United Kingdom Financial Crime & AML Compliance: Regulators, Laws, and What Foreign Banks Need to Know

Primary AML law: Money Laundering Regulations 2017 / POCA 2002
Data protection: UK GDPR / Data Protection Act 2018
Also: PRA, HM Treasury, NCA, UK Sanctions (OFSI)

The United Kingdom's financial crime framework runs under the Financial Conduct Authority (FCA), with authority drawn from the Money Laundering Regulations 2017 (MLR 2017) and the Proceeds of Crime Act 2002 (POCA 2002). Covered firms must implement risk-based CDD, transaction monitoring, and SAR reporting to the NCA. Criminal penalties are unlimited; NatWest was fined £264.8 million in 2021.

Who regulates financial crime in the United Kingdom?

The Financial Conduct Authority is the UK's primary AML supervisor, overseeing around 90,000 regulated firms: retail banks, investment managers, payment institutions, e-money firms, and crypto asset businesses. Its supervisory expectations are set out in the Financial Crime Guide (FCG), supplemented by the Joint Money Laundering Steering Group (JMLSG) guidance, which the FCA treats as reflecting good industry practice. The FCA holds direct enforcement powers: unlimited fines, public censures, variation of permissions, and criminal prosecution. The NatWest case in December 2021 was the first criminal prosecution of a bank under the money laundering regulations in UK history.

The Prudential Regulation Authority (PRA), a subsidiary of the Bank of England, supervises approximately 1,500 deposit-takers, insurers, and major investment firms. Its AML role is secondary to the FCA's, but the PRA expects firms to maintain governance structures that address financial crime risk within the broader prudential framework.

HM Treasury sets the policy framework. It transposed the EU's Fourth and Fifth Money Laundering Directives into MLR 2017 and its 2019 amendment, and following Brexit now controls UK sanctions policy through the Sanctions and Anti-Money Laundering Act 2018 (SAMLA). The Office of Financial Sanctions Implementation (OFSI), sitting within HM Treasury, administers the UK consolidated sanctions list and holds civil penalty powers up to £1 million or 50% of the breach value under the Policing and Crime Act 2017.

The National Crime Agency (NCA) houses the UK Financial Intelligence Unit (UKFIU), which receives and processes all Suspicious Activity Reports from the private sector. The NCA leads complex money laundering investigations and works with the Crown Prosecution Service on prosecution decisions. The UKFIU now receives over 900,000 SARs per year, making it one of the busiest financial intelligence units in the world.


What are the key AML and fraud laws in the United Kingdom?

The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) is the primary statutory instrument. It implements FATF Recommendation 10 in domestic law, requiring covered entities to conduct customer due diligence at onboarding and at defined trigger points, maintain records for five years after the end of a business relationship, appoint a Money Laundering Reporting Officer (MLRO), and submit Suspicious Activity Reports (SARs) to the UKFIU. Coverage extends to banks, payment institutions, e-money firms, accountants, solicitors, and estate agents. The 2019 amendment (SI 2019/1511) strengthened beneficial ownership verification requirements and expanded enhanced due diligence obligations for high-risk third countries.

The Proceeds of Crime Act 2002 (POCA 2002) creates the underlying criminal offences. Sections 327-329 cover money laundering. Section 330 imposes a mandatory failure-to-disclose obligation on the regulated sector: anyone in a regulated business who knows or suspects that another person is engaged in money laundering must report it to their MLRO or face criminal prosecution. The tipping-off offence under section 333A prohibits disclosing that a SAR has been made or that an investigation is underway.

POCA's Defence Against Money Laundering (DAML) consent regime is operationally significant and has no real equivalent in most other jurisdictions. A firm that identifies proceeds of crime and needs to proceed with a transaction can submit a DAML SAR to the UKFIU and obtain a legal defence if the NCA grants consent within 7 working days, or if that 7-day notice period expires without refusal. A further 31-day moratorium period can extend that window. Proceeding without consent, or inadvertently disclosing the SAR to the subject, is a criminal offence.

The Criminal Finances Act 2017 introduced Unexplained Wealth Orders (UWOs), allowing the NCA to require a person to explain the source of assets worth more than £50,000. It also created the corporate offence of failure to prevent facilitation of tax evasion. The Terrorism Act 2000 covers terrorist financing offences and applies to all persons, not just the regulated sector.

