UK's 2025 National Risk Assessment Signals New Era of Threat-Informed Financial Crime Compliance

Key Takeaways

• Crypto and EMI/PSP Risks Elevated: Both sectors were upgraded from medium to high risk in the 2025 NRA.
• System Prioritization Introduced: Firms must align with national threat priorities to guide resource allocation.
• AI and Geopolitical Risk Spotlighted: Rapid tech adoption and geopolitical developments have reshaped the threat landscape.
• New Tools and Laws in Force: Recent legislation and reforms boost enforcement power and intelligence sharing, particularly around cryptoassets and corporate structures.
• Compliance Frameworks Must Evolve: The NRA demands dynamic, threat-informed risk assessments and cross-sector collaboration.

Deep Dive

The UK’s newly released 2025 National Risk Assessment of Money Laundering and Terrorist Financing (NRA) marks a critical turning point in how financial crime risk is expected to be understood, assessed, and managed.

Produced by HM Treasury and the Home Office, this is the fourth iteration of the NRA, and it aligns more closely than ever with the UK’s wider economic crime strategy. Most notably, it introduces System Prioritization, a new mechanism under the Economic Crime Plan 2 (2023–2026) that aims to help regulated firms more effectively allocate resources in line with national threat assessments. With this move, the UK is making clear that it expects a more dynamic, risk-informed approach to compliance, not a check-the-box exercise.

While many long-standing threats remain, such as cash-based money laundering, misuse of UK-registered companies, and the purchase of property to conceal illicit wealth, the 2025 NRA places growing emphasis on the impact of new technologies and geopolitical developments.

The report elevates the money laundering risk rating for both cryptoasset firms and electronic money institutions (EMIs) and payment service providers (PSPs) from medium to high. The expansion of these sectors since 2020, combined with their global reach and evolving services (like virtual IBANs), has significantly increased their exposure to abuse by criminals.

Retail banking and money service businesses (MSBs) continue to carry a high risk. Criminals are drawn to the scale, speed, and convenience of these services to store, move, and integrate illicit proceeds into the legitimate economy. Meanwhile, cash (though declining in legitimate use) remains a favored tool for laundering, often pooled and deposited via gambling services, high-value purchases, or post offices.

New and emerging typologies identified in the NRA include:

• Crypto laundering and theft through ransomware, cybercrime, and illicit exchange use
• Trade-based money laundering, exploiting the UK’s role in global trade
• AI misuse in financial services, an area noted for further scrutiny going forward
• Informal value transfer systems (IVTS) such as hawala networks, seen as weakly regulated and transnational
• Professional enablers, including lawyers and accountants, who may knowingly or unknowingly assist in laundering schemes

Evolving Terrorist Financing Risks

The 2025 NRA also underscores a more layered understanding of terrorist financing (TF). It notes that many TF activities occur outside the UK, even if the funds originate domestically. Often, these funds are raised through legitimate sources (like salaries, student loans, or small donations) and then transferred abroad to groups, causes, or individuals aligned with extremist ideologies.

Rather than focusing solely on attack planning, the NRA breaks terrorist financing down into four stages i.e., generation, movement, storage, and spending of funds. It identifies which regulated sectors are exposed at each stage and calls on firms to understand how their products or services may be exploited in this cycle.

The most striking change is the integration of the NRA with System Prioritization, which for the first time publishes annual threat priorities. These priorities are designed to give firms a national-level benchmark for risk alignment and resource allocation, particularly for those in the financial, legal, and tech sectors.

Complementing this is a suite of legislative and regulatory reforms introduced since the 2020 NRA:

• The Economic Crime (Transparency and Enforcement) Act 2022 established a Register of Overseas Entities and strengthened unexplained wealth orders.
• The Economic Crime and Corporate Transparency Act 2023 introduced mandatory identity verification for directors and empowered Companies House with enhanced enforcement capabilities.
• Crypto regulation has tightened, with the FCA issuing 1,700+ alerts and removing over 900 scam websites in 2023 alone. Law enforcement now has more tools to seize crypto assets tied to crime or terrorism.
• Suspicious Activity Report (SARs) reform is well underway, with a digital system being rolled out to improve reporting, feedback, and intelligence-sharing.
• Over £940 million in criminal assets were recovered from 2021–2024, with additional funding allocated via the Economic Crime Levy to expand law enforcement capacity.

What This Means for Regulated Firms

The message from government is that risk-based compliance must become more proactive, data-driven, and threat-informed.

Regulated firms are expected to:

• Reevaluate risk assessments in light of the NRA’s newly identified threats and typologies
• Consider how their products, services, and jurisdictions may be vulnerable across the ML and TF lifecycles
• Align internal priorities with System Prioritisation to ensure resources are focused on the most relevant risks
• Enhance controls in areas such as customer due diligence, crypto exposure, and cross-border transactions
• Stay alert to how AI may be exploited in both ML and TF, even if regulatory guidance is still evolving

For firms operating in higher-risk sectors (especially crypto, EMIs, and PSPs) the expectations are especially high. Even sectors where risk ratings haven’t changed are being asked to rethink their controls, given the broader context of how criminals adapt to regulatory gaps and exploit weak links in the financial system.

As FINTRAIL CEO Robert Evans noted, “If we are honest with ourselves, to date the UK (and international) framework has been inherently ineffective and inefficient... So it is fantastic to see that this latest iteration is going to be complemented by annual typology and threat updates.”

The 2025 NRA may not offer all the answers, but it sets a new standard for what a modern, risk-aware compliance approach should look like. Firms that treat it as a regulatory formality may find themselves increasingly out of step. Those that engage with it as a strategic roadmap will be better equipped to detect, deter, and disrupt financial crime in an increasingly complex landscape.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.