Session Three: Money Laundering Regulations
AML Compliance  ·  Session Three of Nine

Important note

This guide is for educational purposes only. It is not legal advice and is not a substitute for jurisdiction-specific professional counsel. Legislation, regulation and regulatory guidance change. Always verify current requirements with a qualified adviser in your jurisdiction before relying on this material for compliance decisions.

AML Compliance: Legislation, Regulation and Practical Implementation

Nine sessions covering the full AML framework from first principles to implementation. Written primarily with reference to the UK framework, with the equivalent position in New Zealand and Australia addressed throughout.

The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, usually shortened to the MLR 2017 or simply the Regulations, are the main instrument that turns the UK's AML framework into day-to-day compliance obligations. POCA and the Terrorism Act 2000 create criminal liability. The MLR 2017 set out the systems, controls and processes that regulated firms are expected to have in place.

This session explains what the MLR 2017 require, how they have changed since 2017, and the structural reform now underway in the supervisory regime. It also places the UK position alongside the equivalent frameworks in New Zealand and Australia.

The MLR 2017 are a living instrument. They have been amended several times since coming into force in June 2017, including material amendments that took effect in January 2024 and March 2025. Further reforms were consulted on in 2024, followed by a consultation response in July 2025, a draft amending instrument in September 2025 and draft 2026 amending regulations. This session reflects the position as of May 2026 and flags where reforms are proposed but not yet final.

What the MLR 2017 are and where they come from

The MLR 2017 came into force on 26 June 2017, implementing the EU's Fourth Money Laundering Directive into UK law. They replaced the Money Laundering Regulations 2007 and substantially updated the UK's compliance framework.

Following Brexit, the UK's AML framework ceased to automatically track EU directives. Some elements of the EU's Fifth Money Laundering Directive were implemented through targeted UK amendments, including the Money Laundering and Terrorist Financing (Amendment) Regulations 2019. The Money Laundering and Terrorist Financing (Amendment) (EU Exit) Regulations 2020 then made the technical changes needed to ensure the regime worked as standalone UK law after the end of the transition period. Since then, the framework has continued to evolve through domestic amendment rather than wholesale replacement.

The framework is now distinctly UK in character. It no longer moves in step with EU legislative cycles. Reform is instead driven by domestic priorities, FATF recommendations and the wider economic crime agenda.

Who the MLR 2017 apply to

The MLR 2017 apply to relevant persons, defined in regulation 8 to include credit institutions, financial institutions, auditors, insolvency practitioners, external accountants and tax advisers, independent legal professionals, trust or company service providers, estate agents, letting agents, high value dealers, art market participants and casino operators.

This is a deliberately broad scope. The Regulations extend well beyond banking to any business or profession that may come into contact with criminal property. For many professional services firms, the challenge is applying AML duties alongside other regulatory obligations, legal privilege and duties of confidentiality. The MLR 2017 try to manage that balance, but the tension is real.

Letting agents: a relatively recent addition

Letting agents were brought within the scope of the MLR 2017 from 1 January 2020. They are required to comply where they handle transactions for monthly rents of €10,000 or more. This extension reflected growing recognition of the role the residential property market plays in laundering criminal proceeds, particularly through long-term rental arrangements funded by illicit funds.

The six core obligations

The MLR 2017 impose six core obligations on relevant persons. Every relevant person must meet them. The way they are met should be proportionate to the business's nature, size and risk profile.

Regulation 18: Business-wide risk assessment
A relevant person must take appropriate steps to identify and assess the risks of money laundering and terrorist financing to which its business is subject. The assessment must take account of customers, countries or geographic areas, products and services, transactions and delivery channels. It must be documented, kept up to date, and made available to supervisors on request.

Regulations 19–21: Policies, controls and procedures
Having assessed the risks, a relevant person must implement policies, controls and procedures to manage and mitigate them effectively. These must be approved by senior management, documented, communicated to relevant staff and reviewed regularly. They must cover risk management practices, internal controls, customer due diligence, reliance and record keeping, and monitoring compliance.

Regulations 27–38: Customer due diligence
CDD must be applied at specified trigger points, including when establishing a business relationship, when carrying out an occasional transaction above the relevant threshold, and when there is a suspicion of money laundering or doubt about previously obtained identification information. The type of CDD required ranges from standard to simplified to enhanced, depending on the assessed risk level.

Regulations 28 and 40: Ongoing monitoring
A relevant person must conduct ongoing monitoring of the business relationship. This includes scrutiny of transactions undertaken throughout the relationship to ensure consistency with knowledge of the customer and their risk profile, and keeping documents, data and information up to date.

