AML Compliance and Forged Document Detection: What the Law Requires

Does AML compliance require detecting forged documents? Yes. Under Regulation 28 of the Money Laundering Regulations 2017, firms must verify customer identity using "reliable, independent source documents, data or information." A forged document is not a reliable source. Accepting one does not fulfil the Customer Due Diligence obligation — it is a CDD failure, and one the FCA and HMRC treat seriously. This article explains what the law actually requires, what forged documents do to your AML programme, and what a compliant detection process looks like in practice.

This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. Regulatory references are accurate as of the date of publication. Consult a qualified professional for guidance specific to your situation.

Editorial disclosure: CheckFile provides document fraud detection solutions. Internal benchmarks cited in this article are drawn from CheckFile platform data and are identified as such.

What UK AML Law Says About Document Verification

MLR 2017 Regulation 28 sets the core Customer Due Diligence obligation: firms must identify their customer and verify that identity using reliable, independent source documents. The word "reliable" is load-bearing. A forged document is not reliable. The verification obligation is unfulfilled regardless of whether the firm acted in good faith.

MLR 2017 Regulation 28(2) (legislation.gov.uk) requires identity to be verified using documents that are reliable and independent — a forged document satisfies neither criterion, meaning the CDD obligation is legally unfulfilled and the firm is exposed to civil and criminal enforcement under the Proceeds of Crime Act 2002.

FATF Recommendation 10 — which underpins the UK's AML framework — requires that verification be carried out using "reliable, independent source documents, data or information." The accompanying FATF guidance notes that this standard means the firm must take "reasonable measures" to establish that the document is authentic. Good faith reliance on a forged document does not meet this standard if the forgery would have been detectable with proportionate checks.

The Economic Crime and Corporate Transparency Act 2023 strengthened the UK's anti-fraud and AML architecture. It introduced new corporate criminal liability for failure to prevent fraud, which extends to identity fraud enabled by forged documents. For regulated firms, the link between document authenticity and corporate criminal exposure is now direct.

FATF Recommendation 13 on correspondent banking and Recommendation 10 on CDD both require that verification measures be sufficient to ensure the firm knows who it is dealing with. Where a forged document creates a false identity, the entire AML chain — transaction monitoring, suspicious activity reporting, sanctions screening — operates against a fiction.

For background on the broader compliance framework, see our document compliance guide and our AMLD6 compliance guide for obliged entities.

Document types and verification requirements

The table below sets out key document types, the verification requirement under MLR 2017, and the inherent risk level for AML purposes:

Why Forged Documents Undermine AML Compliance

A forged identity document does not merely introduce error into the KYC process — it makes the entire CDD exercise void. The firm believes it knows its customer. In reality, it has onboarded an identity that does not exist or belongs to someone else. Every subsequent AML control — transaction monitoring alerts, PEP and sanctions screening, suspicious activity reports — is then applied to a phantom.

CheckFile's internal analysis shows that over 40% of document fraud attempts involve identity documents where security features have been altered. The most common targets are the machine-readable zone (MRZ), the photograph, and the biographical data fields. These are exactly the elements that a surface-level visual check — without dedicated tooling — is least likely to catch.

FATF's typologies on money laundering through false identities (FATF, Money Laundering Using False Identities) identify the following recurring patterns:

• Mule account networks: Forged identity documents enable criminals to open accounts in fictitious or stolen names, used to layer and transfer illicit funds.
• Sanctions evasion: Individuals on HM Treasury or UN sanctions lists use fabricated identities to access the financial system undetected.
• Terrorist financing: Operatives create substitute identities to conduct financial activity without triggering watchlist alerts.
• Organised credit fraud: Document forgery networks produce internally consistent sets — identity card, payslip, and utility bill — to pass automated onboarding checks.
• Generative AI-enabled fraud: Since 2024, AI-generated identity documents have entered commercial fraud operations. These documents can pass OCR validation while containing fabricated personal data.

The Proceeds of Crime Act 2002 makes clear that a firm that facilitates money laundering through inadequate CDD — even without knowledge of the underlying crime — can face civil recovery proceedings. MLR 2017 creates strict regulatory liability on top of that criminal framework.

FCA and HMRC Expectations on Document Authenticity

The FCA's position is that identity verification must be effective, not merely procedural. Performing a check that cannot detect common forgeries does not satisfy MLR 2017, even if the check was formally completed and recorded.

The FCA has issued multiple "Dear CEO" letters and enforcement decisions specifically criticising inadequate document verification processes in retail banking, payments, and crypto-asset sectors — establishing that a CDD process without anti-forgery controls is a systemic weakness, not an acceptable risk-based decision (FCA, Financial Crime Guide).

FCA enforcement actions relevant to document verification include:

• The FCA's 2023 review of e-money institutions found that a significant proportion had CDD processes that could not detect altered identity documents, leading to supervisory intervention across multiple firms.
• In its 2024 Anti-Money Laundering Annual Report, the FCA identified "inadequate document verification" as one of the top five systemic weaknesses across supervised firms.
• The JMLSG Guidance (Joint Money Laundering Steering Group) — which the FCA treats as industry best practice — explicitly states that firms should use "appropriate technology or other means" to verify that documents are genuine, not merely that they contain the right information.

