
The Invisible Regulation: WTR Demands a Risk Assessment of Its Own

  • Writer: Elizabeth Travis
  • Apr 9



When the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs) came into force on 26 June 2017, they brought together two distinct regulatory obligations under a single statutory instrument. Part 4 of the MLRs transposed the EU Funds Transfer Regulation (EU) 2015/847 into UK law, establishing detailed requirements for the information that must accompany electronic transfers of funds. For most payment service providers (PSPs), the Wire Transfer Regulations (WTR) were absorbed into existing anti-money laundering (AML) frameworks without ceremony. They were treated as a subset of the broader AML regime, a regulatory annex rather than a discipline in their own right. Yet that assumption, still widespread across the sector, is becoming increasingly difficult to defend.


The WTR are not merely an extension of customer due diligence (CDD) or transaction monitoring. They impose a separate and specific set of obligations on PSPs relating to the information that must travel with a payment, the verification of that information, and the actions required when information is missing or incomplete. These obligations vary by PSP role, by transfer type, and by value threshold. In short, the WTR constitute a regulatory regime with its own internal logic, its own risk drivers, and its own failure modes. Treating them as a line item within a general AML risk assessment is no longer proportionate.


A regulation hiding in plain sight


The tendency to subsume WTR compliance within broader AML frameworks is understandable. The WTR sit within the same statutory instrument as the UK’s core anti-money laundering provisions. The Financial Conduct Authority (FCA) supervises compliance with both. The Joint Money Laundering Steering Group (JMLSG) addresses wire transfer obligations within its Part III guidance, alongside other AML measures. The architecture of the regime invites consolidation.


Yet consolidation has bred complacency. In practice, many firms conduct a single enterprise-wide risk assessment (EWRA) that addresses money laundering, terrorist financing, and proliferation financing risks in broad terms, with the WTR referenced only in passing. The specific risks that the WTR are designed to address, namely the absence, inaccuracy, or incompleteness of originator and beneficiary information flowing through the payment chain, are rarely isolated, quantified, or stress-tested as a distinct category. The result is a compliance framework that acknowledges the existence of the WTR without genuinely interrogating their demands.


Consider what this means in practice. A firm may have robust CDD procedures, effective transaction monitoring, and a well-resourced suspicious activity reporting (SAR) function, and still fail to ensure that the correct information accompanies every transfer it processes. The WTR concern themselves not with whether the customer is who they claim to be, but with whether the right data travels with the payment at every stage of the chain. That distinction is not captured by an EWRA structured around customer, product, and geographic risk categories.


The risk drivers are not the same


Under the WTR, the payer’s PSP must ensure that specified information, including the payer’s name, account number, and address or date of birth, accompanies a cross-border transfer above the €1,000 threshold. The payee’s PSP must detect transfers that arrive without the required information and determine whether to accept, reject, or suspend them. Intermediary PSPs must ensure that originator and beneficiary information is retained throughout the payment chain. Each role carries distinct risks: truncation of data fields during processing, system limitations that strip or corrupt information, reliance on correspondent banking relationships where data quality is inconsistent, and the challenge of applying different information requirements to domestic and cross-border payments processed on the same platform.


These are not theoretical concerns. UK Finance published its Funds Transfer Regulation interpretative guidance precisely because PSPs were struggling with operational questions that their standard compliance frameworks did not address: how to handle truncated data in legacy payment systems, how to manage the transition to ISO 20022 messaging standards, and how to distinguish domestic from cross-border transfers when payments pass through complex clearing arrangements. These issues require dedicated analysis of payment processing infrastructure, message formatting capabilities, and the quality of data received from counterparties across the payment chain.


Post-Brexit divergence has raised the stakes


The case for a dedicated WTR risk assessment has been strengthened considerably by the UK’s departure from the European Union. Prior to Brexit, transfers between UK and EU PSPs were treated as intra-EU payments, subject to lighter information requirements under Regulation (EU) 2015/847. Since 1 January 2021, those same transfers have been classified as cross-border payments to and from third countries, requiring the full complement of originator and beneficiary information. The Funds Transfer (EU Exit) Regulations 2019 equalised the regulatory treatment, meaning that UK PSPs must now provide the same volume of information for transfers to EU member states as they do for transfers to any other jurisdiction.


This is not a minor technical adjustment. It fundamentally altered the risk profile of a significant volume of payment traffic. PSPs that had calibrated their systems and controls on the basis of lighter intra-EU requirements were required to reconfigure their processes, and many have yet to do so with sufficient rigour. A WTR-specific risk assessment would have surfaced this exposure at the point of regulatory change. Generic frameworks, by their nature, did not.


