KYC requirements for the UK refer to the legal obligations placed on banks, fintechs, and all regulated businesses to verify the identity of their customers, assess risk, and monitor transactions on an ongoing basis.
These requirements are mandated by the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), enforced by the Financial Conduct Authority (FCA), and shaped by global standards set by the Financial Action Task Force (FATF).
What do KYC Requirements in the UK Mean?
KYC requirements in the UK mean that any regulated business operating in the UK must know who its customers are before entering a business relationship with them and must continue monitoring that relationship for signs of financial crime. The process involves collecting, verifying, and documenting customer identity information, understanding the nature of the customer's transactions, and assessing the risk they pose.
In the UK, KYC is not a standalone regulation. It sits within the broader Anti-Money Laundering (AML) and Counter-Terrorism Financing (CTF) framework. The FCA enforces KYC obligations primarily through MLR 2017, which requires firms to implement Customer Due Diligence measures, maintain records, and report suspicious activity to the National Crime Agency (NCA) via Suspicious Activity Reports (SARs).
Why KYC Matters for UK Regulated Firms in 2026
KYC is important for UK banks and businesses because it protects regulated firms from being used as conduits for financial crime, and it protects consumers from the downstream harm that financial crime causes.
Money laundering is estimated to cost the UK economy billions of pounds each year, with London consistently identified as one of the world's highest-risk financial centres for illicit financial flows. Against this backdrop, KYC verification serves as the first and most critical line of defence.
The FCA's enforcement record makes the stakes clear. Between 2015 and 2025, the FCA issued over £1.07 billion in AML-related fines across 27 cases. The direction of travel is equally important: from 2024 onwards, fintechs and challenger banks have topped the enforcement list, demonstrating that the FCA expects every firm, regardless of size or business model, to maintain robust KYC controls.
What Are the Key KYC Regulations for Banks in the UK?
UK KYC regulations are built on a multi-layered legal architecture, combining primary legislation, secondary legislation, and regulatory rules.
1. Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (MLR 2017)
MLR 2017 is the cornerstone of UK KYC compliance. It replaced the previous Money Laundering Regulations 2007 on 26 June 2017, introducing a stronger risk-based approach to customer due diligence, more detailed beneficial ownership requirements, and expanded coverage of sectors including cryptoassets, which came into scope from 10 January 2020. MLR 2017 mandates that every regulated firm must:
- Apply Customer Due Diligence (CDD) when establishing a business relationship or conducting an occasional transaction worth EUR 15,000 or more
- Identify and verify the identity of the customer and any beneficial owner
- Understand the nature and purpose of the business relationship
- Conduct ongoing monitoring of the business relationship
The Money Laundering and Terrorist Financing (Amendment) Regulations 2023 introduced a clearer distinction between domestic and foreign Politically Exposed Persons (PEPs), requiring proportionate but not automatically enhanced scrutiny for domestic PEPs.
2. The Proceeds of Crime Act 2002 (POCA)
POCA establishes the criminal offences of money laundering in the UK and creates the reporting obligations that underpin the SAR regime. Under POCA, it is a criminal offence to conceal, disguise, convert, or transfer criminal property. It also covers failure to report and tipping off. A failure to disclose suspicions of money laundering carries a maximum penalty of five years imprisonment and an unlimited fine.
3. The Terrorism Act 2000 and Anti-Terrorism, Crime and Security Act 2001
These statutes criminalise terrorist financing in the UK and require regulated businesses to report suspicions of terrorist financing to the NCA. They work alongside MLR 2017 to prevent terrorist access to financial systems.
4. The Financial Services and Markets Act 2000 (FSMA)
FSMA governs the regulation of financial services in the UK and gives the FCA its powers to supervise firms, issue guidance, and enforce penalties for non-compliance. The Financial Services and Markets Act 2023 expanded FSMA's remit to include cryptoassets as regulated financial instruments, with full authorisation requirements for crypto firms expected to be in force by 2026.
5. The Economic Crime (Transparency and Enforcement) Act 2022
This Act introduced the Register of Overseas Entities (ROE), requiring overseas entities that own UK property to identify and register their beneficial owners. It represents a significant expansion of beneficial ownership transparency requirements beyond the financial sector.
