Centralised AML Supervision in the UK: What FCA Reform Means for Enterprise Compliance Architecture

Key Takeaways

• Centralised AML supervision in the UK is shifting oversight toward data-driven, population-level scrutiny.
• Merchant onboarding now functions as a core AML compliance control, not just an operational process.
• Risk-based onboarding, automated due diligence and structured risk scoring are essential under FCA supervision.
• Scaling merchant onboarding without unified architecture increases regulatory exposure for payment providers.

‍

The UK government’s plan to move Anti-Money Laundering and Counter-Terrorist Financing (AML/CTF) supervision of legal services under the FCA, as reported by The Guardian in January 2026, has been framed as a major regulatory shake-up. But for senior compliance and risk leaders, the real story isn’t the structural change itself, but rather what this signals about the direction of travel for AML compliance and enterprise risk management. 

Regulatory oversight isn’t just being reorganised; it’s being recalibrated. The question is no longer who supervises, but how expectations, accountability and scrutiny are evolving across the system, and whether firms can evidence risk-based onboarding and automated due diligence in a defensible way.

In its October 2025 consultation response, HM Treasury describes the current framework as “complex and disjointed”, pointing to 23 supervisors for professional services and arguing that this “inevitably” leads to inconsistent supervision and enforcement. That word matters.  Inevitably suggests the issue is structural rather than operational. Fragmented compliance and digital onboarding systems do not merely create inefficiency. They create blind spots.

For payment providers and other regulated financial services firms, this shift has direct implications. AML compliance is increasingly evaluated not as a collection of policies, but as a data-driven architecture that begins at merchant onboarding and extends across the customer lifecycle. Firms that cannot evidence this architecture risk supervisory friction, delayed growth and reputational exposure at precisely the moment they are trying to scale.

The shift is clear. Regulators increasingly need to see risk across entire populations. A Single Professional Services Supervisor, built on consistency and comparability, is the mechanism. Not firm by firm; not silo by silo. 

That level of visibility cannot be produced from fragmented onboarding systems, disconnected data flows or risk definitions that vary between teams. It requires structured, comparable and defensible information from the point of merchant onboarding onwards.

Centralised AML supervision means regulators move from supervising individual firms in isolation to analysing structured risk data across entire populations. The focus shifts from whether controls exist to whether risk can be rendered visible, comparable and demonstrably effective at scale.

The direction is set. For regulated enterprises, the question is whether internal architecture can meet it through integrated AML compliance, structured risk scoring, and unified merchant onboarding compliance frameworks. Firms that rely on reassembled data or inconsistent risk logic will find that supervisory expectations move faster than their internal systems.

‍

Traditional merchant onboarding pitfalls under centralised AML supervision 

This reform doesn’t sit in a marginal risk landscape. Economic Crime Plan 2 frames the challenge in systemic terms: a “realistic possibility” that £100bn is laundered through and within the UK, or through UK corporate structures, each year, including £12bn in cash. At this scale, financial crime stops being a compliance issue and becomes a credibility issue for leadership, systems and risk governance. In that context, tolerance for structural weakness narrows rapidly. The Plan references system-wide disruption and 3,756 money laundering convictions in 2024. 

The figures matter less as statistics than as signals. They describe volume, scale and persistence. They also expose a constraint. Sustained prevention at scale is far harder to demonstrate, especially where risk management depends on fragmented systems and inconsistent data. In that context, fragmentation isn’t an administrative inconvenience, but a structural risk that weakens AML compliance before a regulator ever intervenes.

When risk operates at that volume, supervision can’t rely on file-by-file inspection. It has to rely on structured data, comparable metrics and trend analysis across populations. For payment providers and regulated enterprises, onboarding decisions now sit under regulatory microscopes. Weak automated due diligence or inconsistent risk scoring can expose firms in FCA reviews, damage trust and slow revenue from day one.

The same pressure is visible internationally. The UK’s next FATF on-site visit is scheduled for August 2027. This round places greater weight on measurable outcomes, meaning supervisors will look beyond policies to the quality of risk decisions at onboarding. Weak risk scoring or superficial due diligence can make control failures visible at the worst possible moment.

Supervisory expectations are already tightening across the sector. In February 2026, the SRA informed businesses that AML-regulated entities will be asked to complete a government survey to support the 2027 assessment, with expanded data collection extending beyond standard supervision returns.

The direction is coherent. Oversight is becoming more centralised, more data-led and more comparative. Fragmentation is no longer just inefficient. It weakens risk visibility and increases expectations that payment providers justify onboarding decisions with structured, defensible data.

‍

Regulatory requirements under FCA data-driven AML supervision 

The consultation response makes the point plainly: supervision is becoming data-driven. It refers directly to the FCA’s “data driven approach to supervision”. The November 2025 powers consultation shows what that means operationally: maintained risk profiles, targeted desk-based and on-site reviews, structured information requests, intelligence sharing across domestic and international authorities, improved exchange of suspicious activity report data with the National Crime Agency, and firmer perimeter policing, including the possibility of a public register of supervised firms.

