UK businesses in regulated sectors must comply with the Money Laundering Regulations 2017 (MLR 2017) and the Proceeds of Crime Act 2002 (POCA 2002). This guide covers registration, customer due diligence, suspicious activity reporting, and ongoing compliance requirements.
Who needs to comply?
You must register for AML supervision if your business is an 'obliged entity' under the regulations. This includes:
– Banks and financial services firms (FCA supervised)
– Money service businesses (currency exchange, money transfer)
– Trust or company service providers
– Estate agents
– High-value dealers (accepting cash over £10,000)
– Accountants and tax advisors
– Legal professionals
– Casinos and gambling providers
– Cryptoasset businesses
AML Transaction Thresholds
Transaction amounts that trigger customer due diligence requirements under MLR 2017.
Customer due diligence must be conducted when transactions meet these thresholds, or at any amount if money laundering is suspected.
Occasional transaction threshold: £10,000 (€15,000)
Money transfer threshold: £1,000 (€1,000)
High-value dealer threshold: £10,000 (€10,000) in cash
Casino chip threshold: £2,000 (€2,000)
Suspicious activity threshold: Any amount if suspicion exists
MLR 2017 Regulation 10 - Customer due diligence
If your firm is authorised by the Financial Conduct Authority (FCA), you must comply with both the Money Laundering Regulations 2017 and the FCA's rules on financial crime systems and controls (SYSC 6.3). The FCA conducts its own AML supervision alongside the statutory requirements.
FCA-specific requirements include:
– FCA SYSC 6.3 systems and controls requirements
– Senior Managers and Certification Regime (SM&CR) accountability
– Regular FCA regulatory returns on financial crime
– FCA thematic reviews and supervision visits
Who this applies to: All FCA-authorised firms including banks, investment firms, payment services, e-money institutions, and cryptoasset businesses with FCA registration.
Enforcement: FCA can impose unlimited financial penalties, public censure, variations of permission, and cancellation of authorisation. Senior managers can face personal accountability under SM&CR.
Registering for AML supervision
Before commencing business in a regulated sector, you must register with the appropriate AML supervisor. Registration with HMRC is free. FCA-supervised firms pay application and annual fees.
Register for Money Laundering Supervision
Step-by-step process to register with HMRC for money laundering supervision under MLR 2017.
All businesses in regulated sectors must register for AML supervision before commencing business. This process applies to HMRC-supervised businesses. FCA-supervised firms follow separate FCA authorisation procedures.
Check if you need to register
– Determine if your business is an 'obliged entity' under MLR 2017. This includes money service businesses, trust/company service providers, estate agents, high-value dealers, accountants, and tax advisors. If supervised by the FCA, register through FCA processes instead.
Appoint a Money Laundering Reporting Officer (MLRO)
– Before registering, appoint an MLRO who will be responsible for receiving internal reports and filing SARs to the NCA. This person must have sufficient authority and resources.
Create AML policies and procedures
– Draft your firm's anti-money laundering policies and procedures covering customer due diligence, risk assessment, training, and reporting. These must be in place before registration.
Complete fit and proper checks
– Conduct criminal record checks for beneficial owners (25%+ ownership), officers, and managers. Gather documentation proving they are 'fit and proper' persons.
Register online with HMRC
– Go to gov.uk/guidance/money-laundering-regulations-registration and complete the online registration form. Provide business details, beneficial owner information, MLRO details, and information about your policies. Registration is free.
Receive registration confirmation
– HMRC will review your application (typically within 45 days if complete) and send registration confirmation. You cannot legally operate in a supervised sector without this registration.
Renew annually
– Renew your registration annually (no fee). Confirm that all details remain accurate and update HMRC of any material changes to your business, beneficial owners, or MLRO.
AML Registration Fees
Fees for registering with AML supervisors (HMRC free, FCA varies by firm type).
Registration with HMRC for money laundering supervision is free. FCA-supervised firms pay application fees based on their category.
