Anti-Money Laundering: Complete AML Compliance Guide
Complete anti-money laundering guide for UK businesses: AML obligations, FCA requirements, MLRO role, FATF standards, and document verification tools.

Anti-money laundering (AML) refers to the laws, regulations, and institutional controls that prevent criminals from converting proceeds of crime into apparently legitimate funds. For UK-regulated businesses, non-compliance carries criminal liability, unlimited fines, and loss of FCA authorisation: consequences that make a robust AML programme a commercial necessity, not a regulatory checkbox.
This guide sets out the UK AML framework as of February 2026, identifies who bears legal obligations, and explains how to build a programme that withstands regulatory scrutiny.
This article is for informational purposes only and does not constitute legal, financial, or regulatory advice.
What Is Anti-Money Laundering?
Anti-money laundering is the collective term for controls that detect and disrupt the process of making illegally obtained funds appear legitimate. Money laundering proceeds through three recognised stages:
- Placement: criminal proceeds enter the financial system (cash deposits, asset purchases)
- Layering: complex transactions obscure the money trail (wire transfers, shell companies)
- Integration: funds re-enter the legitimate economy as apparently lawful income
The UK National Crime Agency estimates that money laundering costs the UK economy over £100 billion annually (NCA National Strategic Assessment 2023). This scale explains why AML enforcement has intensified significantly since the Proceeds of Crime Act 2002 (POCA).
UK Legal Framework for AML Compliance
UK anti-money laundering obligations derive from three primary legislative instruments:
- Proceeds of Crime Act 2002 (POCA): creates the core money laundering offences (ss.327-329) and the failure to disclose offences (ss.330-332)
- Terrorism Act 2000: covers terrorist financing obligations
- Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs 2017, as amended): sets out the operational compliance obligations for regulated firms
As of 26 June 2017, MLRs 2017 transposed the EU Fourth Anti-Money Laundering Directive (SI 2017/692) and have since been amended multiple times, including by the Money Laundering and Terrorist Financing (Amendment) Regulations 2023 to align with FATF Recommendation 24 on beneficial ownership transparency.
The FCA's Role
The Financial Conduct Authority (FCA) supervises AML compliance for the majority of financial services firms under the MLRs. The FCA's 2023/24 Annual Report identified financial crime, including money laundering, as one of its top three supervisory priorities, with 48 enforcement cases resulting in financial penalties totalling £52.8 million (FCA Annual Report 2023/24).
HMRC supervises accountants, estate agents, and high-value dealers. The Gambling Commission supervises casinos and gambling operators.
Who Must Comply with UK AML Regulations?
MLRs 2017, Regulation 8 defines "relevant persons" subject to the full compliance obligations:
| Sector | Regulator |
|---|---|
| Banks, building societies, payment firms | FCA |
| Credit unions | Prudential Regulation Authority (PRA) |
| Accountants, tax advisers, insolvency practitioners | HMRC / ICAEW / ACCA |
| Solicitors, barristers, legal executives | Solicitors Regulation Authority (SRA) |
| Estate agents (sales and lettings from January 2020) | HMRC |
| Casinos and remote gambling | Gambling Commission |
| Crypto-asset exchange providers and custodian wallet providers | FCA (under MLRs 2017 Reg. 14A) |
| High-value dealers (single cash transactions ≥€10,000) | HMRC |
Users on compliance forums frequently ask: does my fintech startup need to register with the FCA for AML purposes? Any firm that qualifies as a "cryptoasset exchange provider" or payment institution under the Payment Services Regulations 2017 must register with the FCA and comply with MLRs 2017 in full, regardless of company size.
The Five Pillars of AML Compliance
1. Customer Due Diligence (CDD)
CDD is the bedrock of AML compliance. MLRs 2017, Regulation 27 requires firms to verify customer identity before establishing a business relationship or carrying out an occasional transaction.
Standard CDD requires:
- Identifying the customer and verifying that identity using reliable, independent source documents
- Identifying the beneficial owner (BO): any individual owning or controlling more than 25% of a legal entity
- Understanding the nature and purpose of the business relationship
Enhanced Due Diligence (EDD) is mandatory for Politically Exposed Persons (PEPs), customers connected to high-risk third countries, and relationships assessed as higher risk (MLRs 2017, Reg. 33). EDD requires senior management approval before establishing or continuing a business relationship.
Automated document verification reduces the time spent on CDD by validating identity documents, extracting data via OCR, and checking for signs of tampering, all within seconds of document submission.
2. Risk-Based Approach (RBA)
The MLRs do not prescribe identical obligations for all customers. Firms must apply a risk-based approach: calibrating the intensity of due diligence to the money laundering risk each customer, product, geography, or transaction presents.
MLRs 2017, Schedule 3 lists risk factors for enhanced due diligence, including customers in jurisdictions on the FATF grey or black lists, complex corporate structures with no clear economic purpose, and transactions inconsistent with the customer's known profile.
