Financial Crime Risk Management

Money Laundering - FAQ

May not cover factors relevant to a particular situation or circumstance.


Frequently Asked Questions

The full name is The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (‘MLR 2017’), which came into force on 26th June 2017, as amended by The Money Laundering and Terrorist Financing (Amendment) Regulations 2019 (‘MLR 2019’). The Regulations transpose much of the Fourth and Fifth EU Money Laundering Directives into UK law.

The Regulations apply to a wide range of business sectors, including:

  1. Banks, asset managers, some insurers, crypto-businesses and certain other firms which provide relevant financial services. Many are supervised for compliance with the Regulations by the Financial Conduct Authority (‘FCA’).
  2. Some professional service providers, such as law firms and accountants, are members of professional bodies like the Law Society or Institute of Chartered Accountants in England and Wales (‘ICAEW’). Schedule 1 to the Regulations lists Professional Bodies known as “self-regulatory organisations”, which are also supervisory authorities for their respective members.
  3. Casinos (i.e. holders of a ‘casino operating licence’ per section 65(2)(a) of the Gambling Act 2005). The Gambling Commission is the supervisory authority for casinos.
  4. Other businesses subject to the Regulations are monitored by HM Revenue & Customs (‘HMRC’) as their supervisory authority. These include:
    • Money service businesses (‘MSB’) - If not supervised by the FCA. Note also, a money service business is required to register with HMRC and if carrying out money transmission, will also need to be registered or authorised with the FCA under the Payment Services Regulations 2009.
    • High value dealers (‘HVDs’) - Any business or sole trader that accepts or makes high value cash payments of €10,000 or more (or equivalent in any currency) in exchange for goods. This includes when a customer deposits cash directly into a bank account, or when they pay cash to a third party for the benefit of a business or sole trader.
    • Trust or company service providers (‘TCSP’) - If not supervised by the FCA or a professional body. TCSP services can be provided by anyone including company formation agents, professional trustees, large franchise operations providing mail holding and forwarding services, accountants and solicitors.
    • Accountancy service providers - If not supervised by a professional body. Services they provide include reviewing, analysing, calculating and reporting on financial information for other people.
    • Estate agency businesses - When acting on instructions from a customer who wants to buy or sell an interest in land, in the UK or abroad, and introducing customers to third parties who want to buy or sell an interest in land; also includes when acting after such an introduction to secure the sale or purchase of the interest in land.
    • Letting Agents – If not supervised by a professional body listed in Schedule 1 to the MLR 2017. Activity covered includes where a letting agreement is concluded for a term of at least one month and at a rent of at least 10,000 euros in any one month.
    • Art market participants – Where a business transaction (i.e. sale or purchase) is worth 10,000 euros or more, or the value of works of art stored by a freeport operator (i.e. for a person, or a series of linked persons) is worth 10,000 euros or more.
    • Bill payment service providers – If not supervised by the FCA. A bill payment service provider facilitates payment of utility bills or other household bills, when acting on behalf of the payer. Gas, electricity, water rates and sewage charges come within the definition of utility bills. Other household bills include council tax payments and household insurance.
    • Telecommunications, digital and IT payment service providers not supervised by the FCA.

The Regulations have a number of ‘must-do’ requirements which apply to firms/businesses that provide regulated activity. The UK allows a risk-based approach (‘RBA’) to compliance with many of the requirements. However, the onus is on each firm and its senior management to be able to demonstrate how and why their approach is risk-based. In overview, the key requirements cover:

  • A need to conduct a money laundering and terrorist financing risk assessment
  • Implement a framework of policy and procedure, with appropriate systems and controls designed to address money laundering and terrorist financing risk (and which satisfy Regulatory requirements)
  • Apply the framework consistently across your firm’s group structure (if relevant)
  • Implement appropriate internal controls - relevant to the size, nature and complexity of your business
  • Provide staff with the right level of training
  • Implement and maintain compliant customer due diligence (‘CDD’), enhanced due diligence (‘EDD’) and simplified due diligence (‘SDD’) requirements (i.e. sufficiently get to know your customer (‘KYC’), in order to aid your assessment and response to identifiable money laundering and terrorist financing risk they might present)
  • Comply with higher level KYC requirements which apply to customer relationships having a nexus with a politically exposed person (‘PEP’) and/or other higher-risk factor
  • Appoint a ‘Nominated officer’ - A person nominated to receive disclosures under Part 3 (terrorist property) of the Terrorism Act 2000 or Part 7 (money laundering) of the Proceeds of Crime Act 2002
  • Ensure staff are aware of their obligation to report any suspicion of money laundering or terrorist financing to the ‘Nominated Officer’
  • Keep KYC information and transaction records in compliance with requirements of the Regulations and Data Protection law

Anti-money laundering guidance has been published by various bodies with a specific sector focus, including:

  1. Banks and other firms supervised by the Financial Conduct Authority (‘FCA’), often utilise:
    • Financial Crime Guidance published by the FCA, which includes content on managing money laundering risk - Financial Crime Guide: A firm’s guide to countering financial crime risks (FCG).
    • Guidance published by the Joint Money Laundering Steering Group - JMLSG Guidance.
    • Guidelines produced by The European Supervisory Authorities (‘ESAs’), which firms should consider when assessing money laundering / terrorist financing risk associated with a business relationship or occasional transaction. The UK Money Laundering Regulations require firms subject to the regulations to take account of ESA guidelines when complying with customer due diligence requirements in Regulations 33 and 37.
  2. The Law Society has published - AML Guidance
  3. The Consultative Committee of Accountancy Bodies published guidance for UK providers of audit, accountancy, tax advisory, insolvency, or trust and company services - AML Guidance.
  4. The Gambling Commission - AML Guidance.
  5. Businesses supervised by HM Revenue & Customs (‘HMRC’) can utilise:

Guidance is guidance – not a prescriptive set of rules or procedures to be followed. A key principle of the UK regime is the ability to implement a ‘risk-based approach’ to systems and controls, when mitigating money laundering and terrorist financing risk:

  • The FCA will consider whether the firm has followed relevant provisions of JMLSG Guidance, guidance issued by the FCA or taken account of the ESA guidelines (see FCG 3.1.8).
  • HMRC and Professional bodies (as supervisors) will also consider whether a firm they are responsible for supervising has adopted AML guidance issued by another trade or professional body, including JMLSG Guidance, where that guidance may better align with specific circumstances faced by a supervised business. Where a business relies on alternative guidance, it must be ready to justify such reliance to its AML supervisory authority.

FCA enforcement actions relating to money laundering include:

  • Coutts & Company - Fined £8.75 million in 2012 for failing to take reasonable care to establish and maintain effective AML systems and controls in relation to customers that posed a higher money laundering risk than standard customers (high risk customers).
  • HSBC Group - The Financial Services Authority (‘FSA’), as lead regulator for the HSBC Group globally, took action in relation to issues in respect of HSBC’s compliance with anti-money laundering rules and US sanctions requirements.
  • EFG Private Bank Ltd - Fined £4.2m in 2013 for failing to take reasonable care to establish and maintain effective AML controls for high risk customers. The failings were serious and lasted for more than three years.
  • Guaranty Trust Bank (UK) Ltd - Fined £525,000 in 2013 for failings in its AML controls for high risk customers between May 2008 and June 2010.
  • Standard Bank PLC - Fined £7.6m in 2014 for failures relating to its AML policies and procedures over corporate customers connected to politically exposed persons (‘PEPs’).
  • Sonali Bank (UK) Limited - Fined £3.25m in 2016 and a restriction imposed, preventing it from accepting deposits from new customers for 168 days. The FCA also fined the bank’s former money laundering reporting officer (MLRO) and prohibited him from performing the MLRO or compliance oversight functions at regulated firms. The FCA found that serious and systemic weaknesses affected almost all levels of the bank’s AML control and governance structure, including its senior management team, its money laundering reporting function, the oversight of its branches and its AML policies and procedures.
  • Barclays Bank - Fined £72 million for poor handling of financial crime risks with a PEP nexus.
  • Habib Bank AG Zurich - Fined £525,000 in 2012 for failing to take reasonable care to establish and maintain adequate AML systems and controls between 15 December 2007 and 15 November 2010.
  • Deutsche Bank AG - Fined £163m in 2017 for failing to maintain an adequate AML control framework during the period between 1 January 2012 and 31 December 2015. The largest financial penalty for AML controls failings imposed by the FCA, or its predecessor the Financial Services Authority (‘FSA’).
  • Canara Bank - Fined £896,100 in 2018 and a restriction imposed, preventing it from accepting deposits from new customers for 147 days. The bank failed to maintain adequate AML systems and failed to take sufficient steps to remedy identified weaknesses, despite having been notified of shortcomings in its AML systems and controls.
  • Standard Chartered Bank - Fined £102m in 2019 for AML breaches in two higher risk areas of its business. The second largest financial penalty for AML controls failings ever imposed by the FCA.
  • Commerzbank London - Fined £37.8 million in 2020 for failing to put adequate anti-money laundering (AML) systems and controls in place between October 2012 and September 2017.