HMRC registration fee (new): Free (no charge)
HMRC annual renewal fee: Free (no charge)
FCA registration fee: Varies by firm type (£280 to £222,940)
Registration timing: Must register before commencing business
Appointing a Money Laundering Reporting Officer (MLRO)
Every obliged entity must appoint an MLRO who is responsible for receiving internal suspicious activity reports and deciding whether to submit SARs to the National Crime Agency. The MLRO must have sufficient authority and resources to fulfil the role.
Money Laundering Reporting Officer (MLRO) Requirements
Statutory requirements for appointing and maintaining an MLRO under MLR 2017 Regulation 21.
Every business subject to the Money Laundering Regulations must appoint a Money Laundering Reporting Officer (MLRO) with sufficient authority and resources to fulfil the role.
MLRO appointment: Mandatory for all obliged entities
Deputy MLRO: Recommended (mandatory for larger firms)
MLRO notification to supervisor: Within 14 days of appointment
Authority level: Officer level with sufficient authority and resources
Fit and proper test: Required for FCA-regulated firms
MLR 2017 Regulation 21 - Nominated officers
Customer due diligence (CDD)
Customer due diligence is the process of identifying and verifying your customers before establishing a business relationship. CDD must be completed before providing services, unless there is low risk and it would interrupt normal business conduct.
Standard CDD
Standard CDD applies to most customer relationships and occasional transactions above the relevant threshold.
Conduct Customer Due Diligence (CDD)
Step-by-step process for standard customer due diligence under MLR 2017 Regulations 27-30.
Customer due diligence must be conducted before establishing a business relationship or carrying out occasional transactions above the threshold. You cannot proceed if CDD cannot be completed.
Identify when CDD is required
– CDD must be conducted when establishing a business relationship, carrying out an occasional transaction of £10,000 or more (£1,000 for money transmission), or when you suspect money laundering regardless of amount.
Identify the customer
– For individuals, obtain full name, date of birth, and current address. For companies, obtain company name, registration number, registered office, and nature of business. For trusts/partnerships, understand the structure and control arrangements.
Verify customer identity
– Use reliable, independent sources to verify identity. For individuals, use passport, driving licence, recent utility bill, or bank statement. For companies, check Companies House records. Electronic verification services can be used where appropriate.
Identify beneficial owners
– Identify all beneficial owners (anyone with 25% or more ownership or control). Obtain their full name, date of birth, nationality, and country of residence. Understand the ownership and control structure.
Verify beneficial owner identity
– Verify the identity of each beneficial owner using the same documentary standards as for customers. Understand the nature and extent of their beneficial ownership.
Assess the purpose of the relationship
– Understand why the customer needs your product or service, what the expected transaction pattern will be, and (for higher-risk customers) the source of funds and wealth.
Conduct ongoing monitoring
– Scrutinise transactions to ensure they are consistent with your knowledge of the customer. Keep CDD information up to date and review the relationship periodically based on risk.
Document all CDD measures
– Retain copies of identification documents, record all verification steps taken, and document your decision-making process. Keep these records for 5 years after the relationship ends.
If CDD cannot be completed
– Do not establish the business relationship or carry out the transaction. Consider submitting a SAR. Terminate any existing relationship. It is a criminal offence to proceed without completing CDD.
MLR 2017 Regulation 27 - Customer due diligence
Enhanced due diligence (EDD)
Enhanced due diligence is required for higher-risk customers including politically exposed persons (PEPs), customers from high-risk countries, and correspondent banking relationships. EDD requires additional verification, senior management approval, and enhanced ongoing monitoring.
Conduct Enhanced Due Diligence (EDD)
Step-by-step process for enhanced due diligence for PEPs and high-risk scenarios under MLR 2017 Regulations 33-35.
Enhanced due diligence is required for politically exposed persons (PEPs), customers from high-risk third countries, correspondent banking relationships, and other high-risk scenarios. EDD requires additional steps beyond standard CDD.
