What are the UK’s Money Laundering Regulations 2017?

Richard Simms
Director and Founder of AMLCC and AMLCC Consult

The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs) are the UK’s core legal framework requiring certain businesses, including accountants, legal professionals, TCSPs, property businesses and high-value dealers, to actively prevent money laundering, terrorist financing and proliferation financing within their work.

They do this by requiring firms to:

  • train all staff and agents;
  • assess money laundering, terrorist financing and proliferation financing risk for both the business and all clients;
  • identify and verify clients and beneficial owners;
  • monitor transactions and client relationships;
  • keep records;
  • report and escalate suspicious activity concerns where required;
  • operate internal controls and procedures; the AML policies, controls and procedures are a key part of this.

These are legal obligations, not guidance. They define what regulated firms must actually do in practice.

They also support the UK’s wider anti-money laundering regime, alongside the Proceeds of Crime Act 2002 (POCA) and supervision by industry regulators.

Who do the MLRs apply to?

The MLRs apply to “relevant persons”, which include financial institutions and designated non-financial businesses and professions (DNFBPs) such as:

  • Accountants and tax advisers
  • Independent legal professionals (including solicitors, barristers and legal executives, when they assist with property transactions, company or trust work, or manage client money or assets)
  • Estate agents and letting agents
  • Trust and company service providers
  • High-value dealers
  • Art market participants
  • Insolvency practitioners

Being a “relevant person” means you are considered a gatekeeper to the financial system. The MLRs assume your services could be used to move, legitimise or conceal criminal funds. 

It doesn’t depend on firm size. A sole practitioner is just as obligated to follow the MLRs as a large multi-office business.

The core obligation: take a risk-based approach

At the centre of the MLRs is a legal requirement to assess and manage risk. Firms must:

This is why AML is described as risk-based. The MLRs do not prescribe identical actions in every case. Instead, they require firms to understand risk and apply appropriate controls.

Customer due diligence

Customer due diligence, often called CDD, is one of the most important legal requirements.

The MLRs require firms to:

  • identify the customer;
  • verify their identity using reliable, independent information;
  • understand the purpose and intended nature of the relationship;
  • identify and verify beneficial owners;
  • understand ownership and control structures;
  • complete a detailed risk assessment on all clients. 

This applies when:

  • starting a business relationship;
  • carrying out certain transactions;
  • reviewing existing clients where risk changes.

Verification and the risk assessment must be carried out before the relationship starts or the transaction takes place.

Identifying beneficial owners

Where a client is a company, a trust or a similar structure, the MLRs require firms to identify beneficial ownership, meaning the individual who ultimately owns or controls the entity. Firms must:

  • identify beneficial owners;
  • take all reasonable measures to verify their identity and document any issues experienced during the process;
  • understand ownership and control structures.

Importantly, the MLRs make clear that firms cannot rely solely on Companies House PSC (Persons of Significant Control) register information. Additional verification is required. This reflects a key principle: AML responsibility sits with the regulated firm, not with public registers.

Ongoing monitoring

Customer due diligence is not a one-off exercise. The MLRs require ongoing monitoring of business relationships, including:

  • reviewing transactions to ensure they match the firm’s understanding of the client;
  • keeping client information up to date;
  • reviewing risk assessments when circumstances change, or according to the schedule documented in your policies, controls and procedures (PCPs).

This means AML continues throughout the client relationship rather than being limited to onboarding.

Enhanced due diligence for higher-risk situations

Where risk is higher, firms must apply enhanced due diligence. This generally applies where:

  • the client is connected to a high-risk country;
  • the client is a politically exposed person;
  • transactions are unusually large or complex;
  • risk factors indicate increased exposure;
  • there is suspicion of money laundering or terrorist financing, regardless of thresholds;
  • there are doubts about previously obtained identification information.

Enhanced due diligence can include:

  • obtaining more information about the client;
  • understanding source of funds and source of wealth;
  • obtaining senior management approval;
  • increasing monitoring.

