JMLSG Revises AML/CTF Guidance for UK Compliance
Summary
The Joint Money Laundering Steering Group published substantive revisions to Part I of its AML/CTF guidance on 4 February 2026, updating MLRO responsibilities to include explicit cross-border and group oversight requirements. The revisions to Chapters 3 and 6 also align data protection provisions with UK GDPR and the Data (Use and Access) Act 2025, replacing the previous 40-day response period with the UK GDPR one-month standard.
What changed
The JMLSG revised Chapters 3 and 6 of its Part I AML/CTF guidance, introducing new requirements for MLRO oversight of cross-border and group activities. Chapter 3 now explicitly requires MLROs to have authority to oversee AML/CTF activities across group entities within and outside the UK, including the ability to test and review such activities. Chapter 6 updates data protection provisions from the Data Protection Act 1998 to align with UK GDPR and the Data Protection Act 2018 (as amended by the Data (Use and Access) Act 2025), including changing the subject access request response period from 40 calendar days to one calendar month.
Compliance officers at affected UK financial services firms should review and update AML/CTF policies to address cross-border and group oversight requirements, including information-sharing protocols and governance arrangements. Firms must also update subject access request procedures to comply with UK GDPR timelines and evaluate existing procedures under the current statutory regime. The revised guidance was submitted to HM Treasury for ministerial approval, which remains pending as of 31 March 2026.
What to do next
- Review and update AML/CTF policies to incorporate explicit cross-border and group oversight requirements for the MLRO
- Update subject access request procedures to comply with UK GDPR one-month response timeline
- Assess information-sharing protocols and governance arrangements for group entities conducting UK AML/CTF activities
Source document (simplified)
March 31, 2026
Revisions to JMLSG Guidance
Following Board approval in January 2026, the Joint Money Laundering Steering Group (JMLSG) revised Part I of its guidance on anti-money laundering (AML) and counter-terrorist financing (CTF). The revisions were published on 4 February 2026 and consist of controlled amendments to Chapters 3 and 6, addressing the role of the firm's Money Laundering Reporting Officer (MLRO) and data protection requirements. The revised guidance has been submitted to HM Treasury for ministerial approval, which remains pending as of 31 March 2026.
Chapter 3: Monitoring effectiveness of money laundering controls
The provisions in Chapter 3 address factors relevant to the effectiveness of AML controls, including the adequacy of resources, monitoring procedures, internal review processes, and the management of the MLRO. The revised guidance maintains the core requirements for the MLRO while incorporating additional specification of responsibilities in respect of oversight and monitoring.
Under the prior guidance, the MLRO was required to maintain independence, with direct access to the Financial Conduct Authority (FCA) and law enforcement agencies, including the National Crime Agency (NCA). The 2026 revisions retain these requirements and supplement them with explicit references to cross-border/group considerations. The MLRO must have due authority and independence to oversee all aspects of the firm’s AML/CTF activities, including access to all relevant information. This includes oversight of AML/CTF activities undertaken by the group or other entities within or outside the UK, where relevant to the UK regulatory system. The MLRO must be free to have direct access to the FCA and (where the nominated officer) appropriate law enforcement agencies, including the NCA, and to liaise with the NCA on their own authority regarding transactions or suspicious activity.
Oversight of the implementation of the firm’s AML/CTF policies and procedures, including the risk-based approach, remains primarily the responsibility of the MLRO (under delegation from senior management). The MLRO must ensure that effective and appropriate monitoring processes and procedures are established and maintained, including across group entities (within and outside the UK) that undertake UK AML/CTF-specific activities—for example, the ability to test or review such activities. Where oversight activities are delegated, the MLRO retains ultimate responsibility. The effective operation of group systems and controls in branches, subsidiaries, and other group entities outside the UK (where relevant to the UK regulatory system) is influenced by the group’s ability to ensure compliance without local legal or practical restrictions.
For firms with cross-border operations, this may require examination of existing information-sharing protocols, governance arrangements, and the practical ability to conduct monitoring and testing across relevant group entities.
Chapter 6: Data Protection and Subject Access Requests
Chapter 6 provides guidance on the handling of subject access requests where a suspicious report has been submitted. The prior provisions referenced the Data Protection Act 1998, including exemptions for crime prevention and a 40-day response period. The 2026 revisions update this to reflect the applicable framework under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (as amended by the Data (Use and Access) Act 2025). Firms are required to evaluate their procedures under this current statutory regime.
Previously, firms were obligated to respond to subject access requests within 40 calendar days. The revised guidance aligns with the UK GDPR, requiring responses within one calendar month from receipt, subject to potential extensions in specified circumstances. This adjustment necessitates that firms implement procedures capable of meeting the reduced timeframe.
Separately, the revisions address the process for withholding material related to subject access requests. The guidance provides that enquiries to the NCA for input on whether disclosure would prejudice an investigation must account for the statutory response deadline. This places the assessment of potential prejudice primarily with the firm. Firms should conduct internal evaluations accordingly to manage associated legal risks.
In summary, the 2026 revisions constitute targeted updates to the JMLSG guidance. They require MLROs to evidence cross-border oversight capabilities and assign firms greater autonomy in decisions regarding disclosures in subject access requests, subject to timing considerations for any NCA enquiries. Pending ministerial approval, firms may review the revised provisions to assess implications for their operations.
DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
Attorney Advertising.
© Ropes & Gray LLP 2026
Written by: Ropes & Gray LLP, Eve Ellis