The U.K. government has published the Money Laundering and Terrorist Financing (Amendment) Regulations 2026 (The 2026 Regulations), introducing targeted but meaningful amendments to the 2017 Money Laundering Regulations (MLRs). The reforms place deliberate emphasis on crypto asset firms, higher‑risk relationships and governance-trigger events like changes in control. With implementation phased across 2026–2027, now is the time to pay attention.
The 2026 Regulations focus on areas where crypto business models have historically relied on operational workarounds rather than structural controls, including enhanced due diligence, information gaps in cross‑border transactions, and opacity around ownership and control. The direction of travel is unmistakeable, and crypto-asset firms are expected to meet the same standards of traceability, governance and accountability that apply across traditional financial services.
Regulatory scrutiny is also evolving. The question no longer is whether policies exist but whether firms can consistently capture, transmit and rely on high‑quality counterparty information at scale, including when transactions involve jurisdictions or counterparties with weaker implementation. The uncomfortable reality is that many crypto anti-money laundering (AML) programmes still pass muster because people and manual exceptions are quietly absorbing the gaps. The U.K.’s reforms make that model increasingly difficult to defend, and reliance on manual review or “best efforts” arguments is no longer acceptable as a primary control approach.
This isn’t just a U.K. tightening. While the U.K. and EU differ in supervisory architecture, the intent is aligned. At the EU level, the Anti-Money Laundering Authority (AMLA) is already framing crypto as a priority risk area and expects crypto asset service providers (CASPs) to have effective AML systems from day one. Incomplete counterparty information, uneven Travel Rule implementation and reliance on manual intervention are now being used to assess whether control frameworks are operating as intended and, in particular, whether they remain effective as volumes increase and operating complexity grows.
Together, AMLA and the 2026 Regulations signal the same outcome: crypto is being normalised into the financial system’s control expectations. Firms will need to get comfortable with fewer excuses around crypto gaps, home in on fixing messy data, and apply more scrutiny of governance and ownership structures. That operational reality explains why crypto is now being used as the proving ground for a tougher, less forgiving phase of AML supervision, and crypto’s “no excuses” moment reflects not only a crypto‑specific recalibration but also a broader evolution in how AML supervision is being applied.
This shift is also changing how supervisors engage with firms and what they expect senior leadership to know and oversee. Reviews are becoming more evidence‑driven and iterative, with regulators testing how issues are identified, escalated, tracked and resolved over time. For boards, that increasingly means being able to demonstrate visibility into recurring AML weaknesses, clarity on ownership and remediation timelines, and confidence that management information reflects how controls operate in practice, not just how they are designed.
So, what should boards, chief risk officers, chief compliance officers and chief technology officers actually do with this? Three key questions should already be on the agenda:
First: If regulators removed the benefit of the doubt tomorrow, could we defend our crypto AML framework end‑to‑end? That means not just having policies but also being able to demonstrate how we handle incomplete Travel Rule information, high‑risk counterparties, cross‑border flows and vendor reliance without reverting to “best efforts.”
Second: Does our crypto AML control environment scale, or does it collapse into manual judgment at volume? Growth doesn’t just expand revenue, it also expands exposure, and regulators are increasingly unimpressed by programmes that operate with only today’s transaction levels in mind.
Third: When crypto AML weaknesses surface, are there clear senior ownership and decision rights to act upon, or do issues stall somewhere between and amongst compliance, product, technology and commercial teams? The expectation is that firms are able to demonstrate who is accountable at the senior leadership level, how issues are escalated with speed and authority, and whether governance structures drive action rather than tolerance when controls fall short.
For chief compliance officers, this marks a shift from framework design to operational credibility. Many crypto AML programmes still rely heavily on people and judgment. Regulators now expect AML controls to function predictably and repeatably.
For chief risk officers, crypto is no longer a contained compliance topic – it is an enterprise risk. Weaknesses in customer due diligence, ownership transparency or cross‑border controls can quickly intersect with sanctions exposure, national-security considerations and broader market-integrity risks.
For chief technology officers, crypto AML programmes have become a core design responsibility rather than a downstream compliance input. What AMLA and the MLRs are signalling is that regulators are increasingly intolerant of architectures that rely on remediation rather than prevention. The question for technology leaders is whether AML controls are embedded into platforms, data flows and change governance from the outset, or whether compliance continues to inherit structural limitations for which no amount of policy or review can fully compensate.
For boards, normalisation of crypto reframes governance expectations entirely. Boards are expected to demonstrate clear ownership of financial crime risk in crypto businesses, including how AML considerations influence growth decisions, geographic expansion, product design and investment priorities.
The bottom line
The 2026 Regulations signal a maturing phase in the U.K.’s approach to crypto financial crime: fewer new ideas, less tolerance for variability and clearer articulation of what “good” looks like in practice. While the rules themselves have not changed dramatically, the room for interpretation has narrowed considerably. Consistency, transparency and governance are now the defining themes, and expectations are becoming more explicit, and less flexible.
