Anti-Money Laundering (AML) Obligations for UK Businesses
AML in Brief
The Proceeds of Crime Act 2002 and the Money Laundering Regulations 2017 apply to regulated firms: financial services, accountancy, property, legal and high-value dealers. Customer due diligence, suspicious activity reporting and a written risk assessment are the core duties.
What Money Laundering Means in Law
Money laundering is defined broadly under UK law. It is not just the classic image of cash being run through a casino or front company - it includes any handling, possession, transfer, conversion or use of property that represents the proceeds of crime, whether the crime was the launderer's own or someone else's. The principal offences sit in Part 7 of the Proceeds of Crime Act 2002:
- Section 327 - concealing, disguising, converting, transferring or removing criminal property from the UK
- Section 328 - entering into or becoming concerned in an arrangement which facilitates money laundering
- Section 329 - acquisition, use or possession of criminal property
These offences apply to any person, in any organisation, in any sector. Conviction carries up to 14 years' imprisonment. There is no minimum value threshold and no requirement that the underlying crime be a serious one - the proceeds of any criminal conduct count.
Sitting alongside the principal offences are reporting obligations. Under sections 330 to 332 of the Proceeds of Crime Act 2002, regulated-sector businesses must submit a Suspicious Activity Report (SAR) to the National Crime Agency where they know or suspect money laundering is occurring. Failure to report is itself a criminal offence.
The Money Laundering Regulations and the Regulated Sector
The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 - usually shortened to MLR 2017 - apply to specific business types listed in Regulation 8. These include:
- Banks, building societies and other financial institutions
- Auditors, external accountants and tax advisers
- Independent legal professionals
- Trust or company service providers
- Estate agents and letting agents
- High-value dealers (cash transactions of €10,000 or more)
- Casinos and gambling operators
- Cryptoasset exchange providers and custodian wallet providers
- Art market participants (transactions of €10,000 or more)
If the organisation is in this list, the MLR 2017 sit on top of the POCA offences and require a structured anti-money laundering programme: a written risk assessment, customer due diligence on every business relationship and transaction above the relevant threshold, ongoing monitoring, record-keeping for at least five years, training, and a nominated officer responsible for receiving and acting on internal reports.
If the organisation is not in the list, the MLR 2017 do not apply directly. The POCA offences still do, and a proportionate framework still makes sense - particularly for organisations with international supply chains, large cash transactions or sectors known for laundering risk.
The first thing I check on AML is whether the organisation is regulated under MLR 2017 or not. The two answers lead to very different audit expectations. A regulated firm needs the full structured programme - documented risk assessment, customer due diligence files, ongoing monitoring records, the nominated officer in post, the SAR register, the training records. A non-regulated firm needs a proportionate framework that recognises the POCA offences apply, without all the regulated-sector machinery.
What I see most often in non-regulated firms is the assumption that AML is somebody else's problem. It is not. Anyone who handles a payment, signs an invoice, or receives goods can commit a Section 328 offence if they suspect the funds or goods are criminal proceeds and do nothing about it. The control is awareness and a reporting route, not a full regulated-sector programme.
Most people who hear "money laundering" picture organised crime. The reality for most businesses is simpler. It is the customer who pays a much-too-large invoice in cash. It is the supplier who will only take payment to an unrelated third-party account. It is the procurement deal that moves through three jurisdictions for no obvious commercial reason. None of these mean money laundering for certain, but they all mean asking the question and recording the answer.
Risk-Based Approach
Both the regulated and non-regulated approaches start with a risk assessment. The MLR 2017 require this formally; outside the regulated sector it is good practice. The risk assessment looks at:
- Customer risk - politically exposed persons, customers in higher-risk jurisdictions, complex ownership structures, customers introduced by unverified third parties
- Geographic risk - jurisdictions on FATF grey or black lists, jurisdictions known for high levels of corruption or organised crime
- Product or service risk - high-value transactions, transactions involving cash or anonymous instruments, products that allow rapid international transfer
- Channel risk - non-face-to-face onboarding, transactions through third-party intermediaries, transactions outside the organisation's normal patterns
The output is a tailored set of controls - more rigorous due diligence and monitoring for higher-risk situations, lighter-touch checks for lower-risk ones. This is what regulators and auditors mean by a risk-based approach.
