How WhyAML meets the law

    Regulatory Compliance

    How WhyAML meets UK AML regulations through data ownership and institutional verification.

    Money Laundering Regulations 2017

    The MLR 2017 requires obliged entities to verify client identity from a reliable and independent source. WhyAML satisfies these requirements by verifying the user's existing status at regulated financial institutions.

    Requirement | How WhyAML meets it
    Identity verification from reliable source (Reg 28) | User's verified status at FCA-regulated institutions serves as reliable, independent source
    Risk-based approach for new technologies (Reg 19(4)(c)) | Technology risk assessment documented in TDD Report provided with each verification
    Proportionate measures (Reg 18) | Tiered verification - depth adjusts based on client risk profile
    Ongoing monitoring (Reg 28(11)) | Perpetual monitoring included - alerts if risk profile changes
    Record keeping (Reg 40) | On-chain Compliance Token provides immutable audit trail exceeding 5-year requirement

    Key Regulations

    Regulation 28
    Reliable and Independent Source

    Your client's verified status at an FCA-regulated institution is a reliable, independent source. The institution already verified them. WhyAML's Witness Model proves your client controls that verified account.

    Regulation 19(4)(c)
    Risk-Based Approach to Technology

    The MLR allows businesses to adopt new verification technologies provided they document their risk assessment. WhyAML provides a complete Technological Due Diligence (TDD) pack for your Practice-Wide Risk Assessment.

    Regulation 40
    Record Keeping

    The law requires 5-year retention. WhyAML's on-chain Compliance Token is immutable and permanent - exceeding the regulatory requirement automatically.

    Data Ownership

    WhyAML's approach is built on a fundamental principle: your client's verified status belongs to them, not to the institution that recorded it.

    The traditional model

    Collect, store, hope nothing happens

    • You collect passport copies
    • You store sensitive documents
    • You bear the breach liability
    • Your client's data proliferates
    • Each firm becomes a honeypot

    The WhyAML model

    Prove what they already own

    • No documents collected
    • Your client proves what they already own
    • Compliance Token belongs to them
    • You receive a certificate - not their passport
    • Nothing for hackers to steal

    Under UK GDPR and the Data (Use and Access) Act 2025, your client owns their data - including the fact that they passed KYC at a regulated institution. WhyAML helps them use proof they already own.

    We don't ask the institution for permission. We help your client assert a fact.

    GDPR & DUAA 2025

    WhyAML is designed with privacy-first principles. Under UK GDPR and the Data (Use and Access) Act 2025, by not collecting identity documents we don't just minimise your data-protection burden - we eliminate the breach risk entirely.

    Requirement | How WhyAML meets it
    Data minimisation (Art 5(1)(c)) | Zero documents collected - name, address, wallet only
    Purpose limitation (Art 5(1)(b)) | Data used only for AML verification
    Storage limitation (Art 5(1)(e)) | Minimal data retained per MLR 2017 requirements
    Data portability (Art 20) | Compliance Token belongs to the individual - in their wallet, under their control
    Security (Art 32) | No PII documents to breach - risk eliminated at source

    Data Minimisation in Practice

    Collected
    • Name
    • Address
    • Wallet address

    NOT collected
    • Passport images
    • Utility bills
    • Bank statements
    • Selfies / biometrics

    HMRC Supervision

    HMRC supervises estate agents, accountants, and other MLR-obliged entities. WhyAML provides audit-ready documentation that demonstrates you've taken reasonable steps to verify client identity.

    What HMRC Inspectors Look For

    • Evidence of CDD procedures being followed
    • Risk-based approach documented
    • Records of identity verification
    • Ongoing monitoring processes

    With WhyAML, you have:
    • Compliance Certificate for every client
    • TDD documentation for your PWRA
    • Timestamped, immutable audit trail
    • Perpetual monitoring records

    FCA Guidance

    The FCA provides guidance on AML compliance. WhyAML aligns with FCA expectations for proportionate, risk-based verification.

    FCA Principles We Follow

    • Proportionate measures based on risk
    • Verification from regulated institutional sources
    • Clear audit trail and documentation
    • Ongoing monitoring and review

    CARF (May 2027)

    The Crypto-Asset Reporting Framework requires tax residency determination for crypto-active clients. WhyAML's behavioural geolocation provides this evidence.

    CARF Requirements

    • Tax Identification Number (TIN) collection
    • Tax residency determination
    • Due diligence records
    • Annual reporting to HMRC (first reports May 2027)

    WhyAML's behavioural geolocation helps determine actual tax residency based on transaction patterns - not just self-certification.

    The Compliance Token

    Every WhyAML verification produces a Compliance Token - an on-chain, immutable record of verification. It belongs to your client, not to you and not to us.

    What you receive

    Compliance Certificate

    A clear, downloadable PDF confirming verification was completed, the confidence level achieved, and when it took place. This is your evidence of compliance.

    You store it. You own it. This is what you show HMRC.

    What your client receives

    Compliance Token

    A secure digital record stored in their own wallet. It belongs to them. They control it. They can choose to use it again.

    This is data ownership in practice - before the law requires it.

    Traditional verification records are stored by businesses who may lose them, get hacked, or go out of business. The Compliance Token is permanent, independently verifiable, and cannot be lost, altered, or deleted.

    It exceeds the 5-year retention requirement automatically.

    Ready when you are

    Ready to simplify compliance?

    WhyAML handles the regulations. You handle your business.
