AML for Fintech — UK guide
FCA-supervised payment services, e-money, cryptoasset firms, challenger banks. The three structural challenges (CDD at scale, transaction monitoring, real-time sanctions screening), and what the FCA expects.
By Mehmood Rajoka · Last updated 2026-06-08
TL;DR — Quick Summary
- Fintech is one of the UK's most heavily AML-scrutinised regulated sectors — FCA-supervised cryptoasset firms, payment-services providers, e-money institutions, and challenger banks face higher inspection density than almost any other regulated category.
- The framework is FCA-supervised MLR 2017 + POCA + SAMLA + sector-specific regulation (PSR 2017 for payment services, EMR 2011 for e-money, Cryptoasset Registration regime for cryptoasset firms).
- Three areas drive most fintech AML enforcement: customer due diligence (CDD) at scale (consumer-facing fintechs onboard at volume), transaction monitoring (the fintech volume profile makes legitimate suspicion harder to surface), and sanctions screening (real-time payment rails need real-time screening).
- Cryptoasset firms additionally face the FCA Cryptoasset Registration regime — every UK-active cryptoasset business must be registered, with the application process including substantive AML programme review.
- Mid-market fintechs (post-product-market-fit, growing user base, multiple products) face the structural challenge of scaling AML programmes faster than the user base — manual workflows that work at 10,000 users break at 100,000.
Answer-first summary
What is AML for fintech?
AML for fintech is the application of the UK MLR 2017 + POCA + SAMLA framework to fintech businesses — payment-services providers, e-money institutions, cryptoasset firms, challenger banks, open-banking fintechs. The regulatory substance is identical to other UK regulated sectors; the operational challenge differs because fintech volume, transaction patterns, and customer-onboarding velocity create scale problems traditional financial-services firms didn't face. Cryptoasset firms additionally need FCA Cryptoasset Registration. Three areas drive most fintech AML enforcement: CDD at scale, transaction monitoring at fintech volume, real-time sanctions screening.
- FCA-supervised across PSPs, e-money, cryptoasset, challenger banks
- Three structural challenges: scale CDD, transaction monitoring, real-time sanctions
- Cryptoasset Registration regime for crypto firms
- Six recurring FCA expectations
Five fintech subsegments
Each has its own regulatory permission type and supervisory regime, but all share the MLR 2017 + POCA framework:
Payment-services providers (PSPs)
Authorised or registered under the Payment Services Regulations 2017. Examples: Wise, Revolut (payments licence), Stripe UK. MLR 2017 + PSR 2017 + FCA supervisory expectations. Real-time payment rails require real-time sanctions screening.
E-money institutions
Authorised under the Electronic Money Regulations 2011. Issue electronic money (prepaid cards, digital wallets). Many consumer-facing fintech apps operate as e-money institutions. FCA-supervised with specific AML obligations.
Cryptoasset firms
Registered under the FCA's Cryptoasset Registration regime (MLR 2017 amended 2020). Cryptoasset exchange providers and custodian wallet providers must be registered. Substantive AML programme review during application; ongoing supervisory expectations afterwards.
Challenger banks and neo-banks
FCA-authorised credit institutions. Operate under the full bank AML framework — MLR 2017, PRA prudential expectations, FCA conduct expectations. Among the most heavily supervised fintech subsegments.
Open banking and PSD2-enabled fintechs
Authorised under the Payment Services Regulations 2017 as Account Information Service Providers (AISPs) or Payment Initiation Service Providers (PISPs). AML obligations apply but are typically lighter than for direct payment-services providers.
Three structural challenges
These drive most fintech AML enforcement action:
CDD at consumer-onboarding volume
Consumer fintechs onboard at scale — 1,000+ users per day at growth stage. Manual CDD is impossible; automated identity verification is mandatory. The verification provider's quality directly determines the fintech's AML risk position. Inadequate or misconfigured identity verification surfaces as AML weakness during FCA review.
Transaction monitoring at fintech volume
Legitimate fintech transaction patterns (high-frequency, low-value, cross-border, cross-product) make typical money-laundering indicators harder to surface. Rule-based monitoring catches the easy cases; machine-learning-augmented monitoring is increasingly expected at scale. Tuning for false-positive rates is itself a substantive AML workstream.