HMRC publishes a list of businesses for the tax year 2019 to 2020 that have not complied with the 2017 Money Laundering Regulations.

The risk profile of your business is influenced by a number of variables, some of which are unique to your business (e.g. how it’s run, where it operates, the nature of goods/services you sell, how staff are rewarded/incentivised, the nature of your customer base, where they are located, etc.). However, if your firm/business is covered by the Regulations, Regulation 18 requires you to carry out a written risk assessment to identify and assess the risk of money laundering and terrorist financing that your firm faces.

In carrying out the risk assessment you must take account of information on money laundering and terrorist financing risks made available by your supervisor/regulatory body, as well as risk factors relating to:

  • your customers (e.g. what they do/sell, who they do business with, how they are owned/controlled, etc.)
  • the countries or geographic areas where your firm operates (e.g. has a physical presence or does business remotely, such as, via agents/intermediaries, on-line, or other country exposure)
  • your products and services (e.g. advisory or transactional, where applicable)
  • your transactions (e.g. who you do business with and/or on behalf of, how transparent is the audit trail to the beneficiary of transactions, etc.)
  • your sales, supply or delivery channels (e.g. do you meet customers face-to-face or place any reliance on other parties to complete your KYC/CDD, etc.)

The guidance applicable to your sector/industry as referenced in the above FAQ (i.e. Is guidance available on anti-money laundering (‘AML’)?) could be a useful source to consider, as well as any previous enforcement action your regulatory body may have published information about.

Self-service option

A number of country risk sources are available, which could be considered and, if necessary, weighted to provide a unified and consistent risk-banding against which you can assess whether to treat customers with a nexus to certain countries as relatively high, medium or low risk. Money laundering, terrorist financing and/or bribery & corruption risk linked to certain countries can be assessed through sources/lists provided by:

Commercial option

Commercial service providers incorporate aggregated / multiple country-risk data into a ‘data file’. This could be incorporated via data-feed into your in-house customer risk assessment tool, or accessed via a web-based GUI, or other means. The following might be of interest if this is your preferred way forward (NB: These are provided as examples only and not an FCRM endorsement or recommendation of their functionality above other providers in the market):

  • D&B Country Insight – Described as a comprehensive information source for evaluating cross-border risks and opportunities.
  • Plenitude Compass – Described as an objective approach to assessing country risk that can be integrated into financial crime control frameworks to deliver tangible risk mitigation benefits. It provides a recommended risk rating from five levels for all countries, enabling a granular and targeted approach to business and clients in these jurisdictions. This delivers an ‘off the shelf’ list of risk rated countries, with enhanced insight beyond what is currently available in the industry.
  • Refinitiv - Country Risk Ranking – Described as a powerful solution which allows screening against World-Check Risk Intelligence, while at the same time checking for location-based risk all within the same system.
  • KnowYourCountry – Described as a global research tool designed to provide the data and information your Compliance or Business Development team needs to understand and assess the jurisdictional risk on a case by case basis.

