GuidanceAML UK publishes practitioner guidance for the UK regulated sector. This is not a Government service — read about our independence.
UK regulatory framework

The statute book behind the UK's AML and CFT regime.

A practical reference to the key instruments UK regulated firms must operate under. This page is a working summary; it is not legal advice and should be read together with the current guidance issued by your supervisor and the JMLSG.

Primary framework

Six instruments that define the UK obligation.

The UK anti-money laundering regime is built on layered primary and secondary legislation, enforced by a mesh of statutory and professional supervisors and interpreted through the FCA Financial Crime Guide, the JMLSG Guidance and the sectoral guidance issued by HMRC, the Gambling Commission and the professional body supervisors. The six instruments below carry the majority of the obligation on regulated firms today.

MLR 2017

Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017

The core preventative regime for UK regulated businesses. The Regulations require every relevant person to conduct a written firm-wide risk assessment, apply customer due diligence proportionate to risk, monitor business relationships on an ongoing basis, keep records for at least five years and maintain internal controls including a nominated officer and, where appropriate, a board-approved financial crime policy.

Sectoral scope is set by Regulation 8 and covers credit and financial institutions, auditors, insolvency practitioners, external accountants, tax advisers, legal professionals, trust or company service providers, estate and letting agents, high value dealers, casinos, art market participants and cryptoasset exchange and custodian wallet providers. Regulation 105 designates supervisors — the FCA, HMRC, the Gambling Commission and the professional body supervisors — and Regulation 76 sets out the civil sanctions available to them.

POCA

Proceeds of Crime Act 2002

Creates the substantive money laundering offences and the reporting regime. Sections 327 to 329 criminalise concealing, arranging and the acquisition, use or possession of criminal property. Sections 330 to 332 impose the duty on the regulated sector, MLROs and other nominated officers to report knowledge or suspicion of money laundering to the National Crime Agency.

Section 333A creates the tipping-off offence. Sections 335 and 336 provide the appropriate consent — commonly called Defence Against Money Laundering — regime, including the seven working day notice period and the thirty-one calendar day moratorium period. Part 5 provides the civil recovery regime and the Unexplained Wealth Order power. Enforcement sits with the NCA, the CPS, the SFO and specified prosecutors.

TACT

Terrorism Act 2000

The counter-terrorist financing counterpart to POCA. Sections 15 to 18 criminalise fund-raising, use and possession, funding arrangements and money laundering in connection with terrorism. Section 21A imposes the reporting duty on the regulated sector and Section 21ZA introduces the equivalent consent regime.

The Anti-Terrorism, Crime and Security Act 2001 extends the freezing and forfeiture regime, and the Counter-Terrorism Act 2008 grants HM Treasury power to issue directions in relation to specified jurisdictions. Firms must operate against both TACT and the sanctions lists administered by OFSI.

SAMLA

Sanctions and Anti-Money Laundering Act 2018

The primary post-Brexit power for the UK to make and enforce financial, trade, immigration, aircraft and shipping sanctions. Statutory instruments made under SAMLA — including the Russia (Sanctions) (EU Exit) Regulations 2019 and the Global Human Rights Sanctions Regulations 2020 — populate the UK Sanctions List administered by the Office of Financial Sanctions Implementation.

Section 49 of SAMLA also provides the standing power to update the UK AML/CFT framework, meaning changes to the MLR 2017 are now typically delivered by SAMLA-derived statutory instrument. OFSI operates a strict-liability civil monetary penalty regime and can issue disclosure notices.

ECTEA 2022

Economic Crime (Transparency and Enforcement) Act 2022

Established the Register of Overseas Entities holding UK real estate at Companies House, reformed the Unexplained Wealth Order regime to make it more usable by enforcement, and strengthened sanctions enforcement by moving OFSI to a strict-liability standard for civil penalties.

The ROE regime requires overseas entities that own UK property to identify their registrable beneficial owners and update the information annually. Non-compliance restricts the entity's ability to transact in UK land and creates criminal liability for officers of the entity.

ECCTA 2023

Economic Crime and Corporate Transparency Act 2023

The most significant reform to UK corporate transparency in a generation. Grants Companies House new powers to query, reject and remove information, introduces identity verification for directors, PSCs and those filing on behalf of companies, and creates a new failure-to-prevent-fraud offence for large organisations.

