AML requirements for covered institutions and individuals

Enforcement and regulation

Which government entities enforce the AML regime and regulate covered institutions and persons in your jurisdiction? Do the AML rules provide for ongoing and periodic assessments of covered institutions and persons?

Businesses operating in the regulated sector are subject to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, as amended (the Regulations), and are monitored by a supervisory authority. Each supervisory authority is responsible for monitoring the businesses in its sector, taking appropriate action to ensure compliance with the Regulations and providing guidance to those businesses.

The Financial Conduct Authority (FCA), HMRC, the Gambling Commission and 22 professional bodies act as supervisory authorities under the Proceeds of Crime Act 2002 (POCA) and the Regulations. Breaches of the Regulations, or of a supervisory authority's own regulatory rules, may be pursued civilly or criminally. Supervisory authorities may also take other regulatory action in relation to failures in money laundering systems and controls.

The Office for Professional Body Anti-Money Laundering Supervision (OPBAS) was established in 2018 and is based within the FCA. Its objective is to improve the consistency of professional body AML supervision, and it has the power to ensure that the professional bodies acting as supervisory authorities meet the standards required by the Regulations.

Covered institutions and persons

Which institutions and persons must have AML measures in place?

Regulated sector businesses are required to implement extensive compliance programmes as set out in the Regulations. A business is a regulated business if it is involved in one of the activities listed in Part 1 of Schedule 9 of POCA and if it is a ‘relevant person’ under Regulation 8 of the Regulations.

The regulated sector includes:

  • credit institutions;
  • financial institutions;
  • auditors, insolvency practitioners, external accountants and tax advisers;
  • independent legal professionals;
  • trust or company service providers;
  • estate agents and letting agents;
  • high-value dealers;
  • casinos;
  • art market participants;
  • crypto-asset exchange providers; and
  • custodian wallet providers.


Those in the regulated sector are also obliged, on pain of criminal penalty, to report money laundering where they know or suspect it (a subjective test) or have reasonable grounds for knowing or suspecting it (an objective test).

Non-regulated businesses are not obliged to implement AML measures, but may consider it prudent to put measures in place to mitigate money laundering risk. Non-regulated businesses can commit the substantive money laundering offences and the ‘prejudicing an investigation’ offence under POCA. Section 332 of POCA also creates a ‘failure to disclose’ offence for nominated officers of non-regulated businesses; however, the offence only applies if a nominated officer has actually been appointed. Liability attaches only to the nominated officer and not to other employees, and the offence is not committed unless the nominated officer has actual knowledge or suspicion of money laundering (there is no objective ‘reasonable grounds’ limb, unlike the regulated sector offences).


Do the AML laws applicable in your jurisdiction require covered institutions and persons to implement AML compliance programmes? What are the required elements of such programmes?

Regulated sector businesses are required to implement extensive compliance programmes as set out in the Regulations.

The Regulations contain a large number of requirements, and failure to comply with them can attract civil penalties or, in some cases, criminal prosecution. The requirements include, but are not limited to:

  • carrying out a risk assessment that identifies and assesses the risk of money laundering and terrorist financing to its business;
  • establishing and maintaining policies, controls and procedures to mitigate and manage effectively the risks of money laundering and terrorist financing identified in the risk assessment; and
  • the application of customer due diligence (CDD) measures on a risk-based approach.


The policies and procedures must be risk-based and proportionate to the size and nature of the business. The approach must be approved by senior management and subject to proper record-keeping practices.

Breach of AML requirements

What constitutes breach of AML duties imposed by the law?

A breach of AML duties may take any of the following forms: commission of one of the substantive money laundering offences under POCA; failure to comply with the regulated sector reporting obligations; tipping off; or breach of a requirement of the Regulations.

Customer and business partner due diligence

Describe due diligence requirements in your jurisdiction’s AML regime.