Regulations 40 and 41: Record keeping
Records of CDD measures and supporting evidence must be kept for five years from the end of the business relationship or the date of the occasional transaction. Records of transactions must also be kept for five years. Records must be available promptly to a supervisor or law enforcement upon request.

Regulation 21: Training
Relevant persons must take appropriate measures to ensure their employees are aware of the law relating to money laundering and terrorist financing, and to train them in how to recognise and deal with transactions and other activities that may be related to money laundering or terrorist financing. Training is covered in detail in Session Eight.

Customer due diligence in detail

Customer due diligence sits at the heart of the framework. It is how firms work out who they are dealing with, understand the purpose of the relationship and gather enough information to spot unusual or suspicious activity.

The MLR 2017 distinguish between three levels of CDD: standard, simplified and enhanced. The appropriate level is determined by the firm's assessment of the risk presented by the specific customer and relationship.

Standard CDD

Standard CDD applies to most business relationships and occasional transactions. Under regulation 28, a firm carrying out standard CDD must:

  • Identify the customer and verify their identity using documents, data or information from a reliable, independent source.
  • Identify the beneficial owner of the customer where the customer is not an individual, and take reasonable measures to understand the ownership and control structure of the customer.
  • Obtain information on the purpose and intended nature of the business relationship.
  • Conduct ongoing monitoring of the relationship, including scrutiny of transactions.

For individual customers, identification typically means obtaining a name, address and date of birth and verifying these against reliable documents such as a passport or driving licence. For corporate customers, identification extends to the entity itself, its directors and senior management, and the individuals who ultimately own or control it.

The beneficial ownership threshold in the MLR 2017 is 25%. Any individual who owns or controls more than 25% of a corporate entity is a beneficial owner for CDD purposes. Where no individual meets that threshold, the senior managing official is treated as the beneficial owner. That is workable in straightforward cases but creates real difficulty in complex group structures and in arrangements involving trusts or nominees.

What counts as a reliable and independent source?

The MLR 2017 do not prescribe a closed list of identity documents. The test is whether the source is reliable and independent of the customer. Government-issued documents such as passports and driving licences remain the standard. Electronic verification through recognised providers is also widely used. The key point is simple: the source must not be self-referential. A document supplied by the customer without independent corroboration is not enough, which is why original documents or properly certified copies remain the norm. Both FCA and JMLSG guidance address this in practical terms.

Simplified due diligence

Regulation 37 permits a relevant person to apply simplified due diligence (SDD) where the business relationship or transaction presents a low degree of risk. SDD does not mean no CDD: it means that the level and frequency of verification checks may be reduced, subject to adequate monitoring.

SDD may be appropriate where the customer is a regulated financial institution, a listed company subject to disclosure requirements in a trusted jurisdiction, a UK public authority, or in another situation identified in regulation 37. The firm must still carry out and document an initial risk assessment showing why SDD is appropriate.

Pooled client accounts have been a live reform issue. HM Treasury confirmed in July 2025 that it would amend the regulations in this area and published draft provisions for technical consultation in September 2025. As of May 2026, firms should treat this as an area of active reform rather than settled law, and should follow the current regulations alongside up-to-date sector guidance.

Enhanced due diligence

Regulation 33 requires a relevant person to apply enhanced due diligence (EDD) in specified higher-risk situations. EDD means obtaining additional information about the customer and the relationship, carrying out additional verification, obtaining senior management approval, and conducting enhanced ongoing monitoring.

The MLR 2017 specify circumstances in which EDD is mandatory, including:

  • Business relationships and transactions involving a customer established or residing in a high-risk third country as designated by HM Treasury under regulation 33(3).
  • Business relationships and transactions with politically exposed persons (PEPs) and their family members and known close associates.
  • Correspondent relationships with a third-country respondent institution.
  • Any transaction or business relationship that by its nature presents a higher risk of money laundering or terrorist financing.

The list is not exhaustive. If a firm's risk assessment points to a higher level of risk, EDD should follow even where the exact facts are not listed in regulation 33. That is what the risk-based approach means in practice: it requires judgment, not just box-ticking.

Politically exposed persons

A PEP is an individual who is, or who has been at any time in the preceding twelve months, entrusted with a prominent public function. This includes heads of state, members of parliament, members of the governing bodies of political parties, senior government officials, senior judicial or military officials, senior executives of state-owned enterprises, and members of the governing bodies of international organisations.

Family members and known close associates of PEPs are also subject to enhanced requirements. EDD is mandatory for PEP relationships, including senior management approval before the relationship is established, establishing a source of wealth and source of funds, and enhanced ongoing monitoring. For former PEPs, the twelve-month rule is a floor, not a ceiling.

