We have updated our Privacy Policy, click here for more information.

Contact

    Thank you

    MLR 2026: Is This the Moment the Risk-Based Approach Finally Becomes Reality?

    Published: July 3, 2026

    Kody McDowell

    Principal Consultant

    First Derivative

    Kody McDowell

    The UK’s Money Laundering Regulations have evolved once again. On the surface, the Money Laundering and Terrorist Financing (Amendment) Regulations 2026 introduce a series of targeted amendments rather than wholesale reform. It would be easy to view them as another routine regulatory update.

    That would be a mistake.

    Beneath the individual amendments lies a broader message: regulators are increasingly challenging firms not simply to demonstrate compliance, but to evidence that their financial crime frameworks are effective, proportionate and genuinely risk driven.

    The concept of a risk-based approach has dominated financial crime compliance for well over a decade. Every policy references it. Every risk assessment claims to follow it. Every audit expects to see it.

    Yet many organisations have gradually drifted towards something different.

    In response to regulatory scrutiny, firms have understandably added more controls, more reviews and more enhanced due diligence. Over time, frameworks designed to focus attention on higher-risk activity have often expanded into increasingly broad populations, creating operational complexity without necessarily improving financial crime outcomes.

    In many respects, the industry has become highly effective at proving compliance. The more difficult question is whether it has become equally effective at reducing financial crime risk.

    The 2026 amendments may signal a subtle but important shift in emphasis.

    From Activity to Effectiveness

    Perhaps the clearest example is the revised approach to high-risk third countries.

    Rather than automatically driving a uniform response across a wider range of jurisdictions, the amendments place greater emphasis on firms exercising judgement and applying controls based on their own assessment of risk.

    Importantly, this is not a relaxation of AML obligations.

    If anything, it places greater responsibility on firms. Organisations must be capable of understanding their risks, justifying their decisions and demonstrating why certain customers, products or jurisdictions require enhanced scrutiny while others do not.

    The expectation is not less diligence – it is better-targeted diligence.

    This reflects a broader regulatory trend that is gradually moving the industry away from activity-based compliance and towards demonstrable effectiveness.

    Is Compliance Ready to Move Beyond Blanket Controls?

    For years, success has often been measured through operational activity:

    • How many reviews were completed?
    • How many alerts were investigated?
    • How many EDD cases were performed?
    • How many documents were collected?

    These metrics tell us whether work has been completed – they tell us far less about whether financial crime risk has been reduced.

    As financial crime threats become increasingly sophisticated, simply doing more is no longer enough. Firms must be able to demonstrate that resources are being directed towards the areas of greatest risk and that controls are producing meaningful outcomes.

    This requires organisations to ask different questions:

    • Are we focusing our strongest controls on our highest-risk customers?
    • Are our products carrying different levels of inherent financial crime risk?
    • Are our customer journeys proportionate to that risk?
    • Are we generating meaningful alerts, or simply creating operational noise?
    • Can we clearly evidence why one customer requires enhanced scrutiny while another does not?

    This is what a genuinely risk-based approach looks like.

    Not treating every customer the same but applying the right level of scrutiny to the right customer at the right time.

    The Technology Challenge

    For many organisations, the greatest challenge may not be regulatory – it may be operational.

    Policies can be updated relatively quickly but technology is often a different story.

    Many KYC, onboarding and case management platforms were designed during a period when standardisation and consistency were the primary objectives. While these remain important, a more mature risk-based approach requires systems that can support differentiation, flexibility and informed decision-making.

    Firms should therefore consider whether their technology estate is capable of supporting this shift.

    • Can risk models evolve as threats change?
    • Can workflows adapt to different customer risk profiles?
    • Can investigation teams prioritise genuinely higher-risk activity?
    • Can data be used to drive decisions rather than simply record compliance activity?

    These questions increasingly sit at the intersection of Financial Crime, Operations, Technology and Transformation.

    An Opportunity for Change

    The 2026 amendments should not be viewed solely as a compliance exercise.

    They represent an opportunity to challenge long-standing assumptions about how AML programmes are designed, measured and operated.

    Many firms continue to devote substantial resource to lower-risk activities because existing policies, processes and systems demand it. In some cases, highly skilled analysts spend significant time completing mandatory activities that add limited value to overall risk mitigation.

    Redirecting that effort towards genuinely higher-risk customers, products and behaviours has the potential to improve both regulatory outcomes and operational efficiency.

    That represents a far more meaningful measure of success than increasing the volume of due diligence activity.

    Looking Ahead

    Financial crime continues to evolve at pace. Criminal methodologies are becoming increasingly sophisticated, while customers expect faster, simpler and more seamless interactions.

    Against this backdrop, success will not come from applying more controls indiscriminately.

    It will come from applying the right controls, to the right customers, at the right time.

    Perhaps the most important question raised by MLR 2026 is not: ”What has changed?”

    It is this: Have we spent the last decade proving that we are compliant, when we should have been proving that we are effective?

    For organisations willing to embrace genuine risk-based decision-making, MLR 2026 may prove to be more than a regulatory update.

    It could mark the point at which compliance begins to be measured not by the volume of controls performed, but by the effectiveness of the outcomes those controls deliver.

    If you would like to discuss the practical implications of MLR 2026 for your organisation, please reach out to our team. We’d be delighted to share our perspectives and experience supporting firms across the Financial Crime lifecycle.

    Explore

    More Insights

    Your rate of change

    Starts here