The Money Laundering Regulations 2017 (MLR 2017): A Compliance Guide

The Foundation Framework for AML Compliance in UK Regulated Firms

The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 — commonly known as the Money Laundering Regulations 2017 or MLR 2017 — are the foundation of UK anti-money laundering compliance. They set out who is in scope, what AML measures regulated firms must take, how firms must structure their AML governance including the MLRO function, and the record-keeping and reporting obligations that underpin the regime. Every UK financial services firm subject to MLR 2017 must have an AML framework that complies with these regulations, supervised by the FCA (or other relevant supervisor) and reinforced by the Proceeds of Crime Act 2002.

This guide explains how MLR 2017 actually works in practice — the structure of the regulations, the firms that fall within scope, the key compliance obligations including risk assessment, CDD, MLRO duties, record-keeping and training, and the enforcement framework that applies to non-compliance. It also covers the recruitment dimension — what financial crime teams need to look like to deliver MLR 2017 compliance effectively, and the senior management roles the regulations create.

What’s missing from most online explanations of MLR 2017 is the practical operational detail. The regulations describe what firms must do; this guide describes what good MLR 2017 compliance actually looks like in modern UK regulated firms — including the documentation discipline, the team capability, and the governance integration that distinguishes effective compliance from documentary compliance.

The Structure and Background of MLR 2017

MLR 2017 came into force on 26 June 2017, transposing the EU’s Fourth Money Laundering Directive (4MLD) into UK law. The regulations replaced the Money Laundering Regulations 2007. Subsequent amendments transposed the Fifth Money Laundering Directive (5MLD) in January 2020 and have continued to update specific aspects since the UK left the EU.

The regulations operate in conjunction with:

  • The Proceeds of Crime Act 2002 (POCA) — the underlying criminal framework defining money laundering offences, requiring suspicious activity reporting, and creating the consent (DAML) regime
  • The Terrorism Act 2000 — the equivalent framework for terrorist financing
  • The FCA Handbook — particularly SYSC and the Financial Crime Guide, which provide the FCA’s expectations on implementation
  • The Sanctions and Anti-Money Laundering Act 2018 — providing the framework for sanctions and aspects of AML supervision
  • The JMLSG Guidance — industry-recognised practical implementation guidance approved by HM Treasury

For SARs specifically, see our SARs Guide. For the broader MLRO function, see our MLRO Guide.

Who Is in Scope — Regulation 8

Regulation 8 of MLR 2017 sets out the firms that fall within scope. The principal categories include:

  • Credit institutions — banks, building societies and similar deposit-taking institutions
  • Financial institutions — including investment firms, insurance intermediaries (for life insurance and similar), payment institutions, e-money institutions, and asset managers
  • Auditors, insolvency practitioners, external accountants and tax advisers — when undertaking specified AML-relevant work
  • Independent legal professionals — solicitors, notaries, and similar when participating in specific transaction types (for example, buying and selling real property or managing client money)
  • Trust or company service providers — entities providing services around setting up or managing companies, trusts, or similar arrangements
  • Estate agents and letting agents — estate agency work is in scope regardless of transaction value; letting agency work has been in scope since January 2020 where the monthly rent is €10,000 or more
  • High value dealers — businesses that make or receive cash payments of €10,000 or more for goods, whether in a single transaction or linked transactions
  • Casinos — including remote casinos
  • Cryptoasset exchange providers and custodian wallet providers — added under 5MLD transposition and registered with and supervised by the FCA
  • Art market participants — added under 5MLD transposition, for transactions (or linked transactions) of €10,000 or more

For UK regulated firms, the question of scope is rarely ambiguous — most FCA-regulated firms are explicitly within scope. The exceptions are typically firms whose activities fall outside MLR 2017’s specific definitions (for example, certain non-life insurance intermediaries).

The Six Core MLR 2017 Compliance Obligations

MLR 2017 imposes six core compliance obligations on in-scope firms. Each is operationally significant and FCA-supervised.

1. Risk Assessment (Regulation 18)

Every in-scope firm must conduct and document a written risk assessment of the money laundering and terrorist financing risk it faces. The assessment must consider:

  • Customer types and customer base composition
  • Geographic exposure including high-risk third countries
  • Products and services offered
  • Distribution channels including direct, intermediated, and digital channels
  • Transaction types and volumes

The risk assessment must be reviewed and updated regularly — typically annually at minimum, with updates triggered by material changes to the firm’s business profile.

