The Top Emerging AML Threats Facing the UK
Financial crime, from money laundering to terrorist financing, remains deeply embedded in the British economy. But it’s changing.
According to the 2025 National Risk Assessment, there are three emerging compliance threats facing the UK: electronic money institutions (EMIs), crypto assets, and artificial intelligence (AI).
In 2017, these were seen as low-risk. By 2025, they’re flagged as high-risk, driven by mass adoption, regulatory blind spots, and rapid innovation outpacing enforcement.
This article breaks down:
Why each threat has escalated so quickly
Real-world case studies from the UK’s own AML frontline
What financial crime teams can do to stay ahead, with specific, actionable tactics.
The AML risks of fintech
The scale of fintech adoption directly correlates with its rising risk level. While adoption increased gradually up to 2020, the onset of the pandemic, with its accompanying mandate to stay indoors, drove many banking customers to look for online bank account onboarding.
As Jonathan Fu pointed out in his study, “the pandemic's spread has led to between a 21% and 26% increase in the relative rate of daily downloads of finance−related mobile applications.”
In 2024 alone, the British payments platform Monzo increased its customers by 25%, a whole 4 million new customers. Considering it was founded in 2014, it’s easy to see the fast rate of change in such a short space of time.
Adoption has been fast, but the rate at which financial crime professionals and government authorities have been able to keep up with advances in technology has not been fast enough.
Fintechs have several vulnerabilities
High-risk by design: EMIs are designed to service businesses from high-risk jurisdictions and sectors, often relying on compliance software to “bank the unbankable”. This exposes them to bad actors.
Loose regulatory requirements: EMIs are subject to less stringent regulatory requirements than retail banks.
AML outsourcing: EMIs often outsource AML checks to third parties unfamiliar with their product. However, EMIs must also assess their risk level. It’s a counterintuitive system.
Use of virtual IBANs: EMIs offer virtual IBANs as a product, which, without robust UBO verification, enables bad actors to exploit the system.
Links to crypto: Many fintechs are either directly or indirectly involved with crypto asset firms, particularly via e-money agents.
Weak AML systems: As the NRA noted, analysts at EMIs often skip “vital steps” during the onboarding process.
As the NRA notes, “banks are subject to more stringent regulatory requirements in non-MLR regulations, such as the Financial Services and Markets Act 2000. As a result, criminals may have more opportunity to find an MLR-regulated firm in the EMIs/PSPs sector with weaker onboarding controls.”
The FCA enables EMIs, for example, to assess their risk level and build systems calibrated against that risk level.
This means they can unwittingly onboard businesses registered in high-risk jurisdictions like Malta, Cyprus or the British Virgin Islands owing to limited available information. Fintechs claim they can ‘bank the unbankable’ through technology, but this means they often fall short.
According to the 2025 NRA, the problem for fintechs is that businesses operating in jurisdictions like Malta and Cyprus often have “complex arrangements” associated with “high value overseas predicate offences, including corruption and fraud, where funds are routed through varying combinations of transit and end points”. Verifying beneficial owners, therefore, is extremely difficult, time-consuming, and resource-intensive.
Fintechs like Klarna, Revolut and Starling have all been fined for failing to verify beneficial owners, often a result of siloed systems and reliance on static data sets. Use a trusted provider of official corporate registry data like Kyckr, with access to 300+ official corporate registries.
The compliance problem with virtual IBANs
Another issue is the product offering of virtual IBANS, which can be used across borders. In one case pointed out by the NRA, a shadow banking platform incorporated in a high-risk jurisdiction issued virtual IBANs to over 60,000 UK companies, mostly Mini Umbrella Companies (MUCs).
There were no customer checks, leading to £2.5 billion laundered annually in its final year, and £500 million lost to UK tax authorities. Criminals loaded prepaid cards with dirty money and fooled both the EMI and the three UK safeguarding banks. HMRC shut it down, froze £40 million in assets, and struck off 20,000 MUCs. That case is still ongoing.