Domestic PEPs

The position on domestic PEPs changed with the Money Laundering and Terrorist Financing (Amendment) Regulations 2023, which took effect on 10 January 2024. Regulation 35 now requires firms to start from the position that a domestic PEP, or their family member or known close associate, presents a lower level of risk than a non-domestic PEP. If no other enhanced risk factors are present, the extent of EDD should be lower than for a non-domestic PEP. The FCA updated its guidance in July 2025 to reflect that position and provide firms with clearer practical direction.

When CDD must be applied

Regulation 27 specifies the trigger points at which CDD must be applied:

  • When establishing a business relationship.
  • When carrying out an occasional transaction amounting to €15,000 or more (whether as a single transaction or several linked transactions), or a cash transaction of €10,000 or more for high-value dealers.
  • When there is a suspicion of money laundering or terrorist financing, regardless of any exemption or threshold.
  • When there is doubt about the veracity or adequacy of documents, data or information previously obtained.

The threshold amounts in the MLR 2017 were originally denominated in euros, reflecting their origin in the EU Directive. In its July 2025 consultation response, HM Treasury confirmed that it intends to convert these thresholds into sterling equivalents in the forthcoming amendment regulations. The practical effect should be minimal, but it will remove a persistent source of confusion.

What happens when CDD cannot be completed

Regulation 31 is clear. Where a relevant person is unable to apply the required CDD measures, it must not carry out a transaction or establish a business relationship. If a relationship has already been established and CDD cannot be completed, the relationship must be terminated. The relevant person must also consider whether to make a suspicious activity report.

A long-standing client relationship that suddenly fails to stand up to scrutiny may raise broader concerns. That is exactly why the Regulations require firms to consider a SAR in these circumstances. Difficulty obtaining CDD information can itself be a red flag.

Timing of CDD

CDD must generally be conducted before establishing a business relationship or carrying out a transaction. Regulation 30 permits CDD to be completed during the establishment of the relationship in limited circumstances, provided that the verification is completed as soon as reasonably practicable, the delay is necessary so as not to interrupt the normal conduct of business, and there is little risk of money laundering or terrorist financing occurring during the delay.

This concession exists for limited practical reasons, for example in sectors where transactions are time-critical. It is not a general licence to defer CDD. If a firm relies on it routinely outside the narrow circumstances intended, that is likely to be a compliance failure.

The MLRO and nominated officer

Regulation 21(3) requires every relevant person to appoint one individual, at the level of senior management, as the officer responsible for compliance with the MLR 2017. In practice this person is almost always referred to as the Money Laundering Reporting Officer, or MLRO.

The MLRO has three overlapping functions under the MLR 2017 and POCA. First, they act as the nominated officer for POCA purposes: internal suspicious activity reports are submitted to them, and they decide whether to disclose to the NCA. Second, they are responsible for maintaining the firm's AML compliance programme. Third, they are the main point of contact with the firm's supervisor.

The nominated officer's function is personal and cannot be delegated, although the practical work in a larger firm will often involve a team. What cannot be delegated is the decision on whether to make an external SAR. That remains with the MLRO or an authorised deputy.

Senior management responsibility

Regulation 21(1)(a) requires the policies and controls required under the MLR 2017 to be approved by a member of senior management. This is not a paper exercise. It creates a clear line of responsibility at the top of the firm. Regulators and courts have increasingly focused on individual accountability in AML enforcement, and the MLR 2017 helped clarify that responsibility. The MLRO is accountable for the compliance programme. Senior management is accountable for approving it and ensuring it is properly resourced. Neither can hide behind the other.

Record keeping

Regulation 40 requires records to be kept for five years from the end of the business relationship or the date of an occasional transaction. Records must include a copy of, or references to, the evidence of the customer's identity obtained during CDD, and supporting documents obtained in connection with the business relationship or transaction.

The five-year retention period is a minimum. Some regulators and sectors apply longer periods. Records must be kept in a form that allows them to be produced promptly in response to a request from the firm's supervisor or law enforcement.

Record keeping is one of the most common weak points in supervisory reviews. That is usually not because the rule is unclear, but because records sit in systems that were never designed for AML review, or in paper files that are hard to retrieve quickly. Building record keeping into CDD processes from the outset is far easier than trying to fix it later.

Supervision under the MLR 2017

The MLR 2017 assign supervision across a large number of bodies. In broad terms, the system has consisted of three statutory supervisors and twenty-two professional body supervisors. The statutory supervisors are the Financial Conduct Authority, HMRC and the Gambling Commission. The professional body supervisors cover the legal and accountancy sectors, as well as other professional services activities within scope.

