| Guvnor

What this means for your business

40 obligations

24 penalties

8 can imprison

11 guides

Enforced by: HMRC, FCA, SRA, LSB, Home Office
Applies to: United Kingdom
On this page: 40 compliance obligations, 11 practical guides across 4 topics

Read full text on legislation.gov.uk

What you must do

40 compliance obligations under this legislation — 8 can result in imprisonment.

Appointments 1

If the FCA decides you need a specialist report about your crypto‑exchange or wallet‑custody business, you must either appoint a qualified person yourself or accept one the FCA appoints. You must give that person any assistance they reasonably need and pay any costs the FCA recovers from you.

Trader/Business Report by a skilled person: cryptoasset businesses FCA When the FCA reasonably considers a report by a skilled person is …

Risk assessment 2

If your business is covered by the Money Laundering Regulations, you must identify and evaluate any risk that your customers, products, locations or delivery methods could be used to fund weapons of mass destruction. Use the Treasury’s guidance and consider factors such as who your customers are, where you operate, what you sell, the types of transactions and how you deliver services. Keep a written, up‑to‑date record of the steps you take and be ready to show it to the regulator if they ask.

Any Person Risk assessment by relevant persons in relation to FCA

You must identify and evaluate the risks of money laundering and terrorist financing that affect your business. This includes looking at who your customers are, where you operate, what products or services you offer, the types of transactions you handle and how you deliver them. You also have to keep a written record of the steps you’ve taken and show it to the regulator if asked.

Any Person s.18 FCA

Management duties 13

If your bank or financial firm wants to set up or keep a correspondent banking link with a foreign institution, you must carry out detailed checks on that institution – its business, reputation, supervision and anti‑money‑laundering controls – get senior‑management sign‑off, record each party’s responsibilities and make sure the foreign bank vets its own customers and can share those records with you. You also must not deal with any shell bank or with a bank that allows a shell bank to use its accounts.

Trader/Business s.34 FCA When establishing or continuing a correspondent relationship with a third‑country credit or …

You may use lighter AML checks on a customer or transaction only if you have assessed it as a low risk for money laundering or terrorist financing. Even then you must keep the basic AML checks, adjust them as needed, monitor the relationship for anything suspicious and stop the simplified approach if the risk rises or you have doubts.

Any Person s.37 FCA When a specific business relationship or transaction is assessed as low risk …

If your business provides payment services, you must have systems and trained staff in place so you can answer any questions from accredited investigators, Scottish Ministers' enforcement officers, or police about information required under the funds transfer rules. In practice this means keeping relevant records accessible and being ready to reply promptly when contacted.

Trader/Business s.64 FCA

When your business receives a cryptoasset from another cryptoasset firm, you must make sure you have all the information that Regulation 64C requires before you move it on. If any required details are missing, you have to ask the sender for them, decide whether to delay or return the cryptoasset, and report repeated failures to the FCA.

Trader/Business Missing information: intermediaries FCA When you receive a cryptoasset as part of an inter‑cryptoasset business transfer

The FCA can issue a written direction to your crypto‑asset exchange or custodian‑wallet business at any time, telling you to take specific actions or to stop certain activities. You must follow that direction and, if the FCA sends you a notice, you have a set period to make representations and must keep records of what you did. Failure to comply can lead to enforcement action, including prosecution.

Trader/Business Directions: cryptoasset businesses FCA When the FCA issues a written direction to your crypto‑asset exchange or …

You must have written policies, controls and procedures that identify and manage the risk of money laundering and terrorist financing in your business. These must be proportionate to the size and nature of your activities, approved by senior management, reviewed and updated regularly, and you must keep written records of the policies, any changes and how you communicated them to staff.

Trader/Business s.19 FCA

If the FCA (or other supervisory authority) gives your company a direction, you must comply. The direction can stop or end a business relationship, a type of transaction, or even your operations in a third country. You must act by the date set in the notice and keep records of the order and your compliance.

Employer s.25 FCA When the FCA issues a supervisory direction to your business.

If your business is the parent of a group, you must make sure the anti‑money‑laundering policies, controls and procedures required by the Regulations are applied to every subsidiary and branch, even those located abroad. You also need to set up group‑wide rules for data protection and information sharing, review them regularly, keep written records of the policies, any changes and how they were communicated, and ensure equivalent measures are in place for overseas subsidiaries in weaker jurisdictions or, if that isn’t possible, notify the regulator and add extra safeguards.

Director/Officer s.20 FCA If you are a relevant parent undertaking of a group that is …

If your organisation acts as a self‑regulatory body that supervises firms or individuals under the Money Laundering Regulations, you must set up independent supervisory functions, handle sensitive information correctly, staff those functions with qualified people, have clear disciplinary rules and conflict‑of‑interest procedures, allocate sufficient resources and appoint a compliance officer to liaise with regulators and respond to information requests.