Table 1: UK KYC Regulations and Their Key Obligations
| Regulation | Key KYC Obligation |
|---|---|
| MLR 2017 (as amended) | CDD, EDD, ongoing monitoring, record-keeping |
| POCA 2002 | SAR filing, criminal offences for ML involvement |
| Terrorism Act 2000 | CTF reporting, asset freezing |
| FSMA 2000/2023 | FCA supervision, crypto regulation |
| Economic Crime Act 2022 | Beneficial ownership transparency for overseas entities |
What Are the Important KYC Documents in the UK?
The following are the important KYC documents required for verification in the UK depending on the risk profile of the customer:
1. For Individual Customers
Proof of Identity (one of the following):
- Valid UK or international passport
- UK photo driving licence (full or provisional)
- National identity card (EEA nationals)
- Biometric Residence Permit (BRP) for non-EEA nationals
- HM Forces identity card
- Firearms or shotgun certificate with photograph
- Identity card issued by the Electoral Office for Northern Ireland
Proof of Address (one of the following, issued within the last 3 months):
- Utility bill (gas, electricity, water)
- Council tax bill
- Bank or building society statement
- Mortgage statement
- HMRC correspondence (tax coding notice, self-assessment statement)
- Tenancy agreement (signed and dated)
Proof of Income (required in high-risk or EDD scenarios):
- Recent payslip or employment letter
- Tax return or HMRC tax statement
- Bank statements showing income patterns
- Business accounts or audited financial statements (for business owners)
The FCA accepts digital identity verification (eKYC) provided it meets the regulatory standards on accuracy, fraud prevention, and data privacy under the UK GDPR.
2. For Corporate Clients
In addition to verifying the legal entity, UK KYC requirements mandate verification of the people behind it.
Entity verification documents:
- Certificate of incorporation (or equivalent for overseas entities)
- Memorandum and Articles of Association
- Latest filed accounts or audited financial statements
- Business licence or operating permit (sector-specific)
- Company VAT or tax registration number
Beneficial ownership documents:
- Register of persons with significant control (PSC Register, filed at Companies House)
- Identity documents and proof of address for each Ultimate Beneficial Owner (UBO) holding 25% or more
- Ownership structure chart for complex corporate structures
- Board resolution authorising the account relationship
Who Must Comply with UK KYC Requirements?
Financial institutions, credit institutions, and designated non-financial businesses and professions must comply with UK KYC requirements.
The firms that must comply with UK KYC requirements include:
1. Financial Institutions and Related Services
- Banks and building societies
- Credit institutions
- Insurance companies and intermediaries
- Stockbrokers and investment firms
- Payment service providers and e-money institutions
- Cryptoasset exchange providers and custodian wallet providers (from January 2020)
- Consumer credit firms
- Mortgage lenders and brokers
2. Designated Non-Financial Businesses and Professions (DNFBPs)
- Solicitors and legal professionals when handling client money or property transactions
- Accountants, tax advisers, and auditors
- Estate agents (for sales and lettings above certain thresholds from 2020)
- High-value dealers (selling goods worth EUR 10,000 or more in cash)
- Casinos and gambling operators (regulated separately by the Gambling Commission)
- Art market participants (from January 2020)
- Virtual asset service providers (cryptoasset firms)
3. Appointed Money Laundering Reporting Officers (MLROs)
Every FCA-regulated firm must appoint a Money Laundering Reporting Officer (MLRO). The MLRO is responsible for managing the firm's overall AML compliance, reviewing internal SAR referrals, deciding whether to make disclosures to the NCA, and liaising with the FCA on compliance matters. Firms must also appoint a Nominated Officer, who handles internal disclosures. One person can hold both roles. Failure to appoint a qualified MLRO is itself an FCA breach.
What Are the Penalties for Non-Compliance with KYC Requirements in the UK?
The FCA does not operate a fixed penalty scale. Instead, it uses a five-step methodology to calculate penalties based on the severity, duration, and scale of non-compliance. The absence of a cap means penalties are, in practice, unlimited.
