Anti-Money Laundering for Businesses
A guide to anti-money laundering requirements for UK businesses, including due diligence, reporting obligations and the regulatory framework.
Anti-money laundering (AML) regulations require UK businesses in certain sectors to take active steps to prevent criminals from using legitimate businesses to disguise the origins of illegally obtained money. Failing to comply can result in criminal prosecution, unlimited fines and significant reputational damage.
Even if your business is not in a traditionally regulated sector, understanding AML basics protects you from inadvertently facilitating financial crime.
Who is covered by AML regulations?
The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) apply to businesses in the “regulated sector”, which includes:
- Accountants and tax advisers
- Estate agents and letting agents
- Legal professionals (solicitors, barristers)
- Financial institutions (banks, building societies, insurance companies)
- Trust and company service providers
- High-value dealers (businesses accepting cash payments of €10,000 or more)
- Art market participants (dealers handling transactions of €10,000 or more)
- Cryptoasset exchange providers and custodian wallet providers
If your business falls within any of these categories, you must comply with the full AML regime. If it does not, you still have a general obligation under the Proceeds of Crime Act 2002 (POCA) not to deal with the proceeds of crime.
Core AML obligations
Risk assessment
Every regulated business must carry out a firm-wide risk assessment that identifies and assesses the money laundering and terrorist financing risks it faces. This assessment must consider:
| Risk factor | What to assess |
|---|---|
| Customers | Who are they? Where are they based? What is their risk profile? |
| Products and services | Which of your services could be exploited for money laundering? |
| Delivery channels | Face-to-face vs remote? Introduced by third parties? |
| Geographic risk | Do you deal with high-risk countries? |
| Transaction patterns | Are there unusual patterns, sizes or frequencies? |
The risk assessment must be documented, kept up to date and made available to your supervisory authority on request.
Customer due diligence (CDD)
Before establishing a business relationship or carrying out an occasional transaction above certain thresholds, you must carry out customer due diligence:
- Identify the customer – obtain their name, date of birth and residential address
- Verify identity – check identity documents (passport, driving licence) or use electronic verification
- Identify beneficial owners – determine who ultimately owns or controls the customer (anyone holding more than 25% of shares or voting rights)
- Assess the purpose and nature of the business relationship
Enhanced due diligence (EDD)
Enhanced checks are required in higher-risk situations:
- Politically Exposed Persons (PEPs) – individuals holding prominent public positions, their family members and known close associates
- Customers from high-risk third countries – countries identified by the Financial Action Task Force (FATF) or the UK government
- Complex or unusually large transactions with no apparent legitimate purpose
- New technologies or delivery mechanisms that may increase anonymity
EDD measures might include obtaining additional identity documentation, verifying the source of funds, obtaining senior management approval and conducting ongoing enhanced monitoring.
Simplified due diligence (SDD)
For lower-risk customers (such as UK-listed companies or UK public authorities), you may apply simplified due diligence – reduced checks based on the lower risk profile. However, you must still be able to demonstrate that the lower risk assessment is justified.
Suspicious Activity Reports (SARs)
If you know or suspect that a person is engaged in money laundering or terrorist financing, you must file a Suspicious Activity Report (SAR) with the National Crime Agency (NCA).
Key rules:
- Reports must be filed as soon as practicable after the suspicion arises
- You must not tip off the customer that a report has been made
- If you want to proceed with a transaction that you have reported, you must obtain consent from the NCA (known as a Defence Against Money Laundering, or DAML)
- Failure to report is a criminal offence carrying up to 5 years’ imprisonment
What triggers a SAR?
There is no definitive list, but common indicators include:
- Customer reluctant to provide identification
- Transactions that do not match the customer’s known profile
- Unusually large cash transactions
- Complex transaction structures with no apparent legitimate purpose
- Connections to countries with weak AML controls
- Customer acting on behalf of undisclosed third parties
Record-keeping
AML records must be kept for 5 years after the end of the business relationship or the date of the occasional transaction. Records include:
- Copies of identification documents
- Details of all transactions carried out
- Results of due diligence and ongoing monitoring
- Internal suspicion reports and SARs filed
This aligns with broader accounting records retention requirements, though the AML-specific retention period runs from the end of the relationship, not the end of the accounting period.
Policies, controls and procedures
Regulated businesses must have written AML policies covering:
- Customer due diligence procedures
- Reporting procedures (internal and external)
- Record-keeping procedures
- Risk assessment methodology
- Screening of employees
- Training – all relevant staff must receive AML training at the start of their employment and at regular intervals
You must appoint a nominated officer (also called the Money Laundering Reporting Officer, or MLRO) responsible for receiving internal suspicious activity reports and filing SARs with the NCA.
Supervisory authorities
Your AML supervisory authority depends on your sector:
| Sector | Supervisory authority |
|---|---|
| Banks and financial services | FCA (Financial Conduct Authority) |
| Accountants (ICAEW members) | ICAEW |
| Accountants (ACCA members) | ACCA |
| Accountants (not professionally supervised) | HMRC |
| Solicitors (England and Wales) | SRA (Solicitors Regulation Authority) |
| Estate agents | HMRC |
| Trust and company service providers | HMRC |
| Cryptoasset businesses | FCA |
If you are unsure which supervisory body applies to your business, HMRC is the default supervisor for businesses in the regulated sector that are not supervised by a professional body.
Penalties
AML failures carry severe consequences:
| Offence | Maximum penalty |
|---|---|
| Failure to comply with MLR 2017 | Unlimited fine and/or 2 years’ imprisonment |
| Failure to report (POCA) | Up to 5 years’ imprisonment |
| Tipping off | Up to 5 years’ imprisonment |
| Money laundering offence (POCA) | Up to 14 years’ imprisonment |
Beyond criminal penalties, regulated firms face enforcement action from their supervisory authority, which can include fines, public censure and removal of authorisation to operate.
Practical steps for small businesses
Even small businesses in the regulated sector must have proportionate AML measures. Practically, this means:
- Complete your firm-wide risk assessment and review it annually
- Document your CDD procedures and apply them consistently
- Train your staff – even a sole practitioner needs to evidence their own training
- Keep records of all identification checks and transactions
- Appoint a nominated officer (this can be the owner in a small firm)
- Screen against sanctions lists – the UK sanctions list is available from the Office of Financial Sanctions Implementation (OFSI)
- Report suspicions – when in doubt, file a SAR; you are protected from liability for reporting in good faith
AML compliance is not just a regulatory box-ticking exercise. It protects your business from criminal exploitation and the devastating consequences of being associated with financial crime.