This fragmented structure has long been criticised as a weakness in the UK's AML regime. The problem is not just complexity. It is inconsistent supervision, uneven enforcement and slower coordination with law enforcement.

The single supervisor reform: what is happening and where it stands

In October 2025, the government confirmed that the Financial Conduct Authority will take on AML and counter-terrorist financing supervision for the legal, accountancy, trust and company service provider sectors currently supervised by professional body supervisors. The policy aim is greater consistency, clearer accountability and stronger enforcement.

A further HM Treasury consultation on the FCA's duties, powers and accountability opened in November 2025 and closed in December 2025. That confirmed the direction of travel, but it did not itself bring the new model into force. Implementation still depends on legislation and commencement provisions. As of May 2026, the decision has been made, but the handover is not yet complete.

Firms in scope should plan for a more centralised, and likely more intrusive, supervisory model, while continuing to comply with the requirements of their current supervisor until the law changes.

For firms in the affected sectors, this matters now. Even before the handover, the policy signal is clear. Governance, documented risk assessment, file quality, training records and escalation processes all need to stand up to closer scrutiny.

Penalties under the MLR 2017

The MLR 2017 provide for both civil and criminal penalties.

On the civil side, regulation 76 allows supervisors to impose financial penalties and issue public statements. Regulation 77 allows suspension or removal of authorisation or registration. Regulation 78 allows prohibitions on senior managers. The FCA has used these powers extensively against financial services firms, with penalties reaching hundreds of millions of pounds in major cases.

Criminal liability arises where a relevant person breaches the Regulations without reasonable excuse. Regulation 86 creates an offence of breaching a relevant requirement, punishable by up to two years' imprisonment and an unlimited fine. Regulation 87 creates an offence of prejudicing an investigation. Regulation 88 creates an offence of providing false or misleading information. The FCA also retains its powers under the Financial Services and Markets Act 2000 to withdraw authorisation and impose requirements on regulated firms independently of the MLR 2017 enforcement powers.

The MLR 2017 reform programme

HM Treasury published its consultation response in July 2025, then published draft amending regulations and a policy note for technical consultation in September 2025. Draft 2026 amending regulations have since appeared. The practical point is to separate changes already in force from changes that remain in draft.

CDD risk-based approach. The framework should work in a clearer, more risk-based and proportionate way. Some of this will be addressed through legislative amendment, and some through updated supervisory and sector guidance.

Currency thresholds converted to sterling. The euro-denominated thresholds will be converted to sterling equivalents, removing a persistent source of confusion.

Trust registration. The triggers for registration of non-UK trusts with the UK Trust Registration Service will be changed, including removing Stamp Duty Reserve Tax from the list of relevant taxes that trigger registration.

Off-the-shelf companies. The MLR 2017 will clarify that the sale of an off-the-shelf company triggers CDD requirements. This closes a loophole relied on by some company service providers, who concluded that the interval between initial formation and subsequent sale meant no CDD was required.

Pooled client accounts. Draft provisions published in 2025 proposed clearer rules for pooled client accounts. This remains an area to watch closely, particularly for legal and financial services firms.

Cryptoasset firms. Firms authorised for new cryptoasset activities under the Financial Services and Markets Act 2000 will not be required to also register as cryptoasset exchange providers or custodian wallet providers under the MLR 2017, removing duplication for firms already subject to robust regulatory oversight.

Reinsurance contracts. These will be removed from the scope of the MLR 2017, in line with FATF's position that reinsurance does not pose a money laundering or terrorist financing risk.

A note on checking current status

The safest approach for anyone relying on this session is simple. Describe draft measures as proposed or draft unless and until they are in force, and check the current consolidated regulations at legislation.gov.uk before relying on the details. The reform programme is active and the position as of May 2026 may have moved on.

The equivalent regulatory frameworks: New Zealand and Australia

New Zealand

In New Zealand, the equivalent framework is mainly set out in the AML/CFT Act 2009, supported by regulations and codes of practice made under the Act. Unlike the UK, New Zealand does not rely on a separate regulations instrument in the same way. The primary statute does more of the work, with detail added by associated instruments.

The AML/CFT (Definitions) Regulations 2011, the AML/CFT (Requirements and Compliance) Amendment Regulations 2017 and various subsequent amendment regulations set out specific obligations on reporting entities. Codes of practice issued by supervisors, including the DIA Code of Practice 2011 (as amended) and the FMA Code of Practice, provide sector-specific guidance.