Any Person s.49 FCA When you are a self‑regulatory organisation supervising persons covered by the Money …

If your crypto‑asset business processes an unhosted wallet transfer, you must ask the customer for the AML information set out in the regulations. For transfers of €1,000 or more where you are the beneficiary, you also need the originator’s details. If the customer does not provide the required info, you must refuse to deliver the crypto‑assets.

Trader/Business Requesting information: unhosted wallet transfers FCA When you are involved in an unhosted wallet transfer (or a €1,000‑plus …

If you run a crypto‑asset business that falls under the Money Laundering Regulations, you must have a clear, documented process for receiving and dealing with any requests for information from the regulator or law‑enforcement. This means logging each request, assessing it, and ensuring the right person responds promptly.

Trader/Business Duty to establish mechanism for requests FCA If your business is a crypto‑asset service provider subject to the Money …

When your cryptoasset business receives cryptocurrency from another crypto business, you must check that you have all the information required by the regulations and that it matches the details you verified during customer due‑diligence. If any information is missing or doesn’t match, you must ask the sender for the missing details, decide whether to delay or return the cryptoasset, assess the associated risk, and report repeated failures to the FCA.

Trader/Business Missing or non-corresponding information: the cryp FCA When receiving a cryptoasset as part of an inter‑cryptoasset business transfer

When you start a new business relationship, open an account or carry out a transaction, you must check the identity of the customer, anyone acting for them and any beneficial owner first. You can only postpone this check if the risk of money‑laundering or terrorist financing is very low and you have safeguards in place to stop transactions until verification is complete.

Any Person s.30 FCA When you are a “relevant person” required to carry out customer due‑diligence …

Notifications 1

If the Money Laundering Commissioner offers to review a decision that affects your business, you must tell them you accept the offer within 30 days. If you have already appealed the decision to a tribunal, you cannot accept the review.

Any Person s.95 FCA When the Commissioners have offered you a review of a decision and …

Other requirements 5

If your business receives a decision from the Money Laundering Commissioner and you want to contest it, you must lodge an appeal to the tribunal within the time limits set out in the regulations (normally 30 days from the notice, or from the conclusion of any review). Missing the deadline means you’ll need special permission to appeal later.

Any Person s.100 FCA When you receive a decision from the Money Laundering Commissioners and wish …

If you run a crypto‑asset exchange or custodial wallet service, you must tell any customer, before you start a business relationship or transaction, whether that activity is outside the Financial Ombudsman Service’s jurisdiction and not protected by the Financial Services Compensation Scheme. This lets customers know they have no recourse to these protection schemes.

Trader/Business Disclosure by cryptoasset businesses FCA When establishing a business relationship or entering into a transaction that is …

If the FCA sends your business a warning notice under the Money Laundering Regulations, you must not publish the notice or any details about it. This means you cannot put the information on your website, in press releases, or share it publicly in any form.

Any Person s.84 FCA When the FCA issues a warning notice to you under regulation 81(2)

When you start a business relationship or an occasional transaction with a new customer, you must give them a clear statement that any personal data you collect will only be used to prevent money laundering, terrorist financing or proliferation financing (or other permitted uses). This statement must be provided before the relationship begins, alongside the GDPR information you already give.

Any Person s.41 FCA Before establishing a business relationship or entering an occasional transaction with a …

If the regulator offers you a review of a decision but you don’t accept the offer in the time you’re given, you can still ask to have it reconsidered – but only if you had a reasonable excuse for missing the deadline. You must tell the Commissioners in writing that you want the review out of time as soon as your excuse is over.

Any Person s.97 FCA You missed the regulator’s review deadline with a reasonable excuse

Payments and fees 1

If your business is subject to FCA supervision, the regulator can charge you for the cost of overseeing you. You must pay the charge when the FCA sends it, and keep proof of payment. The charge can be any amount the FCA decides, but it is not a criminal fine.

Any Person s.102 FCA When the FCA or Commissioners levy a supervision charge against you

Policies 1

Your business must put in place written policies, controls and procedures that stop money being used to fund weapons of mass destruction. You need to keep these documents up‑to‑date, record any changes and make sure they are communicated throughout the organisation and to any overseas branches. Senior management must approve the policies and they must be proportionate to the size and nature of your business.

Trader/Business Policies, controls and procedures in relation to p FCA

Offences and prohibitions 8

If you act as a manager, officer or beneficial owner of an auditor, solicitor, estate agent, high‑value dealer, art market participant or similar regulated firm, and you have not been approved (or do not have a pending approval application) by the relevant supervisory authority, you commit a criminal offence. On conviction you can be sentenced to up to three months in prison and a fine on summary conviction, or up to two years in prison and an unlimited fine on indictment.

