
Money Laundering Regulations 2017 (MLR 2017): Complete UK AML Guide
Money laundering and terrorist financing threaten the integrity of financial systems worldwide. To address these risks, the United Kingdom introduced the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, widely referred to as the Money Laundering Regulations 2017 (MLR 2017).
Replacing the Money Laundering Regulations 2007, MLR 2017 represents a shift toward a risk-based approach, aligning UK rules with international standards from the Financial Action Task Force (FATF) and the European Union’s 4th Money Laundering Directive (4MLD).
For banks, money service businesses (MSBs), accountants, lawyers, and now crypto-asset providers, these regulations are not optional—they are legally binding. Non-compliance can result in heavy penalties, reputational damage, or even criminal prosecution.
What Are the Money Laundering Regulations 2017?
The Money Laundering Regulations 2017 are the UK’s primary anti-money laundering (AML) framework. They require regulated businesses to:
- Conduct due diligence on customers.
- Monitor financial activity for suspicious transactions.
- Keep detailed records for at least five years.
- Report suspicious activity to the National Crime Agency (NCA).
Who Must Comply?
MLR 2017 applies to a broad range of businesses, including:
- Financial institutions: banks, building societies, credit unions.
- Money service businesses (MSBs): remittance companies, foreign exchange services, payment institutions.
- Accountants, auditors, and tax advisers.
- Lawyers and notaries handling client funds.
- Estate agents and letting agents.
- Trust or company service providers (TCSPs).
- Crypto-asset exchange providers and custodian wallet providers (since 10 January 2020, when the 5MLD amendments came into force; these firms must register with the FCA).
Key Requirements Under MLR 2017
1. Customer Due Diligence (CDD)
Businesses must verify customers’ identities before entering into a business relationship. This includes:
- Obtaining proof of identity (passport, driving licence).
- Verifying beneficial ownership of companies.
- Understanding the purpose and intended nature of the business relationship.
2. Enhanced Due Diligence (EDD)
Higher-risk cases require stricter checks, such as:
- Politically Exposed Persons (PEPs) and their associates.
- Transactions involving high-risk jurisdictions.
- Unusual or complex financial arrangements.
EDD may involve gathering additional information, monitoring transactions more closely, or requiring senior management approval.
3. Ongoing Monitoring
CDD isn’t a one-off exercise. Businesses must:
- Continuously monitor customer activity.
- Ensure transactions match the customer’s risk profile.
- Investigate unusual or suspicious patterns.
4. Risk Assessment
MLR 2017 put the risk-based approach on a formal footing: regulation 18 requires every relevant person to carry out and document a business-wide assessment of its money laundering and terrorist financing risks, taking account of its customers, the countries it operates in, its products and services, its transactions, and its delivery channels. The written risk assessment must be kept up to date and made available to the supervisor on request; it is the basis on which the firm’s policies, controls and procedures are judged.
5. Record Keeping
Businesses must keep:
- Customer due diligence records.
- Transaction records.
- Internal risk assessments and audit trails.
Records must be retained for at least five years after the business relationship ends (or, for an occasional transaction, after the transaction is completed). The obligation cuts both ways: regulation 40 also requires personal data held for AML purposes to be deleted at the end of that period unless a longer retention is required by law or the data subject has consented, so retention schedules and access controls on CDD data are part of compliance, not just the act of keeping it.
6. Reporting Suspicious Activity
If a business knows or suspects, or has reasonable grounds to know or suspect, that a person is engaged in money laundering, it must submit a Suspicious Activity Report (SAR) to the National Crime Agency (NCA) through its MLRO (Money Laundering Reporting Officer). Failing to make such a report is itself an offence in the regulated sector under the Proceeds of Crime Act 2002, and a SAR must not be disclosed to the customer (tipping off).
7. Policies, Controls, and Training
- Appoint an MLRO.
- Implement internal AML policies.
- Train employees regularly to recognize and report suspicious activity.
Key Requirements at a Glance
In summary, MLR 2017 establishes the following core obligations for regulated entities:
- Customer Due Diligence (CDD): Verify identity, beneficial ownership, and business purpose.
- Enhanced Due Diligence (EDD): Extra checks for PEPs, high-risk jurisdictions, or unusual transactions.
- Ongoing Monitoring: Continuously review customer activity for suspicious patterns.
- Risk Assessment: Document sector, geography, and customer-specific AML risks.
- Record Keeping: Retain CDD and transaction records for at least 5 years.
- Reporting Suspicious Activity: Submit SARs to the NCA via the MLRO.
- Policies, Controls, Training: Appoint an MLRO, implement policies, and train staff.
Obligations by Sector
Sector | Main AML Responsibilities | Special Considerations |
---|---|---|
Banks & Financial Institutions | Full CDD, EDD, monitoring, SARs | High transaction volumes, cross-border risks |
MSBs (Remittances, FX) | CDD on customers, transaction monitoring | High risk of structuring and layering |
Lawyers & Accountants | Verify client identity, report suspicious activity | Balancing client confidentiality with AML duties |
Estate Agents | Verify buyers/sellers, report unusual payments | Property purchases often used for laundering |
Crypto Firms | KYC, AML monitoring, SARs | High anonymity risk in digital assets |
Compliance Checklist for MLR 2017
Step | Action | Responsible Party |
---|---|---|
1 | Conduct a business-wide AML risk assessment | Compliance Officer |
2 | Appoint a Money Laundering Reporting Officer (MLRO) | Senior Management |
3 | Apply CDD at onboarding and for ongoing customers | Frontline Staff |
4 | Apply EDD for PEPs/high-risk transactions | Compliance/Operations |
5 | Monitor transactions continuously | Compliance/AML Systems |
6 | Submit SARs promptly to NCA | MLRO |
7 | Maintain records for 5 years | Finance/Compliance |
8 | Provide AML training annually | HR & Compliance |
Common Challenges in Implementing MLR 2017
- Data overload: High transaction volumes make monitoring complex.
- Beneficial ownership: Identifying ultimate owners of layered corporate structures.
- PEP screening: Detecting indirect associations with politically exposed persons.
- Technology gaps: Legacy systems make real-time monitoring difficult.
- Staff awareness: Employees may miss red flags without proper training.
- Compliance costs: Especially challenging for smaller MSBs and startups.
Enforcement and Penalties
Failure to comply with MLR 2017 can result in:
- Unlimited fines.
- License revocation by regulators.
- Criminal liability for directors and MLROs.
Enforcement Examples:
- 2021: HMRC fined several MSBs millions of pounds for AML failings, including poor record-keeping and weak customer due diligence.
- December 2021: The FCA fined HSBC Bank plc £63.9 million for failings in its automated transaction monitoring systems; in December 2022 it fined Santander UK £107.7 million for AML control weaknesses.
- 2023: A UK crypto-asset firm lost its FCA registration under MLR 2017 after failing to implement proper AML controls.
These cases show regulators are increasingly proactive in enforcement, and that transaction monitoring is a recurring focus.
Updates and Amendments
- 2019 Amendment Regulations (5MLD implementation, in force 10 January 2020):
- Brought crypto-asset exchange providers and custodian wallet providers into scope, with FCA registration.
- Introduced stricter requirements on beneficial ownership, including a duty to report discrepancies found in public registers.
- Made enhanced due diligence mandatory for business relationships and transactions involving high-risk third countries.
- Post-Brexit adjustments: UK adapted the regulations independently but continues aligning with FATF recommendations.
Guidance for Money Service Businesses (MSBs)
MSBs—such as remittance operators and FX services—are a high-risk sector under MLR 2017. Regulators focus heavily on:
- Transaction monitoring for suspicious patterns (structuring, layering).
- KYC on both senders and receivers.
- Cross-border risk assessments.
- Training staff to detect red flags like unusual cash deposits.
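The ongoing-monitoring and MSB sections above both name structuring (splitting cash into sub-threshold amounts) as the pattern monitoring should catch. The Python below is an added illustration, not code from the page or from any regulator's guidance: it runs a simple structuring rule over a constructed set of transactions. The reporting threshold, the "near-threshold" floor, the seven-day window and the minimum count are assumed tuning parameters; MLR 2017 itself fixes no such figures, and any alert is an input to MLRO review, not an automatic SAR.

```python
"""Toy structuring rule for AML transaction monitoring (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    txn_id: str
    customer_id: str
    ts: datetime
    amount: float   # GBP
    channel: str    # "cash", "transfer", ...


# Assumed rule parameters: MLR 2017 sets no fixed threshold, so a firm
# chooses these from its own risk assessment and tunes them over time.
REPORT_THRESHOLD = 10_000.0                 # amount a launderer might try to stay under
NEAR_THRESHOLD_FLOOR = 0.8 * REPORT_THRESHOLD  # 8,000: "just under" band starts here
WINDOW = timedelta(days=7)                  # look-back window per customer
MIN_NEAR_COUNT = 3                          # how many near-threshold deposits trigger


def detect_structuring(txns, threshold=REPORT_THRESHOLD,
                       floor=NEAR_THRESHOLD_FLOOR, window=WINDOW,
                       min_count=MIN_NEAR_COUNT):
    """Return one alert per customer whose cash deposits look structured.

    A customer is flagged when, inside any rolling window, there are at least
    `min_count` cash deposits in the band [floor, threshold) and the deposits
    in that window sum to at least `threshold`.
    """
    cash_by_customer = defaultdict(list)
    for t in txns:
        if t.channel == "cash":
            cash_by_customer[t.customer_id].append(t)

    alerts = []
    for customer_id, items in cash_by_customer.items():
        items.sort(key=lambda t: t.ts)
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until it fits within `window`.
            while items[end].ts - items[start].ts > window:
                start += 1
            in_window = items[start:end + 1]
            near = [t for t in in_window if floor <= t.amount < threshold]
            total = sum(t.amount for t in in_window)
            if len(near) >= min_count and total >= threshold:
                alerts.append({
                    "customer_id": customer_id,
                    "txn_ids": [t.txn_id for t in near],
                    "window_total": total,
                    "from": in_window[0].ts.isoformat(),
                    "to": in_window[-1].ts.isoformat(),
                })
                break  # one alert per customer; reviewer sees the full history
    return alerts


def _d(s):
    return datetime.fromisoformat(s)


# Constructed sample data (not real customers or transactions).
SAMPLE = [
    Txn("T1", "C001", _d("2024-03-01T10:00"), 9_500.0, "cash"),
    Txn("T2", "C001", _d("2024-03-02T11:30"), 9_800.0, "cash"),
    Txn("T3", "C001", _d("2024-03-04T09:15"), 9_200.0, "cash"),
    Txn("T4", "C001", _d("2024-03-05T16:00"), 4_000.0, "cash"),
    # C002: two near-threshold deposits, but 19 days apart -> outside window
    Txn("T5", "C002", _d("2024-03-01T12:00"), 9_900.0, "cash"),
    Txn("T6", "C002", _d("2024-03-20T12:00"), 9_700.0, "cash"),
    # C003: a single large transfer is not structuring under this rule
    Txn("T7", "C003", _d("2024-03-03T14:00"), 15_000.0, "transfer"),
    # C004: small cash amounts well below the band -> no alert
    Txn("T8", "C004", _d("2024-03-03T14:00"), 2_000.0, "cash"),
    Txn("T9", "C004", _d("2024-03-04T14:00"), 3_000.0, "cash"),
    Txn("T10", "C004", _d("2024-03-05T14:00"), 1_500.0, "cash"),
]


if __name__ == "__main__":
    for alert in detect_structuring(SAMPLE):
        print(alert)
```

Two points a practitioner should take from this. First, the rule only looks at the cash channel for a single customer ID; real structuring is often spread across linked accounts, family members or several branches, which is why beneficial-ownership and customer-linking data from CDD feeds the monitoring layer. Second, the parameters decide the false-positive rate, so they belong in the documented risk assessment and should be revisited when the customer base or products change.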
For MSBs, robust compliance isn’t just about avoiding fines—it’s critical for maintaining bank relationships and customer trust.
The Future of AML Compliance in the UK
- AI & Automation: Machine learning is increasingly used for transaction monitoring and anomaly detection.
- Crypto Oversight: Tighter rules are expected as crypto adoption grows.
- Global Cooperation: UK regulators collaborate with FATF, Interpol, and EU authorities to track cross-border financial crime.
- MLD6 & Beyond: Although no longer bound by EU directives, the UK continues to mirror international AML standards.
Businesses must invest in compliance technology and staff training to remain ahead of regulatory expectations.
Conclusion
The Money Laundering Regulations 2017 (MLR 2017) form the backbone of the UK’s AML regime. They place significant responsibilities on financial institutions, MSBs, professionals, and crypto businesses to prevent money laundering and terrorist financing.
While compliance can be complex and costly, it is essential for protecting both businesses and the wider economy. With regulators tightening oversight and leveraging new technologies, businesses must ensure their AML frameworks are robust, proactive, and future-proof.
FAQs
What is the Money Laundering Regulations 2017 in simple terms?
They are UK rules requiring businesses to check customers, monitor transactions, and report suspicious activity to stop money laundering and terrorist financing.
Who enforces MLR 2017?
Supervision and enforcement are split between the Financial Conduct Authority (FCA), HMRC, the Gambling Commission, and the professional body supervisors for the legal and accountancy sectors, which are themselves overseen by OPBAS (the Office for Professional Body Anti-Money Laundering Supervision, housed within the FCA). The NCA receives SARs but is not a supervisor.
What is the difference between CDD and EDD?
CDD is standard identity verification. EDD involves enhanced checks for high-risk customers or transactions.
What is the role of the MLRO?
The MLRO oversees AML compliance, reviews internal reports, and submits SARs to the NCA.
How long must records be kept under MLR 2017?
At least five years after the business relationship ends.
What triggers a Suspicious Activity Report (SAR)?
Unusual, inconsistent, or unexplained transactions that may involve criminal property.
Does MLR 2017 apply to small fintech startups?
Yes, if they operate in a regulated sector such as payments or crypto.
How does Brexit affect AML laws?
The UK is no longer bound by EU directives but continues aligning with FATF standards.
What penalties exist for non-compliance?
Fines, license revocation, and possible criminal prosecution.
Are crypto businesses included?
Yes, since January 2020, crypto exchanges and wallet providers must comply.
What is the difference between MLR 2017 and POCA 2002?
MLR 2017 sets preventive measures for businesses. POCA 2002 defines money laundering offences and enforcement powers.
How often should AML training be done?
At least annually, or whenever regulations or business models change.