AML in Practice: A Risk-Based Approach
Russel Fielding

UK framework

A practical guide to UK anti-money laundering compliance: the legislative framework, the risk-based approach, customer due diligence, suspicious activity reporting, staff training, and what an effective programme actually looks like in practice.

Important note. This guide is provided for general information and educational purposes only. It does not constitute legal advice and is not a substitute for jurisdiction-specific professional counsel. AML legislation, regulation, and regulatory guidance change frequently. Readers should check current FCA guidance, JMLSG guidance, and HM Treasury publications for the latest requirements and seek appropriate professional advice where needed.

Introduction

Anti-money laundering compliance is one of the most heavily regulated areas of financial services. The legislation is complex, the regulatory expectations are demanding, and the consequences of getting it wrong are significant. For the people responsible for making it work, the challenge is not understanding what the law requires. It is understanding how to apply it in practice.

This guide is written for compliance professionals, MLROs, senior managers, and anyone who needs to understand AML obligations at a practical level. It covers the legislative framework, the risk-based approach, customer due diligence, suspicious activity reporting, staff training, and a practical implementation checklist.

It is focused on the UK regime. The core framework consists of the Proceeds of Crime Act 2002 (POCA), the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (the MLRs), and the Criminal Finances Act 2017. The MLRs have been amended several times, and in early 2026 a further set of amendments was laid before Parliament, implementing the government's 2025 response to its review of the AML regime.

Where relevant, the guide notes where that regulatory landscape is changing and what organisations need to be aware of.

This guide reflects the position as of May 2026.

The legislative framework

It is important to understand the sources of AML obligations before considering how to implement them. The UK framework draws from international standards, primary legislation, secondary legislation, and regulatory guidance. Each layer interacts with the others.

International standards

The Financial Action Task Force (FATF) is the international body that sets the global standards for combating money laundering and terrorist financing. Established in 1989, it has developed a set of Recommendations that are recognised as the benchmark in over 200 jurisdictions. The UK is a FATF member and its domestic framework is designed to meet those standards.

FATF monitors member countries through a mutual evaluation process, assessing both technical compliance (whether the right rules are in place) and effectiveness (whether those rules are actually working). The UK's most recent mutual evaluation highlighted specific weaknesses, and the 2026 amendments to the MLRs are partly a response to those findings.

Two earlier international conventions are also relevant context. The Vienna Convention of 1988 was the first major international effort to target money laundering. The Palermo Convention of 2000 established broader frameworks for prevention and enforcement.

The Proceeds of Crime Act 2002

POCA is the principal piece of UK money laundering legislation. The core offences are found in three sections.

Section 327 makes it an offence to conceal, disguise, convert, or transfer criminal property, or to remove it from the UK.

Section 328 makes it an offence to enter into or become concerned in an arrangement that you know or suspect facilitates the acquisition, retention, use, or control of criminal property by another person.

Section 329 targets the acquisition, use, and possession of criminal property.

POCA also introduced the Suspicious Activity Report (SAR) regime, requiring regulated businesses to report suspicions of money laundering to the National Crime Agency (NCA). The Serious Crime Act 2015 amended POCA to provide protection from civil liability for people who make disclosures to the NCA in good faith. This is an important protection for compliance professionals and front-line staff who report suspicions.

The Criminal Finances Act 2017

The Criminal Finances Act 2017 significantly strengthened the UK's ability to combat money laundering and economic crime. Its key provisions include Unexplained Wealth Orders (UWOs), which can require individuals to explain the source of assets that appear disproportionate to their known income, and the corporate offence of failure to prevent the facilitation of tax evasion, creating liability for organisations whose associated persons facilitate tax evasion.

The Money Laundering Regulations 2017

The MLRs are the secondary legislation that turns the UK's AML framework into day-to-day compliance obligations. POCA and the Terrorism Act 2000 create criminal liability. The MLRs set out the systems, controls, and processes that regulated firms are expected to have in place.

The MLRs came into force on 26 June 2017, implementing the EU's Fourth Money Laundering Directive into UK law. They have been amended several times since, including material amendments in January 2024 and March 2025. Following Brexit, the UK framework has continued to evolve through domestic amendment rather than wholesale replacement, and reform is now driven by domestic priorities, FATF recommendations, and the wider economic crime agenda.

The MLRs require regulated firms to carry out a firm-wide risk assessment, maintain policies and controls proportionate to that assessment, conduct customer due diligence, monitor transactions on an ongoing basis, train staff, keep records, and appoint a nominated officer (typically the MLRO).

A further set of amendments was laid before Parliament in early 2026, implementing the government's 2025 response to its review of the AML regime. These include clarifications on off-the-shelf companies, refinements to pooled client account rules, removal of duplicative registration requirements for some cryptoasset firms, and the removal of reinsurance contracts from scope.

The framework is evolving. The MLRs have been amended several times and continue to develop. Where this guide refers to specific provisions, firms should check the current consolidated regulations and the latest JMLSG and FCA guidance before relying on the detail.

The risk-based approach

The risk-based approach is the central organising principle of modern AML compliance. It is required by FATF standards and embedded in the UK regulatory framework. Understanding what it actually means in practice, rather than simply what it says in the regulations, is one of the most important things a compliance professional can develop.

The core principle

Not all customers, products, channels, and jurisdictions pose the same level of money laundering or terrorist financing risk. A risk-based approach requires organisations to identify, assess, and understand those risks, then design controls that are proportionate to them.

This means applying enhanced scrutiny where risk is high, and proportionate, lighter-touch measures where risk is genuinely low. It explicitly does not mean applying the same level of scrutiny to every customer regardless of their actual risk profile. FATF is clear that over-compliance, blanket measures applied without reference to actual risk, is not good compliance practice. It is inefficient, it pushes costs onto customers who present no material risk, and it can contribute to financial exclusion.

The firm-wide risk assessment

The starting point for any effective AML programme is a firm-wide risk assessment. Regulation 18 of the MLRs requires every relevant person to carry out one. The assessment should consider the types of customers the firm serves and their risk profiles, the products and services offered and the financial crime risks they present, the channels through which products and services are delivered, the jurisdictions in which the firm and its customers operate, the nature, volume, and pattern of transactions, and the sources and destinations of funds.

The complexity of the risk assessment should be proportionate to the complexity of the business. A smaller firm with a straightforward client base needs a less elaborate assessment than a large multinational with diverse products and high transaction volumes. What matters in both cases is that the assessment is genuine, documented, and used to drive decisions about controls.

The risk assessment should be a living document. It needs to be updated when the business changes, when new products are launched, when new customer segments are targeted, and when the external threat environment shifts. An assessment that sits in a folder and comes out only when regulators ask to see it is not fit for purpose.

Where the risk-based approach falls short

In practice, the risk-based approach fails for a consistent set of reasons. None of them are difficult to understand. Most of them are difficult to fix without genuine organisational commitment.

The risk assessment is treated as a document rather than a tool. Many organisations complete a firm-wide risk assessment to satisfy a regulatory requirement and then update it annually as a compliance exercise. The assessment does not meaningfully drive how controls are designed or how resources are allocated.

Risk ratings become formulaic. Customer risk ratings are often produced by automated systems applying a fixed set of criteria. The score determines the level of due diligence applied, and the process runs largely on autopilot. Nobody asks whether the model still captures the right risks, whether the criteria remain appropriate, or whether the output reflects the reality of the customer relationship. Financial crime is adaptive. The methods used by money launderers change over time, and the risk indicators that were relevant three years ago may no longer be the most important.

Compliance and the business operate in separate lanes. A genuine risk-based approach requires the compliance function to understand the business well enough to identify where financial crime risk actually arises in practice, not just in theory. Where those relationships are distant or adversarial, the risk assessment reflects what compliance thinks the risks are, rather than what is actually happening at the customer interface.

The process becomes a tick-box exercise. Organisations optimise for documentation rather than outcome. Enhanced due diligence is completed because the customer's risk rating requires it, not because anyone is genuinely asking whether there is a concern about financial crime. The process runs, the checks are completed, and nothing meaningful is learned.

What good looks like

Organisations that implement the risk-based approach effectively share a number of characteristics that go beyond having the right policies in place.

Their risk assessment genuinely drives decision-making. When a new product is launched, the AML team is involved early enough to identify the financial crime risks it presents and to design appropriate controls from the outset.

Customer risk ratings are reviewed and challenged. Automated models are treated as a starting point, not a definitive answer. There is a process for human review of ratings that seem inconsistent with what relationship managers or transaction data are showing.

Enhanced due diligence is meaningful. When a customer is identified as high risk, the investigation asks practical questions. What is the source of funds? Does the transaction activity make sense given what is known about the customer's business? Are there inconsistencies that warrant further investigation? The process produces a real judgement, not just a completed checklist.

Simplified due diligence is genuinely applied. Low-risk customers are not subjected to the same scrutiny as high-risk ones. Proportionality is treated as an obligation.

Monitoring is continuous and intelligence-led. Transaction monitoring is tuned to the actual risk profile of the customer base. Alerts are reviewed by people who understand context, not just criteria. And the outputs of monitoring feed back into the risk assessment.

Customer due diligence

Customer due diligence is how regulated firms identify their customers, understand the nature of the relationship, and assess the risk it presents. It is one of the most operationally significant elements of AML compliance, and one of the areas where the gap between policy and practice is most often found.

When CDD is required

Under the MLRs, CDD must be applied when establishing a business relationship, when carrying out an occasional transaction above the applicable threshold, when there is a suspicion of money laundering or terrorist financing regardless of any threshold or exemption, and when there are doubts about the accuracy or adequacy of previously obtained customer identification information.

The principle is consistent: before entering into a significant relationship or transaction, the firm must know who it is dealing with.

Standard CDD

Standard CDD requires firms to identify and verify the identity of their customers, understand the nature and purpose of the business relationship, and conduct ongoing monitoring throughout the relationship.

For individual customers, this typically means collecting name, date of birth, and address, and verifying those details against a reliable and independent source such as a government-issued identity document or an electronic verification service.

For corporate customers, it means identifying the legal entity, understanding its ownership and control structure, and identifying the individuals who ultimately own or control it (the beneficial owners). The MLRs set the beneficial ownership threshold at 25%. Where no individual meets that threshold, the senior managing official is treated as the beneficial owner.

Understanding the purpose and intended nature of the relationship is as important as identity verification. Knowing who a customer is only helps if the firm also understands what they are trying to do and whether that makes sense given what is known about them.

Enhanced due diligence

Enhanced due diligence (EDD) applies where the risk of money laundering or terrorist financing is higher than normal. The MLRs identify specific circumstances where EDD must be applied, including transactions or business relationships involving high-risk third countries identified by the UK or FATF, transactions or business relationships with politically exposed persons, and correspondent banking relationships with non-EEA firms.

Firms must also apply EDD in other high-risk situations identified by their own risk assessment. What EDD looks like in practice will vary, but it typically involves obtaining additional information about the customer, understanding the source of funds and source of wealth, applying more frequent review cycles, and obtaining senior management approval for the relationship.

EDD should produce a genuine assessment of whether the relationship is appropriate, not just a thicker file.

Simplified due diligence

Where the risk of money laundering or terrorist financing is low, simplified due diligence (SDD) may be applied. This means less intensive checks than standard CDD, but it does not mean no checks at all. The firm must still identify the customer and understand the nature of the relationship. It simply means the level of verification can be proportionately lower.

SDD cannot be applied automatically. The firm must have satisfied itself that the customer or product genuinely presents low risk, and it must be able to justify that assessment if challenged.

Politically exposed persons

PEPs are individuals who hold, or have held, a prominent public position. The category includes heads of state, senior politicians, senior judicial and military officials, senior executives of state-owned enterprises, and senior officials of international organisations. Family members and known close associates of PEPs are also subject to enhanced scrutiny.

Firms are required to have appropriate risk-based procedures to determine whether a customer is a PEP, to obtain senior management approval for establishing or continuing a relationship with a PEP, to take reasonable measures to establish the source of wealth and funds, and to conduct enhanced ongoing monitoring.

The FCA has been clear that PEPs should not be treated as automatically high risk. UK PEPs in particular should generally be treated as presenting lower risk unless there are specific factors suggesting otherwise. The obligation is to apply appropriate scrutiny, not to refuse services.

Beneficial ownership

Identifying the beneficial owners of corporate customers is one of the most challenging aspects of CDD in practice. Money laundering often involves complex ownership structures specifically designed to obscure who ultimately controls or benefits from assets.

The MLRs require firms to identify and verify the identity of individuals who own or control more than 25% of a corporate entity. Where no individual meets that threshold, the firm should identify the senior managing officials. Firms should use Companies House, land registries, and other reliable sources to verify ownership information, and should be alert to situations where ownership structures appear designed to obscure beneficial ownership.

The 25% threshold is a starting point, not an endpoint. A firm that identifies a beneficial owner just over the threshold but has reason to believe that person is acting on behalf of another individual has not completed its CDD simply by ticking the threshold box. The obligation is to understand the ownership and control structure, not just to identify who sits above a numerical threshold.
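The following is an added worked example, not code from the guide, showing how a firm might resolve the beneficial owners of a corporate customer whose shares are held through layers of holding companies, apply the 25% threshold the guide describes, fall back to the senior managing official where nobody meets it, and surface the cases a reviewer should look at rather than tick off. The ownership graph format, the rule that an individual's effective interest through a chain of companies is the product of the fractions along the chain, the 20% review floor and the sample companies and people are all assumptions for illustration; control by means other than shareholding, which the MLRs also cover, is not modelled.

```python
"""Added worked example (not code from the guide): resolving the beneficial
owners of a corporate customer through layered holdings.

Assumptions for illustration: ownership is supplied as a graph
{entity: {holder: fraction}}, an individual's effective interest through a
chain of companies is the product of the fractions along the chain, and a
"beneficial owner" is an individual whose effective interest exceeds the 25%
threshold the guide describes. Control by other means is not modelled.
"""
from typing import Dict, FrozenSet, Set

Structure = Dict[str, Dict[str, float]]  # entity -> {holder -> fraction of that entity}

THRESHOLD = 0.25      # MLRs: "more than 25%"
REVIEW_FLOOR = 0.20   # assumed: interests from 20% up to the threshold get a human look


def effective_interests(structure: Structure, individuals: Set[str], target: str) -> Dict[str, float]:
    """Return each individual's effective interest in `target` (0.0 to 1.0)."""
    totals: Dict[str, float] = {}

    def walk(entity: str, fraction: float, seen: FrozenSet[str]) -> None:
        if entity in seen:  # circular holding: stop rather than count it again
            return
        for holder, share in structure.get(entity, {}).items():
            part = fraction * share
            if holder in individuals:
                totals[holder] = totals.get(holder, 0.0) + part
            else:
                walk(holder, part, seen | {entity})

    walk(target, 1.0, frozenset())
    return totals


def longest_chain(structure: Structure, individuals: Set[str], target: str) -> int:
    """Entity layers on the longest path from `target` to an individual, target included.

    A deep chain is not proof of anything, but it is the kind of structure the
    guide says firms should be alert to, so it is reported alongside the result.
    """
    def depth(entity: str, seen: FrozenSet[str]) -> int:
        if entity in seen or entity in individuals:
            return 0
        return 1 + max((depth(h, seen | {entity}) for h in structure.get(entity, {})), default=0)

    return depth(target, frozenset())


def resolve_beneficial_owners(structure: Structure, individuals: Set[str],
                              target: str, senior_managing_official: str) -> dict:
    """Apply the threshold, fall back to the senior managing official where
    nobody meets it, and flag near-threshold interests for review."""
    interests = effective_interests(structure, individuals, target)
    owners = {p: round(v, 4) for p, v in interests.items() if v > THRESHOLD}
    review = {p: round(v, 4) for p, v in interests.items() if REVIEW_FLOOR <= v <= THRESHOLD}
    result = {"customer": target, "basis": "ownership", "owners": owners,
              "review": review, "layers": longest_chain(structure, individuals, target)}
    if not owners:
        result["basis"] = "senior_managing_official"
        result["owners"] = {senior_managing_official: None}
    return result


# Constructed sample structures (fractions of each entity held by each holder).
SAMPLE_STRUCTURE: Structure = {
    "Acme Trading Ltd": {"Holdco A Ltd": 0.60, "Ms Patel": 0.40},
    "Holdco A Ltd": {"Holdco B Ltd": 0.60, "Mr Jones": 0.40},
    "Holdco B Ltd": {"Mr Lee": 1.00},
}
SAMPLE_INDIVIDUALS = {"Ms Patel", "Mr Jones", "Mr Lee"}

WIDELY_HELD: Structure = {"Widely Held Ltd": {f"Investor {i}": 0.20 for i in range(1, 6)}}
WIDELY_HELD_INDIVIDUALS = {f"Investor {i}" for i in range(1, 6)}

if __name__ == "__main__":
    print(resolve_beneficial_owners(SAMPLE_STRUCTURE, SAMPLE_INDIVIDUALS, "Acme Trading Ltd", "Ms Patel"))
    print(resolve_beneficial_owners(WIDELY_HELD, WIDELY_HELD_INDIVIDUALS, "Widely Held Ltd", "Mx Director"))
```

In the first sample, Mr Lee holds nothing in the customer directly but reaches 36% through two holding companies, while Mr Jones lands at 24% and is put in the review set rather than silently dropped. In the second, five investors at 20% each leave nobody over the threshold, so the result names the senior managing official and still lists all five for review, which is the point the guide makes about the threshold being a starting point.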

Ongoing monitoring

CDD is not a one-time exercise at onboarding. The MLRs require firms to conduct ongoing monitoring of the business relationship, including scrutiny of transactions to ensure they are consistent with the firm's knowledge of the customer, and keeping CDD information up to date.

In practice, ongoing monitoring is delivered through transaction monitoring systems that flag activity inconsistent with the customer's profile, periodic refresh of customer information, and event-driven review when something significant changes. The intensity of monitoring should be proportionate to the customer's risk rating.

Suspicious activity reporting

The obligation to report suspicions of money laundering is one of the most important duties imposed by the AML framework, and one of the areas where the gap between the legal requirement and practical reality is most significant.

The legal obligation

Under POCA, a person commits an offence if they know or suspect that another person is engaged in money laundering and fail to disclose that to a nominated officer or to the NCA as soon as practicable. This obligation applies broadly across regulated sectors and is not limited to cases of actual knowledge. Suspicion is enough.

The nominated officer within a regulated business, typically the MLRO, receives internal suspicion reports from staff and decides whether to make an external report to the NCA by submitting a Suspicious Activity Report (SAR). The NCA's Financial Intelligence Unit receives and processes SARs and can grant or refuse consent for transactions to proceed in certain circumstances.

What constitutes suspicion

Suspicion is a lower threshold than certainty or even reasonable belief. A person has a suspicion when they think there is a possibility, which is more than fanciful, that the relevant facts exist. This is a deliberately low bar. Regulated businesses are expected to report suspicions, not to investigate and prove them.

In practice, identifying suspicious activity requires staff to be alert to a wide range of indicators. Common indicators include a customer refusing or being reluctant to provide identification documents, a customer who has no apparent reason for using the business, significant or unexplained changes in a customer's transaction patterns, a customer experiencing a sudden and unexplained improvement in financial position, transactions that are inconsistent with the customer's known business or personal circumstances, requests for transactions that are unusually complex or structured in a way that appears designed to avoid reporting thresholds, and payments to or from high-risk jurisdictions with no clear business rationale.

These indicators are not definitive. Many have innocent explanations. The obligation is to report when there is a suspicion, not when there is certainty.
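As an added example that is not part of the guide, the code below runs two ongoing-monitoring rules of the kind described under ongoing monitoring and in the indicator list above: one flags a month whose activity is out of line with the turnover the customer declared during CDD, the other flags a run of cash deposits each just under a reporting threshold within a short window. Each alert carries the declared and actual figures so the person reviewing it has context, not just the rule that fired. The customer and transaction record layouts, the threshold, the 10% band, the three-in-seven-days rule, the per-rating multipliers and the sample transactions are all assumptions chosen for illustration.

```python
"""Added worked example (not code from the guide): two ongoing-monitoring rules
run over constructed transactions for one customer.

Rule 1 flags a month whose turnover is out of line with the figure the customer
declared at onboarding. Rule 2 flags a run of cash deposits each just under a
reporting threshold within a short window. Every threshold, multiplier, window
and sample figure below is an assumption for illustration, not a figure from
the MLRs or the guide.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List


@dataclass(frozen=True)
class Customer:
    customer_id: str
    expected_monthly_turnover: float  # declared during CDD (assumed field)
    risk_rating: str                  # "low", "standard" or "high" (assumed scale)


@dataclass(frozen=True)
class Txn:
    customer_id: str
    when: date
    amount: float
    kind: str  # "cash_deposit", "transfer_in" or "transfer_out"


# Illustrative parameters (assumptions; a firm would tune these to its own risk assessment).
REPORTING_THRESHOLD = 10_000.0   # hypothetical cash reporting threshold
NEAR_THRESHOLD_BAND = 0.10       # deposits within 10% below it count as "just under"
STRUCTURING_MIN_COUNT = 3        # this many such deposits...
STRUCTURING_WINDOW_DAYS = 7      # ...within this many days raise an alert
TURNOVER_MULTIPLIER = {"low": 3.0, "standard": 2.0, "high": 1.5}  # tighter for higher risk


def monthly_turnover(customer: Customer, txns: List[Txn]) -> Dict[str, float]:
    """Sum of all movements per calendar month ("YYYY-MM") for one customer."""
    totals: Dict[str, float] = defaultdict(float)
    for t in txns:
        if t.customer_id == customer.customer_id:
            totals[t.when.strftime("%Y-%m")] += abs(t.amount)
    return dict(totals)


def profile_deviation_alerts(customer: Customer, txns: List[Txn]) -> List[dict]:
    """Flag months where turnover exceeds the declared figure by the rating's multiplier."""
    limit = customer.expected_monthly_turnover * TURNOVER_MULTIPLIER[customer.risk_rating]
    return [
        {"rule": "profile_deviation", "customer_id": customer.customer_id, "month": month,
         "declared_monthly": customer.expected_monthly_turnover,
         "actual": round(actual, 2), "limit": limit}
        for month, actual in sorted(monthly_turnover(customer, txns).items())
        if actual > limit
    ]


def structuring_alerts(customer: Customer, txns: List[Txn]) -> List[dict]:
    """Flag clusters of near-threshold cash deposits that fall inside the window."""
    low = REPORTING_THRESHOLD * (1 - NEAR_THRESHOLD_BAND)
    near = sorted(
        (t for t in txns
         if t.customer_id == customer.customer_id and t.kind == "cash_deposit"
         and low <= t.amount < REPORTING_THRESHOLD),
        key=lambda t: t.when,
    )
    alerts: List[dict] = []
    i = 0
    while i < len(near):
        j = i
        # extend the cluster while the next deposit is within the window of the first
        while j + 1 < len(near) and (near[j + 1].when - near[i].when).days <= STRUCTURING_WINDOW_DAYS:
            j += 1
        cluster = near[i:j + 1]
        if len(cluster) >= STRUCTURING_MIN_COUNT:
            alerts.append({
                "rule": "possible_structuring", "customer_id": customer.customer_id,
                "from": cluster[0].when.isoformat(), "to": cluster[-1].when.isoformat(),
                "count": len(cluster), "total": round(sum(t.amount for t in cluster), 2),
            })
        i = j + 1
    return alerts


def run_monitoring(customer: Customer, txns: List[Txn]) -> List[dict]:
    """All alerts for one customer, for review by someone who knows the relationship."""
    return profile_deviation_alerts(customer, txns) + structuring_alerts(customer, txns)


# Constructed sample: a standard-risk customer who declared about 5,000 a month at onboarding.
SAMPLE_CUSTOMER = Customer("C-001", expected_monthly_turnover=5_000.0, risk_rating="standard")
SAMPLE_TXNS = [
    Txn("C-001", date(2026, 1, 6), 2_000.0, "transfer_in"),
    Txn("C-001", date(2026, 1, 20), 1_500.0, "transfer_out"),
    Txn("C-001", date(2026, 2, 1), 9_500.0, "cash_deposit"),
    Txn("C-001", date(2026, 2, 3), 9_800.0, "cash_deposit"),
    Txn("C-001", date(2026, 2, 5), 9_600.0, "cash_deposit"),
    Txn("C-001", date(2026, 2, 9), 4_000.0, "transfer_out"),
]

if __name__ == "__main__":
    for alert in run_monitoring(SAMPLE_CUSTOMER, SAMPLE_TXNS):
        print(alert)
```

January stays quiet because 3,500 of movement sits well inside the declared profile. February raises both alerts: turnover of 32,900 against a limit of 10,000, and three deposits between 9,000 and 10,000 within five days. Neither alert is a conclusion; they are the prompt for the human review the guide describes, and the declared figure in the alert is what makes that review possible.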

Internal reporting

Regulated businesses must have clear internal procedures for staff to report suspicions to the nominated officer. Those procedures should be documented, communicated to all relevant staff, and tested periodically. Staff must know who the MLRO or deputy MLRO is, how to make an internal report, and what happens to their report once it is made.

A culture where staff feel comfortable making internal reports is essential. If front-line staff worry that reporting a suspicion will damage a client relationship, cause internal friction, or reflect badly on them, the internal reporting process will break down. Senior management and the MLRO have a responsibility to make clear that reporting suspicions is expected and protected.

Where a nominated officer receives an internal report, they must consider it and decide whether to make an external report to the NCA. The nominated officer should document that consideration and the reasons for their decision, whether or not they decide to report externally.

External reporting and the SAR regime

External reports to the NCA are made through the SAR Online system. A SAR should clearly and accurately describe the suspicious activity, including what happened, why it is suspicious, and the details of the person or transaction involved.

The quality of SARs matters. The NCA has published guidance on submitting better-quality reports. Vague or incomplete SARs reduce the intelligence value of the report and may not adequately protect the reporting firm from liability.

Where a business wants to proceed with a transaction it has reported as suspicious, it must obtain consent from the NCA before doing so. This is known as the defence against money laundering (DAML) process. The NCA has seven days to refuse consent; if it does not refuse within that period, the business may proceed.

Tipping off

A separate and important obligation is the prohibition on tipping off. It is an offence to disclose to a person who is suspected of money laundering that a SAR has been made, or that an investigation is being considered or carried out, in circumstances where that disclosure is likely to prejudice any investigation.

This creates a practical challenge when a customer asks about a transaction that has been frozen or a relationship that has been placed under review. Businesses need clear procedures for handling these conversations without inadvertently tipping off the subject of a report.

Staff training and the MLRO

The training obligation

The MLRs require regulated firms to ensure that relevant employees receive regular training on AML obligations, the recognition of suspicious activity, and the firm's own policies and procedures. Training is not a one-time onboarding exercise. It needs to be refreshed and updated as the regulatory framework changes, as new typologies emerge, and as the firm's risk assessment evolves.

Training should be appropriate to the role. The training that a relationship manager who deals with high-risk clients needs is different from the training appropriate for a back-office processing role. Generic awareness training that does not engage with the specific scenarios staff face in their day-to-day work is unlikely to change behaviour.

Common training methods include online learning modules covering the legal framework and the firm's policies, classroom or interactive sessions for staff in higher-risk roles, scenario-based exercises that test how staff would respond to specific situations, and targeted training for specific roles, such as relationship managers or customer service staff, who face particular AML risks in their day-to-day work.

Whatever method is used, training should be updated regularly to reflect changes in legislation, guidance, and the firm's own risk assessment. Records of training, including dates, participants, and topics covered, should be maintained.

The role of the MLRO

The Money Laundering Reporting Officer is responsible for overseeing the firm's AML compliance, receiving and assessing internal suspicion reports, making external reports to the NCA where appropriate, and acting as the primary point of contact with regulators on AML matters.

The MLRO must be a senior person with sufficient authority, knowledge, and resource to carry out these responsibilities effectively. In regulated firms, the MLRO is typically an approved person or a senior manager under the Senior Managers and Certification Regime (SMCR).

The MLRO role carries significant personal liability. An individual who fails to meet their obligations under POCA or the MLRs, or who becomes complicit in a failure to report, faces criminal exposure. This is not a nominal accountability structure. Regulators have demonstrated a willingness to pursue individuals, not just institutions, when AML failures occur.

Internal policies and record keeping

Internal policies and procedures

The MLRs require regulated businesses to establish and maintain internal policies, controls, and procedures to prevent activities related to money laundering and terrorist financing. Those policies must be proportionate to the nature and size of the business, communicated to staff, and kept under review.

A comprehensive AML policy framework typically covers the firm's overall approach to AML risk management, customer due diligence and enhanced due diligence procedures, ongoing monitoring requirements, internal and external suspicious activity reporting procedures, staff training obligations and arrangements, record-keeping requirements, the role and responsibilities of the MLRO, and governance and senior management responsibilities.

Policies should be written in plain language that staff can understand and apply. A lengthy policy document that sits unread on a shared drive is not an effective control. The measure of a good policy is whether the people it is intended to govern understand it and use it.

Record keeping

Record-keeping requirements under the MLRs are specific. Regulated businesses must retain records of all the evidence obtained in the course of CDD, for a period of five years from the end of the business relationship or after a transaction is carried out; records of all transactions carried out in the course of a business relationship, for a period of five years; and copies of SARs submitted to the NCA along with records of the nominated officer's consideration of internal reports.

The five-year retention period is a minimum. Some firms retain records for longer, either because their internal policy requires it or because the nature of their business means that older records may be relevant to future investigations.

Records must be kept in a form that is accessible and retrievable. They must be made available to the relevant supervisor on request. Poor record-keeping is a common finding in regulatory inspections and can itself constitute a breach of the MLRs.

Governance

The senior management of a regulated business is responsible for ensuring that the firm's AML framework is fit for purpose. The MLRs require firms to apply appropriate customer due diligence, to appoint a nominated officer, and to ensure that appropriate policies and controls are in place.

The board or equivalent governing body should receive regular reporting on AML matters, including the volume and nature of internal reports, the number and type of external reports submitted, the outcomes of independent reviews and audits, and any significant changes in the firm's risk profile or control environment. AML compliance is not something that can be delegated entirely to a compliance team. It is a board-level responsibility.

Implementation checklist

The following checklist summarises the practical steps involved in establishing and maintaining an effective AML framework. It is not exhaustive, but it covers the core obligations.

Risk assessment

  • Have you carried out and documented a firm-wide risk assessment identifying the money laundering and terrorist financing risks facing your business?
  • Does the assessment cover your customer base, products and services, delivery channels, and geographic exposure?
  • Is the risk assessment reviewed and updated at regular intervals and whenever there are significant changes to the business?
  • Does the risk assessment genuinely drive your choice of controls and the allocation of compliance resource?

Policies and procedures

  • Do you have documented AML policies and procedures covering CDD, ongoing monitoring, SAR reporting, staff training, and record keeping?
  • Have those policies been communicated to all relevant staff?
  • Are policies reviewed regularly and kept up to date with changes in legislation and guidance?

Customer due diligence

  • Do you have clear procedures for identifying and verifying customers at onboarding?
  • Do those procedures include identification of beneficial owners for corporate customers?
  • Do you apply enhanced due diligence for high-risk customers, including PEPs and customers from high-risk jurisdictions?
  • Do you apply simplified due diligence only where you have genuinely assessed the risk as low?
  • Do you have a process for ongoing review and update of customer risk profiles?

Monitoring

  • Do you monitor customer transactions on an ongoing basis for suspicious activity?
  • Is your monitoring system calibrated to the actual risk profile of your customer base?
  • Do you have a process for reviewing alerts and escalating concerns?
  • Do the outputs of monitoring feed back into your risk assessment?

Suspicious activity reporting

  • Do you have a documented internal process for staff to report suspicions to the MLRO or nominated officer?
  • Do all relevant staff know who the MLRO is and how to make an internal report?
  • Does the MLRO document their consideration of internal reports, whether or not an external SAR is submitted?
  • Do you have clear procedures for the DAML process where you need to proceed with a reported transaction?
  • Do you have procedures to ensure compliance with the tipping-off prohibition?

Staff training

  • Do all relevant staff receive regular training on AML obligations?
  • Does training cover the firm's specific policies and procedures, not just the law in the abstract?
  • Are records of training maintained, including dates, participants, and topics covered?
  • Are training materials updated to reflect changes in the law and the firm's risk assessment?
  • Have all relevant employees been made aware of who the MLRO and deputy MLRO are?

Record keeping

  • Do you retain CDD records for a minimum of five years from the end of the business relationship?
  • Do you retain transaction records for a minimum of five years?
  • Are records accessible and retrievable on request from a supervisor?
  • Do you retain records of SARs submitted and the MLRO's consideration of internal reports?

Governance

  • Has a suitably senior and qualified person been appointed as MLRO?
  • Does the MLRO have sufficient authority, resource, and access to senior management to carry out their responsibilities effectively?
  • Does the board or senior management receive regular reporting on AML matters?
  • Is there a process for auditing the effectiveness of the AML framework, including internal audit review?

A final note

The AML framework exists for a purpose. Money laundering enables serious organised crime. It allows the proceeds of drug trafficking, fraud, corruption, and human exploitation to re-enter the financial system, funding further criminal activity and causing real harm to real people.

The organisations that take AML compliance seriously are not those with the most elaborate policy frameworks. They are the ones that have genuinely understood their risks, designed proportionate controls, built a culture of awareness, and kept their programme under continuous review.

That is harder than producing a policy document. But it is the only approach that delivers what the risk-based approach was designed to achieve.

Key takeaways

  • The UK AML framework rests on POCA, the MLRs 2017, and the Criminal Finances Act 2017, all underpinned by FATF standards. The MLRs continue to evolve through domestic amendment, including the 2026 reforms now before Parliament.
  • The risk-based approach is required, not optional. Resources should be directed where the risk is highest, low-risk activity should not be over-controlled, and the assessment of what counts as high or low risk should be based on real analysis rather than assumption.
  • Customer due diligence is the operational core of AML compliance. Standard CDD, enhanced due diligence for higher-risk situations, and simplified due diligence for genuinely low-risk customers should each produce a meaningful assessment, not just a completed checklist.
  • The obligation to report suspicious activity sits at a low threshold. Suspicion is enough. Firms need clear internal reporting processes, an MLRO empowered to assess and submit SARs, and procedures to comply with the DAML process and avoid tipping off.
  • An effective AML programme is more than a stack of policies. It is a working framework supported by governance, training, monitoring, and record-keeping, all proportionate to the firm's specific risk profile.