Under the Regulations, a business in the regulated sector must carry out CDD in circumstances including the following:

  • when establishing a business relationship (before it is established, unless doing so would interrupt the normal conduct of business and there is little risk of money laundering or terrorist financing);
  • when carrying out an occasional transaction that amounts to a transfer of funds within the meaning of article 3.9 of the Funds Transfer Regulation exceeding €1,000 (before the transaction is carried out, unless doing so would interrupt the normal conduct of business and there is little risk of money laundering or terrorist financing);
  • where money laundering or terrorist financing is suspected;
  • where there are doubts about the veracity or adequacy of documents or information obtained for the purposes of identification or verification;
  • at other appropriate times for existing customers, on a risk-based approach;
  • when the regulated person becomes aware that circumstances of an existing customer relevant to its risk assessment for that customer have changed; and
  • when the regulated person has any legal duty in the course of the calendar year to contact an existing customer to review information that is relevant to the business's risk assessment for that customer and relates to the beneficial ownership of the customer.


The CDD measures must include identifying and verifying the customer (unless the customer's identity is already known and has been verified) and assessing the purpose and intended nature of the business relationship or occasional transaction.

A risk-based approach should be taken to CDD. The Regulations contain provisions for applying enhanced customer due diligence (EDD) to higher-risk customers and simplified customer due diligence (SDD) to lower-risk customers.

Where the customer is a body corporate, CDD must include obtaining and verifying its name, its company number or other registration number, and the address of its registered office and, if different, its principal place of business (Regulation 28(3)). Unless the customer is a company listed on a regulated market, reasonable measures must also be taken to determine and verify the law to which the body corporate is subject, its constitution, the full names of the directors on its board or equivalent body, and the senior persons responsible for its operations.

A ‘beneficial owner’ in relation to a body corporate that is not a listed company is any individual who exercises ultimate control over the management of the body corporate, or who ultimately owns or controls (directly or indirectly) more than 25 per cent of the shares or voting rights, or an individual who controls the body corporate (Regulation 5 of the Regulations). The Regulations include an obligation to take reasonable measures to understand the ownership and control structure where the customer is a legal person, trust, company, foundation or similar legal arrangement (Regulation 28(3A) of the Regulations).

Unless the customer is a business listed on a regulated market, where it is beneficially owned by another person, the beneficial owner must be identified and reasonable measures taken to verify the identity of the beneficial owner, including information that enables the regulated entity to understand the ownership and control of the beneficial owner if it is a legal person, trust, foundation or similar legal arrangement.

There is also an obligation to report to Companies House any discrepancy found in relation to beneficial ownership between information collected from Companies House during the CDD process and information that otherwise becomes available in the course of carrying out the duties under the Regulations (Regulation 30A(2)).

Credit and financial institutions are subject to additional CDD obligations in relation to certain transactions (Regulation 29).

Where a regulated business is unable to comply with the CDD requirements, the Regulations require that the business relationship must not be established, the transaction must not be carried out or, for an existing customer, the business relationship must be terminated. The business must also consider whether it is required to file a suspicious activity report (SAR) (Regulation 31).

High-risk categories of customers, business partners and transactions

Do the AML rules applicable in your jurisdiction require that covered institutions and persons conduct risk-based analyses? Which high-risk categories are specified? What level of due diligence is expected in relation to customers assessed to be high risk?

Regulation 18 requires regulated sector businesses to carry out a written risk assessment and to identify and assess the risk of money laundering or terrorist financing to which its business is subject. In carrying out the risk assessment, the business must take into account:

  • guidance and other information issued by the relevant regulator; and
  • risk factors relating to:
    •  the business’s customers;
    • countries and geographic areas in which the business operates;
    • its products or services and transactions; and
    •  its delivery channels.


The risk assessment must be provided to the regulator on request. The Regulations require a risk-based approach to CDD, with standard, simplified (SDD) and enhanced (EDD) levels based on the assessed money laundering and terrorist financing risk. EDD must be applied where there is a high risk of money laundering or terrorist financing (Regulation 33). ‘High risk’ includes, amongst others: where the relationship is with a person established in a high-risk third country; where the customer is a politically exposed person (PEP); a correspondent banking relationship with a credit or financial institution; and a transaction that is complex or unusually large.

