HMRC’s AML Guidance for the UK Art Market, Part 1: What has changed for the sector

July 8, 2026
by ArtAML™ Team

On 8 July 2026, HMRC published a new internal manual, ‘Anti-money laundering guidance for supervised businesses’ (AMLG). While Part 1 — providing general AML guidance across sectors supervised by HMRC for AML compliance, has been published, Part 2 — providing guidance specific to the art market — is yet to be published. Part 3 is HMRC’s Risk Assessments for each of the sectors it supervises, for which the AMP risk assessment had already been published on gov.uk.

The British Art Market Federation (BAMF) Guidelines (February 2023) take precedence and continue to apply in full unless a specific point is added or contradicted by the new guidance, Part 1. AMP-specific rules covered in Part 2 require sign-off from HM Treasury before publication. Once that happens, BAMF’s Guidelines will be superseded in their entirety. Until then, what follows is a mix: some points update or add to BAMF, and some simply confirm what was already good practice. This post walks you through such updates, clarifications and additions.

Rest assured, the ArtAML™ CDD platform as well as business-wide policies produced by our team are being updated to reflect changes in requirements.

Threshold confirmed: GBP 10,000 in force

Statutory Instrument 2026/621 amended Regulation 14(d) of the MLRs directly, replacing the EUR 10,000 threshold with GBP 10,000. BAMF’s Guidelines still state the threshold in euros throughout. AMPs no longer need to track exchange rate movements to determine whether a transaction crosses the threshold — the figure is now a fixed GBP 10,000, including for linked and aggregated transactions.

For full details, see our blog post on the recent update to the ML Regulations linked under ‘Further Reading’ below.

[AMLG reference: AMLG11300 §13.7 — Customer due diligence (CDD), “CDD and occasional transactions”]

High-risk third countries: FATF ‘black list’ is the automatic trigger

BAMF’s guidance still points AMPs to the European Commission’s list of high-risk third countries — a rule that hasn’t reflected the UK’s legal position for some time. The same 30 June 2026 SI that changed the threshold also narrowed Regulation 33(3)(a): the automatic trigger for enhanced due diligence is now the FATF Call for Action list specifically — also known as the FATF ‘black list’ — rather than either FATF list. At the time of publication, countries included are Iran, Myanmar and North Korea.

This is a narrower automatic trigger, not a lower bar overall: exposure to a country on FATF’s Increased Monitoring list (the ‘grey list’) no longer automatically triggers EDD, but it remains a legitimate factor in your own risk-based assessment alongside other red flags. Any policy or checklist still pointing to the EU list needs updating regardless. 

For full details, see our blog post on the recent update to the ML Regulations linked under ‘Further Reading’ below.

[AMLG reference: AMLG11640 — FATF Call for Action Countries; AMLG11410 — Reliance]

UK politically exposed persons start from a lower-risk baseline

Under the new guidance, a UK-based politically exposed person “must be treated as lower risk unless other factors… indicate a higher risk.” BAMF’s text, published the same month the underlying regulatory change took effect, doesn’t reflect this presumption.

The basis is Regulation 35(3) that was enforced as of 10 January 2024. In practice, this changes the default level of enhanced due diligence applied to domestic PEPs — not who counts as a PEP in the first place.

This change to domestic PEPs not presenting a higher risk of money laundering unless other factors are present is similar to the approach now also being taken with the assessment of high-risk third countries. Moreover, it mirrors the FATF’s own risk-based approach: under the Interpretive Note to Recommendation 10, risk variables apply “either singly or in combination” (para. 19), so a single lower-risk factor — such as domestic PEP status — need not on its own trigger enhanced due diligence

[AMLG reference: AMLG11650 — Politically Exposed Persons (PEPs)]

Training: An explicit annual requirement and who needs to take it

HMRC sets an explicit floor for refresher training: at least annually, with higher-risk businesses expected to train more often. On top of that calendar-based minimum, retraining is also expected whenever something changes — a competency gap identified after an AML training session, a new or emerging risk, a change to the Regulations or your PCPs, an employee moving into a new role that changes their responsibilities in context of AML compliance, or a new product, service or delivery channel that impacts upon risk or due diligence. BAMF’s language (“repeated sufficiently often”) never puts a number on it; the new guidance does.

