WhyAML?

You're not a small part of the economy.
You ARE the economy.

5.7 million firms. 16.9 million workers. £2.8 trillion of turnover.
So why do the rules treat you like Barclays?

The workforce

16.3 million

people work in small firms

60%of all UK jobs

Every third person you meet earns their living from a small firm. Sole traders, family businesses, two-person agencies - they're the backbone of the UK workforce, not the margin.

Source: Business Population Estimates 2025, Department for Business and Trade.

A vast crowd of figures lit by an ochre sunset behind a city skyline, representing the 16.9 million people who work in UK small firms

The turnover

£2.8 trillion

generated by small firms

51%of all UK business turnover

More than half of every pound the UK business economy produces flows through small firms. Barclays, HSBC, and the FTSE 100 combined generate less turnover than the 5.7 million small firms under "the same rules".

Source: Business Population Estimates 2025, Department for Business and Trade.

A pair of cupped hands holding a small pile of British pound coins, representing the £2.8 trillion of turnover generated by UK small firms

The growth engine

27%

more UK firms than in 2010

15+years, year on year

Almost every new job, every new product, every new export since 2010 came from a small firm. You are where the economy grows. And yet the compliance rules treat you like you have the same resources as Barclays, the same budget as Coinbase, the same team of lawyers as Kraken.

Source: Business Population Estimates 2025, Department for Business and Trade.

Top-down view of a car engine bay rendered in a paper-cutout illustration style, representing the growth engine of the UK economy driven by small firms

Recognised sources include

WhyAML works with any FCA-regulated institution that has performed KYC.

Logos shown for reference. WhyAML is not affiliated with or endorsed by these institutions.

Two different worlds

Same rules. Different reality.

The law calls everyone an "obliged entity." But look at the difference.

Aerial view of Canary Wharf at night with banking towers (HSBC, Citi, Barclays) lit gold against a black sky

Their World

8,335

Built for the rules.

$78M compliance budgets. 2,500-strong AML departments. The regulations were written for them. They built themselves to meet them.

Same Rules Apply

Your World

5.7M

Run by 5.7 million.

Owner is also admin and compliance. No legal team on retainer. No enterprise system. Same rules apply.

A small estate agent's high-street shopfront, brick building with signs reading 'Julie Twist Properties' and '30 Years of Service'

Same fines. Same liability. Same regulations. Different reality.

170

Estate agent fines

April - September 2025

134

Accountant fines

April - September 2025

+177%

Increase over 4 years

Enforcement accelerating

Source: HMRC enforcement data, April - September 2025.

What the rules created

The rules were meant to protect people.
They did the opposite.

Shield with AML CREATED TO STOP banner above three icon circles labelled terrorists, bad actors, and financial crime

The intent

Real threat.

Rules written to stop criminals.

Anti-money laundering exists for good reasons. To stop criminals from cleansing their money. This is serious. This matters.

Overstuffed filing cabinet with paper folders spilling out from open drawers

The rule

5 years.

Collect everything. Store it all.

The rules required 5.7 million small firms to collect passports, utility bills, and proof of address. Store them for five years.

An open passport on a dark surface, photo and identity pages exposed

The reality

Tens of thousands of honeypots.

Each one a target.

Across tens of thousands of regulated offices, filing cabinets, email folders, and local drives are stuffed with sensitive identity documents. Each one a target. Each one a honeypot for hackers.

Why stored documents are a standing liability

The honeypot problem: why stored documents are a liability

Document-based AML asks firms to collect identity documents - passport scans, utility bills - and retain them. Held across tens of thousands of regulated property, legal and accounting offices, that material becomes a distributed set of breach targets: a honeypot of precisely the data identity thieves want. (Not all 5.7 million UK businesses are AML-obliged; the regulated, document-holding population is in the tens of thousands.)

Holding it is also a standing data-protection liability. Under UK GDPR, personal data must be limited to what is necessary (Article 5(1)(c)) and kept secure (Article 32); a passport scan sitting in an inbox or shared drive meets neither test well. The UK has had more than 140 million files breached since 2013.

WhyAML's answer is structural: verify the individual through their authenticated relationship with a regulated institution - the Witnessing Model™ - without retrieving or storing the underlying documents. Data that is never collected cannot be breached.

Network diagram of small UK businesses connected by dotted lines, with a hooded hacker in a crosshairs target at the centre, and four labelled stat icons below

The cost

£4B / year.

Stolen. Every year. Growing.

140 million UK files breached since 2013 - twice the UK population. £4 billion stolen every single year, growing every year. Real lives. Real families. Real fraud investigations. All because the rules told small firms to hoard documents they never needed to keep.

The chain of consequence

5.7M

Firms storing data

Each one a target

5 yrs

Storage required

Years of liability

140M+

UK files breached

2x UK population

£4B

Annual theft cost

Growing every year

Sources: ICO UK breach data, UK Finance Annual Fraud Report, HMRC MLR register.

The pivot

What if you didn't have to collect
documents at all?

