In July, the UK’s National Crime Agency (NCA) published its 2025 System Priorities for the regulated financial sector. This is the first time that the NCA has directly communicated a list of priorities to firms. The agency notes that the nine priorities are to be given equal weight, and they are not ranked in order of importance.
The priorities are the product of joint work by the NCA, the Financial Conduct Authority (FCA), the Home Office and HM Treasury.
The NCA noted that these align with its 2025 National Strategic Assessment (NSA), and with the 2025 National Risk Assessment (NRA) of Money Laundering and Terrorist Financing, published in July by the Home Office and HM Treasury.
The priorities are designed to support firms in allocating resources to where they can have the “most impact”, on a “cost-neutral basis”, while “maintaining regulatory responsibilities”, the NCA said.
The bigger picture
Crypto-asset financial crime, fraud and money mule activity are growing in scale and sophistication, and are increasingly interconnected.
The National Risk Assessment notes that fraud is the most commonly experienced crime in the UK, accounting for more than 43 percent of offences in England and Wales. In 2024, an estimated 4.1m fraud incidents took place in the two countries, a 33 percent increase over the previous year.
Moreover, the National Fraud Intelligence Bureau (NFIB) estimates that more than 70 percent of fraud perpetrated against UK citizens and businesses emanates from or is facilitated via overseas jurisdictions.
Accordingly, money muling has grown to accommodate the laundering of victim funds.
In January 2025, an FCA review found that more than 190,000 money mules were offboarded by 25 firms between January 2022 and September 2023.
However, only 37 percent of the offboarded mules were reported to the National Fraud Database (NFD).
A recurring theme of the NCA’s priorities is that the agency wants firms not only to share more data, but also to contribute to new data-sharing models, frameworks and best practices.
Three key areas of concern are crypto-asset financial crime, fraud perpetrated by international offenders against UK victims and the exploitation of money mules within the UK.
The NCA believes firms that are exposed to these risks should make greater use of public and private data-sharing to understand threats, identify offenders and ultimately prevent crime.
For example, it calls on crypto firms to work with UK law enforcement to “identify and embed” awareness of risk factors that indicate illicit crypto activity and to share data sets to create a “fuller intelligence picture” that can be used to strengthen financial crime defences.
This includes sharing data that could allow for more effective identification of criminal proceeds and victim funds, and data that indicates crypto-specific fraud typologies, such as rug pulls and fraudulent initial coin offerings (ICOs).
Wider exchange of this data will allow crypto firms to collectively improve their capabilities to freeze and restrain suspect funds when required.
Fraud perpetrated by international offenders, another priority area, could also be mitigated through similar forms of data sharing.
Much of the private-to-private sector data-sharing encouraged by the NCA is protected under the Economic Crime and Corporate Transparency Act (ECCTA) 2023, which allows for the sharing of “relevant customer information” between anti-money laundering (AML) regulated firms to detect, prevent and investigate financial crime.
In December 2024, UK regulators published updated guidance to help firms understand the protections offered by the ECCTA.
In the guidance, they make clear that they want relevant customer information to be shared between firms in “as many cases as possible”.
Firms may share this information directly or indirectly (through third-party intermediaries) and, when doing so, will be protected from civil liability under the General Data Protection Regulation (GDPR).
Those with “significant technological capability” can use application programming interfaces (APIs) for private-to-private sharing, ideally following pilot exercises, with support from statutory supervisors or professional or trade bodies.
Alternatively, the use of third-party intermediaries is encouraged where third-party platforms can demonstrate clear security protocols, transparent governance arrangements and GDPR compliance.
Under the ECCTA, customer information-sharing is protected from civil liability under the “request” and “warning” conditions.
The request condition is met when one firm has reason to believe that another firm holds information about a customer that may assist in preventing, detecting or investigating financial crime.
The warning condition is met when one firm takes “safeguarding action” against a customer in order to prevent, detect or investigate financial crime.
A safeguarding action is defined as terminating a business relationship with a customer, refusing a customer a product or service or restricting a customer's access to elements of a product or service.
Why should you care?
As the NCA’s priorities make clear, the UK remains vulnerable to financial crime threats due to the lack of data and data-sharing among firms and between firms and regulators.
Although the types of data-sharing encouraged by the NCA remain voluntary, firms that engage constructively with the agency’s recommendations stand to benefit in several ways.
As the latest guidance on the ECCTA emphasises: “Through regulated firms using the measures to share information, they will gain a network view of the economic crime risk linked to their services and platforms.
“Firms will therefore have a greater ability to take upstream preventative action and disrupt illicit activity.”
In addition, if a wide range of firms make use of these provisions, each will have richer sources of information available when undertaking their reporting obligations, increasing the accuracy, timeliness and effectiveness of suspicious activity and fraud reporting across the sector.
To collaborate with the NCA, firms can take a number of steps:
- Contribute to a new framework for the identification of “emerging” or “changing” jurisdictions that pose risks of fraud to persons in the UK.
- Identify which systems, legislation and recruitment routes criminal networks in these jurisdictions are exploiting to target UK victims.
- Expand their use of private-to-private sector intelligence-sharing in relation to threats from organised criminal groups (OCGs) that operate in priority jurisdictions such as Ghana, Nigeria, India, Cambodia, Laos and Myanmar.
- Work towards an “agreed industry methodology” and “data-sharing model” focused on tackling money mules and mule herders.
Firms should also collaborate with regulators to build an understanding of the methodologies being used to recruit money mules and to cash out funds moved through mule accounts.