The government has published draft Money Laundering Regulations 2017 (MLR 2017), due to come into force in June 2017. They implement the EU’s 4th Directive on Money Laundering. In doing so, they will replace the Money Laundering Regulations 2007 currently in force (MLR 2007).

As implementation of MLR 2017 is on an accelerated timeframe, it is best for persons subject to MLR 2017 to consider the changes now; the final regulations are unlikely to differ substantially from the current draft.

It should be noted that this is not a root and branch change. MLR 2017 constitutes an evolution of content and a reorganisation of structure. The intention is for MLR 2017 to improve upon and plug certain gaps in MLR 2007, including:

  • changing the approach to customer due diligence
  • seeking to prevent new means of terrorist financing, including through e-money and prepaid cards
  • improving transparency of beneficial ownership of companies and trusts
  • effectively enforcing sanctions.

Who is covered by MLR 2017?

For the most part, those persons covered by MLR 2017 (“relevant persons”) will remain the same as under the existing rules. However, there are a few differences:

  • All gambling providers will now be caught by MLR 2017, rather than simply holders of a casino operating licence, as under MLR 2007.
  • Trustees will have greater obligations relating to transparency of beneficiaries in their trusts. This point is dealt with below.

MLR 2017 will not apply to those engaging in financial activity on a very occasional basis, with a turnover of under £100,000. This is an increase from £64,000 under MLR 2007.

What are the new requirements?

A key difference is that relevant persons will be obliged to adopt a more risk-based approach towards anti-money laundering, in particular in how they conduct due diligence. Determining the appropriate level of due diligence will require analysis of risk factors which are based on the EU Directive and set out in MLR 2017. Sector-specific guidance will also follow.

Key changes for MLROs to consider include:

  • General risk assessment: Whereas MLR 2007 required firms to keep policies relating to risk assessment and due diligence, MLR 2017 is more prescriptive, particularly when it comes to risk mitigation procedures. MLR 2017 sets out the procedure that must be followed by a relevant person to analyse the business’s potential exposure to money laundering or terrorist financing. This means that a relevant person must produce a written AML risk report addressing its customers, countries of operation, products and services, transactions, delivery channels and the size and nature of the business. The relevant person must then translate the findings of this process into written policies.
  • Risk mitigation policies: These policies and controls must be in writing, be proportionate to the risks identified and be approved by the relevant person’s senior management. They must include internal controls over money laundering and terrorist financing risks (e.g. appointing a board member responsible for MLR 2017, screening agents and training staff). They must also include revised customer due diligence procedures as well as reporting, record keeping and monitoring requirements.
  • Level of due diligence: The circumstances in which simplified customer due diligence is permissible will become more restricted under MLR 2017. In a significant departure from MLR 2007, and as part of the risk-based approach, there will cease to be "automatic" simplified due diligence requirements for any transactions. Instead, a relevant person will need to consider both customer and geographical risk factors in deciding whether simplified due diligence is appropriate. Another major change in MLR 2017 is the creation of a "black list" of high-risk jurisdictions which, if involved in a transaction, will make enhanced due diligence and additional risk assessment compulsory.
  • Reliance on third parties: Relevant persons will still be able to rely on the CDD carried out by a third party if that third party is either subject to the MLR 2017 or an equivalent regime. However, the conditions for doing so are prescriptive. The third party must effectively provide the CDD information it has obtained and enter into a written agreement under which it agrees to provide within two working days copies of all CDD documentation in respect of the customer and/or its beneficial owner.
  • Politically exposed persons (PEPs): The parts of MLR 2007 which applied only to foreign PEPs will now also apply to local PEPs. This will in practice mean enhanced due diligence requirements for a broader range of individuals who have been trusted with prominent public functions both in the UK and overseas.

Timeframe for changes

The consultation is open for comments which can be submitted until 12 April 2017. MLR 2017 will come into effect by 26 June 2017 at the latest.


As stated above, it is likely that the content of MLR 2017 will not change drastically (as this is the second consultation) so affected persons should work towards making any necessary changes now. This should include:

  • familiarisation with MLR 2017
  • review and revision of AML written risk assessments
  • review and revision of AML policies and procedures
  • planning training for front line staff conducting AML
  • looking out for the new JMLSG general and sectoral guidance.