Coinbase already verified your client. Kraken already verified your client. Their bank already verified your client. Their proof belongs to them - and the law agrees.

01 - The hook

Your client already proved who they are.

Coinbase already verified your client. Checked the passport. Confirmed the address. Matched the face. Spent millions making sure that person is real.

$78M

Coinbase compliance spend
per year

Hands holding a phone with the Coinbase trading app open, watchlist of cryptocurrencies visible

02 - The logic

Why should you do it again?

The proof already exists. A regulated institution has done the verification to banking standards. Their proof belongs to your client - not to your records.

Documents you need
to store or secure

A man in a navy shirt with hands raised palms-up, expression questioning, on a soft cream background

03 - Reg 28

The methodology satisfies the law.

You must verify identity using a "reliable source which is independent of the person." A regulated financial institution that already verified your client is exactly that source - by law, the most independent and reliable one there is.

Reg 28

MLR 2017
methodology satisfied

The reliable-source basis, in full

Regulation 28: the substantive basis for identity verification

Regulation 28 of the Money Laundering Regulations 2017 requires customer identity to be verified from a reliable and independent source. This is the substantive legal foundation on which WhyAML's verification methodology stands.

A regulated financial institution that has performed customer identity checks under its own regulatory obligations is such a source. At present these are FCA-registered crypto-asset firms, supervised for anti-money-laundering purposes under the Regulations; a later phase extends this to FCA/PRA-authorised banks, accessed through read-only Open Banking. WhyAML does not adopt or rely on that institution's due diligence - Regulation 39 (reliance on third parties) is not engaged - it independently witnesses the individual's authenticated, ongoing control of the relationship.

What the method produces is a verification anchored in a real, regulated relationship with genuine economic activity: a fraud-traceable record at an accountable institution, rather than a static document that can be forged. This is what the anti-money-laundering regime exists to enable.

Regulation 28 is the rule that makes the method lawful. It is distinct from Regulation 19(4)(c), which is the procedural rule under which a firm records its decision to adopt the technology.

A wooden gavel, a brass set of scales, and an open law book in a paper-craft style on a cream background

04 - Reg 19(4)(c)

The TDD Pack covers your decision.

Regulation 19(4)(c) permits you to adopt new technology without DVS certification, provided you document your risk assessment. WhyAML provides the Technological Due Diligence Pack - you attach it to your file and you're covered.

TDD

Pack supplied
with every account

The risk-based adoption basis, in full

Regulation 19(4)(c): the procedural record of technology adoption

Regulation 19(4)(c) requires obliged entities to assess the risks of adopting new or developing technologies for AML purposes, and to record that assessment in writing.

It is the procedural mechanism by which a firm files its decision to use new technology - not the substantive justification for the verification itself. The substantive justification comes from Regulation 28 (reliable and independent source).

WhyAML provides each customer with a Technological Due Diligence (TDD) document that satisfies the Regulation 19(4)(c) assessment requirement out of the box. The firm files it within their Practice-Wide Risk Assessment.

A neat stack of documents bound with bulldog clips, on top of a binder, in paper-craft style

05 - Scope

We do one thing. Done completely.

Identity verification under Reg 28. That is the verification universe. Source of funds, affordability, credit checks, broader financial picture - those remain your professional judgment. We do the one thing every other product makes complicated. And we do it completely.

Thing we do,
done completely

What we verify, and what stays with you

An added capability - designed to run alongside your existing checks

WhyAML is built to sit alongside a firm's existing AML and client-onboarding stack - tools such as SmartSearch, Thirdfort or Credas - and alongside the firm's tax process. It adds two things those tools do not provide: identity verification through the Witnessing Model™, performed without taking custody of identity documents, and CARF-ready economic-residency evidence.

It is not a rip-and-replace. The firm keeps its existing controls, its risk-based approach and its professional judgement; WhyAML adds a capability - document-free verification plus residency evidence - that complements them.

For the obliged entity this means WhyAML can be adopted without unwinding an existing compliance arrangement: it is an additional, regulator-ready evidence source, not a substitute for the firm's framework.

An intricate close-up of a gold watch movement with the words Constant Force visible, in paper-craft style

How WhyAML works

Simple and elegant on top.
Sophisticated underneath.

Four steps for your client. Institutional-grade compliance underneath.

Step 1 - Confirm identity

WhyAML customer-side verification screen showing knowledge-based identity questions: previous addresses, companies the individual has been director of

Your client answers questions only they can answer. Where they've lived. Companies they've been director of. No passport. No selfie.

Step 2 - Connect their wallet

WhyAML customer-side wallet connection screen showing supported institutions including Coinbase, Kraken, and major banks

They link their verified institutional account. The institution did the KYC. WhyAML proves they own it.

Below the line: a confidence engine called G-RADE™.

Where the money came in from

fiat-ramp signals

Which institutions they connect to

KYC-graded relationships

How transactions pattern over time

behavioural rhythm

How their network behaves

connection topology

Four signals from seven. None of them fakeable by AI.