2. Policies, Controls and Procedures (Regulation 19)

Firms must establish and maintain policies, controls and procedures appropriate to mitigate the risks identified in the risk assessment. These include:

  • Customer due diligence procedures
  • Ongoing monitoring procedures
  • Reporting procedures
  • Record-keeping procedures
  • Internal control framework including the MLRO function
  • Risk assessment methodology
  • Reliance and outsourcing arrangements
  • Communication and training

The specific procedures must be approved at senior management level and reviewed regularly.

3. Customer Due Diligence (Regulations 27-37)

Firms must conduct CDD when establishing a business relationship, when carrying out an occasional transaction of €15,000 or more (lower thresholds apply to transfers of funds exceeding €1,000 and to high value dealers), when there is suspicion of money laundering or terrorist financing, or when there is doubt about the veracity of previously obtained customer identification. CDD includes:

  • Identifying the customer and verifying identity from reliable independent sources
  • Identifying beneficial owners (for corporate customers and trusts)
  • Understanding the purpose and intended nature of the relationship
  • Ongoing monitoring of the relationship throughout its lifetime

For detail on CDD, see our CDD Guide and KYC Guide. For Enhanced Due Diligence (Regulation 33), see our EDD Guide.

4. MLRO and Senior Management (Regulation 21)

Firms must appoint a “nominated officer” (Regulation 21(3)) to receive internal disclosures under the Proceeds of Crime Act and the Terrorism Act and to decide whether a SAR should be made to the National Crime Agency. The term Money Laundering Reporting Officer (MLRO) comes from the FCA Handbook (SYSC 6.3.9R), which requires FCA-regulated firms to appoint an MLRO; in practice the two roles are held by the same person, who is the firm’s point of contact with the NCA for SAR purposes and the senior individual accountable for the AML framework. For FCA-regulated firms, the MLRO is the SMF17 holder under SM&CR — see our SMF17 Guide.

Beyond the MLRO, Regulation 21 requires:

  • Designation of a member of the board or senior management as the officer responsible for the firm’s compliance with MLR 2017 (Regulation 21(1)(a)) — often the SMF1 CEO or SMF16 Compliance Oversight holder
  • Screening of relevant employees, both on appointment and during employment, for the skills, knowledge, conduct and integrity needed for their AML-relevant duties (Regulation 21(1)(b))
  • An independent audit function to examine and evaluate the adequacy and effectiveness of the AML policies, controls and procedures, where appropriate to the size and nature of the business (Regulation 21(1)(c))
  • Adequate independence and authority for the MLRO, adequate resources for the AML programme, and regular reporting to senior management on AML matters

5. Training (Regulation 24)

Firms must ensure that relevant employees receive training on:

  • The law relating to money laundering and terrorist financing
  • The data protection requirements relevant to MLR 2017
  • The firm’s own policies and procedures
  • How to recognise and deal with transactions and other activities that may be related to money laundering or terrorist financing

Training must be appropriate to the employee’s role, refreshed regularly, and documented.

6. Record-Keeping (Regulation 40)

Firms must keep copies of CDD documentation and records of AML-relevant transactions for at least five years after the business relationship ends or the occasional transaction is completed. Records must be retrievable and provided to relevant authorities on request. Regulation 40 also requires personal data obtained for CDD purposes to be deleted at the end of that five-year period unless a retention exception applies (for example, retention is required by another enactment or for legal proceedings, or the data subject has consented), so the retention schedule needs a deletion step as well as a retrieval test.

The MLRO Function — Regulation 21

The MLRO function is one of the most operationally significant features of MLR 2017. The regulation requires the appointment of a “nominated officer” for the purposes of section 330 of the Proceeds of Crime Act and section 21A of the Terrorism Act — meaning the individual to whom internal SARs are made and who decides whether external SARs to the NCA are warranted.

The MLRO function combines:

  • Internal SAR receipt and decision-making on external filing
  • NCA relationship management including DAML applications
  • Overall ownership of the firm’s AML compliance framework
  • Annual MLRO report to senior management/board on the effectiveness of the AML programme
  • FCA dialogue on financial crime matters

For FCA-regulated firms, the MLRO must be approved as SMF17 under SM&CR. The role carries personal liability under both SM&CR (the Duty of Responsibility in section 66A(5) FSMA, with section 66B(5) the PRA equivalent) and POCA/MLR 2017 (which include criminal sanctions for specific breaches, such as the nominated officer’s failure-to-disclose offence in section 331 POCA).