HMRC supervises a substantial portion of the UK's AML-obliged population — including money service businesses, accountants, estate agents, and high-value dealers. HMRC's AML supervision guidance states that firms must take "reasonable steps" to establish the authenticity of documents. HMRC enforcement actions have increasingly cited failure to detect forged documents as a standalone breach, not merely an aggravating factor.

The NCA's National Economic Crime Centre publishes regular alerts on document fraud typologies. These alerts are not advisory — they inform FCA and HMRC supervisory assessments of whether a firm's AML controls are proportionate to current threat levels.

For context on AML approach and risk segmentation, see our anti-money laundering compliance guide.

Document Forgery Detection in Practice

Effective detection of forged documents requires layered controls. No single method is sufficient.

Manual verification by trained staff remains necessary but is not scalable and cannot detect the growing volume of digitally-manipulated documents submitted through remote onboarding channels.

Manual checks that trained compliance staff should perform include:

• MRZ validation: The machine-readable zone contains a check digit algorithm (ICAO Doc 9303). A manual calculation can identify whether the check digits match the biographical data — a mismatch is a strong indicator of alteration.
• Hologram inspection: UK passports and driving licences carry optically variable devices that shift appearance under different lighting angles. These are absent or poorly replicated on most forgeries.
• Font and layout consistency: Forged documents often contain subtle font inconsistencies, particularly around dates and name fields where data has been substituted.
• Photograph integration: The photograph on a genuine document is embedded in the substrate, not overlaid. Signs of adhesive residue, pixelation around the photo boundary, or lighting inconsistency between photo and document surface are red flags.
• Document number format: UK passports, driving licences, and BRPs follow known numbering conventions. A document number that does not conform to the correct format for its claimed issue date and type is suspicious.

Red flags that warrant immediate escalation include: documents submitted as images with uniform pixel distributions (suggesting digital construction), PDF metadata revealing editing software, inconsistencies between MRZ data and biographical data, documents where the expiry date appears sharper or differently typeset than the rest of the document, and physical documents where UV-reactive features are absent.

Automated verification using AI adds detection capability that manual checks cannot replicate at scale. CheckFile's AI-based deepfake and document forgery detection analyses structural anomalies, compression artefacts, metadata inconsistencies, and font irregularities that are invisible to the human eye at normal screen resolution. The analysis produces a binary signal — authentic or suspect — alongside a structured report that documents the specific anomalies identified, which firms can retain as evidence of their CDD process.

For firms processing high volumes of remote onboarding requests — including payment institutions, crypto-asset service providers, and digital lending platforms — manual-only document verification is no longer proportionate to the risk. The FCA has made this explicit in its supervisory assessments. See our KYC solutions for banking for how automated document verification integrates with existing compliance workflows.

The CheckFile platform provides document authentication analysis as a standalone API or integrated solution, enabling compliance teams to scale document verification without degrading the customer onboarding experience.

Frequently Asked Questions

Does MLR 2017 explicitly mention forged document detection?

MLR 2017 does not use the phrase "forged document detection," but the obligation is implicit in the requirement to verify identity using "reliable, independent source documents" under Regulation 28(2). A forged document is not reliable. The FCA and JMLSG guidance make clear that firms must use methods capable of detecting common forgeries — this is what "reliable" verification means in practice.

Is a firm liable if it accepts a forged document in good faith?

Good faith is not a complete defence under MLR 2017. The FCA's standard is whether the firm's CDD process was proportionate to the risk. If the firm's process could not detect forgeries that would be apparent with standard verification tools, the firm faces regulatory liability regardless of intent. The FCA has fined firms for inadequate CDD processes even where there was no evidence of deliberate wrongdoing by staff.

What documents are acceptable for identity verification under MLR 2017?

MLR 2017 does not prescribe a fixed list. The requirement is that documents be "reliable and independent." In practice, the JMLSG Guidance Part I identifies passports, national identity cards, and driving licences as primary identity documents, supplemented by utility bills or bank statements for address verification. The key is that the documents used must be verified for authenticity — not merely inspected for the presence of the correct information.

Does remote onboarding face the same document verification requirements?

Yes. Remote onboarding is subject to the same MLR 2017 obligations as face-to-face verification. The FCA's guidance on digital identity verification allows for electronic verification as an alternative or supplement to physical document inspection, provided the method achieves an equivalent level of reliability. In practice, this requires AI-based document authentication combined with biometric liveness detection for high-risk onboarding scenarios.

How does the Economic Crime and Corporate Transparency Act 2023 affect document verification obligations?

The ECCTA 2023 introduced corporate criminal liability for failure to prevent fraud. Where forged documents are used to commit fraud and a firm's inadequate verification processes enabled it, the firm may face corporate criminal liability in addition to FCA or HMRC enforcement action. This raises the stakes for document verification beyond regulatory fines — it creates potential criminal exposure for the corporate entity itself. Firms should ensure their document verification procedures are documented, tested, and proportionate to current forgery threat levels.

For where this fits in the CheckFile offering, see our AI and deepfake detection approach.