Following Board approval in January 2026, the Joint Money Laundering Steering Group (JMLSG) revised Part I of its guidance on anti-money laundering (AML) and counter-terrorist financing (CTF). The revisions were published on 4 February 2026 and consist of controlled amendments to Chapters 3 and 6, addressing the role of the firm's Money Laundering Reporting Officer (MLRO) and data protection requirements. The revised guidance has been submitted to HM Treasury for ministerial approval, which remains pending as of 31 March 2026.
Chapter 3: Monitoring effectiveness of money laundering controls
The provisions in Chapter 3 address factors relevant to the effectiveness of AML controls, including the adequacy of resources, monitoring procedures, internal review processes, and the management of the MLRO. The revised guidance maintains the core requirements for the MLRO while incorporating additional specification of responsibilities in respect of oversight and monitoring.
Under the prior guidance, the MLRO was required to maintain independence, with direct access to the Financial Conduct Authority (FCA) and law enforcement agencies, including the National Crime Agency (NCA). The 2026 revisions retain these requirements and supplement them with explicit references to cross-border/group considerations. The MLRO must have due authority and independence to oversee all aspects of the firm’s AML/CTF activities, including access to all relevant information. This includes oversight of AML/CTF activities undertaken by the group or other entities within or outside the UK, where relevant to the UK regulatory system. The MLRO must be free to have direct access to the FCA and (where the nominated officer) appropriate law enforcement agencies, including the NCA, and to liaise with the NCA on their own authority regarding transactions or suspicious activity.
Oversight of the implementation of the firm’s AML/CTF policies and procedures, including the risk-based approach, remains primarily the responsibility of the MLRO (under delegation from senior management). The MLRO must ensure that effective and appropriate monitoring processes and procedures are established and maintained, including across group entities (within and outside the UK) that undertake UK AML/CTF-specific activities—for example, the ability to test or review such activities. Where oversight activities are delegated, the MLRO retains ultimate responsibility. The effective operation of group systems and controls in branches, subsidiaries, and other group entities outside the UK (where relevant to the UK regulatory system) is influenced by the group’s ability to ensure compliance without local legal or practical restrictions.
For firms with cross-border operations, this may require examination of existing information-sharing protocols, governance arrangements, and the practical ability to conduct monitoring and testing across relevant group entities.
Chapter 6: Data Protection and Subject Access Requests
Chapter 6 provides guidance on the handling of subject access requests where a suspicious report has been submitted. The prior provisions referenced the Data Protection Act 1998, including exemptions for crime prevention and a 40-day response period. The 2026 revisions update this to reflect the applicable framework under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (as amended by the Data (Use and Access) Act 2025). Firms are required to evaluate their procedures under this current statutory regime.
Previously, firms were obligated to respond to subject access requests within 40 calendar days. The revised guidance aligns with the UK GDPR, requiring responses within one calendar month from receipt, subject to potential extensions in specified circumstances. This adjustment necessitates that firms implement procedures capable of meeting the reduced timeframe.
Separately, the revisions address the process for withholding material related to subject access requests. The guidance provides that enquiries to the NCA for input on whether disclosure would prejudice an investigation must account for the statutory response deadline. This places the assessment of potential prejudice primarily with the firm. Firms should conduct internal evaluations accordingly to manage associated legal risks.
In summary, the 2026 revisions constitute targeted updates to the JMLSG guidance. They require MLROs to evidence cross-border oversight capabilities and assign firms greater autonomy in decisions regarding disclosures in subject access requests, subject to timing considerations for any NCA enquiries. Pending ministerial approval, firms may review the revised provisions to assess implications for their operations.
Nyah Clark, Trainee, and Lily Kalati, Paralegal, also contributed to this article.
Stay Up To Date with Ropes & Gray
Ropes & Gray attorneys provide timely analysis on legal developments, court decisions and changes in legislation and regulations.
Stay in the loop with all things Ropes & Gray, and find out more about our people, culture, initiatives and everything that’s happening.
We regularly notify our clients and contacts of significant legal developments, news, webinars and teleconferences that affect their industries.