Real-time sanctions screening
Real-time payment rails (Faster Payments, SEPA Instant, card networks) need real-time sanctions screening. A two-hour batch screening cycle is incompatible with the product offering. Screening has to run at the transaction level, with sub-second latency, integrated with the payment authorisation flow.
Six recurring FCA expectations
- Documented firm-wide risk assessment under MLR 2017 Reg 18 with explicit fintech-sector risks (technology-enabled rapid scaling, customer remoteness, transaction-pattern complexity)
- Senior management functions (SMF) holders with AML accountability — typically including the MLRO as SMF-17, the CRO/Compliance lead, the CEO, and independent non-executive director oversight
- Three-lines-of-defence model — first line operational AML (front-office, customer-facing teams), second line compliance and AML oversight, third line internal audit
- Specific FCA reporting flows — REP-CRIM annual financial crime return, and the various other SUP-required reports depending on permission type
- FCA's annual Dear CEO letters to the financial-crime sector — substantive expectations that change year-on-year and need to be reflected in the firm-wide programme
- Documented incident response for AML-relevant incidents — system outage during real-time screening, vendor failure, internal compliance breach, etc.
FAQ
What is AML for fintech?
AML for fintech is the application of the UK MLR 2017 + POCA + SAMLA framework to fintech businesses — payment-services providers, e-money institutions, cryptoasset firms, challenger banks, open-banking-enabled fintechs. The substance of the regulatory framework is identical to other UK regulated sectors; the operational challenge differs because fintech volume, transaction patterns, and customer-onboarding velocity create scale problems that traditional financial-services firms didn't face.
Which fintechs are FCA-supervised?
Authorised payment services providers under PSR 2017; e-money institutions under EMR 2011; cryptoasset firms registered under the FCA Cryptoasset Registration regime; authorised credit institutions (challenger banks) under the FSMA; PSD2-enabled fintechs (AISPs and PISPs). Most consumer-facing UK fintechs sit in one of these categories, with FCA as the AML supervisor. Some B2B fintechs operating outside these regulated permission types may sit outside FCA supervision entirely; HMRC may be the supervisor for some TCSP-adjacent fintech models.
What are the FCA's main fintech AML expectations?
Six recurring expectations. Documented firm-wide risk assessment with explicit fintech-sector risks. SMF-holders with AML accountability (typically MLRO as SMF-17). Three-lines-of-defence model. Specific FCA reporting flows including REP-CRIM. Reflection of the FCA's annual Dear CEO letters to the financial-crime sector. Documented incident response for AML-relevant incidents. The FCA publishes ongoing guidance through Final Notices, supervisory letters, and policy statements — currency with these is itself an expectation.
What are the three main fintech AML challenges?
Three. CDD at consumer-onboarding volume — manual CDD is impossible at fintech scale, automated identity verification is mandatory, the verification provider's quality determines the fintech's AML risk position. Transaction monitoring at fintech volume — legitimate fintech patterns make money-laundering indicators harder to surface, machine-learning-augmented monitoring increasingly expected. Real-time sanctions screening — real-time payment rails need sub-second sanctions screening integrated with payment authorisation, not batch screening.
Do cryptoasset firms have additional AML obligations?
Yes. Cryptoasset exchange providers and custodian wallet providers active in the UK must be registered under the FCA Cryptoasset Registration regime (MLR 2017 amended 2020). The application process includes substantive AML programme review — many applications have been rejected for inadequate AML controls. Ongoing supervisory expectations apply post-registration, including specific cryptoasset-sector reporting flows and FATF Travel Rule compliance for cross-firm transactions.
Does Certivus serve fintechs?
Certivus is designed for UK regulated firms operating MLR 2017 — which includes the fintech sector. The product handles the substantive AML workflows (CDD, EDD, beneficial ownership, sanctions screening, monitoring, training, SAR pipeline, audit-ready export). For fintechs needing API-first integration with high-volume real-time onboarding flows, integration is on the roadmap — current Certivus deployment fits B2B fintechs, mid-volume consumer fintechs, and fintechs treating Certivus as the AML system of record alongside specialist real-time screening tools.