The divergence extends further. The EU has since recast its own Funds Transfer Regulation through the Transfer of Funds Regulation (EU) 2023/1113, which now sits alongside the Markets in Crypto-Assets Regulation (MiCA) and introduces expanded requirements for crypto-asset service providers. The UK, meanwhile, has taken its own steps. Since 1 September 2023, the Money Laundering and Terrorist Financing (Amendment) (No. 2) Regulations 2022 have extended Travel Rule obligations to UK cryptoasset businesses under FCA supervision, requiring them to collect, verify, and share originator and beneficiary information for all cryptoasset transfers regardless of value. The UK’s approach diverges from the EU’s in both scope and supervisory philosophy, with the FCA applying a risk-based framework rather than the harmonised regime adopted under MiCA. PSPs operating across both jurisdictions face a growing compliance gap that only a dedicated, jurisdiction-specific risk assessment can adequately address.


FATF’s revised Recommendation 16 redefines the baseline


The international context reinforces the argument. In June 2025, the Financial Action Task Force (FATF) adopted a substantially revised version of Recommendation 16 (R16), the global standard on payment transparency formerly known as the wire transfer recommendation. The revisions, agreed at the FATF’s June 2025 Plenary and supplemented by an assessment methodology annex published in October 2025, represent the most significant overhaul of the standard in over two decades.


The revised R16 extends the scope of payment transparency requirements beyond traditional wire transfers to encompass all payments or value transfers and related messages. It introduces enhanced obligations for beneficiary financial institutions, including the requirement to verify beneficiary identity for cross-border transfers above the applicable threshold and to use beneficiary information to detect misdirected payments, including those arising from fraud. It calls for information to be structured in accordance with established standards such as ISO 20022 wherever possible. Crucially, the FATF has set a compliance deadline of the end of 2030, with further guidance on implementation expected in late 2026.


For UK PSPs, the implications are significant. The current UK WTR, rooted in the onshored Regulation (EU) 2015/847, will need to be updated to reflect the revised FATF standard. The scope of covered transactions will expand. The obligations on beneficiary PSPs will intensify. The data quality requirements will become more granular. Without a standalone assessment of current WTR risks, firms will be attempting to calibrate compliance with a moving standard against an unknown baseline. That is not a defensible position.


What a WTR-specific risk assessment should look like


A dedicated WTR risk assessment is not a duplication of the EWRA. It is a different instrument, designed to answer a different question: not whether the firm is exposed to money laundering risk in general, but whether its payment processing infrastructure reliably produces compliant transfers in practice. The distinction matters. The EWRA asks whether the firm knows its customers. The WTR risk assessment asks whether the firm’s systems, message formats, and counterparty relationships deliver the right information, to the right standard, at the right point in the payment chain.


In structural terms, the assessment should be organised around the firm’s specific PSP roles and the payment channels through which it operates. A PSP acting primarily as an intermediary faces a different risk profile from one that originates the majority of its transfers. A firm processing high volumes through SWIFT faces different data integrity challenges from one reliant on Faster Payments or SEPA. The assessment should map these channels against the information requirements of the WTR and test, with operational evidence rather than policy statements, whether those requirements are consistently met.


Governance is equally important. The assessment should identify who within the firm owns WTR compliance as a discrete obligation, how exceptions and breaches are escalated, and how the firm monitors whether its counterparties and correspondents are meeting their own obligations. It should set out clear metrics for measuring control effectiveness: rejection rates, data completeness scores, remediation timescales, and the outcomes of any supervisory engagement. And it should be subject to a defined review cycle, triggered not only by the passage of time but by material changes in the firm’s payment profile, its correspondent relationships, or the regulatory framework itself.


Compliance without comprehension is not compliance


The WTR occupy an unusual position in the UK’s financial crime framework. They are embedded in the same statutory instrument as the MLRs, supervised by the same regulator, and governed by the same overarching risk-based approach. Yet they impose obligations that are operationally and legally distinct, and they reflect international standards that are undergoing their most significant revision in a generation. That combination of proximity and distinctiveness is precisely what makes them so easy to overlook, and so consequential when they are.


The argument for a standalone WTR risk assessment is not an argument for bureaucratic complexity. It is an argument for operational realism. Firms that isolate their WTR obligations are better placed to design controls that work. Firms that measure their WTR exposure with specificity are better placed to respond when the regulatory baseline shifts. And firms that treat payment transparency as a discipline in its own right are better placed to demonstrate to regulators, to correspondents, and to themselves, that their compliance is effective in operation, not merely present on paper. Until the WTR receive that level of scrutiny, they will remain the invisible regulation: critical to the payment chain and insufficiently understood by the firms that are bound by them.


Is your firm confident that its current risk assessment captures the full scope of its wire transfer obligations?


At OpusDatum, we work with PSPs and financial institutions to build WTR-specific risk assessment frameworks that go beyond generic AML compliance. Our approach combines regulatory expertise with operational insight, helping firms identify and address the distinct risks that the WTR present across each stage of the payment chain.


Contact us to discuss how OpusDatum can support your WTR compliance strategy.