A PEP is defined in Regulation 35 as an individual entrusted with a prominent public function. Family members and known close associates of a PEP are also subject to EDD. Where a person is no longer a PEP, EDD continues to apply for at least 12 months after the date on which the person ceased to be entrusted with that prominent public function, or for such longer period as the business considers appropriate. PEPs face a higher level of scrutiny, including a focus on their source of wealth and source of funds, because of the risk that they may abuse their position.

High-risk third countries are those considered by HM Treasury to be jurisdictions with unsatisfactory money laundering and terrorist financing controls. HM Treasury’s list replicates those countries listed by the Financial Action Task Force (FATF) as high risk or under increased monitoring.

Under the Regulations, a credit or financial institution must not enter into or continue a correspondent relationship with a shell bank.

Record-keeping and reporting requirements

Describe the record-keeping and reporting requirements for covered institutions and persons.


The Regulations require a regulated business to keep the documents and information obtained for CDD and its records of transactions for five years from the date on which the business knows, or has reasonable grounds to believe, that the transaction is complete or that the business relationship has come to an end (Regulation 40). Once that period has expired, personal data obtained for the purposes of the Regulations must be deleted, except in certain limited circumstances.


Reporting requirements

As discussed above, there are a number of reporting requirements under POCA. In broad terms, where a person operating in the regulated sector knows, suspects or has reasonable grounds to know or suspect money laundering activity, a SAR must be filed with the National Crime Agency (NCA).

The disclosure, made by way of a SAR, must be made as soon as practicable after the information or grounds for knowledge or suspicion came to that person. No offence is committed if the person has a reasonable excuse for not making the disclosure, or if the information came to a legal adviser or relevant professional adviser in privileged circumstances.

Under section 331 of POCA, a nominated officer, usually the money laundering reporting officer (MLRO), commits an offence if they fail to inform the NCA of disclosures received under section 330 of POCA, where they know or suspect, or have reasonable grounds to know or suspect, that another person is engaged in money laundering.

In practice, a person in the regulated sector is expected to be subject to an AML policy that requires suspicions to be escalated to the MLRO. The MLRO then considers the matter by reference to the CDD materials and other available information and decides whether a SAR should be filed, including whether a defence against money laundering (DAML) SAR is required (a SAR that seeks the NCA's consent to proceed with an act that would otherwise constitute a money laundering offence). The MLRO is not expected to file a SAR for every escalation received; they are expected to review each matter and decide whether a SAR is required.

Privacy laws

Describe any privacy laws that affect record-keeping requirements, due diligence efforts and information sharing.

The General Data Protection Regulation (Regulation (EU) 2016/679 (GDPR)) has direct effect across the European Economic Area. Since 1 January 2021, following the end of the Transition Period under the UK-EU Withdrawal Agreement, the GDPR is no longer directly applicable in the UK, but it has been retained in UK law by virtue of the European Union (Withdrawal) Act 2018, the Data Protection Act 2018 (DPA 2018) and the Data Protection, Privacy and Electronic Communications (Amendments, etc) (EU Exit) Regulations 2019 (the 2019 Regulations). The version of the GDPR that applies in the UK is defined in the DPA 2018 (as amended) as the UK GDPR. The vast majority of the compliance requirements under the UK GDPR are functionally identical to those under the EU GDPR.

The DPA 2018 came into force on 25 May 2018. It supplements the UK GDPR and separately governs processing of personal data outside the scope of the UK GDPR, including processing by competent authorities for law enforcement purposes and by the intelligence services.

The UK GDPR and the DPA 2018 require personal data to be processed in accordance with prescribed principles (article 5 of the UK GDPR). There must be a lawful basis for processing (article 6 of the UK GDPR) underpinning the processing of personal data. This includes when processing personal data to conduct CDD. Subject to certain exclusions, data subjects (the individuals whose personal data are being processed) also have the right to know how their personal data will be handled and with whom it will be shared. This is usually achieved through the publishing of a privacy notice. The principles within the legislation also dictate that information should only be kept for as long as necessary and used in a way that is consistent with the purposes for which it is being held. During the CDD process, careful consideration should be given to the volume and extent of personal data that is shared and whether any additional steps need to be taken before it is shared with a third party.

