The framework already permits it. The practice has not yet caught up.
If the AML Paradox set out the symptoms - £38.3bn spent, under 1% intercepted, identity-fraud volumes rising every year - this brief sets out the architectural cause and what the existing UK regulatory framework, read coherently, supports as the response.
The architectural cause behind the paradox
The figures in the AML Paradox describe a system whose unit economics no longer hold. They do not, on their own, explain why. The explanation is architectural, and it is recent.
Before 2020, identity verification was concentrated at institutional choke points. A new bank account, a new mortgage, a new commercial relationship - each required identity work, but the work was performed by entities equipped to do it: banks, large professional firms, regulated institutions with compliance teams, secure infrastructure, and the statutory accountability that comes with both. The model had friction, but the friction was contained.
The pandemic moved the entire economy remote in months. Estate agents who had taken passport photocopies across a desk were now receiving them by email. Tax accountants who had verified clients face-to-face were now relying on phone-camera scans. The Money Laundering Regulations did not change; the operational reality of complying with them did. Document collection migrated outward - to every obliged entity, in every sector, at every scale - and stayed there.
The result is the surface the Paradox piece describes. Identity documents now sit in tens of thousands of small-business inboxes, shared drives, and consumer-grade cloud storage. The regulatory framework was written for the pre-2020 model; the operational reality is post-2020. The gap between the two is where the £38.3bn spend lives - and where the fraud volumes have grown.
AI did not create the post-Covid PII proliferation. It made it impossible to ignore. A document-collection regime that had been merely inefficient is now also evidentially unreliable: the documents arriving at every obliged entity are increasingly forged, the forgeries are increasingly hard to detect, and the entities receiving them increasingly cannot tell which is which. The system is stumbling not because effort has fallen, but because the architecture has been outflanked.
What the existing framework actually permits
The regulatory text has not moved. Read in isolation, each requirement appears settled. Read together, in light of the direction UK data-protection law has been taking, the framework supports an architecture that current practice has not built.
Regulation 28 requires verification from a reliable source independent of the person being verified. The Regulations do not prescribe a method; they require reliability and independence. A UK Tier 1 bank regulated by the FCA and PRA, or a Tier 2 crypto-asset firm registered with the FCA under the modern crypto-asset framework, satisfies both: each has performed identity verification under its own statutory obligations and continues to maintain that relationship under ongoing supervision. The document the individual hands over is not the reliable source. The institution behind it is.
Regulation 40 requires five-year retention of CDD evidence. The Regulation is medium-agnostic. An immutable on-chain reference to the verification event exceeds the five-year minimum and remains independently verifiable by a regulator without reliance on either provider or firm - while containing no personal data on the chain itself. Retention and minimisation, treated as competing duties under the document-centric model, become consistent under the witness model: the personal data is not what is retained; the verification fact is.
The Data (Use and Access) Act 2025, whose main data-protection provisions came into force on 5 February 2026, modernises UK data-protection law and places the Digital Identity and Attributes Trust Framework on a statutory footing. The trajectory of UK data-protection law is towards stronger minimisation, clearer purpose limitation, and tighter alignment between processing and necessity. None of these points towards more document collection at more obliged entities; all of them point away from it.
The HM Treasury and DSIT Joint Guidance on Digital Identity, published on 26 February 2026, recognised certified Digital Verification Services as one route to satisfying Regulation 28. WhyAML is not a DVS and does not rely on that route. Regulation 28 remains technology-neutral - it requires a reliable source independent of the person, not a particular product - and the regulated institution that has already verified the individual is that source. The Guidance is addressed to digital identity products; it does not displace the Regulations' underlying reliable-source standard, and it does not require firms to collect more documents.
The framework, read coherently, does not require the document-centric model. It permits - and the direction of travel supports - an architecture that observes the user's authenticated relationship with a regulated institution rather than re-collecting documents the institution has already verified.
This is not an argument for regulatory reform. The legal anchors are in force today: Reg 28's source-of-verification standard, Reg 40's medium-agnostic retention, the DUAA 2025's minimisation direction, and Reg 19(4)(c)'s documented risk-based adoption route. What is missing is not permission. It is implementation.
The witness model
The platform observes - passively, without retrieving documents, without contacting institutions, without taking custody of personal records - that the user demonstrably controls an authenticated relationship with a regulated institution. The verification is composed of independent signals: a lite identity-assurance check; dynamic knowledge-based questions generated from the user's own observable history; cryptographic verification of a DKIM-signed institutional communication, validated inside a hardware-isolated enclave; and, where the risk profile requires it, evidence of a regulated-threshold transaction with the institution. No single signal is determinative. Their composition is what evidences the relationship.
The architecture is rail-agnostic. For Tier 2 crypto-asset firms, the observed rail is on-chain activity. For Tier 1 banks - entering through Phase 1 under WhyAML's certified RAISP registration - the observed rail is read-only Open Banking, accessed only with the user's authorisation, observing only what the institution exposes to the user themselves. The principle is the same: witness the authenticated relationship; collect no document.
What the firm receives is a Broker Compliance Certificate: a regulator-ready record of the determination, the confidence band, the timestamped flow of the verification steps, and the regulations satisfied. The certificate withholds, by design, the data that would create new risk if it were shared - the user's wallet address, the institution's name, the underlying behavioural assessment. The user receives an encoded on-chain token containing no personal data, anti-fraud-protected, in their own control.
The firm holds no identity documents. The provider holds the operational minimum needed to perform and monitor the verification, and the encoded record on the chain contains no personal data at all. The honeypot of document-grade PII at every obliged entity - the surface the Paradox piece identified as the cost-and-attack centre - is eliminated by the architecture, not reduced by it.
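As an added illustration of the certificate-and-commitment split described above (example code, not WhyAML's own): the firm receives a certificate with the withheld fields removed, while the chain carries only a salted hash that a regulator can later recompute from the provider-held record. The signal weights, confidence bands, field names and the salted-hash scheme are assumptions, since the brief names the signals and the withheld fields but gives no scoring rule or encoding.

```python
import hashlib
import json

# Fields the certificate withholds by design (named in the brief): the
# user's wallet address, the institution, the behavioural assessment.
WITHHELD = ("wallet_address", "institution", "behavioural_assessment")

# Integer weights per signal (out of 100). The brief names the four signals
# but gives no scoring rule; these weights and the bands are assumptions.
WEIGHTS = {"identity_assurance": 20, "dynamic_kba": 30,
           "dkim_enclave": 30, "threshold_transaction": 20}


def confidence_band(signals):
    """Compose independent pass/fail signals; no single signal decides."""
    score = sum(WEIGHTS[name] for name, passed in signals.items() if passed)
    if score >= 80:
        return "high"
    return "medium" if score >= 50 else "fail"


def build_record(signals, steps, withheld):
    """Full provider-held record: determination plus the withheld fields."""
    band = confidence_band(signals)
    record = {"determination": "pass" if band != "fail" else "fail",
              "confidence_band": band,
              "steps": steps,  # timestamped flow of verification steps
              "regulations": ["MLR 2017 reg 28", "reg 40", "reg 19(4)(c)"]}
    record.update(withheld)
    return record


def commitment(record, salt):
    """PII-free on-chain reference: salted SHA-256 of the canonical record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(salt + canonical.encode()).hexdigest()


def issue_certificate(record, salt):
    """Certificate handed to the firm: withheld fields removed, commitment kept."""
    cert = {k: v for k, v in record.items() if k not in WITHHELD}
    cert["commitment"] = commitment(record, salt)
    return cert


def regulator_verify(cert, record, salt):
    """A regulator recomputes the commitment from the provider-held record,
    so retention (the fact) and minimisation (no PII on chain) coexist."""
    return cert["commitment"] == commitment(record, salt)
```

The salt must stay with the provider-held record, since without it the on-chain hash reveals nothing and cannot be brute-forced against guessed field values.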
The audit trail of substance
Anti-money-laundering regulation exists, in purpose, to enable the investigation and tracing of illicit value flows. The document-centric verification model produces, as its evidential artifact, a copy of an identity document examined at the moment of acceptance. When that document is synthetic - increasingly likely, in 2026 - there is nothing behind it for an investigator to follow. The trail terminates at the moment of acceptance, because the artifact itself is the only substance, and the artifact is fabricated.
This is the structural inversion the Paradox piece points at without naming. AML's front door now routinely accepts artifacts that defeat AML's investigative purpose. The same regime that exists to enable financial investigation produces, at its first checkpoint, the one kind of evidence financial investigation cannot use.
The witness model produces the opposite artifact. A passed verification evidences a real, authenticated, ongoing relationship with a regulated institution - one with its own statutory record-keeping, its own ongoing-monitoring obligations, its own transaction surveillance, and its own subpoena-able audit trail. When fraud is later detected, an investigator has somewhere to go: the institutional relationship, the institution's records, the regulated custodian's own monitoring. The trail has substance. It points back, by design, into the institutional surface that AML was built to use.
The document model: where does the trail go?
An obliged entity examined an identity document at the moment of onboarding. The document is in a file. If the document is synthetic, the file contains nothing that the institution it appeared to come from would recognise as its own.
The witness model: where does the trail go?
An obliged entity received evidence that the customer holds an authenticated, ongoing relationship with a regulated institution. The institution holds its own record of that relationship, under its own statutory retention, supervised by its own regulator, and is reachable by an investigator following the trail upstream.
This is the substantive AML argument for the architectural shift, and it is the one that survives the simplest test. If fraud is discovered after the verification, where does the trail go? The document model has an answer that fails when the document is synthetic. The witness model has an answer that holds because the substance was never in the artifact in the first place; it was always in the institutional relationship the artifact pointed to.
The architectural implication
Identity verification at scale concentrates somewhere. The post-Covid drift concentrated it across hundreds of thousands of obliged-entity nodes - every estate agent, every tax accountant, every small lender - each holding sensitive personal data the firm has neither the resources nor the staffing to protect to institutional standard. This is not a criticism of the firms. The regulatory regime asks them to perform an institutional security function on a non-institutional budget, against an adversary (AI-generated forgery) the regime did not anticipate when it was drafted.
The witness model concentrates the load-bearing work where it can be done properly: at the Tier 1 or Tier 2 regulated institution, which has already performed the underlying identity work, has the infrastructure to protect the data, and has the statutory accountability to do so. Every downstream obliged entity witnesses the result rather than re-collecting the documents. The custody surface shrinks to one - the institution that was always going to hold the data anyway - and the rest of the regulated economy holds none.
This implies, in the longer term, a recognition in regulatory practice of the differential between institutions equipped to hold identity data in custody and those that are not. It does not require new law. The existing framework permits firms to satisfy Regulation 28 through any reliable and independent source, and to record their adoption of new technologies under Regulation 19(4)(c). What it implies is a different default - one where the obliged entity's first move, when CDD is required, is to witness, not to collect.
Adoption does not wait for that recognition. The framework as it stands today supports the architecture as it operates today. The provision-by-provision evidence is set out in the WhyAML Regulatory Compliance Mapping.
The Paradox piece established the diagnosis. This brief sets out the architecture the framework already supports.
Both pieces are written in the same spirit: read the figures, read the regulations, draw the structural conclusion. We make no claim that the law needs to change. We claim that an architecture the framework already supports has not yet been built at scale - and that the cost of the gap is what the AML Paradox quantified.
The diagram lays the comparison out visually; the companion brief sets out how the architecture behaves when it meets a real customer; and the platform itself is one step on.
Sources
- Oxford Economics / LexisNexis - "True Cost of Compliance" 2024. UK AML compliance spend: £38.3bn. (Referenced via the AML Paradox data brief.)
- National Crime Agency, National Strategic Assessment 2025 - Conservative laundering estimate £36bn+/year; 3.9m fraud incidents recorded in the year to September 2024. (Via AML Paradox.)
- Basel Institute on Governance, AML Index 2024 - Under 1% of illicit financial flows globally are intercepted; FATF effectiveness rating 28%, down from 30% in 2021. (Via AML Paradox.)
- CIFAS Fraudscape 2026 - UK National Fraud Database 2025 filings: 444,993 (record high); identity fraud 242,003 (54% of all filings); account takeover up 6%; SIM-swap fraud up 1,055%. (Via AML Paradox.)
- Sumsub 2025 - 311% increase in synthetic identity document fraud, Q1 2024 to Q1 2025. (Via AML Paradox.)
- Home Office Economic & Social Cost of Fraud 2023-24 - Total fraud cost £14.4bn; individuals £9.2bn, businesses £5.2bn. (Via AML Paradox.)
- BIIA / industry survey data, H1 2025 - 8.3% of digital onboarding attempts flagged as suspicious; 44% of organisations rank synthetic identity fraud as the top-tracked fraud type; 67% of financial institutions report rising fraud rates in 2025.
- ACFE Top Fraud Trends 2025 - Synthetic-document fraud now produced as fully fabricated payslips, statements, invoices, and tax records with realistic formatting and signatures designed to bypass document checks.
- HM Treasury & Department for Science, Innovation and Technology - Joint Guidance on the use of Digital Verification Services for AML purposes under the Money Laundering Regulations 2017, published 26 February 2026. Confirms DIATF-certified DVS as a route to satisfy Regulation 28; the risk-based approach under Regulation 19(4)(c) remains available to non-certified methodologies.
- Data (Use and Access) Act 2025 - Royal Assent 19 June 2025; main data-protection provisions in force from 5 February 2026 under SI 2026/82. The Act places the Digital Identity and Attributes Trust Framework on a statutory footing and modernises UK data-protection law.
- Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (as amended) - Regulations 28 (CDD identity verification), 19(4)(c) (risk-based assessment of new technologies), 40 (five-year record retention).