As regulatory compliance expert Pierre Simon said of virtual IBANs, “Money can actually be routed to an account, maybe outside of the EU or any other part of the world. We cannot see that booking, and also, law enforcement cannot see how the money flow is going. From an AML perspective, it makes it risky.”
Another central issue is business accounts, which are, as the NRA notes, “increasingly targeted by money mules” and now account for 1 in 5 cases reported to Cifas. The transfer of large amounts of money in business accounts isn’t suspicious, especially in cash-intensive enterprises.
Take the National Crime Agency’s Operation Destabilise, which targeted a multi-billion-dollar money laundering operation, using business accounts via a company called ISM Scaffolding Limited.
How to mitigate fintech risks
1. Enforce due diligence on third-party EMI/PSP partnerships: If your institution offers safeguarding or banking services to EMIs or PSPs, demand visibility into their AML programmes, particularly around customer due diligence (CDD) standards, use of virtual IBANs, and outsourced KYC vendors.
2. Treat ‘tailored risk frameworks’ from fintechs as a red flag: When onboarding new fintech clients, consider any self-assessed low-risk classification as suspect. Apply your own quantitative risk scoring models using transaction data and behavioural patterns.
3. Build a model to flag bulk onboarding behaviour: The example of 60,000 UK companies being issued virtual IBANs with no checks suggests a pattern. Create heuristics or unsupervised models to detect unusually high velocity of new corporate customers, repeated use of the same business address or IP ranges, and correlation between dormant accounts and high-risk jurisdictions.
4. Develop non-siloed due diligence: Many EMIs and fintechs rely on fragmented access points to multiple corporate registers, which makes onboarding time-consuming and makes it harder to verify beneficial owners of complex corporate structures. Use a trusted source of official company register data like Kyckr, with API access points to hundreds of different registers, to easily verify beneficial owners.
The AML risks of crypto
Crypto assets’ risk level also directly correlates with their adoption and wider integration within the financial system.
The NRA judged the risk level of crypto assets as low in 2017, medium in 2020, and high in 2025. This relates to the increasingly popular usage of crypto in Britain. According to the Financial Conduct Authority (FCA), 12% of the population in 2025, up from 4.4% in 2021.
It also relates to crypto’s increasing legitimacy in public institutions, with popular high-street brands like Argos and Costa Coffee accepting bitcoin for in-store gift cards.
As crypto assets have grown in their popularity, so too have incidents of crypto money laundering, which have increased rapidly since 2020. The NCA estimates up to $5.1 billion in dirty crypto linked to the UK each year. Chainalysis puts the global total at $22.2 billion, but that’s only what’s been identified.
AML risks posed by cryptoexchanges
Privacy-enhancing tools: mixers, tumblers, wallets that scramble transaction data. Criminals use them to hide the origins of funds.
Decentralised Finance (DeFi): no intermediaries, automated transfers, and public-facing code anyone can exploit.
Unregulated cryptoexchanges: Many offshore or unregulated crypto exchanges offer services with limited oversight. In April 2025, 32 firms appeared to be offering crypto services illegally. That’s likely an undercount. Investigators lack resources, training, and access to overseas platforms.
Disparate global AML rules: There are no worldwide crypto governance rules, as retail banks adhere to SWIFT rules. Many countries haven’t implemented crypto AML rules, and overseas exchanges, especially decentralised ones, offer no central authority to liaise with.
Privacy by design: Privacy coins like Monero, along with mixers and crowdfunded platforms, offer new ways to raise and mask terrorist funds.
A central component of cryptoassets is what the NRA calls the “pseudo-anonymity” they afford. Crypto providers are often reluctant to work with law enforcement and are perhaps ideologically predisposed to not implementing robust AML measures. This is perhaps why only 14% of the firms applying for an FCA-registered status met the requirements.
Crypto’s link to terrorist financing
According to the NRA, “the greatest threat in terms of cryptoasset money laundering” is unregistered crypto exchanges falling outside the FCA’s remit, a similar challenge faced by financial crime professionals when it comes to EMIs.
Terrorist financing is also a significant threat, evidenced by cases like that of Hisham Chaudhary, who, in 2021, was convicted of terrorist financing. He converted £55,000 of legitimate income into Bitcoin, sending it to Türkiye to support Islamic State extractions from Syrian camps.