Table 2: FCA AML/KYC fines, 2021 to 2025
| Institution | Year | Fine | Specific Failure |
|---|---|---|---|
| NatWest | 2021 | £264.8 million | Failed to monitor £264m in suspicious cash deposits from jewellery business Fowler Oldfield; first criminal AML prosecution of a UK bank |
| Santander UK | 2022 | £107.8 million | Inadequate transaction monitoring, poor customer risk management |
| Starling Bank | 2024 | £28.9 million | Sanctions screening misconfiguration; failure to screen 3,049 of 3,088 designated persons; repeatedly opened accounts for high-risk customers |
| Metro Bank | 2024 | £16.7 million | Automated transaction monitoring system failure; failed to detect suspicious activity |
| Monzo Bank | 2025 | £21.1 million | Financial crime control weaknesses |
| Barclays | 2025 | £39.3 million | Financial crime systems and controls failings |
The pattern from 2024 to 2025 is unmistakeable. Fintechs and challenger banks are no longer given the benefit of growth-phase leniency. The FCA is holding every firm to the same standard.
Recent enforcement trends highlight the rising cost of non-compliance: the FCA's 2024 fines already signal stricter oversight, and its 2025 fines are expected to reinforce even tougher penalties for firms that fail to meet regulatory standards.
Types of Sanctions Beyond Fines
Beyond financial penalties, non-compliant firms face:
- Licence suspension or revocation by the FCA, HMRC, or Gambling Commission
- Criminal prosecution for serious AML failures, including imprisonment of up to 14 years under POCA
- Public censure through FCA Final Notices, creating lasting reputational damage
- Business restrictions limiting the products or services a firm can offer
- Personal liability for senior managers and MLROs under the Senior Managers and Certification Regime (SM&CR)
Under SM&CR, individuals in senior management roles bear personal responsibility for ensuring their firm's AML controls are adequate. This means compliance failures can result in individual fines, bans, and criminal prosecution, not just institutional penalties.
What Are the KYC Requirements for UK Banks and Financial Institutions?
Banks and financial institutions face the most prescriptive KYC requirements of any regulated sector in the UK. The FCA's Financial Crime Guide (FCG) sets out detailed expectations for how banks should structure their KYC programmes.
1. Customer Identification Programme (CIP)
Every bank must have a documented CIP that sets out the minimum information to be collected from customers at onboarding. For individual customers, this includes full legal name, date of birth, residential address, and government-issued ID number. For business customers, it extends to company registration details, nature of business, and UBO information.
2. Customer Due Diligence in the UK (CDD)
Customer due diligence in the UK sits at the heart of every bank's KYC obligations. CDD must be applied when:
- Establishing a new business relationship
- Conducting an occasional transaction of EUR 15,000 or more (EUR 10,000 for high-value dealers)
- There is suspicion of money laundering or terrorist financing
- There are doubts about the accuracy or adequacy of previously obtained identification information
- A customer's circumstances change materially (ownership structure, transaction patterns, or business activity)
CDD requires the bank to verify the customer's identity using reliable, independent sources, understand the purpose and intended nature of the business relationship, and conduct ongoing monitoring. Standard CDD is applied to the majority of customers. Our comprehensive article details how to verify identities in the UK.
3. Simplified Due Diligence (SDD)
SDD is a lighter-touch verification process permitted where the risk of money laundering is demonstrably low. It applies to:
- Customers who are public authorities or UK government departments
- Low-risk products with restricted access and usage (such as basic bank accounts with spending limits)
- Customers resident in low-risk jurisdictions with strong AML controls
SDD does not mean no verification. It means proportionate verification, with basic identity checks from reliable sources.
4. Enhanced Due Diligence (EDD)
EDD is required for all high-risk customers. MLR 2017 mandates EDD for:
- Politically Exposed Persons (PEPs): individuals who hold or have held prominent public positions, including their family members and close associates. From 2024, domestic PEPs are subject to proportionate rather than automatically enhanced scrutiny; foreign PEPs remain high-risk by default
- Customers from high-risk third countries identified by the UK government or FATF
- Complex or opaque ownership structures where beneficial ownership is unclear
- High-value transactions with no obvious economic purpose
- Non-face-to-face customers where identity verification cannot be conducted in person
EDD requires obtaining additional information about the customer and their source of wealth, applying enhanced ongoing monitoring, and obtaining senior management approval before establishing or continuing the relationship.
