The Deep Brief · SmartHub · Jun 11, 2026 · 6 min read

KYC in the UK: FCA Rules, the Online Safety Act, and the Digital ID Debate (2026)

UK identity verification in 2026: FCA and MLR requirements, Online Safety Act age checks, the digital identity trust framework, and where the ID debate stands.

Rosalie Chirip
Senior Editor at deepidv

The UK runs three verification regimes at once in 2026: financial KYC under the Money Laundering Regulations and FCA supervision, mandatory age assurance under the Online Safety Act with Ofcom enforcing, and a national digital identity program advancing through a contested public consultation.

Businesses touching UK users usually answer to at least one of the three, and increasingly to all of them. Here is the map.

Financial KYC: MLRs, FCA, and JMLSG

The Money Laundering Regulations 2017, as amended, set the statutory due diligence duties: identify the customer, verify identity from documents or information from a reliable independent source, identify beneficial owners, and apply ongoing monitoring. The [FCA](https://www.fca.org.uk/) supervises financial firms and has been explicit that electronic identity verification (document plus biometric, with appropriate fraud controls) can satisfy the regulations, with JMLSG guidance describing accepted approaches. Crypto firms registered with the FCA carry the same obligations plus Travel Rule compliance. Enforcement is real: UK regulators have levied nine-figure penalties for systemic AML control failures at major institutions.

Age assurance: the Online Safety Act era

Since Ofcom's enforcement of the Online Safety Act's age assurance duties began in mid-2025, services hosting adult or otherwise age-restricted content must deploy "highly effective" age checks (facial age estimation, document verification, or equivalent), not self-declaration. Gambling operators answer to a parallel, older regime: the Gambling Commission requires verified age and identity before play. The technical bar keeps rising as synthetic media spreads; age checks defeated by a deepfaked face fail the "highly effective" test, which makes injection-attack-resistant detection part of the compliance argument, not just the fraud one.

The digital identity layer: DIATF and the national debate

The UK's Digital Identity and Attributes Trust Framework certifies identity service providers for right-to-work, right-to-rent, and DBS checks, making certified digital verification legally effective in employment and housing. Above it sits the national digital ID debate: the government's consultation on a broader digital identity scheme closed in May amid significant industry and civil-liberties pushback, with deliberative work continuing. The practical takeaway for businesses is to build on what is certain (certified verification flows and the trust framework) while treating any national scheme as upside rather than a plan.

The architecture for all three regimes

One stack can serve all three regimes if it produces regime-appropriate evidence: MLR-grade identity verification with screening and monitoring through [Arbiter](/arbiter), Online-Safety-grade age assurance with deepfake-checked liveness, and trust-framework-aligned flows for workforce checks, every result anchored and independently verifiable at [proof.deepidv.com](https://proof.deepidv.com). With [published pricing](/pricing) from $0.50 per verification, the economics work for fintechs and platforms alike.

UK KYC FAQ

What are the KYC requirements in the UK?
Under the Money Laundering Regulations, firms must verify customer identity from reliable independent sources, identify beneficial owners, screen, and monitor on an ongoing basis, with the FCA supervising financial firms and JMLSG guidance describing accepted methods.
Is electronic identity verification accepted in the UK?
Yes. Document-plus-biometric electronic verification with appropriate fraud controls is an accepted approach under the MLRs and FCA expectations.
What does the Online Safety Act require for age verification?
Services with age-restricted content must use highly effective age assurance, such as facial age estimation or document-based verification, with Ofcom enforcing and self-declaration explicitly insufficient.
What is the UK digital identity trust framework?
DIATF certifies identity service providers whose digital checks are legally effective for right-to-work, right-to-rent, and criminal-record checks.
Do crypto companies in the UK need KYC?
Yes. FCA-registered cryptoasset firms carry full AML obligations including customer due diligence, ongoing monitoring, and Travel Rule compliance.