Complete standard CDD first
– Before conducting EDD, complete all standard customer due diligence measures including identification, verification, and beneficial ownership checks.
Screen for PEPs
– Screen customer against PEP databases/lists. If a PEP is identified, determine if they are a domestic, foreign, or international organisation PEP. PEPs include senior government officials, judges, military officers, and their family members and close associates.
Obtain senior management approval
– For PEPs and other high-risk customers, obtain senior management approval to establish or continue the business relationship. Document this approval.
Establish source of wealth
– Determine where the customer's overall wealth originated. This may require documentary evidence such as inheritance records, business ownership, investment history, or employment records.
Establish source of funds
– For the specific transaction or relationship, determine where the funds come from. This is separate from source of wealth and relates to the immediate origin of funds.
Apply enhanced ongoing monitoring
– Conduct more frequent reviews (e.g., quarterly vs annually), set lower thresholds for transaction scrutiny, use automated monitoring with tighter parameters, and regularly refresh source of wealth/funds information.
Check high-risk third countries
– Check if the customer or beneficial owner is from a FATF-identified high-risk jurisdiction. If so, obtain additional information on the purpose of the relationship, source of funds and wealth, and reasons for transactions.
Document enhanced measures
– Record all additional steps taken, document senior management approval, and explain why EDD was triggered and how risk is mitigated.
Continue EDD after PEP status ends
– Continue enhanced due diligence for at least 12 months after a PEP ceases to hold a prominent public function.
Suspicious activity reports (SARs)
If you know, suspect, or have reasonable grounds to suspect money laundering or terrorist financing, you must submit a Suspicious Activity Report (SAR) to the National Crime Agency. Failure to report is a criminal offence punishable by up to 5 years imprisonment.
Key points about SARs
– No minimum threshold - report any suspicious activity regardless of amount
– Do not tip off - informing the customer you have filed a SAR is a criminal offence
– Consent SARs - if you need to proceed with a suspicious transaction, submit a consent SAR and wait for NCA response
– Protected disclosure - filing a SAR provides a legal defence against money laundering charges
Submit a Suspicious Activity Report (SAR)
Step-by-step process for submitting SARs to the National Crime Agency under POCA 2002.
If you know, suspect, or have reasonable grounds to suspect money laundering or terrorist financing, you must submit a Suspicious Activity Report (SAR) to the National Crime Agency. Failure to report is a criminal offence.
Identify suspicious activity
– If you know, suspect, or have reasonable grounds to suspect that property represents proceeds of crime or is related to terrorist financing, you must report it. This includes unusual transactions, red flags, or suspicious customer behaviour.
Report internally to your MLRO
– Immediately report the suspicious activity to your Money Laundering Reporting Officer (MLRO). Do not delay. Document the suspicious activity and your reasons for suspicion.
MLRO reviews and decides
– The MLRO will review the internal report and supporting evidence to decide if an external SAR to the NCA is required. The threshold is knowledge, suspicion, or reasonable grounds for suspicion. Document the decision even if no SAR is filed.
Prepare the SAR
– If a SAR is required, gather all relevant information about the subjects involved, suspicious transactions, amounts, dates, accounts, and specific red flags that triggered the suspicion.
Submit SAR to NCA online
– Access the NCA's SAR Online system at ukciu.gov.uk and complete the SAR form. Choose 'Standard SAR' (suspicion only) or 'Consent SAR' if you need permission to proceed with a transaction. Include a detailed narrative explaining why the activity is suspicious.
For consent SARs, wait for response
– If you submitted a consent SAR, do not proceed with the transaction until NCA grants consent, or 7 working days pass without NCA issuing a refusal notice (deemed consent). If NCA refuses, a 31-day moratorium applies.
Maintain confidentiality (avoid tipping off)
– Do not inform the customer or any other person that a SAR has been filed. Tipping off is a criminal offence punishable by up to 5 years imprisonment. Continue normal customer relations if safe to do so.
Keep records
– Keep a copy of the SAR and all supporting documentation for 5 years. Record your internal decision-making process. This provides a legal defence against money laundering offences (protected disclosure).