Any Person s.26 FCA

If you reveal information that is protected under the Money Laundering Regulations (i.e., you breach the confidentiality duty in regulation 52A), you commit a criminal offence. On a summary conviction you can be sentenced to up to three months in prison and an unlimited fine, while on conviction on indictment the maximum is two years’ imprisonment and an unlimited fine. The offence applies to any person who discloses the information, so businesses and their staff are both at risk.

Any Person Obligation of confidentiality: offence FCA

If you breach any AML requirement that applies to you – for example by not following FCA guidance or other supervisory guidance approved by the Treasury – you commit a criminal offence. On summary conviction (Magistrates’ Court) you can be sentenced to up to three months’ imprisonment, a fine or both; on conviction on indictment (Crown Court) the maximum is two years’ imprisonment, an unlimited fine or both. A defence is available only if you took all reasonable steps and exercised due diligence to avoid the breach.

Any Person s.86 FCA

If you acquire or increase your control of a registered cryptoasset exchange provider or custodian wallet provider, you must give the FCA a notice as required by the Money Laundering Regulations. Not giving the notice (or breaching a restriction notice) is a criminal offence. On conviction you face an unlimited fine, and for the most serious breach up to two years’ imprisonment.

Any Person Schedule 6B FCA

If a person gives false testimony while under oath, they commit perjury under the Perjury Act 1911. A conviction can lead to imprisonment, an unlimited fine, or both.

Any Person Schedule 3 FCA

If your company commits a money‑laundering offence, any officer who gave consent, turned a blind eye or was negligent is also guilty. The officer can be prosecuted and faces the same penalties as the firm itself.

Director/Officer s.92 FCA

If you knowingly disclose information or destroy/hide documents that are likely to prejudice an FCA, PRA, PSR or other appropriate officer’s investigation into a possible breach of the Money‑Laundering Regulations, you commit a criminal offence. Conviction can lead to up to two years’ imprisonment and an unlimited fine (on indictment) or up to three months’ imprisonment and a fine on summary conviction.

Any Person s.87 FCA

If you give regulators false or misleading information when you think you are complying with the Money Laundering Regulations, or if you disclose information that you are not allowed to under those rules, you commit a criminal offence. On conviction you can be sentenced to up to two years in prison, an unlimited fine, or both. The offence can be tried either in the magistrates’ court or the Crown Court.

Any Person s.88 FCA

Record keeping 2

When your business transfers cryptoassets to another party, you must make sure all the information the regulator has asked for is sent together with the cryptoasset. If you receive any additional required information after the transfer, you must forward it to the receiving business as soon as possible.

Trader/Business Retention of information with an inter-cryptoasset FCA Whenever you make an inter‑cryptoasset business transfer under the Money Laundering Regulations

If you act as a trustee, you must keep up‑to‑date written records of who the beneficial owners and any potential beneficiaries are, share that information with anyone you deal with or who asks for it, tell them promptly if anything changes, and keep the records for five years after the trust ends (unless you have to keep them longer).

Any Person s.44 FCA When you are acting as a trustee of a relevant trust

Reporting and filing 6

If you act as a trustee of a taxable relevant trust you must give the tax authorities detailed information about the trust, its owners, beneficiaries and advisors, and keep that information current. You must send the first set of details by the deadline that applies to your trust and notify any changes within the specified time‑frames.

Any Person s.45 FCA You are a trustee of a taxable relevant trust (i.e. a trust …

If a regulator such as the FCA asks you for information under the Money Laundering Regulations, you must give it to them promptly and keep a record of what you supplied. Failing to do so can lead to an unlimited fine and possibly imprisonment.

Any Person Duty to respond to requests for information FCA When a competent authority or regulator makes a request for information under …

If you run a crypto‑asset exchange or a custodial wallet service, you must give the FCA any information it asks for about your anti‑money‑laundering compliance, supervision fees or any other supervisory matters. The FCA decides what, when and how you must supply and verify that information.

Trader/Business Reporting requirements: cryptoasset businesses FCA

If a police or other law‑enforcement body sends your crypto‑asset business a written request for information, you must give them all the information they reasonably need, and you must do it straight away. Ignoring or delaying the request can lead to criminal prosecution.

Trader/Business Provision of information FCA When a law enforcement authority makes a written request for information that …

If your organisation is a self‑regulatory body (for example, a financial sector regulator), you must produce and publish an annual report. The report must set out how you encourage breach reporting, the number of breach reports you receive, and what you do to monitor and enforce AML compliance by the firms you oversee.

Any Person Annual reports by self-regulatory organisations FCA

When you start a business relationship with a company, partnership, trust or overseas entity, you must check the public register for its beneficial‑owner details and compare it with the information you hold. If you find any material difference, you must report that discrepancy to the appropriate registrar (Companies House, the Commissioners, or the registrar of overseas companies). You must repeat this check during ongoing monitoring of the relationship.

Any Person Requirement to report discrepancies in registers FCA When establishing or ongoing monitoring a business relationship with a customer that …