Compliance | 13 min read

Document Compliance Guide for Businesses in 2026

Document compliance obligations for UK and EU businesses: KYC, AML, GDPR, eIDAS 2, DORA. Penalties, regulations and automation. Updated 2026 guide.

James Whitfield, Head of Compliance


Document compliance is the set of legal obligations requiring businesses to collect, verify, and retain official documents about their clients, partners, and transactions. In the UK, these obligations sit primarily under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), the UK GDPR, and sector-specific rules from the FCA, HMRC, and the Home Office. At EU level, AMLD6, DORA, eIDAS 2, and MiCA add further layers for cross-border businesses. Non-compliance triggers penalties that can reach tens of millions of pounds.

In 2024, the FCA imposed over £176 million in fines for AML and KYC control failures, including a £29 million penalty against Metro Bank and a £29 million fine against Starling Bank (FCA Enforcement Annual Performance Report 2023-24). Document compliance is not an administrative burden: it is a condition of lawful operation.

This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. Consult a qualified professional for guidance specific to your situation.

KYC: The Foundation of Client Identity Verification

KYC (Know Your Customer) requires every obliged entity to verify a client's identity before establishing a business relationship. Under the MLR 2017, Regulation 28, firms must apply Customer Due Diligence (CDD) comprising three pillars: identification, verification using reliable independent sources, and ongoing monitoring. Obliged entities include banks, insurers, fintechs, estate agents, solicitors, accountants, and high-value dealers.

Manual KYC processes consume 3 to 5 full-time equivalents in a mid-sized firm. Rejection rates for non-compliant documentation reach 15 to 25% depending on the sector.

The EU Anti-Money Laundering Authority (AMLA), established by Regulation (EU) 2024/1620, became operational on 1 January 2026 and will directly supervise the highest-risk obliged entities across the EU from 2028 (Regulation (EU) 2024/1620). For a full overview of the process, see our complete KYC guide for businesses and the update on KYC requirements for 2026.

AMLD6: The New European Anti-Money Laundering Framework

The Sixth Anti-Money Laundering Directive (AMLD6, Directive 2024/1640) harmonises AML obligations across EU Member States with a transposition deadline of July 2027. It broadens the list of obliged entities, strengthens due diligence requirements, and mandates greater transparency around beneficial ownership. For UK firms with EU operations or EU-based clients, AMLD6 compliance is a practical requirement regardless of post-Brexit regulatory divergence.

Three changes stand out: the expansion of predicate offences for money laundering (now covering all offences punishable by imprisonment of more than one year), harsher criminal penalties (up to four years' imprisonment for individuals), and the harmonisation of beneficial ownership registers across all Member States. The declaration threshold remains at 25% of capital or voting rights.

AMLD6 also introduces mandatory sanctions for aiding and abetting money laundering, and extends liability to legal persons. Companies can face fines of up to EUR 5 million or 10% of total annual turnover, whichever is higher. The directive requires Member States to ensure that competent authorities have adequate powers to access beneficial ownership information without alerting the entity concerned.

Our AMLD6 compliance guide for obliged entities covers the full timeline and measures to anticipate. The specific issue of beneficial ownership verification under AMLD6 warrants particular attention, as the centralised EU register is expected to be operational by 2028.

Anti-Money Laundering and Due Diligence Obligations

Anti-money laundering (AML) and counter-terrorist financing (CTF) rely on a tiered vigilance framework. The MLR 2017, Regulations 27-33, define three levels of Customer Due Diligence: simplified, standard, and enhanced. Enhanced Due Diligence (EDD) applies to Politically Exposed Persons (PEPs), high-risk third countries listed by the FATF and the EU, and transactions that are unusually complex or large.

| Due Diligence Level | Trigger Criteria | Measures Required |
|---|---|---|
| Simplified | Low-risk client, standard product | Reduced identification, periodic review |
| Standard | Standard business relationship | Government-issued ID + proof of address + risk assessment |
| Enhanced | PEPs, high-risk countries, unusual transactions | In-depth documentation, senior management approval, ongoing monitoring |

Due diligence is the operational arm of these obligations. It involves collecting, verifying, and archiving supporting documents for every business relationship. The MLR 2017 requires firms to keep records of CDD measures and supporting evidence for at least five years after the business relationship ends (Regulation 40). Failure to maintain adequate records is itself a sanctionable offence.

In the UK, Suspicious Activity Reports (SARs) must be filed with the NCA when there is knowledge or suspicion of money laundering or terrorist financing. The NCA received over 900,000 SARs in 2024, a 22% increase on 2023, underscoring the operational burden on compliance teams. Automated document verification reduces the time spent investigating false alarms by pre-screening documents against risk indicators before they reach human analysts.

For a structured implementation framework, see our anti-money laundering compliance guide and the due diligence checklist for businesses.

