The Illusion of Reform? The Treasury’s MLR Response and the Question of Genuine Effectiveness
In July 2025, HM Treasury published its long-awaited response to the consultation on improving the UK’s Money Laundering Regulations (MLRs). It is, in many respects, a pragmatic and proportionate package of proposed reforms, focused on simplifying compliance burdens, clarifying definitions, and aligning requirements with real-world operational realities.
But does it really move the needle on effectiveness?
If we measure effectiveness not by how neatly regulations are rewritten but by whether financial crime risk is better understood, prioritised, and mitigated, then the answer is, at best, uncertain. And in the context of the UK’s upcoming FATF mutual evaluation, that distinction matters more than ever.
Acknowledging the Risk-Based Approach, But Only Half the Story
To its credit, the Treasury’s response reaffirms the risk-based approach (RBA) as the foundation of the UK’s AML/CTF regime. It acknowledges that rigid rules can drive defensive, low-value compliance. It seeks to recalibrate thresholds, reduce unnecessary Enhanced Due Diligence (EDD), and enable firms to focus their efforts where the real risks lie.
But if the risk-based approach is the foundation, effectiveness must be the structure built upon it. And that’s where the response falls short.
The Wolfsberg Factors: A Missed Opportunity
As I noted in a previous article, the Wolfsberg Group has been clear: technical compliance is not enough. An effective AML/CTF programme requires that firms:
1. Comply with AML/CTF laws and regulations
2. Provide highly useful information to government agencies in defined priority areas
3. Establish a reasonable and risk-based set of controls to mitigate financial crime risk
The Treasury response speaks to the first point, but leaves the second and third largely unaddressed.
There is no requirement for firms to demonstrate how their controls mitigate actual threats. No framework for aligning resource allocation to priority threat areas. No metrics or expectations around whether firms are generating useful intelligence for law enforcement.
What we are left with is a more elegant version of what we already had: a compliance regime that supports the possibility of effectiveness, without demanding its demonstration.
Cosmetic vs. Consequential: A Litmus Test for Reform
The proposed changes, such as limiting mandatory EDD to FATF “Call for Action” countries or redefining “unusually complex” transactions, are sensible. But they are also incremental. They may reduce the burden on compliance teams. But do they materially shift how firms understand their exposure to financial crime risk? Do they compel firms to ask the right questions about whether controls actually work?
Without a meaningful expectation of control effectiveness, the business-wide risk assessment remains a paper exercise. It still reflects how firms manage compliance, not how criminals exploit systems.
What Should Change?
If we are serious about effectiveness, then the BWRA needs to be reimagined, not just revised. That means:
Shifting the unit of analysis from risk factors to risk events: What actually happens when controls fail?
Mapping controls not just to obligations, but to risk events: What specific mitigations prevent, detect, or respond to those events?
Incorporating upstream threat intelligence and downstream control performance: Does the assessment reflect what is actually happening, both externally and internally?
Evaluating residual risk with reference to control effectiveness, not just control presence: Are we assuming our controls work, or testing whether they do?
This is not just a methodological preference. It is what effectiveness requires.
A Call to Raise the Bar
The Treasury’s response is a step in the right direction. It acknowledges the need for proportionality and the relevance of external threat intelligence. But in the absence of a demand for demonstrable effectiveness, we risk reinforcing a system that looks better on paper, without making us safer in practice.
Now is the time for firms, and the technology providers who support them, to raise the bar. We need to reclaim the business-wide risk assessment as a strategic tool: one that reflects how risk is experienced, how controls operate, and how intelligence is acted upon.
Because effectiveness is not a matter of elegant drafting. It’s a matter of real-world outcomes.