Dialling up without dialling down: What the new MLR amendments miss
The latest draft amendments to the Money Laundering Regulations sit within a broader policy agenda aimed at “smarter regulation”, including minimising regulatory burden, supporting economic growth, and ensuring regulation works as effectively as possible.
At first glance, there are signs of that. There is some targeted flexibility (notably around insolvent bank customers) and a degree of tidying up, with clearer definitions and alignment to FATF terminology. In isolation, these are sensible changes.
But taken as a whole, it is difficult to conclude that firms will be able to operate materially more efficiently in practice.
What the amendments represent is not simplification, but re-specification. Some friction is reduced at the margins, but new expectations are introduced elsewhere, particularly in areas such as cryptoassets, pooled accounts, and governance. The net effect is familiar: the regime becomes more detailed and incrementally more demanding.
Reform Without Reduction
This points to a broader structural issue in financial crime regulation.
Successive changes are framed as improvements, but there is rarely any mechanism for removing or deprioritising existing requirements. New risks are incorporated, new expectations defined, but very little is taken away.
Over time, this creates cumulative compliance. Each change may be justified, but in aggregate the burden grows, often without clear evidence of improved outcomes.
The draft amendments follow that pattern. Enhanced due diligence for cryptoasset relationships, clearer expectations around pooled accounts, and tighter governance are all defensible. But they are not offset by reductions elsewhere. Introducing enhanced crypto due diligence without removing legacy requirements for lower-risk segments simply increases the overall load.
The missing mechanism: “One in, one out”
If the objective is efficiency, the obvious question is: what has been removed?
There is no clear answer.
A more disciplined approach would be “one in, one out”, not as a blunt rule, but as a forcing mechanism. If a new requirement is introduced, what becomes less relevant?
That question is rarely asked. Without it, the risk-based approach becomes difficult to sustain. Firms are expected to respond to evolving threats, but without any corresponding expectation to scale back activity. The direction of travel is almost always one way.
The measurement problem
Part of the issue is that the regime is difficult to measure.
Much of the language is framed in terms of outcomes (“mitigating risk”, “improving effectiveness”) without clearly defined, observable objects. That makes it hard to assess whether changes improve detection, reduce exposure, or change behaviour.
As a result, requirements are added because they are directionally sensible, rather than demonstrably effective.
An alternative is to ground regulation in more concrete, identifiable objects: specific risk events, exposure drivers, and control mechanisms. This creates a clearer causal chain between intent, response, and effectiveness.
It also enables reprioritisation. As risk shifts, effort can be reallocated, dialling activity up in some areas and down in others.
So what for MLROs?
The implication is not to wait for the regime to change. If anything, the direction of travel suggests the opposite.
If regulation is not creating space to improve efficiency, then the question becomes more direct: what are you going to do to make the role manageable?
Because left unchecked, the system is cumulative. New expectations are added, but very little is taken away. Over time, this is absorbed by the same teams and budgets.
That is not sustainable.
A genuinely risk-based approach requires explicit decisions about where effort is no longer justified. That means asking:
What activity are we prepared to stop or scale back?
Where are we applying effort that no longer reflects current risk?
Which controls would we actively defend, and which persist because they always have?
If regulation is not forcing reprioritisation, MLROs need to lead it, by being clearer, internally and with supervisors, about how effort is allocated in line with risk.
Done properly, this strengthens the MLRO’s challenge role. It shifts the conversation from “are we doing enough?” to “are we focusing on the right things?”, and positions the function as directing scarce resource where it matters most.
Because without a credible mechanism for dialling down, the risk-based approach becomes cumulative rather than selective.
Dialling up without dialling down
That is the gap the amendments do not address. They reflect a regime that is good at identifying where more is needed, but less comfortable specifying where less is acceptable. They mirror what we see in many BWRAs: new risks and controls are added, but very little is removed. The system becomes more complex, not necessarily more effective.
If the regulatory framework will not change that dynamic, firms will need to. Because a model where everything is a priority is not risk-based. It is cumulative.
And over time, cumulative becomes unmanageable.