Rules vs Enforcement: Demystifying the UK’s Financial Crime Architecture

On 26 January 2026, the Home Secretary published a policing reform white paper that proposed the most significant restructuring of UK law enforcement in nearly two centuries. At its centre was the creation of a National Police Service (NPS), a single national force that would absorb the National Crime Agency (NCA), Counter Terrorism Policing and Regional Organised Crime Units into one organisation. The white paper, titled From Local to National: A New Model for Policing, described a system that is too fragmented, too duplicative and no longer fit for purpose.

Yet the fragmentation the white paper sought to address is not confined to policing structures. It runs through the entire architecture of the UK’s financial crime regime. Regulators and law enforcement agencies operate under different legal thresholds, pursue distinct outcomes and answer to different accountability structures. The boundaries between supervision, civil enforcement and criminal prosecution are rarely drawn with the clarity that firms need.

For many organisations, particularly those operating across regulated and lightly regulated sectors, this creates genuine confusion. Who sets the rules, who enforces them, and why can similar conduct trigger regulatory censure in one case and criminal investigation in another? These are not academic questions. They are essential to designing proportionate, defensible and effective financial crime frameworks.

This article unpacks the UK’s financial crime architecture as it stands in early 2026. It clarifies the respective roles of regulators and law enforcement, and examines the hybrid position of HM Revenue and Customs (HMRC). It situates the Office of Trade Sanctions Implementation (OTSI) within the sanctions regime and considers the trajectory of NCA reform.

Regulation and enforcement serve different purposes

A persistent misconception within financial services is that regulators function as extensions of law enforcement. They do not. Regulators exist to set standards, supervise firms and intervene where governance, systems and controls fall short of expectations. Their role is preventative and supervisory, not prosecutorial. Regulatory enforcement is civil or administrative in nature, designed to correct behaviour and deter future misconduct.

The Financial Conduct Authority (FCA) provides the clearest example. Its statutory objectives under the Financial Services and Markets Act 2000 (FSMA) centre on consumer protection, market integrity and competition. Financial crime prevention sits within this mandate. The FCA does not need to prove that money laundering, fraud or sanctions breaches have occurred in order to act. It assesses whether a firm has taken reasonable and proportionate steps to manage risk.

Law enforcement operates on a fundamentally different footing. Agencies such as the NCA, the Serious Fraud Office (SFO) and regional police forces investigate suspected criminal offences and pursue prosecution through the courts. Their focus is retrospective and case-driven. They must establish that a specific offence has been committed and meet the criminal standard of proof.

Conflating these functions leads to flawed compliance strategies. Firms that assume regulatory action will only follow criminal investigation underestimate regulatory risk. Those that treat supervisory engagement as quasi-criminal overcorrect, embedding controls that are rigid, costly and operationally brittle.

The FCA supervises systems, not criminal outcomes

The FCA sits at the centre of the UK’s financial crime regulatory framework for authorised firms. It supervises banks, investment firms, payment institutions, electronic money institutions and cryptoasset businesses registered under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs). Its remit encompasses anti-money laundering (AML), counter-terrorist financing, sanctions systems and broader financial crime controls.

The FCA’s approach remains explicitly risk-based. Firms are expected to understand their inherent exposure, implement proportionate controls and demonstrate effective oversight by senior management. Enforcement action has consistently focused on systemic failings rather than isolated breaches. High-profile cases against banks for AML and sanctions weaknesses illustrate the regulator’s willingness to intervene where deficiencies persist over time.

Crucially, the FCA does not prosecute financial crime offences. Criminal liability for money laundering under the Proceeds of Crime Act 2002 or for sanctions breaches lies with law enforcement bodies. This separation underlines a point that compliance teams frequently overlook: regulatory compliance cannot be assessed by reference to criminal outcomes alone. A firm may never face prosecution and still be subject to significant regulatory censure.

Criminal enforcement remains selective by design

The UK’s law enforcement response to financial crime is deliberately distributed. The NCA leads on serious and organised crime, including complex money laundering networks, sanctions evasion and international illicit finance. The SFO investigates major fraud, bribery and corruption. HMRC and regional police forces pursue a wide range of economic crimes, often linked to tax evasion and proceeds of crime.

Only a small proportion of reported economic crime results in prosecution. The National Audit Office’s 2022 report, Progress Combatting Fraud, concluded that the government did not know the full scale of the fraud threat and was not yet leading an effective cross-government strategy to tackle it. The Public Accounts Committee has repeatedly raised concerns about enforcement capacity and coordination across the system.

The NCA has consistently emphasised that Suspicious Activity Reports (SARs) function primarily as intelligence. They feed strategic assessments, support asset denial and enable disruption activity. They do not automatically trigger prosecution. For regulated firms, the implication is clear: law enforcement activity is episodic and outcome-driven, while regulatory supervision is continuous and systemic. Treating one as a substitute for the other remains a strategic error.

The NPS will reshape national enforcement

The January 2026 white paper represents the most significant proposed restructuring of national law enforcement since the NCA was established under the Crime and Courts Act 2013. The stated objective is to reduce fragmentation, improve coordination and strengthen the response to crime types that operate across force boundaries, including economic crime.