3. Suspicious Activity Reports (SARs)
The duty to report is one of the most operationally demanding AML obligations. POCA 2002, s.330 creates an offence of failure to disclose if a person in the regulated sector knows or suspects, or has reasonable grounds to suspect, that another person is engaged in money laundering.
Reports are submitted to the National Crime Agency (NCA) via the SARs Online portal. In 2022/23, the NCA received 901,255 SARs, a record high (NCA SARs Annual Report 2023).
A "consent SAR" must be filed before proceeding with a transaction when a firm suspects money laundering; the NCA then has 7 working days to grant or refuse consent.
4. Money Laundering Reporting Officer (MLRO)
MLRs 2017, Regulation 21 requires every regulated firm to appoint a Money Laundering Reporting Officer at senior management level. The MLRO:
- Receives and assesses internal SAR referrals
- Decides whether to submit SARs to the NCA
- Oversees AML training and policy
- Reports to the board on AML effectiveness
The FCA's supervisory visits consistently identify MLRO inadequacy as a root cause of systemic AML failures. The MLRO must have sufficient seniority, resources, and access to management information to fulfil this role effectively.
5. Staff Training and Record-Keeping
MLRs 2017, Regulation 24 requires firms to train all relevant employees on AML risks and their obligations. Records of training completion must be maintained.
Records of CDD, transactions, and SARs must be retained for five years from the end of the business relationship or the date of the transaction (MLRs 2017, Reg. 40).
AML Compliance Programme: Key Requirements Matrix
| Component | Legal Basis | Minimum Standard |
|---|---|---|
| Written AML policies | MLRs 2017, Reg. 19 | Risk-based, board-approved |
| Customer risk assessment | MLRs 2017, Reg. 18A | Before onboarding |
| CDD verification | MLRs 2017, Reg. 27 | Independent source documents |
| Beneficial ownership check | MLRs 2017, Reg. 28 | 25% threshold |
| SAR filing | POCA 2002, s.330 | No minimum threshold |
| MLRO appointment | MLRs 2017, Reg. 21 | Senior management level |
| Staff training | MLRs 2017, Reg. 24 | Documented, role-specific |
| Record retention | MLRs 2017, Reg. 40 | 5 years minimum |
FATF Standards and International Context
The UK is a founding member of the Financial Action Task Force (FATF), established in 1989. FATF's 40 Recommendations set the global AML standard that the MLRs 2017 implement domestically.
FATF's 2022 Mutual Evaluation of the UK found the country to be "largely compliant" overall but identified weaknesses in beneficial ownership registers and supervision of non-financial gatekeepers (FATF Mutual Evaluation Report UK 2022).
The EU's new AMLA regulation, Regulation (EU) 2024/1620, does not apply directly to UK firms post-Brexit, but the FCA has indicated it will monitor AMLA's technical standards for potential adoption.
Technology and AML Automation
Compliance professionals frequently raise the question of false positives in transaction monitoring: screening systems generating hundreds of alerts per day that analysts must manually review. The industry average false positive rate exceeds 95%, consuming significant compliance resource for minimal investigative output.
Modern automated document checking platforms integrate with existing onboarding workflows to front-load KYC quality, reducing the number of suspicious alerts generated downstream by ensuring only accurately verified clients enter the system.
For a practical approach to managing document-based KYC at scale, see our guide to document validation for compliance and our KYC 2026 requirements overview.
The CheckFile platform applies AI-based document analysis to detect manipulated identity documents at the point of submission, helping regulated firms meet their MLRs obligations without adding headcount.
Frequently Asked Questions
What is anti-money laundering in simple terms?
Anti-money laundering (AML) is the set of legal obligations that require businesses to check who their customers are, monitor their transactions, and report suspicious activity to authorities. The goal is to prevent criminals from disguising the proceeds of crime as legitimate income.
What is the difference between AML and KYC?
KYC (Know Your Customer) is one part of AML. KYC covers the initial identity verification and customer due diligence steps. AML is broader: it includes KYC, ongoing transaction monitoring, suspicious activity reporting, staff training, and governance requirements.
Who is the MLRO and why do they matter?
The Money Laundering Reporting Officer (MLRO) is the senior individual responsible for a firm's AML programme. Under MLRs 2017, Regulation 21, every regulated firm must appoint one. The MLRO receives internal suspicious activity reports, decides whether to submit SARs to the NCA, and is the primary point of contact for FCA AML supervisors.
What happens if a firm fails to file a Suspicious Activity Report?
Failure to disclose suspected money laundering is a criminal offence under POCA 2002, s.330. Individuals face up to five years' imprisonment. Firms face unlimited fines, reputational damage, and potential FCA enforcement action including loss of authorisation.
How long must AML records be kept?
Under MLRs 2017, Regulation 40, AML records, including CDD documents and transaction records, must be kept for five years from the end of the business relationship. Firms should have a documented retention and disposal policy covering these records.