5. Ongoing Monitoring Requirements
KYC is not a one-time event. MLR 2017 requires banks to continuously monitor the business relationship to ensure transactions are consistent with the institution's knowledge of the customer. Reviews must be conducted periodically, with higher-risk customers reviewed more frequently. Typical review cycles are annually for high-risk, every two to three years for medium-risk, and every three to five years for low-risk customers.
6. SAR Filing
Where a bank knows, suspects, or has reasonable grounds to suspect that a customer is engaged in money laundering or terrorist financing, a SAR must be filed with the NCA's Financial Intelligence Unit (UKFIU). The SAR must be submitted before proceeding with the transaction where this is possible, or as soon as practicable. Failure to file a SAR when one is required is a criminal offence under POCA.
KYC Requirements for Beneficial Ownership in the UK
Beneficial ownership transparency is one of the most important and actively enforced areas of UK KYC law. The UK has consistently been identified as a jurisdiction where complex corporate structures are used to obscure the origin of illicit funds, and regulators have responded with increasingly prescriptive beneficial ownership requirements.
The 25% Threshold
Under MLR 2017, a beneficial owner is any individual who holds, directly or indirectly, more than 25% of the shares or voting rights in a corporate entity, or who otherwise exercises control over the entity's management. Banks and regulated firms must identify every UBO meeting this threshold and verify their identity through the same documents used for individual KYC.
Companies House and the PSC Register
All UK-incorporated companies are required to maintain a Register of Persons with Significant Control (PSC Register) at Companies House. Regulated firms can and should use the PSC Register as a cross-reference during corporate KYC, though they must not rely on it as the sole source of verification. If the PSC Register information cannot be verified or is inconsistent with other information, the firm must seek independent clarification.
The Register of Overseas Entities (ROE)
The Economic Crime (Transparency and Enforcement) Act 2022 established the ROE, which requires overseas entities owning UK land or property to disclose their beneficial owners. For banks facilitating property transactions or commercial lending secured on UK property involving overseas entities, ROE verification is now a required step in the KYC process.
Risk-Based Approach and Customer Due Diligence Requirements
The risk-based approach (RBA) is the central organising principle of UK KYC compliance. Rather than applying the same verification and monitoring intensity to every customer, MLR 2017 requires regulated firms to calibrate their KYC effort proportionate to the risk each customer and each business relationship actually presents.
What the Risk-Based Approach Requires in Practice
A compliant risk-based approach requires firms to:
1. Conduct and document a firm-wide risk assessment identifying the money laundering and terrorist financing risks inherent in the firm's products, services, customer base, delivery channels, and geographies.
2. Develop written policies and procedures setting out how customer risk is identified, assessed, and managed.
3. Assign a risk rating to each customer at onboarding (typically low, medium, or high) based on factors including jurisdiction, occupation, source of funds, and transaction type.
4. Apply proportionate CDD, SDD, or EDD based on that risk rating.
5. Review and update risk assessments periodically and whenever circumstances change materially.
The FCA evaluates firms not just on whether they have policies, but on whether their risk assessments are genuinely reflective of the risks their business faces. Applying standard CDD to a customer who clearly warranted EDD is itself a compliance failure, regardless of whether fraud or money laundering subsequently occurred.
Customer Due Diligence in the UK: The Three Tiers
The table below shows the three tiers of customer due diligence:
| Due Diligence Level | When Applied | Core Requirements |
|---|---|---|
| Simplified (SDD) | Low-risk customers, restricted products, public authorities | Basic identity confirmation from reliable sources |
| Standard (CDD) | Most customers; default level | Identity verification, address verification, purpose of relationship, ongoing monitoring |
| Enhanced (EDD) | PEPs, high-risk third countries, complex structures, large/unusual transactions | All CDD plus source of wealth, senior management approval, enhanced monitoring |
Best Practices for KYC in the UK
1. Build a Real Risk Assessment, Not a Template One
The FCA's enforcement actions consistently reveal a common failure: firms produce risk assessments that look comprehensive on paper but do not reflect the actual risks of their specific business. Starling Bank, for example, rated its sanctions risk as low without factoring in high-risk payment flows from crypto-related platforms. A genuine risk assessment starts from the firm's own customer base and product mix, not from industry templates.