High-Risk Third Countries

Regulation 33(1)(b) of MLR 2017 (as amended) requires EDD for business relationships and transactions with persons established in high-risk third countries. Until January 2024 the UK maintained its own list in Schedule 3ZA; since then the regulations define high-risk third countries directly by reference to the FATF lists of jurisdictions under increased monitoring and jurisdictions subject to a call for action, so a FATF plenary decision changes the UK position without further domestic legislation.

The list is updated periodically. Firms need to:

  • Monitor changes to the list and apply EDD prospectively when new countries are added
  • Review existing relationships when their country exposure becomes high-risk
  • Apply EDD measures including enhanced beneficial ownership investigation, source of funds verification, and intensified monitoring

Reliance and Outsourcing — Regulation 39

MLR 2017 permits regulated firms to rely on third parties for CDD in certain circumstances and to apply CDD through agents and outsourced service providers, but with conditions:

Reliance on third parties (Regulation 39(1)-(2))

A firm may rely on CDD carried out by another relevant person (a bank, financial institution, auditor and so on) or an equivalent regulated entity in a third country, provided specific conditions are met — including the third party’s consent, a written arrangement, and immediate provision on request of the identification and verification information obtained. The firm remains liable for any failure to apply CDD (Regulation 39(3)), and reliance is not available on a third party established in a high-risk third country.

Outsourcing (Regulation 39(3))

Firms may outsource CDD and other AML functions to third parties (including specialist providers, intra-group entities, etc.), but the outsourced provider acts as the firm’s agent and the firm retains full regulatory accountability for the quality of the work. Strong outsourcing arrangements include detailed contracts, performance monitoring, audit rights, and SMF-level oversight. See our Third-Party Risk Management Guide.

FCA Supervision and Enforcement

For FCA-regulated firms, the FCA is the supervisor for MLR 2017 compliance. FCA supervisory activity includes:

  • Routine supervisory dialogue — through firm-specific supervisory teams or thematic reviews
  • Skilled person reviews (s166) — where the FCA commissions an independent review of the firm’s AML framework. See our Section 166 Guide
  • Enforcement action — where breaches are identified and remediation is inadequate. The FCA has been increasingly active in AML enforcement since 2020, with substantial fines imposed on firms with material AML weaknesses
  • Personal enforcement — against SMF17 holders and other SMFs where the Duty of Responsibility test is met

Beyond civil enforcement, Regulation 86 of MLR 2017 makes it a criminal offence to contravene a relevant requirement of the regulations, and Regulation 88 allows supervisory authorities, including the FCA as well as HMRC, to bring prosecutions. The FCA used this power for the first time in its 2021 prosecution of NatWest under the predecessor 2007 Regulations, so criminal exposure is not confined to firms supervised by HMRC.

The Effectiveness Standard

FCA enforcement action since 2022 has consistently emphasised that documentary compliance is not enough — the firm’s AML framework must be effective in practice. Frameworks that have all the required policies, procedures and documented training but fail to identify or report suspicious activity, fail to apply EDD substantively, or fail to detect sanctions exposure are at material enforcement risk. The standard the FCA applies is operational effectiveness, not paper compliance.

MLR 2017 Compliance in Different Sectors

Banks and credit institutions

Banking AML compliance is the most extensive and resource-intensive — combining retail customer due diligence at scale, corporate banking complexity, correspondent banking due diligence, transaction monitoring across high volumes, and material sanctions exposure. Banks typically have substantial dedicated financial crime functions with hundreds of professionals.

Investment firms and wealth managers

Investment firms face high-net-worth and ultra-high-net-worth customer profiles with substantial PEP and EDD exposure. The compliance burden is qualitatively different from retail banking — fewer customers but each more demanding to onboard and monitor.

Asset managers and fund managers

Asset management AML often delegates retail-level CDD to fund administrators and transfer agents, with the firm retaining accountability. Strong frameworks include SMF-level oversight of delegate performance and direct visibility into adverse findings.

Payments firms and e-money institutions

Payments AML focuses on transaction monitoring at scale, fraud-AML integration, sanctions screening on cross-border flows, and increasingly aggressive FCA scrutiny. The post-2022 sanctions environment has substantially increased the compliance burden in this sector.

Cryptoasset firms

Cryptoasset firms registered under MLR 2017 face specific challenges including blockchain-traced source of funds verification, sanctioned wallet address screening, and the FCA’s particular focus on the sector since registration began in 2020.

Common MLR 2017 Compliance Pitfalls

Risk assessment that doesn’t drive controls. Where the firm-wide risk assessment exists as a documentary requirement but doesn’t actually inform the operational AML framework, the cycle is broken.