Europol estimates that identified money laundering flows within the EU represent between 0.7% and 1.28% of annual European GDP, or EUR 133 to 245 billion (Europol, Financial Crime Threat Assessment 2024).

KYB and Onboarding: Verifying Business Partners

KYB (Know Your Business) is the document verification process applied to legal entities. It covers the authenticity of corporate registration documents (Companies House confirmation statements in the UK, Kbis extracts in France, Handelsregister in Germany), verification of articles of association, identification of legal representatives and ultimate beneficial owners (UBOs), and screening against international sanctions lists.

Manual B2B onboarding takes 5 to 20 working days. The most frequently missing or non-compliant documents are: expired company registration extracts (32% of rejections), outdated tax compliance certificates (28%), and incomplete beneficial ownership declarations (21%).

The UK's Persons with Significant Control (PSC) register at Companies House requires companies to identify and record individuals who hold more than 25% of shares or voting rights, or who exercise significant control. Since March 2024, Companies House verification requirements have been strengthened under the Economic Crime and Corporate Transparency Act 2023, imposing identity verification on all directors and PSCs for the first time.

For a structured onboarding process, our guide on KYB business document verification and onboarding details each step. The specific obligation to verify vendor compliance certificates deserves particular attention for organisations with complex supply chains.

GDPR and Identity Documents: Protecting Personal Data

The UK GDPR (retained EU law) and the Data Protection Act 2018 impose specific constraints on the collection and processing of identity documents. Article 5 sets the principle of data minimisation: collect only what is strictly necessary for the declared purpose. Article 17 grants the right to erasure. Article 32 requires technical security measures proportionate to the risk.

For document verification, the GDPR forces three trade-offs: retention periods (five years after the end of the business relationship for AML obligations), scope of collection (no photocopy of the passport if a reference number suffices), and storage security (encryption, restricted access, audit trail).

The tension between AML obligations (which require collecting and retaining documents) and GDPR (which mandates minimisation and deletion) is a recurring challenge. In practice, the legal basis for AML document processing is "legal obligation" (UK GDPR, Article 6(1)(c)), which overrides the right to erasure for the duration of the mandatory retention period. After that period expires, organisations must delete the data unless another lawful basis applies.

Data Protection Impact Assessments (DPIAs) are recommended by the ICO for any large-scale processing of identity documents, particularly when deploying new automated verification systems. The DPIA should evaluate necessity, proportionality, and the risks to data subjects, and document the safeguards in place.

The ICO issued £15.2 million in fines during 2024, with a growing proportion linked to disproportionate processing of identity documents and inadequate data security (ICO Enforcement Actions). Our article on GDPR compliance for identity documents provides an operational framework for balancing verification obligations with data protection.

DORA and the Financial Sector: Digital Operational Resilience

The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) has been applicable since 17 January 2025. It imposes an ICT risk management framework on financial entities: credit institutions, investment firms, insurance undertakings, asset managers, and their critical ICT third-party providers.

DORA covers five pillars: ICT risk governance, incident management and reporting, resilience testing, third-party risk management, and information sharing. The impact on document verification is direct: automated solutions used for compliance must meet the continuity, auditability, and security requirements defined by the regulation.

For document verification specifically, DORA requires that any third-party service used for compliance purposes undergoes a due diligence assessment covering: business continuity provisions, data security measures, incident notification procedures, exit strategies, and audit rights. Financial entities must maintain a register of all ICT third-party service arrangements and report critical dependencies to their supervisory authority.

The UK has not adopted DORA directly, but the FCA and PRA have implemented parallel requirements through their operational resilience framework (PS21/3), which requires financial firms to identify important business services, set impact tolerances, and test their ability to remain within tolerance during severe disruption. Document verification processes fall squarely within scope if they support a critical business service such as client onboarding or AML compliance.

DORA provides for fines of up to 2% of total annual worldwide turnover for financial entities in breach (Regulation (EU) 2022/2554, Article 50). Our guide on DORA 2026 and document verification in the financial sector specifies the measures to implement.

eIDAS 2: The European Digital Identity Wallet

The eIDAS 2 Regulation (EU 2024/1183) requires Member States to make a European Digital Identity Wallet (EUDI Wallet) available to every citizen by 2026-2027. The wallet will store and share identity credentials, attestations, and official documents in digital form with a high level of assurance.

For businesses, eIDAS 2 transforms document verification: instead of collecting copies of identity documents, organisations can verify certified attributes (age, nationality, tax number) through verifiable presentations. The expected reduction in processing time is estimated at 40% to 60%.

The UK is not bound by eIDAS 2 post-Brexit, but UK firms operating in EU markets or onboarding EU clients must accept EUDI Wallet presentations. The UK's own digital identity framework, the UK Digital Identity and Attributes Trust Framework (DIATF), provides a parallel certification scheme for identity service providers.