The risk-based approach mandated by MLR 2017 and aligned with FATF Recommendation 1 means firms must calibrate their controls to their specific customer, product, channel, and geographic risk profile. The JMLSG guidance provides detailed sector-specific implementation direction.

For data handling, the UK GDPR (retained post-Brexit under the European Union (Withdrawal) Act 2018) and the Data Protection Act 2018 govern how customer data gathered for AML purposes can be processed and shared. The lawful basis for AML processing is typically legal obligation under Article 6(1)(c), and firms must balance disclosure obligations against data subject rights carefully. Post-Brexit, SAMLA gives HM Treasury the power to create UK-specific sanctions regimes that diverge from EU designations.


What controls do United Kingdom regulators expect?

The FCA's Financial Crime Guide sets a detailed control architecture, applied on a risk-proportionate basis.

Customer due diligence (CDD) is the starting point. Firms must verify customer identity, understand the nature and purpose of the business relationship, and identify the beneficial owner for corporate clients down to the 25% ownership threshold prescribed by MLR 2017. Enhanced due diligence (EDD) is mandatory for politically exposed persons and their associates, customers from HM Treasury-designated high-risk third countries, and complex or unusual transactions with no apparent economic purpose.

Transaction monitoring must be ongoing, documented, and calibrated to each customer's risk profile and expected activity. The FCA's 2021 "Dear CEO" letter on transaction monitoring was direct: it found firms with rule sets that hadn't been reviewed in years, thresholds untethered to customer behaviour, and alerts closed without adequate investigation. The FCA expects documented rationale behind every threshold calibration and evidence that monitoring systems are tested periodically.

Sanctions screening against the OFSI consolidated list is mandatory at onboarding and on an ongoing basis. Firms must also screen against OFAC, UN, and EU lists for cross-border and correspondent banking transactions. Record-keeping obligations under MLR 2017 require CDD documents and transaction records to be retained for at least five years after the end of the business relationship.

SAR quality matters as much as volume. The NCA has published guidance noting that vague, incomplete, or late SARs limit the intelligence value of the UK's financial intelligence picture. The FCA expects SAR quality to be tracked as a compliance metric. Adverse media screening is expected as part of the ongoing monitoring obligation, even though MLR 2017 doesn't name it explicitly. The FCA's supervisory visits routinely probe whether firms are identifying negative news about customers and acting on it.


What is unique about compliance in the United Kingdom?

Several aspects of the UK regime consistently trip up foreign banks.

The DAML SAR regime under POCA 2002 is operationally unlike most jurisdictions. When a firm identifies suspected proceeds of crime and needs to proceed with a transaction, it must submit a DAML SAR and wait. The 7-day consent window starts when the UKFIU acknowledges the report, not when it is submitted. In time-sensitive transactions, such as those on real-time payment rails, the tension between acting and waiting is real. Firms need escalation processes that operate within hours, and they need staff who understand the difference between a standard SAR and a DAML submission.

The UK now runs its own independent sanctions regime under SAMLA. OFSI's consolidated list diverges from the EU's in some designations, particularly in Russia-related sanctions issued since February 2022. Groups that rely on EU sanctions screening processes need a dedicated UK overlay. OFSI operates a strict liability civil penalty standard: a firm that processes a payment to a sanctioned party can face penalties even without knowledge of the designation. That asymmetry requires real-time screening, not batch processing.

The ultimate beneficial owner (UBO) framework is among the more demanding in the G20. The Economic Crime (Transparency and Enforcement) Act 2022 created the Register of Overseas Entities (ROE) at Companies House, requiring foreign entities that hold UK property to publicly disclose their beneficial owners. The Economic Crime and Corporate Transparency Act 2023 substantially expanded Companies House identity verification requirements. Firms should cross-reference these registers when verifying UBO information for corporate clients.

For virtual asset service providers (VASPs), the FCA requires registration under MLR 2017. It's registration, not full authorisation, but the FCA has rejected a significant share of applicants. Any firm onboarding a VASP as a customer should verify the firm's status on the FCA's register before proceeding.