For AML, Part 5 of the Act creates an information-sharing gateway allowing firms in the regulated sector to share information for the purposes of preventing, detecting or investigating economic crime, subject to safeguards. It also reforms the SAR regime, exempts certain low-value transactions from consent SARs and expands civil recovery powers over cryptoassets.

Customer due diligence

The four modes of CDD under the MLR 2017.

CDD is the operational core of the preventative regime. The MLR 2017 set out when CDD must be applied, what it must consist of, how it must be evidenced and when it must be repeated or enhanced. Failure to apply CDD to the standard required by the Regulations is itself a criminal offence under Regulation 86.

Standard CDD (Reg. 28)

Identify the customer and any beneficial owner and verify identity from a reliable, independent source. Obtain information on the purpose and intended nature of the business relationship and, where the customer is a legal person, understand its ownership and control structure.

Enhanced CDD (Reg. 33)

Mandatory for any transaction or business relationship with a person established in a high-risk third country, for correspondent relationships, for politically exposed persons and their family and close associates, for complex or unusually large transactions, and for any case the firm's own risk assessment identifies as higher risk. EDD measures must include additional information on the customer, the source of funds and wealth, and enhanced ongoing monitoring.

Simplified CDD (Reg. 37)

Available only where the firm has determined, having considered the risk factors in Schedule 3, that the relationship or transaction presents a low degree of risk. SDD is a reduction in the extent, timing or type of verification — it is never an exemption from CDD, from ongoing monitoring or from the reporting obligations under POCA.

Ongoing monitoring (Reg. 28(11))

Scrutiny of transactions throughout the course of the relationship to ensure they are consistent with the firm's knowledge of the customer, their business and their risk profile — including, where necessary, the source of funds — and keeping the documents, data and information held under CDD up to date.

Supervision

Who supervises whom.

Every relevant person is supervised for AML purposes by a designated authority. Statutory supervisors — the FCA, HMRC and the Gambling Commission — supervise the sectors listed against their name. The professional body supervisors regulate the legal and accountancy sectors.

The Office for Professional Body Anti-Money Laundering Supervision (OPBAS), which sits within the FCA, oversees the 22 professional body supervisors to drive consistency of standard and appetite.

Financial Conduct Authority (FCA)
Banks, building societies, e-money institutions, payment services firms, investment firms, consumer credit firms and cryptoasset exchange and custodian wallet providers registered under Regulation 57.
HM Revenue & Customs (HMRC)
Money service businesses, estate and letting agents, high-value dealers, art market participants, trust or company service providers and accountancy service providers not supervised by a professional body.
Gambling Commission
Casino operators — remote and non-remote — under the Gambling Act 2005.
Professional Body Supervisors
22 legal and accountancy bodies including the SRA, CILEx, BSB, Law Society of Scotland, Law Society of Northern Ireland, ICAEW, ACCA, CIOT, ICAS and IPA. Overseen by OPBAS within the FCA.
Reporting

The SAR regime, in one page.

A Suspicious Activity Report is the mechanism by which firms in the regulated sector, MLROs and other nominated officers report knowledge or suspicion — or reasonable grounds for knowledge or suspicion — of money laundering or terrorist financing to the UK Financial Intelligence Unit within the National Crime Agency. Approximately 900,000 SARs are submitted each year, of which a material proportion are Defence Against Money Laundering requests.

Where a firm proposes to carry out a transaction that would otherwise commit a principal money laundering offence, it may seek a DAML under section 335 of POCA. The NCA has seven working days from the day after receipt to refuse consent. If consent is refused, a thirty-one calendar day moratorium period runs during which the transaction may not proceed and law enforcement can take action to restrain or seize the property.

The Economic Crime and Corporate Transparency Act 2023 recalibrated the regime. It introduced an information-sharing gateway that allows firms in the regulated sector to share information for the purposes of preventing, detecting or investigating economic crime, subject to safeguards, and exempted a class of low-value transactions from the requirement to submit a DAML — freeing analyst capacity to focus on higher-value suspicion.

Firms remain exposed to the tipping-off offence under section 333A of POCA and to the failure-to-disclose offence under section 330. Internal SAR governance — how staff escalate suspicion, how the MLRO records the decision to report or not to report, and how the audit trail is preserved for a minimum of five years — is a routine focus of both supervisory inspection and skilled person reviews.