The Money Laundering Regulations 2007 (the Regulations), which came into force on 15 December 2007, give effect, in part, to the Third European Money Laundering Directive and aim to prevent the use of the financial system for the purpose of money laundering and terrorist financing. The Regulations repeal and replace the Money Laundering Regulations 2003 (2003 Regulations) and require the financial, accountancy and legal community and other entities in the regulated sector to apply risk-based customer due diligence measures and take other steps to counter money laundering and terrorist financing.

Among the changes introduced by the Regulations are more detailed customer due diligence obligations such as ongoing monitoring and identifying the beneficial owner of a customer. In addition, they allow varying customer due diligence depending on the risk of money laundering and permit greater reliance on other regulated firms’ procedures, as well as clarifying supervision arrangements for regulated firms in previously unsupervised sectors.

Corporate bodies will have to demonstrate to their supervising authorities that the customer due diligence measures they have taken are appropriate regarding the risk of money laundering and terrorist financing. Directors and other officers can be criminally liable if they neglect to comply with certain mandatory provisions of the Regulations.

Application of the Regulations

The Regulations apply to the following persons acting in the course of business (‘relevant persons’): 

  • credit institutions; 
  • financial institutions; 
  • auditors, insolvency practitioners, external accountants and tax advisers; 
  • independent legal professionals;
  • trust or company service providers;
  • estate agents;
  • high value dealers; and 
  • casinos.

Customer due diligence

Customer due diligence measures

Regulation 5 sets out the meaning of customer due diligence measures (these were called ‘identification procedures’ in the 2003 Regulations). The identity of a customer must be verified on the basis of documents, data or information obtained from a reliable and independent source. Guidance published by the Joint Money Laundering Steering Group (JMLSG) in November 2007, entitled Prevention of money laundering/combating terrorist financing, suggests that evidence of identity can be in documentary or electronic form, and that an appropriate record of the steps taken, and copies of, or references to, the evidence obtained to identify the customer, must be kept. Importantly, Regulation 5(2) sets out a new obligation to identify the beneficial owner of client trusts, companies and partnerships (see box).

Customer due diligence also includes obtaining information on the purpose and intended nature of the business relationship.

The term ‘customer’ is not defined in the Regulations. The JMLSG guidance suggests that the customer will be the party the business relationship is established with, or the transaction is carried out for.

A relevant person must apply the customer due diligence measures when: 

  • establishing a business relationship; 
  • carrying out an occasional transaction worth €15,000 or more; 
  • suspecting money laundering or terrorist financing; or 
  • doubting the veracity or adequacy of documents, data or information previously obtained for the purposes of identification or verification.

A relevant person must also apply customer due diligence measures at other appropriate times to existing customers on a risk-sensitive basis. Credit and financial institutions must apply customer due diligence measures to all anonymous accounts and passbooks as soon as possible after 15 December 2007. Apart from these two situations, the JMLSG guidance does not require immediate application of customer due diligence measures to existing customers after 15 December 2007. However, the obligation to report suspicions of money laundering applies to all of a relevant person’s customers.

The Regulations allow varying customer due diligence and ongoing monitoring according to the risk of money laundering or terrorist financing posed by that particular customer. Regulation 7(3)(a) provides that the extent of customer due diligence measures depends on the type of customer, the business relationship and the product or transaction. The relevant person must demonstrate to his or her supervising authority that the extent of the measures taken is appropriate in view of the risks of money laundering and terrorist financing.

Generally, a relevant person must verify the identity of the customer (and any beneficial owner) before the establishment of a business relationship or the carrying out of an occasional transaction. However, less stringent procedures are permitted where the risk of money laundering is reduced. For example, where a relevant person’s assessment of the risk of money laundering is low and it is necessary not to interrupt the normal conduct of business, a customer’s identity may be verified during (rather than before) the establishment of the business relationship.

Due to the risk-based approach, the Regulations are not explicit on what is and is not acceptable evidence of identity.

Ongoing monitoring

A relevant person will also have to conduct ongoing monitoring of its business relationship with its customers. This requires: 

  • scrutinising transactions undertaken throughout the course of the relationship to ensure they are consistent with the relevant person’s knowledge of the customer; and 
  • keeping the documents, data or information obtained for the purpose of applying customer due diligence measures up-to-date.

The JMLSG guidance suggests that if an existing customer is seeking to establish a new relationship, it might prompt a relevant person to seek appropriate evidence. It also states that the up-to-date customer information will enable the firm to spot unusual transactions and judge whether they represent something suspicious. Higher risk customer relationships require more frequent or intensive monitoring.

Simplified due diligence

Under Regulation 13, simplified due diligence may be applied to the following:

  • credit or financial institutions subject to the requirements of the money laundering directive and non-European Economic Area (EEA) supervised institutions subject to equivalent requirements; 
  • companies whose securities are listed on a regulated market subject to specified disclosure obligations; 
  • certain independent legal professionals; 
  • public authorities in the UK; 
  • other public authorities that fulfil certain criteria; 
  • transactions involving certain specified insurance, financial or electronic money products; and 
  • transactions involving a child trust fund.