The core obligations are broadly similar to those in the MLR 2017: risk assessment, AML/CFT programme, CDD, ongoing monitoring, suspicious transaction reporting and record keeping. The thresholds and detailed rules are different, and the three supervisors apply them with varying degrees of prescription across their sectors. If you are working in New Zealand, start with the primary legislation, the regulations and the guidance from the relevant supervisor rather than assuming UK parameters apply.

Australia

In Australia, the position has moved on significantly. The old AML/CTF Rules Instrument 2007 has effectively been superseded by the reformed AML/CTF Rules 2025, together with the 2026 amending and transitional rules made under the AML/CTF Act 2006.

The reforms introduced by the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2024 began taking effect for existing reporting entities on 31 March 2026, with further obligations applying to newly regulated Tranche 2 sectors from 1 July 2026. Those sectors include lawyers, accountants, real estate professionals and trust and company service providers.

AUSTRAC continues to publish practical guidance, including material on the 2026 transitional rules. For entities newly brought into scope, the best starting point is the amended Act, the current Rules and AUSTRAC's implementation guidance at austrac.gov.au.

Key takeaways from Session Three

  • The MLR 2017 remain the main compliance instrument in the UK AML framework. They have been amended several times since 2017, with changes taking effect in January 2024 and March 2025, and further reforms proposed in draft legislation.
  • The six core obligations are: business-wide risk assessment, policies and controls, customer due diligence, ongoing monitoring, record keeping and staff training. Every relevant person must meet all six.
  • CDD operates at three levels: standard, simplified and enhanced. The level is determined by risk assessment, not by the customer's category. EDD is mandatory in specified circumstances including high-risk third countries, PEP relationships and correspondent banking.
  • The domestic PEP position changed from 10 January 2024. Firms must now start from the position that a domestic PEP presents a lower level of risk than a non-domestic PEP, with the extent of EDD reduced accordingly where no other enhanced risk factors are present.
  • The MLRO is a required appointment under regulation 21(3). Their function as nominated officer for POCA purposes, including the decision on whether to make an external SAR, cannot be delegated.
  • The supervisory regime is being restructured. In October 2025, the government confirmed that the FCA will take on supervision of the legal, accountancy and trust and company service provider sectors. As of May 2026, the transition is not yet complete.
  • Records must be kept for a minimum of five years from the end of the relationship or transaction, and must be retrievable promptly. Record keeping failures are among the most common findings in supervisory reviews.
  • In Australia, the old AML/CTF Rules Instrument 2007 has given way to the reformed Rules framework. Australian readers should work from the AML/CTF Rules 2025 and the 2026 transitional materials rather than the old instrument.

Coming up in Session Four

Session Four covers customer due diligence in more depth. This session has covered the CDD framework as part of the MLR 2017 obligations, but CDD deserves a session of its own given the range of customer types, the complexity of beneficial ownership, and the practical challenges of electronic verification, reliance on third parties and ongoing monitoring.

Session Four also introduces KYC in its proper regulatory context, distinguishing between KYC as a requirement under the MLR 2017 and the wider risk management practice that good CDD supports.

Further reading and resources

The following primary sources are recommended alongside this session. All are publicly available.

Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017

The current consolidated version is available at legislation.gov.uk. Always use the consolidated version, as the original 2017 text has been amended multiple times.

HM Treasury consultation response: Improving the effectiveness of the Money Laundering Regulations (July 2025)

Available at gov.uk. The key policy statement on the 2025 reform package, to be read alongside the later draft amending regulations and policy note.

HM Treasury: Reform of the AML/CTF Supervision Regime (October 2025)

Available at gov.uk. The consultation response confirming the move to FCA supervision for the affected professional services sectors.

FCA: Financial Crime Guide

The FCA's consolidated guidance on financial crime, including AML. Available at fca.org.uk. While addressed to FCA-regulated firms, the practical guidance on CDD, risk assessment and governance is useful across the regulated sector.

JMLSG Guidance

Detailed sector-specific guidance on implementing the MLR 2017. Available at jmlsg.org.uk. While not legally binding, it is endorsed by the FCA and reflects established compliance practice.

AML/CFT Act 2009 and associated regulations (NZ)

Available at legislation.govt.nz. Supervisor guidance from DIA, FMA and the Reserve Bank is available on each supervisor's website.

AML/CTF Act 2006, AML/CTF Rules 2025 and 2026 transitional materials (Aus)

Available through legislation.gov.au and austrac.gov.au. For Australian readers, these are now the correct starting points rather than the old AML/CTF Rules Instrument 2007 on its own.