NCA SAR Online - Submit suspicious activity reports
Risk assessment
You must conduct and document a business-wide risk assessment identifying the money laundering and terrorist financing risks to your business. This assessment must be reviewed at least annually and forms the foundation for your policies and procedures.
Conduct AML Risk Assessment
Step-by-step process for business-wide and customer AML risk assessments under MLR 2017 Regulation 18.
You must conduct a written risk assessment identifying and assessing the money laundering and terrorist financing risks to your business. This must be reviewed at least annually or when material changes occur.
Identify inherent risks
– Assess inherent money laundering and terrorist financing risks across five key areas - customer risk factors (types, locations, risk profiles), geographic risk factors (countries where you operate and where customers are based), product/service risk factors (what you offer and how it's delivered), transaction risk factors (types, patterns, volumes), and distribution channel risks (face-to-face vs remote, intermediaries).
Assess your controls
– Evaluate the effectiveness of your mitigating controls including policies and procedures, CDD/EDD processes, transaction monitoring systems, staff training, MLRO oversight, and internal audit coverage.
Determine residual risk
– Calculate residual risk by considering inherent risk minus control effectiveness. Rate your overall business ML/TF risk (e.g., Low, Medium-Low, Medium-High, High) and identify areas of highest residual risk for focused attention.
Document the assessment
– Produce a written risk assessment document including your methodology, findings, and risk ratings. Obtain board or senior management approval. Make this document available to your supervisor (FCA or HMRC) upon request.
Conduct customer risk assessments
– For each new customer relationship, apply your risk-scoring methodology to assign a risk rating (Low, Standard, or High). Document the factors considered and the rating assigned. This determines whether simplified, standard, or enhanced due diligence applies.
Review product and service risks
– Before launching new products or services, assess their ML/TF risk, identify potential abuse scenarios, design mitigating controls, and document your assessment. Periodically review existing products for emerging risks.
Review and update regularly
– Review your business-wide risk assessment at least annually, or whenever material changes occur (new products, new markets, regulatory changes, incidents). Review customer risk ratings periodically based on risk level.
Policies, procedures, and training
You must establish written AML policies and procedures approved by senior management, and provide regular training to all relevant staff.
Create AML Policies and Procedures
Step-by-step process for developing comprehensive AML policies and procedures under MLR 2017 Regulation 19.
You must establish and maintain written policies, controls, and procedures to mitigate and manage money laundering and terrorist financing risks. These must be approved by senior management and proportionate to your business.
Conduct risk assessment first
– Your policies must be based on your business-wide risk assessment. Complete this assessment before drafting policies to ensure they address your specific risks.
Draft customer due diligence procedures
– Document procedures for customer identification, verification, beneficial ownership checks, and when to apply simplified or enhanced due diligence.
Draft suspicious activity procedures
– Document how staff should report suspicious activity internally, how the MLRO will assess reports, and procedures for submitting SARs to the NCA.
Draft record keeping procedures
– Document what records must be kept, retention periods (minimum 5 years), secure storage requirements, and procedures for making records available to supervisors.
Draft risk assessment procedures
– Document how customer risk assessments will be conducted, risk rating criteria, and triggers for risk rating reviews.
Draft training procedures
– Document training requirements, content, frequency, assessment methods, and record keeping for staff training.
Draft monitoring procedures
– Document ongoing monitoring requirements including transaction monitoring, periodic customer reviews, and triggers for enhanced scrutiny.
Appoint responsible persons
– Document MLRO responsibilities, deputy MLRO arrangements, and senior management oversight responsibilities.
Obtain senior management approval
– Present policies to the board or senior management for formal approval. Document the approval and date.
Review and update annually
– Review policies at least annually or when material changes occur (regulatory changes, new products, incidents). Document all reviews and updates with approval.
Provide AML Staff Training
Step-by-step process for implementing AML training programmes under MLR 2017 Regulation 24.