✓ Patent Protected·✓ MLR 2017 Reg 28·✓ Zero prior art found

Diagram of the WhyAML verification flow: top row shows the four client-facing steps (create client, send link, client authorises, certificate); bottom row shows the institutional-grade checks WhyAML runs in the background (economic activity, financial behaviour, Tier 1 institution AML/KYC events, event recorded, relationship continues), with a footer about Right to Data, Use, Defend under the Data (Use and Access) Act 2025

Diagram of the WhyAML verification flow (mobile)

What your client experiences

Zero documents collected. Zero PII stored.
The institution already verified your client - WhyAML proves it.

What you walk away with

One check. Two records. Zero documents stored.

Verification flow diagram: a completed proof set passes through WhyAML, producing a human-readable PDF certificate that goes to the SME and a VTX compliance token that goes to the individual

Verification flow diagram (mobile): a completed proof set passes through WhyAML, producing a human-readable PDF certificate that goes to the SME and a VTX compliance token that goes to the individual

The Compliance Certificate is the human-readable PDF the firm keeps for audit.

The Compliance Token is the on-chain record the client owns and can re-use.

What's on the certificate, and why HMRC accepts it

The Broker Compliance Certificate: audit-grade record for HMRC inspection

The Broker Compliance Certificate is the immutable, dated record produced for the obliged entity at the conclusion of every verification. It evidences the identity check performed, the G-RADE™ (confidence scoring) band achieved, the fact that the verification was anchored to a regulated institution, and the date and time of the check. It does not expose the institution's name, the wallet, or the underlying behavioural detail.

The Certificate is the document the firm presents to HMRC during an MLR 2017 inspection. Together with the Technological Due Diligence (TDD) document, it satisfies both the verification requirement of Regulation 28 and the record-keeping requirement of Regulation 40.

The firm retains the Certificate; the underlying personal data does not transfer to the firm. This separation is fundamental to WhyAML's data-minimisation architecture.

Inside your portal - the customer record after verification

WhyAML firm-side customer record for Daniel Kim, showing approval status with conditions, recorded risk level, and activity timeline

Daniel Kim. Approved with conditions. Risk level recorded. Activity timeline kept. Ready for the next HMRC inspection - no filing cabinet required.

The institution did the verification. WhyAML proves it.
Ongoing checks run automatically - you're alerted only if something changes.

An honest trade

Every identity system has a trade-off.

Documents leak.

Once you hold a passport scan, you're a target.

Biometrics intrude.

A face is a key the client can't change.

Self-declaration isn't verifiable.

Your client says it. You write it down. HMRC doesn't accept it.

WhyAML doesn't take any of those things.
WhyAML's Witness Model: we verify your client controls a verified account at an institution that already did the work to banking standards.

Different trade-offs. We think this trade is worth making.

How institutional provenance works, and why it holds

Institutional provenance: the patented method

Institutional provenance is WhyAML's core verification method, patented in the EPO, USPTO, and via the PCT. It verifies identity by confirming an individual's authenticated control of an account at a regulated financial institution that has already performed customer identity checks under its regulatory obligations - at present FCA-registered crypto-asset firms, and in a later phase FCA/PRA-authorised banks.

Control is confirmed by witnessing observable, authenticated evidence of the relationship - including on-chain activity history, a DKIM-verified communication from the institution, and an authenticated control check - without retrieving, copying or storing the underlying identity documents. The method observes whatever rail the institution operates: on-chain for crypto-asset firms; read-only Open Banking for banks.

It satisfies the reliable-and-independent-source requirement of MLR 2017 Regulation 28 by independently witnessing the individual's authenticated control of a regulated relationship - not by collecting and storing identity documents, and not by relying on the institution's own due diligence (Regulation 39 is not engaged).

The movement

This isn't just about your business.

Your firm should be a sanctuary for your clients. Not a data store for hackers. Every account opened with us closes one of 5.7 million doors that criminals use today.

We're not just fixing compliance.

We're closing the honeypots.

1rank

For yourself

Easier compliance. Less risk. No documents to secure.

0passport scans
stored on your servers

2rank

For your clients

Their data isn't sitting on your servers. They're safer.

100%audit ready
from day one

3rank

For other small firms

When one firm changes how it does AML, it's easy to ignore. When thousands do, it's a market signal.

0documents shared

A different way is already here.Every account that opens with us makes it more visible.

Ready to switch?

336 firms were fined for AML failures in six months. There's a different way. Open an account and start verifying clients in 5 minutes.

See pricing Sign up

You're not a small part of the economy.You ARE the economy.

Same rules. Different reality.

The rules were meant to protect people.They did the opposite.

What if you didn't have to collectdocuments at all?

Simple and elegant on top.Sophisticated underneath.

One check. Two records. Zero documents stored.

Every identity system has a trade-off.

This isn't just about your business.

Ready to switch?

You're not a small part of the economy.
You ARE the economy.

The rules were meant to protect people.
They did the opposite.

What if you didn't have to collect
documents at all?

Simple and elegant on top.
Sophisticated underneath.