The 2019 Amendments to the Regulations introduced a requirement to provide a new customer with the information required under article 13 of the UK GDPR. This includes a statement explaining that any personal data received from the customer will be processed only for the purposes of preventing money laundering or terrorist financing or as permitted under the Regulations or the UK GDPR or with the consent of the customer.

Personal data should not be transferred outside the UK, other than to a jurisdiction that the UK has deemed adequate for the purposes of cross-border data transfers, unless appropriate protections are in place (the UK has deemed the whole of the EEA, together with all jurisdictions that had received an EU adequacy decision as of 1 January 2021, to be adequate for UK purposes). A transfer without such protections is a breach of the UK GDPR and could lead to fines of up to £17.5 million or four per cent of annual global turnover, whichever is higher.

The UK GDPR imposes a general prohibition on the processing of personal data relating to criminal convictions and offences (including allegations of criminal offences), subject to specific exceptions. Information sharing between regulated businesses is one such area: subject to certain conditions, section 339ZB of POCA enables a regulated sector business to request information about a suspected money launderer from another regulated sector business to assist it in its enquiries.

Similarly, the DPA 2018 also permits the processing of such personal data where it is necessary for preventing or detecting unlawful acts (paragraph 10, Schedule 1 of the DPA 2018) or complying with or assisting other persons to comply with a regulatory requirement that involves taking steps to establish whether a person has committed an unlawful act or has been involved in dishonesty, malpractice or seriously improper conduct (paragraph 12, Schedule 1 of the DPA 2018). However, an appropriate policy document must be in place when relying on the provision at paragraph 12.

Resolutions and sanctions

What is the range of outcomes in AML controversies? What are the possible sanctions for breach of AML laws?

In addition to the possible outcomes in criminal money laundering cases discussed elsewhere, it may in some cases be possible to enter into an agreement under the Serious Organised Crime and Police Act 2005 for immunity from prosecution, which usually involves giving evidence in connected criminal proceedings. Such agreements are uncommon.

The penalty for corporate defendants is an unlimited fine. Unlike an individual defendant, a corporate defendant can enter into a deferred prosecution agreement (DPA). At the successful conclusion of a DPA, the criminal proceedings against the corporate defendant are concluded.

The UK has a non-conviction-based asset forfeiture regime (the civil recovery regime). Civil recovery investigations and proceedings can be settled.

The Regulations

A breach of the Regulations may attract a financial sanction from the relevant regulator in such amount as considered appropriate, or a breach may receive a censure in the form of a statement published by the regulator. Civil measures may also include: removing ‘fit and proper’ status from an individual; suspending a firm or individual from undertaking regulated activities; and refusing, suspending or cancelling a business’ registration or authorisation. A regulator can also impose a temporary or permanent prohibition on an individual having a management role within a relevant legal person. An injunction may also be obtained in the High Court where there is or may be a breach of a relevant requirement.

As discussed above, in some instances, a breach is a criminal offence and the offence can be committed by a person or a corporate (eg, breach of a relevant requirement under the Regulations). Where a corporate has committed an offence and it can be shown that it was committed with the consent or connivance of an officer of the corporate, or the offence can be attributed to any neglect on the part of an officer, the officer as well as the body corporate is guilty of the offence. The maximum penalty in each case is two years’ imprisonment or an unlimited fine, or both.

Regulators may also sanction firms or individuals by reference to other regulatory rules that are in place, for example, the Financial Conduct Authority’s Principles for Businesses.

Limitation periods for AML enforcement

What are the limitation periods governing AML matters?

There are no limitation periods for AML-related criminal conduct.


Do your jurisdiction’s AML laws have extraterritorial reach?

The Regulations apply to the regulated sector carrying on business in the UK and to the UK operations of any foreign business.

The Regulations impose an obligation on UK financial institutions to require their non-EEA branches and subsidiaries to comply with measures equivalent to those set out in the Regulations (including CDD measures, ongoing monitoring and record-keeping).

The courts have held that the primary offences under POCA have some extraterritorial application.