UK MLR 2017: What It Requires and Who It Applies To
SI 2017/692
What is UK MLR 2017?
The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (SI 2017/692) is the UK's primary domestic law governing anti-money laundering and counter-terrorist financing obligations for regulated entities. It came into force on 26 June 2017, replacing the Money Laundering Regulations 2007, and transposed the EU Fourth Anti-Money Laundering Directive (4AMLD, Directive 2015/849) into UK law.
HM Treasury issued the regulations under the European Communities Act 1972. Supervision falls across several bodies: the Financial Conduct Authority (FCA) covers banks, insurers, and most financial services firms; HMRC supervises money service businesses, trust or company service providers, and high-value dealers; the Gambling Commission oversees the gambling sector; and approved professional body supervisors, including the ICAEW and the Law Society, handle lawyers and accountants.
Two forces drove the 2017 overhaul. FATF's 2016 Mutual Evaluation of the UK found the country largely compliant but identified weaknesses in legal sector supervision and beneficial ownership transparency. Concurrently, the UK's 2017 National Risk Assessment rated the financial services and professional services sectors as the highest-risk channels for money laundering, with the National Crime Agency estimating £100 billion laundered through the UK each year.
Post-Brexit, the regulations were amended by the Money Laundering and Terrorist Financing (Amendment) Regulations 2019 and several subsequent statutory instruments, which cut the formal EU law link. The substance remains aligned with 5AMLD standards. The full text is at legislation.gov.uk.
Who does UK MLR 2017 apply to?
The regulations apply to "relevant persons" as defined in Regulation 8. Coverage is broad and technology-neutral; it applies regardless of whether a firm operates through physical branches, online platforms, or APIs.
Covered entity types include:
- Banks and building societies: All UK-authorised deposit-takers, including challenger banks and neobanks with full banking licences
- Payment and e-money institutions: Any firm authorised under the Payment Services Regulations 2017 or the Electronic Money Regulations 2011, including fintech processors and digital wallets
- Credit firms and consumer lenders: Mortgage lenders and consumer credit firms where lending activity creates AML exposure
- Money service businesses (MSBs): Currency exchange operators, money transfer firms, cheque encashment companies, and remittance providers
- Crypto asset exchange providers and custodian wallet providers: Added by the Money Laundering and Terrorist Financing (Amendment) Regulations 2019 under Regulation 14A. These firms must register with the FCA for AML supervision, which made the UK one of the earlier G20 jurisdictions to bring crypto assets within AML scope
- Trust or company service providers (TCSPs): Formation agents, registered office providers, and nominee directors or shareholders
- Legal professionals: Solicitors and barristers engaged in conveyancing, company formation, or managing client funds
- Accountants and auditors: Statutory auditors, tax advisors, and insolvency practitioners
- Estate agents: Property sales and, from 1 January 2020, lettings
- High-value dealers: Any business accepting cash payments of €10,000 or more for goods (approximately £8,500 at current rates)
There are no employee count or revenue thresholds. A two-person fintech with an e-money licence carries the same core obligations as a large commercial bank. The distinction is in how risk-based calibration applies, not in whether obligations exist at all.
What does UK MLR 2017 require?
All obligations flow from FATF Rec 1: firms must identify, assess, and manage their money laundering risk in proportion to actual exposure rather than applying uniform controls regardless of risk level. Core obligations, in sequence:
Business-wide risk assessment (Regulation 18): Firms must document a written risk assessment covering customers, countries, products, delivery channels, and transactions. It must be updated whenever material changes occur and approved by senior management. A generic downloaded template will not pass FCA scrutiny.
Policies, controls, and procedures (Regulation 19): The risk assessment must feed into written policies approved by senior management. Procedures must cover Customer Due Diligence (CDD), ongoing monitoring, record-keeping, internal reporting lines, and staff training.
Customer due diligence (Regulations 27-40): Standard CDD requires identifying and verifying customers using reliable, independent source documents. For legal persons, firms must identify the ultimate beneficial owner: any individual with more than 25% ownership or control. Enhanced Due Diligence (EDD) is mandatory for high-risk relationships, politically exposed persons (PEPs), and correspondent banking. Simplified due diligence is permitted only where a firm can demonstrate genuinely low risk, with documented justification.
Ongoing monitoring (Regulation 28): Firms must scrutinise transactions throughout the customer relationship to identify anything inconsistent with the customer's known risk profile. The frequency and depth of review must be proportionate to risk. This obligation generates more enforcement action than any other in the regulations.
Record-keeping (Regulation 40): All CDD documents and transaction records must be retained for five years from the end of the business relationship or the date of the occasional transaction, whichever is later.
Suspicious activity reporting: Firms must file a Suspicious Activity Report (SAR) with the National Crime Agency where they know, suspect, or have reasonable grounds to suspect money laundering. The DAML (Defence Against Money Laundering) mechanism allows firms to seek NCA consent before completing a transaction where suspicion exists.
PEP and sanctions screening: EDD is mandatory for all PEPs and their family members and close associates. Sanctions screening runs alongside under the OFSI regime.
Training (Regulation 24): Relevant staff must receive regular AML training proportionate to their role. No frequency is prescribed, but most firms train annually and at onboarding.
Nominated officer / MLRO: Firms must appoint a Money Laundering Reporting Officer with sufficient seniority and independence to act without commercial pressure.
What evidence do regulators expect?
FCA AML supervisory visits use the Joint Money Laundering Steering Group (JMLSG) guidance as their practical benchmark. Examiners aren't checking whether documents exist; they're testing whether controls work in the way the documents claim.
Bring this to an audit:
- Business-wide risk assessment: Dated, signed by a named senior manager, with genuine analysis of the firm's actual customer base, geography, products, and delivery channels. Substantive, not boilerplate. Generic templates draw immediate scepticism.
- Written AML policies and procedures: Version-controlled documents with approval dates and the MLRO's name. Policies not updated in three years will attract questions about whether they reflect current business activity.
- Customer risk ratings: Evidence of differentiated risk scores at onboarding, with documented rationale for EDD and simplified due diligence decisions. A flat "medium risk" applied to all customers is a red flag.
- CDD records: Identity documents, utility bills, Companies House extracts, and UBO declarations. Examiners sample these across the book. Missing or expired documents on active accounts are a direct breach.
- Transaction monitoring logs: Alerts generated, alerts reviewed, investigation notes, and outcomes. If 5,000 alerts were closed in under two minutes each, expect intensive questioning about the quality of review.
- SAR records: Internal suspicious activity reports submitted to the MLRO, external SARs filed with the NCA, and the decision log for cases considered but not escalated. Examiners count gaps between internal and external reports.
- Training records: Named employees, training completed, assessment scores, and date of last completion.
- MLRO annual report: Required under Regulation 21. Examiners ask to see it. A missing or purely formulaic report signals dysfunction at the top of the compliance function.
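As an added illustration (not from this page or from FluxForce), the script below applies the "closed in under two minutes" heuristic from the transaction monitoring item to a constructed alert-review log and reports, per analyst, how many closures look cursory. The log fields, the sample rows and the per-analyst flag ratio are assumptions.

```python
# Added example: flag cursory alert review in a transaction-monitoring log.
# Log layout and the FLAG_RATIO threshold are assumptions; the sample rows are constructed.
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample log: one row per monitoring alert worked by an analyst.
SAMPLE_LOG = """alert_id,analyst,opened,closed,outcome
A1,jsmith,2024-03-01T09:00:00,2024-03-01T09:00:45,closed_no_action
A2,jsmith,2024-03-01T09:01:00,2024-03-01T09:01:30,closed_no_action
A3,jsmith,2024-03-01T09:02:00,2024-03-01T09:03:10,closed_no_action
A4,ahan,2024-03-01T10:00:00,2024-03-01T10:25:00,escalated_mlro
A5,ahan,2024-03-01T10:30:00,2024-03-01T10:41:00,closed_no_action
A6,ahan,2024-03-01T11:00:00,2024-03-01T11:01:00,closed_no_action
"""

CURSORY_SECONDS = 120   # "under two minutes", as the text puts it
FLAG_RATIO = 0.5        # assumed: flag an analyst when at least half of their closures are cursory


def parse_log(text):
    """Parse the CSV log into dicts with the handling time in seconds."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        opened = datetime.fromisoformat(r["opened"])
        closed = datetime.fromisoformat(r["closed"])
        rows.append({"alert_id": r["alert_id"], "analyst": r["analyst"],
                     "seconds": (closed - opened).total_seconds(),
                     "outcome": r["outcome"]})
    return rows


def review_quality(rows, cursory=CURSORY_SECONDS, ratio=FLAG_RATIO):
    """Per-analyst totals, cursory closures, cursory no-action closures and a flag."""
    stats = defaultdict(lambda: {"total": 0, "cursory": 0, "cursory_no_action": 0})
    for r in rows:
        s = stats[r["analyst"]]
        s["total"] += 1
        if r["seconds"] < cursory:
            s["cursory"] += 1
            if r["outcome"] == "closed_no_action":
                s["cursory_no_action"] += 1   # closed fast and without escalation
    for s in stats.values():
        s["flagged"] = s["cursory"] / s["total"] >= ratio
    return dict(stats)


if __name__ == "__main__":
    for analyst, summary in review_quality(parse_log(SAMPLE_LOG)).items():
        print(analyst, summary)
```

Run over a real export, the per-analyst summary is the kind of figure an examiner will ask for when the headline closure times look implausible.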
One consistent FCA finding: firms can produce policy documents but cannot demonstrate the operational reality behind them. The FCA calls this "paper compliance." It doesn't pass.
Common failure modes
Real AML failures at UK firms follow a short list of patterns. None of them are surprising in hindsight.
Inadequate transaction monitoring: The FCA's December 2022 fine against Santander UK (£107.7 million) cited failures in AML systems and controls covering around 560,000 business banking customers, including 40 accounts identified post-investigation as money mule operations. The FCA Final Notice for Santander UK plc, dated 9 December 2022, sets out in detail how monitoring gaps persisted over multiple years without senior management escalation.
CDD gaps on existing customers: Firms complete onboarding CDD and rarely revisit it. Examiners routinely find high-risk customers with outdated or missing documentation. Ongoing monitoring is supposed to trigger CDD refresh; in practice, it frequently doesn't.
Weak beneficial ownership verification: Relying solely on Companies House data without independent verification is a recurring weakness. For higher-risk corporate customers, company registers are a starting point, not an answer. The FCA expects firms to probe beyond filed documents for complex ownership structures.
Inadequate PEP identification: Many PEP screening systems miss domestic PEPs or second-degree relatives. The FCA's 2021 fine against HSBC (£63.9 million) specifically cited failures in PEP identification and EDD application over a sustained period.
SAR quality and timeliness: Firms file vague, formulaic reports rather than substantive ones. The NCA's 2022-23 SARs Annual Report data shows roughly 460,000 SARs filed that year, with a significant proportion providing insufficient information to support investigation.
NatWest criminal conviction (2021): The FCA prosecuted NatWest for failing to monitor £365 million in cash deposits by Fowler Oldfield. It ended in a guilty plea and a £264.8 million fine. It was the first criminal conviction of a bank under UK AML law, and it demonstrated that monitoring failures can reach the threshold of corporate criminal liability.
Penalties for non-compliance
The FCA uses all tracks of its enforcement regime. Unlimited civil fines, criminal prosecution, and personal liability for senior managers make UK AML enforcement among the most consequential in the world for financial institutions.
Civil financial penalties: The FCA can impose unlimited fines under FSMA 2000 section 206 using its five-step penalty framework. Recent examples:
| Firm | Fine | Year | Primary Failure |
|---|---|---|---|
| Santander UK | £107.7 million | 2022 | Systemic transaction monitoring failures |
| Standard Chartered Bank | £102.2 million | 2019 | Correspondent banking AML controls |
| HSBC | £63.9 million | 2021 | Transaction monitoring; PEP identification |
| Commerzbank AG (London) | £37.8 million | 2020 | AML systems failures |
Criminal prosecution: Under the Proceeds of Crime Act 2002 and the Terrorism Act 2000, individuals face up to 14 years' imprisonment for money laundering offences. NatWest's 2021 conviction showed that corporate criminal liability for monitoring failures is not hypothetical.
Withdrawal of authorisation: The FCA can cancel or restrict a firm's permissions under FSMA s.45. For a licensed bank or payment institution, this is the most severe sanction short of criminal conviction.
Personal liability under SMCR: The Senior Managers and Certification Regime holds the MLRO and relevant SMF holders personally accountable. The FCA has fined and prohibited individual compliance officers in multiple post-2019 enforcement actions where failures were attributable to their oversight.
Section 166 reviews: The FCA can require a skilled person report into AML controls, at the firm's expense. These reviews are publicly disclosed and typically cost firms £1 million to £5 million to commission, before any fine is applied.
Related regulations and frameworks
UK MLR 2017 sits within a layered obligation structure. Compliance with the regulations is necessary but not sufficient for institutions operating across jurisdictions or using third-party service providers.
FATF Recommendations: The regulations implement the 2012 FATF Recommendations at the national level. FATF Rec 10 maps directly to the CDD obligations in Regulations 27-40. The UK's next FATF mutual evaluation is expected in 2026, which historically accelerates domestic supervisory activity and prompts pre-emptive tightening by the FCA.
FCA SYSC 6.3: SYSC 6.3 requires firms to maintain adequate systems and controls to counter financial crime risk. The FCA enforces SYSC 6.3 and MLR 2017 in parallel; final notices almost always cite both. A firm that satisfies the letter of the regulations but fails the SYSC 6.3 systemic control standard will still face action.
Proceeds of Crime Act 2002 (POCA): The criminal statute underlying the entire regime. MLR 2017 sets the regulatory framework; POCA creates the offences. The tipping-off prohibition under POCA s.333A applies to any relevant person under MLR 2017 and must be reflected in SAR procedures.
Economic Crime (Transparency and Enforcement) Act 2022: Strengthened beneficial ownership enforcement and introduced Unexplained Wealth Orders as an investigative tool for the NCA. Treat it as complementary to MLR 2017 UBO obligations, particularly for high-risk corporate structures.
EU 6AMLD and EU AMLR: Post-Brexit, 6AMLD and the forthcoming EU AMLR apply to EU-facing operations. UK firms with EU subsidiaries face dual compliance requirements and should monitor divergence carefully, particularly on beneficial ownership thresholds and virtual asset obligations.
JMLSG Guidance: The Joint Money Laundering Steering Group publishes sector-specific practical guidance the FCA treats as a de facto benchmark. Diverging from JMLSG without documented justification is inadvisable in any enforcement context.
How FluxForce supports UK MLR 2017 compliance
FluxForce maps directly to the obligations regulators test hardest. Nova Sentinel and Aiden Flux automate PEP screening, sanctions checks, and UBO identification at onboarding and at each ongoing review cycle. This removes the manual queue delays that produce CDD gaps. The platform's transaction monitoring generates full decision explanations for every alert. That satisfies the evidentiary standard the FCA expects on audit day. Configurable autonomy means compliance teams set the risk thresholds; AI agents act within them. Every decision is logged and producible on demand.
To see this in practice, explore Identity Verification and KYC/AML Automation or request a demo.
FluxForce AI agents automate evidence capture, monitor transactions against UK MLR 2017 obligations in real time, and generate audit-ready reports with full decision trails.