All relevant employees must receive AML training at induction and on an ongoing basis. Training must be role-specific and cover your firm's policies, recognising suspicious activity, and legal obligations.
Identify who needs training
– All relevant employees must receive AML training, including customer-facing staff, compliance and AML staff, MLRO and deputy MLRO, senior management, back-office staff handling transactions, and IT staff supporting AML systems.
Develop training content
– Create core training covering what is money laundering and terrorist financing, legal framework (POCA 2002, MLR 2017), your firm's AML policies, CDD requirements, recognising red flags, how to escalate to MLRO, tipping off offences, and consequences of non-compliance. Add role-specific content for different employee groups.
Deliver induction training
– Provide AML training to all new employees within their first month. Use in-person sessions, e-learning modules, workshops, case studies, or scenario-based training depending on the role.
Provide annual refresher training
– Deliver refresher training at least annually for all staff (more frequently for higher-risk roles). Include updates on procedures, new risks, regulatory changes, and lessons from incidents.
Test knowledge
– Include quizzes or assessments after training sessions. Set a minimum pass rate (e.g., 80%). Provide remedial training for employees who do not pass.
Maintain training records
– Keep records of all training for 5 years, including who attended, when, what content was covered, training materials provided, and assessment results. Make these records available to your supervisor (FCA or HMRC).
Evaluate and improve
– Track training completion rates, monitor internal SAR quality to assess if staff are spotting risks, review incidents for training gaps, gather staff feedback, and adjust your programme based on findings. MLRO should report training effectiveness to senior management annually.
MLR 2017 Regulation 24 - Training
Record keeping
All AML records must be retained for at least 5 years and made available to your supervisor upon request. This includes customer identification documents, transaction records, and SAR decisions.
AML Record Keeping Requirements
Statutory record retention periods for AML compliance documentation under MLR 2017 Regulation 40.
All AML records must be retained for at least 5 years and made available to your supervisor (FCA or HMRC) upon request.
Customer due diligence records: 5 years from end of relationship
Transaction records: 5 years from transaction date
SAR records: 5 years from submission
Risk assessment documentation: Current plus 5 years
Training records: 5 years (recommended)
MLRO appointment records: Duration plus 5 years
MLR 2017 Regulation 40 - Record keeping
Penalties for non-compliance
Non-compliance with AML regulations can result in severe criminal and regulatory penalties including imprisonment and unlimited fines.
Penalties for AML Breaches
Criminal and regulatory penalties for failing to comply with Money Laundering Regulations 2017 and Proceeds of Crime Act 2002.
Non-compliance with AML obligations can result in criminal prosecution, unlimited fines, and imprisonment. The FCA and HMRC actively enforce these requirements.
Failure to register: £5,000 (summary) or unlimited fine (indictment)
Failure to conduct CDD: 2 years imprisonment and/or unlimited fine
Failure to submit SAR: 5 years imprisonment and/or unlimited fine
Tipping off: 5 years imprisonment and/or unlimited fine
Prejudicing investigation: 5 years imprisonment and/or unlimited fine
False/misleading information: 2 years imprisonment and/or unlimited fine
FCA regulatory sanction: Unlimited financial penalty
Online services and resources
Use these official services to register your business, submit suspicious activity reports, and verify customer identities.
AML Online Services and Resources
Government services and resources for AML compliance including registration, reporting, and verification.
These official services help you comply with AML requirements including registering your business, submitting suspicious activity reports, and verifying customer identities.
NCA Suspicious Activity Reports System
Online service for submitting SARs to the National Crime Agency under POCA 2002.
The NCA SAR Online system is the official way to submit suspicious activity reports. The system is available 24/7 and provides immediate acknowledgment of submissions.
NCA SAR Online - Submit suspicious activity reports
Identity Verification Resources
Government and authoritative services for verifying customer and beneficial owner identities during CDD.
Customer due diligence requires verification of identity using reliable, independent sources. These services provide authoritative information for verifying UK individuals, companies, and beneficial owners.