AML and KYC Explained for UK-Regulated Firms
Anti-money laundering (AML) and Know Your Customer (KYC) are often used interchangeably, but they are not the same thing. AML obligations are set by national law and supervisory authorities, with international standards shaped by bodies such as the Financial Action Task Force (FATF). Together, these requirements place a wide range of screening and monitoring obligations on UK-regulated firms. KYC is one component within that AML framework.
Treating AML and KYC as interchangeable creates a critical gap. If a firm focuses only on KYC, treating it as customer identity verification alone, it overlooks the broader AML obligations that sit alongside it: transaction monitoring, risk assessment and suspicious activity reporting. A compliant AML programme requires both.
The legal importance of the compliance function means that firms must understand the differences between AML and KYC and how they relate to each other in practice.
Table of Contents
- What is the difference between AML and KYC?
- What information does a KYC check collect?
- What does the AML screening process look like?
- How does the KYC process work?
- KYC, Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD)
- Evolving KYC for AML compliance
- AML and KYC software: What to look for
- 1. Integrated KYC and identity verification
- 2. Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) workflows
- 3. Real-time transaction monitoring
- 4. Risk scoring and advanced analytics
- 5. Sanctions, PEP and adverse media screening
- 6. Case management and investigations workflow
- 7. Regulatory reporting and audit trails
- 8. Integration and scalability
- 9. User experience and false positive management
- Managing AML and KYC obligations with RelyComply
- Frequently asked questions
What is the difference between AML and KYC?
AML is the overarching regulatory framework that UK financial institutions must implement to prevent money laundering and terrorist financing. KYC is one component within that framework, focused specifically on verifying customer identities and assessing risk. KYC serves AML; it does not replace it.
In the UK, these obligations are set out in the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs 2017), with the Financial Conduct Authority (FCA) acting as the principal supervisor for most financial services firms. The Financial Action Task Force (FATF) Recommendations provide the international standard-setting framework that the UK implements through the MLRs 2017.
To understand how the two differ in practice, consider three areas.
Purpose
AML exists to prevent and detect money laundering and terrorist financing. KYC exists to establish and verify customer identities and monitor financial behaviour.
Process
The AML process involves developing risk-based due diligence plans, assessing ML/TF risk, detecting suspicious transactions and aligning with the MLRs 2017. The KYC process involves collecting and verifying identifying information from customers, including name, address, date of birth and company incorporation documents for business customers.
Features
AML programmes typically include risk assessments, suspicious activity reporting, ongoing transaction monitoring, staff training and the review of internal policies, procedures and controls. KYC covers customer identification and verification, Customer Due Diligence (CDD), beneficial ownership verification and onboarding controls.
What information does a KYC check collect?
What is a KYC check in practice? It is the process a UK-regulated firm uses to verify a customer’s identity and assess their risk profile before and during a business relationship. In practice, firms typically collect and verify information such as the following at the onboarding stage:
- Name: Confirmed via a valid passport or driving licence, and matched against sanctions lists, PEP databases and adverse media sources during screening.
- Proof of address: Typically a utility bill or bank statement, confirming that the customer lives where they say they do; this verifies the residential address and supports the assessment of geographical risk.
- Date of birth: Verified against a government-issued document to confirm the customer is who they claim to be and to distinguish between individuals with similar names during screening checks.
The MLRs 2017 require that these documents be verified against reliable and independent sources, not simply collected. The Joint Money Laundering Steering Group (JMLSG) publishes sector-specific guidance on what constitutes acceptable verification for UK financial services firms, and compliance teams should refer to the relevant JMLSG chapter for their sector when designing their verification procedures.
Where the customer is a business entity, firms must also verify the business itself, a process often referred to as Know Your Business (KYB). This goes beyond collecting company incorporation documents. Firms must understand the ownership and control structure of the business, identify and verify the Ultimate Beneficial Owner (UBO), establish the nature of the business activities and, where required by the firm’s risk assessment, assess the source of funds or source of wealth.
What does KYC mean beyond initial identity verification?
The MLRs 2017 require KYC to extend beyond onboarding alone. Firms must also carry out ongoing transaction monitoring and a range of customer screening checks as part of their broader AML obligations. These include PEP screening, sanctions screening against the UK sanctions list maintained by the Office of Financial Sanctions Implementation (OFSI), and adverse media screening, each of which UK-regulated firms commonly implement as part of their risk-based AML obligations under the MLRs 2017.
What does the AML screening process look like?
The AML/KYC screening process involves gathering customer data, assessing potential risks and monitoring transactions on an ongoing basis. For UK-regulated firms, this process follows four distinct stages.

1. Customer data collection
The process begins with gathering the information needed to assess risk. At onboarding, firms collect and verify identifying information about their customers. This data serves as the foundation for everything that follows. Without accurate customer information, risk assessment cannot be carried out reliably.
2. Risk assessment
Once customer data has been collected, firms must assess the level of ML/TF risk each customer presents. This means evaluating factors such as the customer’s source of funds, geographical location, and history of suspicious activity. Customers assessed as higher risk are subject to greater scrutiny. Those assessed as lower risk may be subject to simplified measures, provided the firm can demonstrate that the assessment has been properly documented.
3. Ongoing monitoring
Risk assessment is not a one-time exercise. Once a customer’s risk level has been determined, firms must maintain a monitoring process that flags suspicious activity throughout the business relationship. This includes large or unusual transfers, sudden changes in account behaviour and transactions involving high-risk jurisdictions.
4. Suspicious activity reporting
Where monitoring identifies activity that raises suspicion of money laundering or terrorist financing, UK-regulated firms are legally required to submit a Suspicious Activity Report (SAR) to the National Crime Agency (NCA). This obligation falls under the Proceeds of Crime Act 2002 (POCA), and failure to submit a SAR, where required, is a criminal offence under POCA.
How does the KYC process work?
AML and KYC checks at the onboarding stage require customers to provide documentation that proves their identity. The documents required depend on whether the customer is an individual or a business entity.
For individuals:
- Valid UK passport or driving licence
- Proof of address, such as a utility bill or bank statement
- Date of birth verified against a government-issued document
For business customers:
- Company incorporation documents
- Evidence of ownership and control structure
- Identification and verification of the Ultimate Beneficial Owner (UBO)
- Nature of business activities
- Source of funds or source of wealth information, where required by the firm’s risk assessment
Once collected, this information is verified against independent third-party sources, including government records, Companies House, UK credit reference agencies and other financial institutions. Verification is what distinguishes a compliant KYC process from a tick-box exercise.
Once a customer is verified, their data is stored securely and used as the baseline for transaction monitoring and customer review activities. If account activity deviates from what the customer’s profile would suggest, that deviation is flagged for review. This monitoring serves two purposes: detecting suspicious activity that may indicate money laundering or terrorist financing, and identifying potentially fraudulent activity.
Customers may also be required to provide additional documentation after onboarding. This typically occurs when a customer’s circumstances change, transaction activity raises questions, or a periodic review identifies gaps in the original verification. The FCA expects firms to treat KYC as a continuous obligation rather than a one-time onboarding task.
KYC, Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD)
AML KYC compliance requires UK-regulated firms to take a risk-based approach, assessing each customer individually to determine whether standard Customer Due Diligence (CDD) or Enhanced Due Diligence (EDD) applies. The depth of scrutiny applied to any given customer depends on that assessment.
The risk-based approach
Not all customers present the same level of risk. The risk-based approach requires firms to calibrate their due diligence accordingly, applying greater scrutiny where risk is higher and proportionate measures where risk is lower. This approach is supported by JMLSG guidance, which provides sector-specific direction on how UK financial services firms should apply it in practice.
Standard CDD
Where a customer is assessed as lower risk, standard CDD applies. UK-regulated firms are required to:
- Identify and verify the customer’s identity using reliable, independent source documents, data or information.
- Identify and verify the beneficial owner’s identity.
- Conduct ongoing customer due diligence throughout the business relationship, scrutinising transactions undertaken.
- Verify that any person claiming to act on behalf of the customer is adequately authorised.
Enhanced Due Diligence (EDD)
Where a customer is assessed as higher risk, Enhanced Due Diligence (EDD) is required. EDD goes further than standard CDD and may involve:
- Collection of additional customer identification materials.
- Verification of the source of customer funds and the source of wealth.
- Close scrutiny of the purpose of transactions or the nature of business relationships.
- Identification and verification of the Ultimate Beneficial Owner (UBO).
- Enhanced review procedures proportionate to the customer’s assessed risk level.
Customer activity should continue to be reviewed throughout the business relationship to identify material changes that may affect the firm’s assessment of ML/TF risk.
KYC and AML obligations apply both at onboarding and throughout the customer relationship as circumstances evolve and transaction activity develops over time.
Evolving KYC for AML compliance
Implementing effective KYC controls while managing the practical demands of customer onboarding is one of the more complex operational challenges facing UK-regulated firms. The pressure to process customers efficiently must be balanced against the level of scrutiny required by the MLRs 2017.
A July 2025 statement by the Wolfsberg Group reaffirmed that the risk-based approach must be defined by three principles: proportionality, prioritisation and effectiveness. Firms should focus resources on higher-risk customers and activities rather than applying a one-size-fits-all, rules-based approach. The focus must be on outcomes, not process for its own sake.
Technology plays a growing role in how UK firms manage AML KYC processes, but the mechanism matters more than the marketing. Three developments are worth noting.
- Machine learning models trained on transaction data can identify anomalies in real time. This reduces dependence on static rules-only systems, which generate high false-positive rates, and supports continuous transaction review without adding to the manual review burden.
- Advanced data analysis can flag changes in customer behaviour that rules-based alerts would miss, allowing deviations from a customer’s stated risk profile to be identified and escalated before they become a reporting failure.
- Biometric KYC measures, including document scanning and liveness checks, allow firms to verify identity remotely while maintaining the audit trails FCA supervision requires.
Technology should extend what compliance teams can do, not replace the risk-based judgement UK regulation requires, and RegTech is increasingly the means by which firms do this. Firms evaluating KYC technology should assess whether it produces decisions their compliance function can document, defend under FCA scrutiny and stand behind during audit.

AML and KYC software: What to look for
Evaluating KYC AML software requires UK compliance teams to look beyond feature lists. The right platform should support the full scope of a firm’s AML obligations, from onboarding through to suspicious activity reporting. These are the capabilities that matter most.
1. Integrated KYC and identity verification
A compliant onboarding process begins with knowing exactly who a customer is before the relationship starts.
- Automated identity checks: identity verified at onboarding for individuals and business entities.
- Global sanctions and PEP integration: sanctions and PEP lists, and adverse media sources, are screened during onboarding and monitored continuously.
- Advanced identity proofing: document scanning and biometric checks to support risk-based identity verification and auditability.
Without this foundation, every subsequent stage of the compliance programme is built on incomplete information.
2. Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) workflows
Not all customers present the same level of risk, and a compliant platform must reflect that distinction automatically.
- Centralised risk profiling: customer risk factors evaluated, including geography, transaction behaviour patterns and legal exposure.
- Automated EDD triggers: investigations are escalated automatically when risk thresholds are exceeded.
- Dynamic risk scores: adjusted over time based on activity and compliance events.
A platform that cannot differentiate between standard and enhanced due diligence requirements will consistently either under-screen high-risk customers or over-burden low-risk ones.
3. Real-time transaction monitoring
Identifying suspicious activity after the fact is not enough. UK-regulated firms need monitoring that flags risks as they develop.
- Continuous monitoring: financial activity is reviewed using machine learning models trained on transaction data.
- Anomaly detection: layering, structuring and unusual behaviour identified in real time.
- Compliance dashboards: alerts surfaced quickly so compliance teams can act without delay.
The difference between a timely SAR and a late one often comes down to how quickly a monitoring system surfaces the right information.
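The two monitoring patterns named above, structuring and a sudden change in account behaviour, are easiest to see in code. The following is an added example written for this article, not RelyComply's monitoring engine and not a regulatory rule set: the ledger is constructed, and the £10,000 limit, seven-day window and 5x multiplier are illustrative parameters chosen for the example. It shows a fixed-amount rule and a profile-relative rule side by side, because the second catches a deviation from the customer's own baseline that the first would never see.

```python
"""Added example: rule-based detection of structuring and of a sudden
behaviour change over a constructed transaction ledger.

Not RelyComply's code. The limit, window and multiplier are illustrative
parameters for the example, not regulatory thresholds.
"""
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed sample ledger: (customer_id, date, amount_gbp, kind).
# C-1 makes several sub-limit cash deposits in quick succession; C-2 has a
# steady pattern of small transfers followed by one very large one.
LEDGER = [
    ("C-1", date(2025, 3, 1), 9_500, "cash_in"),
    ("C-1", date(2025, 3, 2), 9_800, "cash_in"),
    ("C-1", date(2025, 3, 3), 9_700, "cash_in"),
    ("C-1", date(2025, 3, 4), 9_900, "cash_in"),
    ("C-2", date(2025, 3, 1), 1_200, "transfer_out"),
    ("C-2", date(2025, 3, 8), 1_100, "transfer_out"),
    ("C-2", date(2025, 3, 15), 1_300, "transfer_out"),
    ("C-2", date(2025, 3, 22), 1_250, "transfer_out"),
    ("C-2", date(2025, 3, 29), 48_000, "transfer_out"),
    ("C-3", date(2025, 3, 5), 20_000, "cash_in"),
]


def detect_structuring(ledger, limit=10_000, window_days=7, min_count=3):
    """Flag customers whose cash deposits each sit below `limit` but together
    reach it within a rolling `window_days` window, with at least `min_count`
    deposits. Returns {customer_id: [(first_date, last_date, total)]}."""
    by_customer = defaultdict(list)
    for cid, d, amt, kind in ledger:
        if kind == "cash_in" and amt < limit:
            by_customer[cid].append((d, amt))
    alerts = {}
    for cid, deposits in by_customer.items():
        deposits.sort()
        for i, (start, _) in enumerate(deposits):
            window = [(d, a) for d, a in deposits[i:] if (d - start).days < window_days]
            total = sum(a for _, a in window)
            if len(window) >= min_count and total >= limit:
                alerts.setdefault(cid, []).append((start, window[-1][0], total))
                break  # one alert per customer is enough for triage
    return alerts


def detect_behaviour_change(ledger, multiplier=5.0, min_history=3):
    """Flag a transaction that is `multiplier` times the customer's own prior
    average. This is a profile-relative check: the same amount might be
    unremarkable for a different customer. Returns a list of
    (customer_id, date, amount, prior_average)."""
    history = defaultdict(list)
    alerts = []
    for cid, d, amt, kind in sorted(ledger, key=lambda r: r[1]):
        prior = history[cid]
        if len(prior) >= min_history and amt >= multiplier * mean(prior):
            alerts.append((cid, d, amt, round(mean(prior), 2)))
        prior.append(amt)
    return alerts


if __name__ == "__main__":
    for cid, windows in detect_structuring(LEDGER).items():
        for start, end, total in windows:
            print(f"structuring? {cid}: {total} GBP across {start}..{end}")
    for cid, d, amt, avg in detect_behaviour_change(LEDGER):
        print(f"behaviour change? {cid} on {d}: {amt} GBP vs prior average {avg}")
```

Run as written, the structuring rule fires for C-1 (four deposits totalling £38,900 in four days) and not for C-3, whose single £20,000 deposit is above the limit and would be handled by ordinary CDD rather than a structuring rule; the behaviour-change rule fires only for C-2's £48,000 transfer against a prior average of about £1,212. Both alerts carry the figures that produced them, which is what a case note needs.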
4. Risk scoring and advanced analytics
A risk score is only useful if the compliance team can understand and defend it.
- Dynamic risk scores: customer profile, activity, external data, and sanctions exposure, all incorporated into a single score.
- Explainable analytics: results presented in a format that compliance staff can interpret and document for FCA audit purposes.
- Continuous improvement: models refined over time to reduce false positives and improve accuracy.
Opaque scoring systems create as many compliance problems as they solve, particularly under FCA scrutiny.
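Sections 2 and 4 both turn on the same mechanism: a risk score built from named factors, a threshold that moves a customer from standard CDD to EDD, and a record of what drove the score so it can be defended later. The block below is an added example written for this article to make that mechanism concrete; it is not RelyComply's model, and the factor names, weights and the threshold of 50 are invented for the example rather than values any regulator prescribes. A real model is calibrated to the firm's own business-wide risk assessment.

```python
"""Added example: an explainable customer risk score with an EDD trigger
and dynamic rescoring after onboarding.

Not RelyComply's code. Factor names, weights and the threshold are
illustrative values constructed for the example.
"""
from dataclasses import dataclass, field

# Constructed factor weights. The point is that each factor is named and
# scored separately, so the final number can be decomposed on request.
WEIGHTS = {
    "high_risk_jurisdiction": 40,
    "pep": 30,
    "adverse_media": 20,
    "cash_intensive_business": 15,
    "complex_ownership": 15,
    "unexplained_activity": 25,
}
EDD_THRESHOLD = 50  # score at or above which enhanced due diligence applies


@dataclass
class Customer:
    customer_id: str
    flags: dict = field(default_factory=dict)  # factor name -> bool


@dataclass
class RiskDecision:
    customer_id: str
    score: int
    band: str            # "standard" or "enhanced"
    contributors: list   # (factor, points) pairs, highest points first

    def explain(self) -> str:
        """Human-readable rationale suitable for a case note or audit trail."""
        parts = ", ".join(f"{f} (+{p})" for f, p in self.contributors) or "no risk factors"
        return f"{self.customer_id}: score {self.score} -> {self.band} CDD; drivers: {parts}"


def assess(customer: Customer, weights=WEIGHTS, threshold=EDD_THRESHOLD) -> RiskDecision:
    """Sum the weights of every factor flagged True and decide the CDD band.
    Unknown factor names are rejected rather than silently ignored, so a typo
    in an upstream feed cannot quietly lower a score."""
    unknown = set(customer.flags) - set(weights)
    if unknown:
        raise ValueError(f"unrecognised risk factors: {sorted(unknown)}")
    contributors = sorted(
        ((f, weights[f]) for f, on in customer.flags.items() if on),
        key=lambda fp: fp[1], reverse=True)
    score = sum(p for _, p in contributors)
    band = "enhanced" if score >= threshold else "standard"
    return RiskDecision(customer.customer_id, score, band, contributors)


def update_and_reassess(customer: Customer, new_flags: dict) -> RiskDecision:
    """Dynamic rescoring: merge events observed after onboarding (a new
    adverse media hit, a change of address to a higher-risk jurisdiction)
    and reassess, so a band change can be escalated to an EDD workflow."""
    customer.flags = {**customer.flags, **new_flags}
    return assess(customer)


if __name__ == "__main__":
    # Constructed customer: a PEP with no other flags at onboarding.
    c = Customer("C-1001", {"pep": True, "adverse_media": False})
    print(assess(c).explain())
    # Later event: the customer relocates to a high-risk jurisdiction.
    print(update_and_reassess(c, {"high_risk_jurisdiction": True}).explain())
```

The `explain()` output is the part a compliance team needs at audit: not just "score 70, enhanced" but which factors contributed how many points, in order. Rejecting unknown factor names is a small design choice with a large effect, since a silently dropped factor is exactly the kind of opaque failure the section above warns about.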
5. Sanctions, PEP and adverse media screening
Screening is only as effective as the data behind it and the matching logic applied.
- Up-to-date screening: UK and international sanctions lists, Politically Exposed Persons (PEPs) and adverse media sources checked continuously.
- Fuzzy matching and alias resolution: name variations and alternative identities caught before they create compliance gaps.
A missed sanctions match is not a technology failure; it is a compliance failure with regulatory consequences.
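The fuzzy matching and alias resolution bullet above is where most screening gaps actually arise, so here is an added example written for this article that shows the difference between exact comparison and normalised fuzzy comparison against a watchlist. It is not RelyComply's matching logic and uses no real list: the watchlist entries, aliases and the 0.85 similarity threshold are all constructed for the example. It normalises accents, punctuation and name order before scoring, and records which alias produced each hit so an analyst can see why it fired.

```python
"""Added example: fuzzy name screening against a constructed watchlist.

Not RelyComply's code and not a real sanctions or PEP list: every entry,
alias and threshold below is invented to show why exact matching leaves gaps.
"""
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed watchlist: a primary name plus known aliases (transliteration
# variants, name-order swaps). Entirely fictional.
WATCHLIST = [
    {"id": "WL-0001", "name": "Mohammed Al-Rashid",
     "aliases": ["Muhammad Alrashid", "Mohamed Al Rashid"]},
    {"id": "WL-0002", "name": "Ekaterina Sokolova",
     "aliases": ["Yekaterina Sokolova", "Sokolova Ekaterina"]},
    {"id": "WL-0003", "name": "Jean-Pierre Dubois", "aliases": []},
]


def normalise(name: str) -> str:
    """Strip accents, case, punctuation and surplus spaces so that
    'Al-Rashid' and 'al rashid' compare equal before any fuzzy scoring."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    plain = re.sub(r"[^a-zA-Z0-9 ]+", " ", plain).lower()
    return " ".join(plain.split())


def token_sorted(name: str) -> str:
    """Sort tokens so that first/last name order does not affect the score."""
    return " ".join(sorted(normalise(name).split()))


def similarity(a: str, b: str) -> float:
    """Similarity ratio in [0, 1] on the normalised, token-sorted forms."""
    return SequenceMatcher(None, token_sorted(a), token_sorted(b)).ratio()


def screen(name: str, threshold: float = 0.85) -> list:
    """Return candidate hits ordered by score. The threshold is a tuning
    choice for the example, not a regulatory number; too high and variant
    spellings are missed, too low and the false-positive queue grows.
    Each hit records the list form that matched, for the audit trail."""
    hits = []
    for entry in WATCHLIST:
        best_score, best_form = 0.0, None
        for form in [entry["name"], *entry["aliases"]]:
            s = similarity(name, form)
            if s > best_score:
                best_score, best_form = s, form
        if best_score >= threshold:
            hits.append({"id": entry["id"], "matched_form": best_form,
                         "score": round(best_score, 3)})
    return sorted(hits, key=lambda h: h["score"], reverse=True)


def exact_only(name: str) -> list:
    """Naive comparison for contrast: normalised but requiring an exact
    string match on the primary name, so every variant spelling is missed."""
    n = normalise(name)
    return [e["id"] for e in WATCHLIST if normalise(e["name"]) == n]


if __name__ == "__main__":
    for query in ["Muhamad Al Rashid", "Sokolova, Yekaterina", "John Smith"]:
        print(f"{query!r}: exact={exact_only(query)} fuzzy={screen(query)}")
```

With the constructed data, "Muhamad Al Rashid" and "Sokolova, Yekaterina" produce no exact match at all but both score above the threshold against the right entry, while "John Smith" correctly returns nothing. The threshold is the lever the false-positive section later in this article is about: it should be set from measured hit rates on the firm's own customer base, and the chosen value and its rationale documented.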
6. Case management and investigations workflow
When an alert is raised, what happens next must be documented, defensible and auditable.
- End-to-end investigation tracking: cases followed from alert through to resolution with full audit trails.
- Team collaboration tools: assignment, escalation and case-sharing features for compliance functions.
- Centralised evidence repository: decisions, notes and outcomes stored in a single location that satisfies FCA audit readiness requirements.
A compliance function that cannot demonstrate how it handled an alert is in a weaker position than one that never received it.
7. Regulatory reporting and audit trails
The FCA expects firms to be able to produce a clear account of their compliance activity at any point.
- Transparent compliance logs: actions, alerts, decisions and investigations recorded in full.
- SAR and FCA reporting: exportable data for Suspicious Activity Reports filed with the NCA and responses to FCA requests.
- Continuous record-keeping: audit trail maintained in line with MLRs 2017 requirements.
Firms that cannot produce that account quickly and completely face a harder conversation with their regulator.
8. Integration and scalability
A compliance platform that cannot connect to existing systems creates operational risk rather than reducing it.
- System integration: seamless connection with core banking, CRM and onboarding platforms.
- Modular architecture: capabilities added as the firm’s regulatory obligations grow.
- Flexible deployment: cloud-based or hybrid deployment options suited to FCA-regulated environments.
As a firm grows and its regulatory obligations evolve, its compliance technology must keep pace.
9. User experience and false positive management
A platform that generates excessive false positives does not reduce compliance risk; it redistributes it into manual review queues.
- Intuitive interfaces: minimal noise from false alerts, so compliance teams focus on genuine risk.
- Customisable risk thresholds: manual review burden reduced without compromising programme rigour.
- Transparent analytics: results presented clearly so compliance staff can interpret and act on them easily.
The goal is a compliance function that spends its time on genuine risk rather than on managing the limitations of its own technology.
Managing AML and KYC obligations with RelyComply
The compliance challenge does not end at onboarding. Firms must ensure their AML and KYC programmes remain current, documented and defensible as their customer base grows and their regulatory obligations develop. Under FCA supervision, the question is never whether a firm has an AML and KYC programme. It is whether that programme holds up when it is tested.
For UK-regulated firms looking to manage their AML and KYC obligations more effectively, RelyComply provides a platform built specifically for the compliance functions of regulated financial institutions. To see how it works in practice, book a demo with our team.
Frequently asked questions
Is KYC part of AML?
Yes. KYC is one component of a firm’s broader AML programme. AML sets the overarching obligation, and KYC is the process used to verify customer identities and assess risk in meeting it. Under the MLRs 2017, UK-regulated firms must implement both.
What is the difference between CDD and KYC?
KYC is the process of identifying and verifying a customer’s identity. Customer Due Diligence (CDD) is broader; it encompasses KYC but also includes ongoing monitoring of the business relationship, risk rating and scrutiny of transactions. The MLRs 2017 require UK-regulated firms to apply CDD measures to all customers, with the depth of scrutiny determined by the customer’s assessed risk level. Both sit at the heart of KYC and AML compliance under UK regulation.
Who needs to carry out KYC checks in the UK?
Under the MLRs 2017, KYC checks are required of all firms operating in the UK regulated sector, including:
- Banks and building societies
- Insurers
- Payment institutions
- Asset managers
- Money service businesses
- Certain legal and accountancy practices
The FCA supervises most financial services firms for AML compliance and expects KYC to be embedded in both onboarding and ongoing monitoring processes.
What happens if a firm fails to meet its KYC obligations?
Firms that fail to implement adequate KYC controls risk enforcement action from the FCA, including financial penalties, public censure and, in serious cases, restrictions on regulated activities. The FCA derives its powers to impose financial penalties from the Financial Services and Markets Act 2000 (FSMA), and fines are determined on a case-by-case basis based on the severity of the breach, the firm’s conduct, and its cooperation with the regulator.
In 2023, the FCA fined Guaranty Trust Bank (UK) Limited £7,671,800 for failures in its AML controls, including inadequate customer due diligence, and AML penalties are rising. Individual accountability may also apply under the Senior Managers and Certification Regime (SM&CR).
What is the difference between a SAR and an STR?
A Suspicious Activity Report (SAR) is the term used in the UK for a report submitted to the National Crime Agency (NCA) when a firm suspects money laundering or terrorist financing. Some international jurisdictions use the term Suspicious Transaction Report (STR) to describe a similar obligation. UK-regulated firms must use SAR terminology; using the correct term matters for regulatory accuracy and audit readiness under FCA supervision.