2. Automate Identity Verification and Screening
Manual document checks introduce errors, create delays, and do not scale. Automated KYC verification solutions that cross-check identity documents against government databases, run simultaneous PEP and sanctions screening, and flag discrepancies in real time are now standard for compliant UK firms. The FCA expects firms to demonstrate that their systems can accurately screen against the complete lists they are required to screen against, not partial versions.
3. Invest in Ongoing Monitoring, Not Just Onboarding
Metro Bank's £16.7 million fine came from a failure in its automated transaction monitoring system. The system that should have been detecting suspicious activity was not working as intended, and for years the bank did not know. Ongoing monitoring must be tested and calibrated regularly, with documented evidence that it functions correctly.
4. Train Staff and Embed Compliance Culture
Regulatory requirements place obligations on both firms and their employees. The SM&CR makes individual senior managers personally liable for compliance failures in their area of responsibility. Regular, role-specific AML and KYC training is mandatory under MLR 2017. The FCA assesses training quality and frequency during supervisory visits.
5. Appoint a Qualified MLRO and Empower Them
The MLRO role is one of the most consequential compliance positions in a regulated UK firm. MLROs who lack authority, resource, or management support to make genuinely independent compliance decisions create systemic risk. The FCA looks at whether the MLRO has direct access to senior management and whether their recommendations are acted upon.
6. Keep Records Audit-Ready for Five Years
MLR 2017 requires firms to retain all CDD documents and records for five years after the end of the business relationship. Records must be sufficient to allow regulators to reconstruct individual transactions and understand how compliance decisions were made. Incomplete or disorganised records are treated as substantive compliance failures.
How Youverify Simplifies KYC Compliance for UK Regulated Firms
Meeting the FCA's KYC requirements for banks across identity verification, customer due diligence, ongoing monitoring, and beneficial ownership disclosure simultaneously is operationally demanding. Most firms that attract enforcement action are not failing because they do not have policies. They are failing because their systems are fragmented, their screening is incomplete, or their monitoring is not working as intended.
Youverify unifies every component of the UK KYC compliance process into a single platform, giving compliance teams full visibility from onboarding through to ongoing monitoring.
Here is what Youverify delivers for UK regulated firms:
- Document Verification: Verify UK and international identity documents instantly, with OCR extraction and fraud detection across 13,000+ document types in 140+ countries.
- Biometric Verification and Liveness Detection: Confirm the person submitting documents is physically present, preventing impersonation and deepfake fraud at onboarding.
- PEP and Sanctions Screening: Real-time screening against OFAC, UN, HMT, and global sanctions lists, updated continuously, with complete list coverage that addresses the precise failure the FCA identified at Starling Bank.
- Adverse Media Screening: Ongoing monitoring of open-source intelligence for negative mentions linked to your customer base.
- KYB with UBO Verification: Automatically map corporate ownership structures, verify UBOs, and cross-reference Companies House PSC data for compliant corporate KYC.
- AI-Powered Transaction Monitoring: Rule-based and machine learning-driven monitoring that detects behavioural anomalies and reduces false positives by over 50%, helping compliance teams focus on genuine risk.
- Automated SAR Workflows: Generate case documentation and support SAR filing to the NCA's UKFIU within required timeframes.
- Ongoing Monitoring and Periodic Review Alerts: Automated triggers for KYC refresh based on customer risk tier, ensuring high-risk customers are reviewed on the correct cycle.
Youverify clients report a 60%+ reduction in fraud losses, 90%+ faster onboarding, and 50%+ fewer false positives, while remaining fully compliant with MLR 2017, FCA guidance, and FATF standards.
Book a demo with our compliance experts.
About the Author:
Temitope Lawal has spent five years writing for fintech companies and financial institutions across Nigeria and international markets, with a research focus on AML compliance, fraud prevention, and financial crime regulation. Her work covers regulatory developments from the FCA, NCA and FATF, and is informed by ongoing engagement with primary compliance sources and industry research.