We've seen foreign banks underestimate the domestic PEP scope as well. UK domestic PEPs, including senior civil servants, members of parliament, and senior military officers, are in scope. The FCA's January 2024 finalised guidance provides a proportionality gloss: domestic UK PEPs should be treated as lower risk than foreign PEPs absent other risk factors. But firms must document those risk assessments. The FATF 2018 UK mutual evaluation report, available at https://www.fatf-gafi.org, provides useful context on how UK supervisors approach risk-based supervision at an institutional level.


Recent enforcement actions in the United Kingdom

The FCA's enforcement record is among the most active globally, and the cases are well-documented.

The landmark recent action is NatWest. In December 2021, NatWest pleaded guilty to three offences under the money laundering regulations, becoming the first bank in UK history to face criminal conviction under those rules. The FCA's press release details a failure to monitor approximately £365 million in cash deposits from Fowler Oldfield, a Bradford gold dealer, between 2012 and 2016. NatWest was fined £264.8 million. The case exposed a fundamental breakdown in how the bank's transaction monitoring rules were designed and maintained for business banking customers.

In December 2022, Santander UK was fined £107.7 million for systemic failures in its business banking AML controls. The FCA found the bank was unable to adequately monitor over 560,000 business banking accounts and had failed to address persistent gaps in its transaction monitoring systems over a four-year period.

The HSBC 2012 enforcement action was primarily a US resolution, but it directly implicated HSBC's UK correspondent banking operations and shaped how the FCA subsequently framed its expectations for global banks operating in London.

The Deutsche Bank 2017 mirror trades case resulted in a £163 million FCA fine. Deutsche Bank's London equities desk was central to the scheme, which moved approximately $10 billion out of Russia through simultaneous buy-and-sell equity orders. The FCA found fundamental failures in Deutsche Bank's AML control framework, including inadequate transaction monitoring and correspondent banking oversight.

The Standard Chartered 2019 sanctions enforcement action involved a global resolution that included UK regulatory requirements alongside the US DOJ and OFAC settlement, requiring extensive remediation of sanctions compliance controls.


What foreign banks operating in the United Kingdom need to know

Any foreign bank operating in the UK needs FCA authorisation for a branch or subsidiary, or joint FCA and PRA authorisation for deposit-taking operations. The Temporary Permissions Regime, which allowed EEA firms to continue operating post-Brexit, is now largely wound down. Foreign banks not previously authorised in the UK must go through the full application process.

The MLRO appointment under MLR 2017 is non-negotiable. Every regulated firm must designate an MLRO and a deputy MLRO. For FCA-authorised firms, the MLRO must be approved under the Senior Managers and Certification Regime (SMCR) as a Senior Management Function holder. The FCA has publicly censured and prohibited individual MLROs for personal failings. Don't treat the MLRO role as a designation you assign and revisit annually; it carries personal criminal and regulatory exposure.

Outsourcing AML controls to a group centre of excellence is permitted, but the UK legal entity retains full accountability. The FCA expects local management to understand and be able to challenge the outsourced function's outputs. Group CDD or transaction monitoring processes calibrated for a different market may not adequately address the UK's specific risk categories, including OFSI sanctions, the domestic PEP population, and POCA reporting obligations.

SAR reporting timelines have legal consequences under POCA 2002. There's no formal hourly deadline, but the DAML regime means delay has direct implications for legal protection. Firms need escalation processes that operate within hours for time-sensitive transactions, not days.

Compliance teams accustomed to the US or Singapore AML compliance frameworks need a specific UK gap analysis before go-live. The DAML consent regime, OFSI's independent sanctions list, and the domestic PEP scope each create operational requirements with no direct equivalent in most other markets.


How FluxForce supports United Kingdom compliance

FluxForce's real-time monitoring capabilities map directly to the UK's core control obligations: continuous transaction monitoring calibrated to MLR 2017 risk categories, automated sanctions screening against the OFSI consolidated list alongside OFAC and UN, and PEP and adverse media checks built for the UK's domestic PEP guidance. The automated SAR drafting module generates audit-ready narratives for both standard disclosures and DAML submissions. Every decision comes with a full evidence trail suited for FCA supervisory visits. To see how this maps to your UK obligations, request a demo.