Equipment Leasing and Financing Compliance

The leasing and equipment financing sector sits at the intersection of multiple regulatory frameworks: AML/CTF, GDPR, consumer credit regulations, and sector-specific rules. Each financing file requires the collection and verification of 8 to 15 documents covering applicant identity, financial capacity, equipment conformity, and associated guarantees.

Rejection rates for non-compliant documentation in leasing reach 20 to 30%, generating additional processing delays of 5 to 10 working days. The most frequent errors are expired company registrations, incomplete financial statements, and non-conforming insurance certificates.

Our guide on equipment leasing compliance details the specific requirements of this sector.

Right to Work: Employment Document Verification

Right to work checks are a legal obligation for every employer in the UK. Under Section 15 of the Immigration, Asylum and Nationality Act 2006 and the Immigration (Restrictions on Employment) Order 2007 (as amended), employers must verify that every prospective employee has the right to work in the UK before employment begins. Failure to conduct proper checks removes the statutory excuse against a civil penalty.

The documents to verify vary by nationality: UK or Irish passport, share code from the Home Office online checking service, or biometric residence permit. Civil penalties for employing an illegal worker reach up to £60,000 per worker for a first breach (increased from £45,000 in February 2024) and up to £60,000 per repeat breach.

Our right to work check guide for employer compliance covers all scenarios and best practices.

Regulatory Summary by Framework

| Regulation | Sectors Affected | Key Deadline | Maximum Penalty |
|---|---|---|---|
| KYC / AML (MLR 2017) | Finance, insurance, property, legal, accounting | Ongoing | Unlimited fines (FCA) |
| AMLD6 (EU) | All AML-obliged entities | Transposition July 2027 | 4 years' imprisonment + fines |
| UK GDPR / DPA 2018 | All organisations | In force | £17.5M or 4% of global turnover |
| eIDAS 2 (EU) | All businesses (identity verification) | 2026-2027 | National sanctions |
| DORA (EU) | Financial entities and ICT providers | 17 January 2025 | 2% of global turnover |
| Right to Work (UK) | All employers | Ongoing | £60,000 per illegal worker |

How CheckFile Automates Document Compliance

CheckFile.ai is an AI-powered document verification platform covering the full scope of obligations detailed in this guide. The analysis engine automates the verification of identity documents, corporate registrations, tax compliance certificates, financial statements, and invoices in under 30 seconds per document.

Integration is available via REST API or native ERP/CRM connectors. The compliance dashboard centralises alerts (expired documents, missing items, detected anomalies) and generates the audit trails required by regulators.

Organisations using CheckFile reduce their onboarding time by 70% on average and their file rejection rate by 85%. The platform addresses UK GDPR requirements (encryption, automatic purging, data subject access rights) and DORA standards (auditability, continuity, resilience testing).

Explore our plans and pricing or discover the solution for banking and KYC.

For further reading, see What Changes in 2026-2027 and complete checklist for businesses.

FAQ

What are the main document compliance obligations for UK businesses in 2026?

Obligations cover KYC/KYB (client and partner identification and verification under MLR 2017), AML/CTF (anti-money laundering under the Proceeds of Crime Act 2002 and the Terrorism Act 2000), the UK GDPR (personal data protection), right to work checks (Immigration Act 2006), and, for firms operating in the EU, DORA (digital operational resilience for financial services) and eIDAS 2 (European digital identity). Each framework imposes specific requirements for document collection, verification, and retention.

What penalties does a business face for failing to meet document verification obligations?

Penalties vary by framework: unlimited fines from the FCA for AML/KYC failures (NatWest was fined £264.8M in 2021), up to £17.5 million or 4% of global turnover for UK GDPR breaches (ICO), up to £60,000 per worker for right to work failures (Home Office), and criminal prosecution with imprisonment of up to four years for money laundering offences under AMLD6. Regulators publish enforcement decisions, adding significant reputational risk.

How do you reconcile document verification obligations with GDPR data protection?

The principle of data minimisation (UK GDPR, Article 5) requires collecting only what is strictly necessary. In practice: prefer verifying attributes (age, document validity) over storing full document copies, apply legal retention periods (five years for AML), encrypt data at rest and in transit, and implement granular access controls. Automated verification solutions like CheckFile can verify without retaining document images.

Can document compliance be automated without losing human oversight?

AI automation handles standard cases (80% of files) in seconds, while complex or high-risk cases are routed to a human analyst with a pre-assessed dossier. This hybrid model maintains compliance rates above 99% whilst reducing processing time by 70%. The compliance dashboard provides the complete audit trail regulators require.

Will the eIDAS 2 digital identity wallet replace traditional document verification?

Not immediately. eIDAS 2 mandates the progressive rollout of the EUDI Wallet by 2026-2027, but coexistence with physical documents will last several years. UK businesses operating in the EU should prepare for a hybrid model: accepting verifiable presentations from the digital wallet whilst maintaining the ability to verify traditional documents. CheckFile supports both verification modes.