Training obligations extend to every ‘relevant employee’ — defined not by seniority but by role: anyone whose work is relevant to the business’s compliance with the Regulations, or otherwise capable of contributing to identifying, mitigating, preventing, or detecting money laundering, terrorist financing or proliferation financing. That explicitly includes administrative, operational, customer-facing, supervisory and compliance staff, not just senior management, and it extends to agents acting on the business’s behalf. Separately, all staff — not just relevant employees — must know who the Nominated Officer and Compliance Officer are and how to raise a concern with them, even if their own role doesn’t otherwise touch AML compliance.

Records must show who was trained, when, the content and format, and some assessment of effectiveness — a four-part minimum BAMF doesn’t specify. The ArtAML™ training courses and AML Training Log are built around this: role-appropriate content, an annual cadence, and a log that captures all four fields against each employee and agent.

[AMLG reference: AMLG11030 — Training]

A new internal screening duty for officers and managers – not just HMRC’s check

Beyond HMRC’s own vetting, AMPs carry their own screening duty whenever someone is appointed as an officer or manager of the business — director, company secretary, or manager generally, not specifically the Nominated Officer or Compliance Officer role — both at that appointment stage and on an ongoing basis once in post.

  • At appointment in the role: a basic DBS check plus a signed declaration confirming no unspent overseas convictions for a relevant offence.
  • Once in post: an annual self-declaration confirming no relevant offence, UK or overseas, plus an immediate duty to notify the business if convicted of one.
  • Beneficial owners sit under a lighter duty: If one is later convicted of a relevant offence, they must immediately stop acting, and both the beneficial owner and the business must notify HMRC within 30 days.

Alongside this, HMRC runs its own approval check on every AMP’s beneficial owners, officers and managers for unspent convictions — narrower than the fuller “fit and proper test” applied to other supervised sectors like MSBs and TCSPs, which also assesses compliance history and skills/probity.

[AMLG reference: AMLG1600 §6.2 — Approval Check]

Telling customers how you use their data: a new GDPR requirement

BAMF’s data protection content is limited to a general principle: personal data collected for AML purposes can’t be reused for other purposes. The new guidance is more specific, requiring AMPs to give new customers a notice in writing that meets the requirements of Article 13 of the GDPR — covering the legal basis for processing, retention periods, and the customer’s rights to access, deletion, and complaint to the ICO.

To support your requirements, we’re updating email templates in ‘Resources’ within the platform, to be released the week commencing 13 July 2026.

[AMLG reference: AMLG1200 — Legislation]

Digital identity verification: DVS now the standard — and Yoti is on the list

BAMF treated a provider’s inclusion on the old DCMS eIDAS trusted list as one factor to weigh when assessing whether an electronic ID verification service was suitable. The new guidance is considerably more direct: a provider that isn’t certified against the UK’s digital verification services (DVS) trust framework “cannot reliably be deemed suitable for identity verification in compliance with the Regulations.”

Yoti, our identity verification provider, is certified under the UK Digital Identity and Attributes Trust Framework and listed on the DVS register — so this change doesn’t require any action on our side, but it’s worth confirming the same if you either don’t use ArtAML™ or make use additional services for ID verification.

[AMLG reference: AMLG11400 §14.5 — Identifying and verifying your customers, “Electronic Verification”]

More detailed SARs for items on the the National Risk Assessment’s ‘System Prioritisation’ list

Part 1 of the new guidance now references the 2025 edition of the National Risk Assessment, which introduces a “System Prioritisation” list — nine economic crime priorities jointly published by the NCA and FCA in July 2025:

  • money laundering through UK corporate structures linked to Albania, China, Russia and the UAE;
  • international fraud linked to Ghana, Nigeria, India and Southeast Asia;
  • criminal cash consolidation into UK banks;
  • money mule exploitation;
  • telecoms and online-platform fraud;
  • terrorist financing;
  • sanctions evasion by UK professional enablers (particularly Russia-linked);
  • transaction flows tied to overseas PEP abuse of power; and
  • cryptoasset resilience.