And that's the pivot. FCA AML supervision is shifting from asking whether controls exist to testing whether risk, including ongoing customer due diligence (OCDD), can be rendered visible, structured and compared across an entire population.

In structural terms, this results in four clear supervisory expectations.

Centralised AML supervision increasingly expects:

• A single, consistent view of risk across the customer or merchant lifecycle.
• Decisions that are traceable and defensible beyond the originating team.
• Fewer handoffs, fewer blind spots, fewer functional boundaries where risk diffuses.
• Data that can be aggregated, segmented and assessed comparatively.

Those aren't preferences. They’re design requirements. And once supervision is designed this way, fragmented internal models stop being inconvenient, and become exposed.

‍

Merchant onboarding as a structural AML control 

For many regulated enterprises, merchant onboarding is still viewed primarily as an operational process. It sits between sales, underwriting and compliance. It is measured by time-to-activation and drop-off rates. It is rarely described as a compliance infrastructure of risk management architecture.

Under modern centralised AML supervision, it cannot remain operational. 

That framing no longer holds. As supervision becomes effectiveness-driven, merchant onboarding moves from operational gateway to strategic control point. It is where risk-based onboarding decisions are made, where automated due diligence is applied and where risk scoring models are first tested against real-world behaviour.

The exposure is immediate. If onboarding architecture cannot produce consistent, defensible outcomes, the firm’s broader risk management claims lose weight under supervisory scrutiny. Weak merchant onboarding compliance does not remain contained within a team. It shapes regulatory dialogue, influences supervisory confidence and determines whether growth can proceed without interruption.

Meanwhile, financial crime does not rely on complexity. HM Treasury assessment that money laundering risk in the sector remains persistently high, with vulnerabilities largely unchanged in recent years, carries an uncomfortable implication. Criminals are not exploiting innovation. They are exploiting trust. 

Regulated service providers offer credibility, structure and perceived integrity. When merchant onboarding compliance fails to apply consistent risk-based onboarding and disciplined automated due diligence, that credibility becomes the entry point. What appears operational internally can translate externally into systemic exposure.

This is where the tension now sits. Payment providers are expected to accelerate payments modernisation and improve time-to-revenue, while simultaneously strengthening fraud detection in onboarding and evidencing control effectiveness. Merchant onboarding is the point at which those competing pressures either reconcile or collide.

‍

Scaling merchant onboarding under centralised AML supervision

Anyone who has sat through an internal review of onboarding handoffs knows this tension. Regulators are centralising oversight, building data-driven models that compare firms across entire populations. Internally, compliance still moves through silos: data captured here, risk scored there, reviews completed in a third system. It worked well enough when supervision meant file checks. That era is ending. It breaks down when onboarding must scale across expanding merchant portfolios while maintaining consistent risk-based decision making.

OPBAS’s 2023–24 report highlights uneven enforcement and inconsistent control application. For payment providers expanding across products and jurisdictions, scaling merchant onboarding without aligned risk scoring and automated due diligence creates widening gaps between growth and control. Variability does not dilute under expansion. It compounds, and becomes harder to defend.

When supervision operates at that scale, unified onboarding architecture is no longer optional. Merchant onboarding must deliver consistent, defensible outcomes at volume, or scalability becomes exposure. 

At MVSI, that distinction is the starting point. OnBoard by MVSI integrates merchant onboarding, AML controls and risk scoring into a single framework designed for scale. Not simply to automate, but to ensure merchant onboarding compliance remains coherent as portfolios grow and supervisory expectations intensify.

‍

End-to-end merchant onboarding architecture for UK AML compliance

The model is no longer theoretical. Centralised supervision, population-level visibility, comparative oversight—these are not experiments. They are the operating model.

For compliance leaders, the question is no longer whether your controls exist. It is whether your internal architecture can produce a single, coherent view of risk when the regulator asks to see it. Not fragmented across systems. Not reassembled manually. Just there.

Merchant onboarding, AML compliance and risk management cannot remain loosely connected processes. They need to function as the same infrastructure.

The reform does not impose that requirement. It just makes it impossible to ignore.

OnBoard by MVSI is an end-to-end merchant onboarding and compliance platform for regulated payments, fintech, and financial services. It unifies digital onboarding, KYB, KYC, AML controls, underwriting, configurable risk scoring, and ongoing customer due diligence (OCDD) within a single, scalable system.

The solution enables payment providers to standardise merchant onboarding compliance across products and jurisdictions, automate KYB and KYC workflows, apply consistent risk-based onboarding rules and maintain structured audit trails from first application through ongoing monitoring.

By unifying onboarding, underwriting and AML/CTF onboarding automation within one architecture, OnBoard reduces operational silos while preserving defensible control evidence under supervisory review.

This alignment allows firms to accelerate payments modernisation and improve time-to-revenue in payments without weakening fraud detection in onboarding or compromising payments risk management. In a supervision model that tests effectiveness at scale, that balance is no longer optional. It determines whether growth proceeds with confidence or stalls under scrutiny.

‍

This article is based on publicly available UK government consultation responses and supervisory publications as at February 2026. It does not constitute legal advice.