Customer Due Diligence
For regulated organisations, customer due diligence (CDD) is the central operational control. The MLR 2017 require:
- Identifying the customer and verifying the identity from a reliable independent source
- Identifying any beneficial owner and taking reasonable steps to verify their identity
- Obtaining information on the purpose and intended nature of the business relationship
- Conducting ongoing monitoring of the relationship
The depth of CDD scales with risk. Simplified due diligence applies in low-risk situations - well-known listed companies, public authorities, customers regulated under equivalent regimes elsewhere. Enhanced due diligence applies to politically exposed persons, customers in high-risk third countries, complex or unusually large transactions, and transactions with no apparent economic or legal purpose. The default is standard CDD; the risk assessment determines which scaling applies.
Suspicious Activity Reports
SARs are the formal mechanism for reporting suspected money laundering. In the regulated sector, the obligation to report is statutory and personal - any individual who knows or suspects money laundering must submit an internal report to the nominated officer, who decides whether to escalate to the National Crime Agency. Failure to report can itself be a criminal offence under section 330 of the Proceeds of Crime Act 2002.
Outside the regulated sector, there is no positive duty to report - but the substantive offences still apply. If staff suspect criminal proceeds are involved in a transaction and proceed regardless, they may commit a section 328 offence. The safe response is to seek consent to proceed by submitting a Defence Against Money Laundering (DAML) request to the NCA, which provides legal protection if granted.
Anti-Money Laundering and the ISO 37001 Framework
ISO 37001 is built around bribery, but the management system elements transfer well to anti-money laundering. The same leadership commitment, risk assessment, due diligence, training, monitoring and review activities apply. Many organisations subject to MLR 2017 use a single financial crime management system covering bribery, money laundering, fraud and tax evasion together rather than running four separate compliance silos.
For organisations operating an integrated management system, financial crime is one of the areas where the integration genuinely simplifies things. The bribery risk assessment, the AML risk assessment, the fraud risk assessment and the tax evasion risk assessment all look at the same risk dimensions - jurisdictions, sectors, transaction patterns, third parties - and largely produce the same controls. The policy stack consolidates, the training consolidates, and the monitoring activity covers all four offences from the same evidence.
The exception is the regulated-sector machinery for AML specifically. The nominated officer, the SAR process, the customer due diligence file structure - these are MLR 2017 requirements that do not have direct equivalents in the other financial crime areas, and they need to be built and run as a distinct workstream.
International Context
Money laundering law is significantly internationalised. The UK MLR 2017 implement Financial Action Task Force (FATF) recommendations that 40+ countries have adopted in similar form. EU member states operate under successive Anti-Money Laundering Directives, most recently the AML package adopted in 2024. The US operates under the Bank Secrecy Act and related regulations administered by FinCEN. The high-level concepts - risk-based approach, customer due diligence, beneficial ownership, suspicious activity reporting - are shared across regimes, though the detailed thresholds, schedules and reporting routes differ.
Organisations operating across jurisdictions typically design their AML programme to the highest applicable standard and apply it group-wide, with local additions for jurisdiction-specific reporting and record-keeping requirements.
Practical Advice
The first practical question for any organisation is whether MLR 2017 applies. If it does, a structured anti-money laundering programme is required - the ISO 37001 toolkit gives a strong starting point for the management system elements, with the regulated-sector specifics added on top.