For AMPs, the two most relevant are the overseas PEP priority and the professional-enabler/Russia-sanctions priority — both map directly onto long-standing art market risk factors (high-net-worth clients, corporate or trust-held purchases, and Russia-linked sanctions exposure). HMRC now expects a more detailed SAR where suspicious activity touches any of the nine listed.

This list is subject to being updated in future National Risk Assessments. 

[AMLG reference: AMLG1800 — Risk Assessment; AMLG11100 — Reporting Suspicious Activity]

Other updates worth knowing

A number of smaller changes round out the new guidance. None of these are in BAMF, and they’re worth a look next time you review your PCPs — and they’re already being implemented for ArtAML™ clients.

  • Proliferation financing is now a distinct risk category with its own National Risk Assessment document, rather than folded into general money laundering and terrorist financing risk.
    • [AMLG reference: AMLG1100 §1.6 — “What is proliferation financing?”]
  • Beneficial Owners, Officers and Managers (‘BOOMs’) now have explicit change-notification deadlines — 14 days for Nominated Officer/Compliance Officer appointments, 30 days for other changes.
    • [AMLG reference: AMLG11000 §10 — Nominated Officers and Compliance Officers; AMLG1600 §6.2 — Fit and Proper Test]
  • Compliance Officer and Nominated Officer should now be two different people once a firm is large enough to have both roles.
    • [AMLG reference: AMLG11000 §10.2]
  • Penalties for a breach aren’t a fixed fine — and reporting yourself helps. HMRC decides any penalty by weighing how serious the breach was, why it happened, how the business responded, its size, and the harm caused. Reporting your own breach before HMRC finds out can reduce the penalty, and full cooperation once they’re involved helps too. Serious breaches can also mean criminal prosecution, not just a fine.
    • [AMLG reference: AMLG1300 — Civil Penalties and Criminal Prosecution]
  • Individual officers, not just the business, can be held personally liable. HMRC can penalise a director, company secretary, or other officer directly if they knew about a breach and let it continue — even without actively causing it — and this liability isn’t wiped out if the business later becomes insolvent.
    • [AMLG reference: AMLG1400 — Imposing civil penalties on officers of a business]
  • Records must now be deleted, not just retained, once the five-year period expires, subject to narrow exceptions. This is already handled by ArtAML™’s CDD and storage solutions.
    • [AMLG reference: AMLG11700 §17 — Record Keeping]
  • A 14-day deadline for simplified due diligence. Where you’ve applied SDD to a low-risk customer and started the relationship before completing verification, HMRC now expects that verification to be finished within 14 days — not left open-ended. SDD never removes the underlying duty to identify and verify the customer, only when and how thoroughly it’s done.
    • [AMLG reference: AMLG11500 §15.7 — Simplified Due Diligence]
  • A £3,000 exemption for exiting suspicious relationships. Where you already suspect money laundering and are ending the relationship, you can return funds below £3,000 to the customer without waiting for NCA consent (a DAML) first — but you must still file a SAR. It only applies once suspicion exists; it isn’t a general de minimis for routine exits.
    • [AMLG reference: AMLG11100 §11.4 — Reporting Suspicious Activity (DAML exemptions)]

In conclusion

Part 1 doesn’t touch the art-market-specific rules that make BAMF’s guidance distinctive — those still stand until Part 2 arrives. But between the 30 June 2026 statutory changes and the 8 July 2026 guidance update, several of the generic building blocks underneath every AMP’s AML policy have moved: the threshold, high-risk country triggers, PEP treatment, AML training cadence requirement, digital ID standards, and customer notices among them. Reviewing PCPs against these changes now avoids a bigger catch-up exercise once Part 2 is published.

If you’d like support reviewing your CDD process or AML policies against these changes, get in touch with our team.

Further reading

How can we help?

Get in touch with our team for support and advice