The NRA outlined three emerging cryptoasset threats in terrorist financing:
Crypto hacking
Crowdfunding donation-based platforms. The FATF recently highlighted that crowdfunding incorporates virtual asset providers.
Use of privacy-enhancing services. Coins like Monero are building technology that masks individuals.
While attempts at regulating cryptoassets in the UK are far from perfect, there has been progress.
As the NRA noted, there have been increased attempts to regulate and enforce against crypto providers.
After FCA intervention, some crypto firms have introduced improvements. The UK government introduced a ‘travel rule’ in September 2023, requiring crypto exchanges to collect, verify and share information about senders and receivers of asset transfers.
How to mitigate crypto risks
1. Risk-weight crypto counterparties by FCA registration status: Actively ingest and maintain a list of FCA-registered Virtual Asset Service Providers (VASPs). Model transaction risk based on registration status, known history of mixers or tumblers, and exposure to privacy coins.
2. Incorporate Chainalysis-style heuristics in monitoring tools: If you bank crypto-adjacent businesses, train models to detect common laundering patterns like rapid inflows, activity spikes during high-volatility crypto periods, and use of high-risk tokens (Monero, Tornado Cash histories).
3. Develop typologies of crypto-to-fiat conversions: Use clustering techniques to detect "cash-out" rings, especially those linked to prepaid card loads, merchant settlement flows, or P2P networks.
The AML risks of Artificial Intelligence (AI)
As the NRA noted, AI poses both the greatest threat and benefit in the fight against money laundering.
Since 2020, AI has been adopted rapidly across the private and public sectors. It wasn’t mentioned in the 2020 edition of the NRA. However, much has changed since then. ChatGPT was rolled out in 2022, and now, in 2025, 67% of Londoners are using AI.
Compliance risks posed by AI
Automated money mule recruitment: AI runs end-to-end money mule recruitment, from using automated tools to scrape data from platforms by age, occupation and income level to chatbots that communicate with mules.
Fraud: AI enhances fraud by creating realistic fake IDs, automating credit checks, and auto-filling onboarding forms.
Moving funds: Trained AI models can move illicit funds in believable ways, mimicking real customer behaviour.
AML noise: Swamp AML detection systems with low-value synthetic accounts to create noise and obscure criminal activity.
At the same time, AI is changing law enforcement and regulated firms. AI can reduce the volume of false positives, analysing huge, complex datasets, from social media to financial records, connecting the dots between people and companies, and flagging suspicious behaviour.
How to mitigate AI risks
1. Harden onboarding processes against synthetic identity attacks: Introduce biometric liveness testing or real-time selfie/video validation, and use anomaly detection (e.g. timestamp clustering, IP geolocation mismatches) to catch auto-generated KYC form fills.
2. Train models to detect ‘AI-like’ behaviour in transaction patterns: This includes unusually consistent or statistically unlikely transaction patterns that mimic legitimate behaviour, and use adversarial learning, simulate AI-generated laundering flows and use them to test the robustness of your monitoring systems
3. Build NLP models to monitor mule recruitment surfaces: Deploy crawlers to scrape job boards and social platforms for keywords used in mule recruitment (e.g. “remote cash handling”, “payment forwarding”) and Cross-reference with customer metadata to flag high-risk customers being targeted or engaging with these sources.
Companies can’t assess risk without verification
The tools of financial innovation are escalating threats, each bringing its own set of vulnerabilities.
Fintechs are banking the unbankable with outsourced AML and fragmented risk controls. Crypto platforms offer pseudo-anonymity, decentralisation, and cross-border velocity that traditional systems weren’t built to track. And AI is creating new frontiers in both fraud and detection, depending on who wields it.
You can’t assess risk if you can’t verify who you’re dealing with. That’s why access to trusted, official company data is foundational to any robust AML framework.
Kyckr gives you real-time access to over 300 company registries worldwide, allowing compliance teams to verify UBOs, cross-check entity data, and spot inconsistencies at the source.