Regulatory consideration

UK regulated firms/businesses must, as a minimum, take account of the following:

  • Reg. 33(1)(b) of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 requires you to apply enhanced due diligence (‘EDD’) measures, to mitigate the risks arising in ‘any’ business relationship or transaction with a person established in a high-risk third country identified by the European Commission. See: Commission Delegated Regulation (EU) 2016/1675 of 14 July 2016
  • The Office of Financial Sanctions Implementation (‘OFSI’) publishes lists linked to financial sanctions imposed by the UK. Financial sanctions which relate to a specific country or terrorist group are known as ‘regimes’. You can find the specific regulations and designated persons for each regime imposed in the UK on the UK Government website. See: Financial sanctions targets by regime

In addition to Enforcement Notices (e.g. see FAQ ‘What happens if we get it wrong?’) the FCA publishes other information of use to the firms it supervises, including:

General guidance

Thematic reviews

  • Banks’ management of high money-laundering risk situations – 2011 Thematic
  • Banks’ control of financial crime risks in trade finance – TR13/3
  • Anti-Money Laundering and Anti-Bribery and Corruption Systems and Controls: Asset Management and Platform Firms – TR13/9
  • How small banks manage money laundering and sanctions risk: update – TR14/16
  • Money Laundering and Terrorist Financing Risks in the E-Money Sector – TR18/3
  • Understanding the money laundering risks in the capital markets – TR19/4

Annual Reports - AML

No anti-money laundering or counter terrorist financing (‘AML/CTF’) framework can guarantee complete protection against, or prevention of, risk. The framework which is best suited to ‘Enterprise A’ may have some similarities to, and differences from, the framework best suited to ‘Enterprise B’.

The framework arrangements which best suit your organisation’s needs should include:

  • Governance - Senior management risk-appetite, risk ownership and accountability (e.g. by Board member or other individual with authority, expertise and resource), with supporting activity endorsed by the Board or equivalent senior management body.
  • Specific appointments -
    1. Regulated firms must appoint a Nominated Officer – Responsible for being aware of any suspicious activity in the business that might be linked to money laundering or terrorist financing, and where necessary, to report it to the National Crime Agency.
    2. FCA regulated firms must appoint an individual as Money Laundering Reporting Officer (‘MLRO’), who might also be the Nominated Officer. MLRO responsibilities are set out in the FCA Handbook (see: SYSC 3.2.6I)
  • Group or firm-wide Policy - With due consideration of legal and regulatory risk in the operating environment, including the countries in and through which business is done (e.g. if transacting in U.S. Dollar, you should take account of U.S. sanctions enforced by OFAC)
  • Risk-based control environment - Design and implement a suitable control framework, which reflects assessed risk and is appropriately resourced to promote an effective anti-money laundering culture, to ensure compliance with policy and supporting procedure(s)
  • Training and Awareness - Development of appropriate training content and ensuring coverage of key AML/CTF risk in the operating environment. Content should, as a minimum, cover:
    1. Policy, procedure and supporting guidance
    2. Risk-based training of relevant staff and any agents used to support delivery of regulated activity (e.g. generic for all staff, with additional focused content for staff in higher-risk roles)
    3. Minimum standards for third-party providers and/or key outsource relationships, where applicable, on your organisation’s AML/CTF requirements
  • Compliance monitoring - Controls testing and assurance must be included, to provide assurance or insight for senior management on compliance with policy and procedure
  • Reporting - An internal mechanism accessible to all staff, so as to be able to report any AML/CTF suspicion identified in regulated activity to the Nominated Officer.
  • Record Keeping - Covering the retention and storage of customer due diligence information, transactions, employee & agents training, service agreements with outsource providers, suspicious activity reports, etc.