If MLR 2017 does not apply, the practical answer is a proportionate awareness and reporting framework that addresses the POCA offences. The standalone anti-money laundering policy, basic staff training and a clear internal reporting route are usually enough.
| alphaZ document | How to use it |
|---|---|
| ISO 37001 Anti-Bribery Toolkit | The financial crime management system toolkit - while built around ISO 37001, the leadership, risk assessment, due diligence, training and monitoring elements transfer directly to anti-money laundering controls. The documented basis for an integrated financial crime framework. |
| P-107 Anti-Money Laundering Policy | The standalone anti-money laundering policy. Sets out the prohibition on facilitating money laundering, the obligations on staff to report concerns, and the internal reporting route. Suitable for non-regulated organisations and as the policy layer of a regulated AML programme. |
| P-10 Anti-Bribery and Corruption Policy | The companion anti-bribery policy. Most organisations adopt the two together as a financial crime policy stack, with the same control framework underpinning both. |
| ER9 Legal Register | The legal register entry for the Proceeds of Crime Act 2002 and the Money Laundering Regulations 2017 sits here, alongside the Bribery Act 2010 and the wider financial crime legislation. |
Note: subscribers to alphaZ documents can download all of the documents above as part of the subscription.
Frequently Asked Questions
Do the Money Laundering Regulations 2017 apply to every business?
Only if the business is in one of the categories listed in Regulation 8 of the Money Laundering Regulations 2017. The main categories are financial services, accountancy and audit, legal services, trust and company service providers, estate and letting agents, casinos and gambling, cryptoasset providers, art market participants and high-value dealers handling cash of €10,000 or more. If the business is not in one of these categories, the MLR 2017 do not apply directly. The substantive offences in the Proceeds of Crime Act 2002 still do, so a proportionate awareness and reporting framework is still sensible.
What is a Suspicious Activity Report?
A SAR is a report submitted to the National Crime Agency where there is knowledge or suspicion of money laundering. In the regulated sector, the obligation to report is statutory under sections 330 to 332 of the Proceeds of Crime Act 2002, with internal reports going to the nominated officer, who decides whether to escalate. Outside the regulated sector, voluntary SARs can still be submitted, and a Defence Against Money Laundering request can be made where consent to proceed with a transaction is needed. The NCA publishes guidance on the SAR online portal, which is the standard submission route.
What is a Money Laundering Reporting Officer?
The Money Laundering Reporting Officer (MLRO), called the nominated officer in the regulations, is the person to whom internal suspicions of money laundering are reported, and who decides whether to escalate to the National Crime Agency. The role is required under MLR 2017 for regulated firms, with the appointment recorded and the individual notified to the relevant supervisory authority. Outside the regulated sector, there is no formal MLRO requirement, but most organisations nominate someone, often the compliance lead, finance director or company secretary, as the internal reporting point.
How long must anti-money laundering records be kept?
For regulated firms, MLR 2017 sets a minimum retention period of five years from the end of the business relationship or the date of the transaction. This covers customer due diligence records, transaction records and internal SARs. Records can be kept longer where there is a legitimate basis, for example where they relate to ongoing investigations or contractual disputes, but UK GDPR data minimisation principles apply, so retention beyond the AML purpose needs its own justification. Outside the regulated sector, retention is governed by the wider record-keeping policy rather than a specific AML requirement.
What is tipping off?
Tipping off is a criminal offence under sections 333A to 333E of the Proceeds of Crime Act 2002. It applies in the regulated sector and prohibits disclosing, after a SAR has been made, anything likely to prejudice an investigation. In practice this means staff cannot tell a customer that a SAR has been submitted about them, even where the customer asks directly. The rule does not prevent normal interaction with the customer, or even the closure of an account; it prevents disclosure of the SAR or the investigation that may follow it. The offence carries up to two years' imprisonment.
UK Legislation
- Proceeds of Crime Act 2002
- Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017
- Criminal Finances Act 2017
- Terrorism Act 2000
- Bribery Act 2010
- Economic Crime and Corporate Transparency Act 2023