Under the proposals, the NPS would bring together the NCA, Counter Terrorism Policing, the National Police Chiefs’ Council, the College of Policing and Regional Organised Crime Units into a single national force. A national police commissioner would be appointed to lead the service. As Ropes and Gray observed in their analysis of the white paper, the NPS would become the lead investigative authority for fraud, economic crime and cybercrime, working with and eventually absorbing the NCA.

These reforms are ambitious. The Institute for Government noted that while the proposals for the NPS are on strong ground, the treatment of existing specialist capabilities remains unresolved. The integration of the NCA into the NPS would be significant for money laundering enforcement, potentially reshaping reporting structures and enabling closer coordination with other economic crime investigations.

Separately, reforms to NCA pay and progression structures have already taken effect. The NCA Remuneration Review Body recommended a consolidated pay award of 4.4% for all NCA officers from 1 August 2025, which was accepted and implemented. These changes were designed to address longstanding recruitment and retention challenges in specialist roles, including cyber, financial intelligence and international operations. The NCA’s budget has increased to almost £1 billion for 2025/26, reflecting a £58 million uplift at the most recent Spending Review.

For firms, these developments matter now. The trajectory is towards stronger, better-resourced national enforcement capability, particularly in relation to economic crime, sanctions evasion and cross-border illicit finance. The major reforms are not expected to be fully in force until 2029. Preparation, however, should not wait.

HMRC’s dual role blurs the boundary between supervision and prosecution

HMRC occupies a structurally unique position within the UK framework. It acts as the AML supervisor for sectors including money service businesses, trust and company service providers, estate agents and high-value dealers. In this capacity, it assesses compliance with the MLRs and imposes civil penalties for breaches.

At the same time, HMRC is a criminal enforcement body with extensive investigatory powers. Where supervisory activity uncovers evidence of deliberate wrongdoing, matters may escalate into criminal investigation and prosecution. The boundary between regulatory non-compliance and criminal exposure is therefore less distinct than under FCA supervision.

This dual role materially alters the risk calculus for firms under HMRC oversight. Documentation standards, decision-making discipline and remediation quality carry heightened importance. What might otherwise be treated as a regulatory weakness can rapidly acquire evidential significance.

OTSI adds a new enforcement dimension to trade sanctions

The establishment of OTSI on 10 October 2024 marked a significant evolution in the UK’s sanctions architecture. OTSI, housed within the Department for Business and Trade (DBT), is responsible for the civil enforcement of trade sanctions under the Trade, Aircraft and Shipping Sanctions (Civil Enforcement) Regulations 2024 (TASSCER). Its remit covers the provision and procurement of sanctioned services, the movement of restricted goods outside the UK and ancillary services linked to those activities.

OTSI’s enforcement model mirrors that of the Office of Financial Sanctions Implementation (OFSI), which enforces financial sanctions from within HM Treasury. Both bodies operate on a balance of probabilities rather than the criminal standard of proof. OTSI applies a strict liability standard: it does not need to demonstrate that the person acted knowingly or with intent. Penalties can reach the greater of £1 million or 50% of the estimated value of the breach. Together, OFSI and OTSI reflect a deliberate shift towards more assertive civil enforcement.

For financial institutions, this adds material complexity. Trade sanctions risk often sits outside traditional financial crime frameworks. Financial flows linked to trade transactions can expose firms to enforcement action even where trade compliance failures occur elsewhere in the supply chain. The separation between OFSI and OTSI does not remove the need for integrated oversight; it reinforces it.

Intelligence quality, not volume, now defines the private sector’s value

Ongoing reform of national enforcement capability also has direct implications for the private sector’s intelligence obligations. As coordination improves and resources grow, emphasis is shifting from intelligence volume to intelligence quality.

For many years, firms have submitted SARs defensively, often prioritising completeness over clarity. That approach is increasingly misaligned with enforcement expectations. SARs are now scrutinised more critically as analytical products, not administrative outputs. Poorly articulated narratives, inconsistent risk logic and generic suspicion undermine their utility and erode institutional credibility with enforcement bodies.

The private sector is increasingly viewed as an intelligence partner rather than a passive reporting population. This places greater weight on narrative coherence, typology awareness and contextual judgement. Firms that fail to invest in SAR quality risk falling out of step with an enforcement environment that is becoming more demanding in what it expects and more capable in what it can analyse.

The margin for misunderstanding is narrowing

The UK’s financial crime framework is layered by design. Regulators, law enforcement agencies and hybrid bodies such as HMRC and OTSI each perform distinct functions within a broader landscape of prevention, detection and enforcement. Confusion arises when these roles are misunderstood or treated interchangeably.

The most resilient compliance frameworks acknowledge these distinctions explicitly. They align controls to genuine risk, embed clear escalation and documentation standards, and equip staff to understand why different authorities ask different questions. They are built not for the comfort of hindsight, but for scrutiny in real time.

Financial crime compliance is not about anticipating prosecution. It is about demonstrating integrity, accountability and proportionality within a complex enforcement landscape. As that landscape becomes more assertive, more integrated and more intelligence-driven, the margin for misunderstanding how the system operates is narrowing. The architecture of accountability rewards those who take the time to understand it.

Is your compliance framework aligned to the enforcement landscape as it now operates?

At OpusDatum, we help firms reassess and reframe their financial crime frameworks for a layered enforcement environment. Our advisory services ensure that controls remain proportionate, defensible and credible as regulatory and enforcement expectations continue to harden.

Contact us to discuss how we can help you build financial crime controls that withstand scrutiny from every direction.