 countries and territories, along with advanced face matching and liveness detection.
Configurable KYC and onboarding workflows, allowing organizations to adjust in line with evolving regulatory requirements and risk policies.
Automated AML and PEP screening as well as custom watch lists, using trusted global data providers.
Structured user data management and audit-ready evidence for ongoing monitoring.
Smooth integration with your existing tech stack via flexible connectors.
To learn more about how Regula can support your UK identity verification, contact our team.