When the relevant person has reasonable grounds for believing a customer, transaction or product falls within any of the situations above, they can conduct simplified due diligence when establishing a business relationship, carrying out an occasional transaction or doubting the veracity or adequacy of documents, data or information previously obtained for the purposes of identification or verification. However, if the relevant person suspects money laundering or terrorist financing, simplified customer due diligence will be inappropriate.

Simplified due diligence means the relevant person only needs to obtain evidence that a client falls within one of the specified categories for which simplified customer due diligence may be used. The JMLSG guidance suggests that the relevant person will not need to identify the customer, or verify the customer’s identity, identify the beneficial owner or establish the purpose and intended nature of the business relationship. However, it is still necessary to conduct monitoring of the business relationship.

Enhanced customer due diligence

Under Regulation 14, a relevant person is required to apply ‘enhanced’ customer due diligence measures and enhanced ongoing monitoring in the following situations: 

  • the customer was not physically present for identification purposes; 
  • a credit institution has a correspondent banking relationship with a non-EEA institution; 
  • a customer is a politically exposed person (PEP) (see box); or 
  • any situation that presents a higher risk of money laundering or terrorist financing.

Regulation 14 specifies the enhanced due diligence required in the situations above. For example, a credit institution proposing to have a correspondent banking relationship with a respondent institution from a non-EEA state must undertake due diligence to understand the nature of the respondent institution’s business, reputation and quality of its supervision. Other measures are also required including obtaining senior management approval and requirements regarding the respondent’s customers.

Reliance on other professionals or bodies

A relevant person can rely on customer due diligence carried out by certain other persons (such as an authorised credit or financial institution, auditor, insolvency practitioner, external accountant, tax adviser or independent legal professional) if that other person consents to being relied on. Importantly, however, the relevant person remains liable for any failure to apply the due diligence measures.

Record-keeping, policies, procedures, training and supervision

Regulation 19 retains part of the 2003 Regulations on record-keeping but also requires supporting documents to be retained. Records must be kept of the evidence of the customer’s identity obtained while conducting ongoing monitoring and enhanced due diligence as well as supporting documents on a business relationship or occasional transaction that is subject to customer due diligence measures or ongoing monitoring (such a requirement is likely to apply to all the transactions).

A relevant person is obliged to produce records for someone who relies on the relevant person to carry out customer due diligence and monitoring measures.

Similarly, a relevant person can require a third party who carried out the due diligence measures to produce the necessary information.

Policies and procedures

A relevant person must establish and maintain appropriate risk-sensitive policies and procedures on: 

  • customer due diligence measures and ongoing monitoring; 
  • reporting; 
  • record-keeping; 
  • internal control; 
  • risk assessment and management; and 
  • the monitoring and management of the policies and procedures.

The policies must be aimed at preventing money laundering and terrorist financing. Senior management will be responsible for ensuring appropriate policies and procedures are set up and followed.

As in the 2003 Regulations, Regulation 20(2)(d) provides for the appointment of a nominated officer, who is responsible for receiving disclosures from anyone in the organisation who knows or suspects, or has reasonable grounds for knowing or suspecting, that a person is engaged in money laundering. The nominated officer must decide whether disclosures should be reported to the Serious Organised Crime Agency (SOCA). The JMLSG guidance suggests that any approach to the customer should probably be made by someone other than the nominated officer, to minimise the risk of alerting the customer that a disclosure to SOCA may be being considered.

Staff training

Regulation 21 provides that all ‘relevant employees’ of the relevant person are: 

  • made aware of the law on money laundering and terrorist financing; and
  • regularly given training in how to recognise and deal with the transactions that may be related to money laundering and terrorist financing.

Supervision and enforcement

Detailed provisions are set out in the Regulations about the supervisory authorities for various bodies in the regulated sector. The Regulations also provide extensive powers for certain designated authorities (the Financial Services Authority, the Office of Fair Trading and Her Majesty’s Revenue and Customs) to obtain information on the exercise of their functions under the Regulations. These include powers of entry and inspection of premises.

The designated authority may also impose civil penalties on a relevant person for breaches of the Regulations. Such penalties will be of an appropriate amount, meaning effective, proportionate and dissuasive.


A person who fails to comply with the Regulations can be criminally liable on summary conviction to a fine, and on conviction on indictment, to imprisonment for a maximum of two years, or a fine or both. Regulation 45(2) provides that a court must consider any guidance issued by a supervisory authority, approved by the Treasury and published in a manner approved by the Treasury. If an offence is committed by a corporate body, and can be shown to have been committed with the consent of an officer of such body or attributable to any neglect on his part, the officer as well as the corporate body is guilty of an offence. This provision also applies to partnerships. Hence, directors can be criminally liable for neglecting to comply with certain provisions in the Regulations, including, but without limitation: 

  • failing to apply customer due diligence measures; 
  • failing to conduct ongoing monitoring of a business relationship; 
  • failing to verify the identity of a client and any beneficial owner before a business relationship is established or before an occasional transaction; 
  • failing to carry out enhanced customer due diligence and ongoing monitoring; 
  • failing to keep records and require third party information; 
  • failing to establish and maintain appropriate and risk-sensitive policies and procedures; and 
  • failing to train staff.