Policies that don’t reflect practice. Where the firm’s documented policies describe one operational reality and actual practice differs, both are at risk — the policies create exposure if they describe a higher standard than is actually applied; the practice creates exposure if it falls below the regulatory standard.

MLRO under-resourced for the firm’s risk profile. Where the MLRO has limited team resources, limited technology, or limited senior management support, the framework cannot operate effectively regardless of the MLRO’s individual capability.

Training that doesn’t reach the right people. Generic training delivered annually to all staff often misses the specific operational training required for higher-risk roles (front-office advisers, relationship managers, transaction processors).

Record-keeping that fails the retrieval test. Where records are technically retained but cannot be efficiently retrieved on request, the regulatory obligation isn’t being met substantively.

Senior management engagement that’s pro-forma. Where senior management approval of MLRO reports, EDD relationships, and similar is signed off without substantive engagement, the regulatory framework’s intended governance dimension fails.

Reliance and outsourcing without effective oversight. Firms that delegate to third parties without ongoing performance monitoring, contractual audit rights, and direct visibility of adverse findings retain accountability without the oversight needed to discharge it.

MLR 2017 and Recruitment

Effective MLR 2017 compliance requires several specialist roles:

  • MLRO (SMF17) — see our SMF17 Guide for detail
  • Deputy MLRO — covering during MLRO absence and providing senior support
  • Head of Financial Crime — in larger firms, separate from MLRO with broader remit including sanctions and fraud
  • Head of Sanctions — specialist role increasingly common since 2022
  • AML and CDD analysts — operational team handling onboarding, transaction monitoring, and SAR investigation
  • EDD specialists — handling enhanced cases including PEPs
  • Financial crime technology specialists — owning AML platform effectiveness

For senior financial crime hiring, see our MLRO Recruitment and Financial Crime Recruitment pages.

A Note from Our Founder — Adrian Lawrence FCA

The Money Laundering Regulations 2017 are the foundation of UK AML compliance, and the firms that have built their frameworks well around the requirements typically run effective, defensible programmes. The firms that have built their frameworks as documentary compliance — meeting each requirement on paper without substantive effectiveness — typically run into difficulty when the FCA tests effectiveness through supervisory dialogue or enforcement.

The recruitment angle that comes up most often in our placements is the difficulty of sourcing candidates who understand the operational discipline behind MLR 2017 compliance — not just the regulatory text. Strong candidates are people who have personally implemented risk assessments that drove operational change, designed CDD frameworks that operated effectively at scale, led MLRO functions with engaged senior management support, and managed FCA dialogue on financial crime matters substantively. The candidate pool for senior financial crime leadership is genuinely tight, and demand has grown faster than supply since 2022.

For firms recruiting senior financial crime leadership in 2026, three things to keep in mind: timeline (16-26 weeks end-to-end including notice and FCA approval), compensation (the regulated-firm premium is real), and cultural fit (experienced MLROs evaluate firms carefully and walk away from environments where the framework cannot operate effectively).

At FD Capital we work on senior financial crime mandates regularly across UK regulated firms. If you are recruiting MLRO, Deputy MLRO, Head of Financial Crime, or Head of Sanctions, I’m happy to have a direct conversation about your specific situation.

Speak to Adrian about a financial crime appointment →

Adrian Lawrence FCA | Founder, FD Capital | ICAEW Verified Fellow | ICAEW-Registered Practice | Companies House no. 13329383

Hire MLROs and Financial Crime Leaders

Effective MLR 2017 compliance requires specialist financial crime leadership and team capability. FD Capital places MLROs, Deputy MLROs, Heads of Financial Crime, Heads of Sanctions and senior AML professionals across UK regulated firms.

020 3287 9501

MLRO Recruitment › | Financial Crime Recruitment | Contact Us

Further Reading and Authoritative Sources

For the regulations themselves, see MLR 2017 on legislation.gov.uk. For the FCA’s expectations, see the Financial Crime Guide. The JMLSG Guidance provides detailed practical implementation guidance approved by HM Treasury.

Related Guides: AML and Financial Crime

Part of FD Capital’s series of practical guides for FCA-regulated firms: MLRO Guide — Pillar | Customer Due Diligence (CDD) | Enhanced Due Diligence (EDD) | Know Your Customer (KYC) | Politically Exposed Persons (PEPs) | Sanctions Screening | Transaction Monitoring | Suspicious Activity Reports (SARs) | SMF17 — The MLRO Function