If you can’t complete due diligence, you can’t proceed with the relationship or the transaction. At that point, you also need to consider whether the circumstances create suspicion. 

The MLRs require you to escalate concerns internally to your MLRO. If knowledge or suspicion of criminal property is formed, the reporting obligation arises under the POCA, and a suspicious activity report (SAR) may be required.

Reporting suspicions

If concerns amount to knowledge or suspicion of criminal property, the reporting obligation is triggered under POCA. In practice, that means:

  1. The individual must make an internal escalation report to the MLRO as soon as possible.
  2. The MLRO acknowledges the internal SAR and decides if an external report is appropriate.
  3. If it is, a SAR is submitted to the National Crime Agency.
  4. The decision, whether to report or not, is documented with clear reasoning.

The MLRs support this by requiring that your business has clear internal reporting routes, an MLRO and staff who understand when to escalate concerns. 

Once a SAR has been submitted, or is being considered, the tipping off rules mean you must handle conversations with the client carefully, particularly where delays or additional checks arise.

Record-keeping requirements

The MLRs expect you to keep a clear audit trail of what you did, when you did it and why, so that someone independent, like your supervisor, can pick up the file and understand your reasoning.

That usually means retaining:

  • identity and verification evidence for clients and relevant individuals;
  • beneficial ownership details and how you checked them;
  • business and client risk assessments and all updates;
  • key transaction records linked to the work;
  • internal SAR notes and any external reporting decisions.

In most cases, you keep these records for five years after the relationship ends or an occasional transaction completes.

Internal controls and AML governance

Internal controls should be built into how the business runs, with clear ownership and consistent ways of working. This includes:

  • a fully customised and documented business-wide risk assessment;
  • fully customised AML policies, controls and procedures that reflect the actual risks identified in your business-wide risk assessment;
  • nominated officer(s) responsible for everyday compliance and SAR reporting;
  • training that keeps staff confident and up to date;
  • internal reporting routes that staff can use quickly and safely;
  • staff screening relevant to the role and the risk.

Supervisors tend to focus on whether these things work in practice. They’ll want to see that people understand what to do, that risk assessments are kept live and that your policies match the reality of your client base and services.

Supervision and enforcement

The Regulations are backed by active supervision. Depending on your sector, your supervisor may be a professional body or HMRC. They carry out inspections to:

  • monitor AML compliance;
  • maintain registers of AML regulated firms;
  • investigate AML breaches;
  • impose civil penalties where required.

In practical terms, this means your AML framework has to stand up to independent scrutiny. Your documentation, reasoning and internal controls need to show clearly how you meet the legal requirements.

Final thoughts

In practice, the MLRs are aimed at making it harder for criminals to use legitimate professional services to move and clean money. They do that by pushing transparency around identity and control, and by requiring firms to apply a risk-based approach that adapts when things are higher risk or harder to understand.

This is why good due diligence goes beyond collecting documents. It helps you understand who you’re dealing with, who benefits, where the money is coming from and whether the overall story makes sense.

The one-stop AML solution

We know AML

We’re internationally recognised AML experts
We work with most accountancy supervisors and the Law Society
Bespoke AML consultancy available for all sectors

What others have said

“We had the man from the ICAEW here yesterday to carry out a QAD practice review. We got a clean bill of health – not a single action point…That is in no small measure due to AMLCC so I just wanted to say ‘thank you’”

“Thank you for such a perfect and informative [solution]. You have given me a clear direction for my AML training and CPD.”

“I just wanted to say ‘thank you’ to you, Richard, and all the team at AMLCC for providing a service that really does minimise the burden of AML compliance.”

“What a refreshing pleasure working with a company who actually listens to the feedback from their customers and communicates with them!”

“Your team have been excellent from the moment Fiona did a demo for me with only 15 minutes’ notice, thoroughly going through the AMLCC product and answering the many questions I had! It was at this point that I made up my mind this is the sort of business I want to work with for my AML.”
