A complete guide to Anti-Money Laundering (AML) regulations in the UK

This comprehensive guide provides an overview of key Anti-Money Laundering (AML) regulations and how firms can achieve compliance to avoid fines and penalties.

Introduction

In the UK, certain businesses are subject to stringent Anti-Money Laundering (AML) regulations. These include banks and building societies, gambling businesses, real estate firms, and dealers in high-value and luxury items, among others.

With the risk of crippling fines and revocation of trading abilities for non-compliance, getting AML compliance right in these firms is business-critical.

What is money laundering?

Money laundering is the illegal process of making large amounts of money generated by criminal activity, such as terrorist funding or drug trafficking, appear to have come from a legitimate source.

This ill-gotten money is deemed ‘dirty’ and is then ‘laundered’ to appear ‘clean’ and usable within the financial system. In laundering dirty money, the source, destination, and identity of funds generated by criminal activities are concealed.

Early anti-money laundering legislation was enacted during the Prohibition era in 1930s America, but the September 11th terrorist attacks (and subsequent Patriot Acts and similar worldwide legislation) led to a heightened emphasis on comprehensive money laundering laws in order to combat terrorism and criminal activity financing. 

In current times, compliance with AML regulations is a much greater challenge for financial institutions, and enforcement has stepped up significantly as well.

“In 2018, it was estimated that British financial institutions were spending £5 billion every year fighting financial crime and preventing money being laundered through their network of bank accounts.”

– WIRED

What are AML regulations?

AML regulations are a comprehensive set of laws, regulations, and procedures aimed at preventing criminals from disguising illegally obtained funds as legitimate income.

These regulations are designed to detect and prevent money laundering activities by mandating the monitoring and reporting of suspicious activity, ensuring that financial institutions have the necessary controls in place. The primary goal of AML regulations is to safeguard the integrity of financial systems and prevent them from being exploited for illicit activities. 

AML regulations aim to prevent and detect money laundering by identifying and mitigating the risk of financial systems being used to launder money derived from criminal activities. This involves financial institutions implementing robust systems to detect and report suspicious activities, thereby reducing the likelihood of money laundering. 

AML regulations also promote transparency in financial transactions and corporate structures to prevent the concealment of illicit funds. This is achieved through requirements for financial institutions to know their customers (KYC) and understand the nature of their business (KYB), ensuring a clear picture of financial activities. 

Protecting the integrity of financial systems is also a key objective of AML regulations. By preventing the influx of illicit funds, these regulations help to maintain the stability of economies and financial institutions. This, in turn, helps to ensure public confidence in the financial system by demonstrating a commitment to preventing and addressing financial crimes.

How money laundering actually works

For anyone responsible for AML controls inside a regulated UK business, understanding the mechanics behind money laundering adds useful context to the rules you apply every day. Regulations exist to interrupt a very deliberate process.

Criminals rarely move illicit funds directly into the legitimate economy. Instead, the money is gradually introduced, moved through layers of transactions, and eventually reintroduced in a way that appears lawful. 

The process of laundering money typically involves three crucial steps: placement, layering and integration. However, criminals often add more complexity to each of these stages, making it more difficult for authorities to trace the original source of the funds and ultimately, making the criminals less likely to be found out. 

Step 1: Placement

Placement involves criminals depositing their ‘dirty’ money into the legal financial system. The money is often large sums of physical cash acquired through bribery, theft and corruption, which criminals now seek to ‘clean’ and move into a legitimate system. They may pay off a loan, lend someone money, or invest in property or foreign currency.

Step 2: Layering

As the money switches hands, its original source is further masked. This is where criminals ‘layer’ transactions to further hide the source of their ill-gotten funds and distance the money from its criminal origins. As money moves around (often at speed and sometimes across borders), it muddies the waters, and knowing where it came from becomes more difficult. This complex web of multiple financial transactions embeds the money into the financial system and further obscures the audit trail of the funds, making it increasingly challenging for authorities to identify, or indeed prove, that the money was in fact laundered.

Step 3: Integration

The final stage of money laundering integrates the funds into the financial ecosystem as legal tender, where they are absorbed into the economy in a legitimate capacity such as art, high-end cars, jewellery or property investments. Once placed and layered, the funds are integrated very carefully, from legitimate sources, to create a credible explanation for where the money came from.

Who is affected by AML regulations in the UK?

AML regulations in the UK apply to a wide range of businesses and professions that are deemed at risk of being used for money laundering or terrorist financing activities.

In many cases, financial services organisations are supervised for money laundering purposes by the Financial Conduct Authority (FCA), but other authorities supervise specific sectors such as the Gambling Commission, Association of Chartered Certified Accountants and HMRC. In instances where businesses are not supervised by a professional body or the FCA, HMRC is often the supervisory authority. 

Essentially, any business that deals with large sums of money or high-value assets is likely to be affected by AML regulations in the UK. Businesses affected by AML regulations in the UK include:

  • Financial institutions
  • Accountancy firms
  • Banks/building societies
  • Estate agents
  • Solicitors and law firms
  • Gambling businesses
  • High value dealers
  • Art market participants
  • Trust service providers
  • Money service businesses

Key UK AML regulations

In the UK, AML regulations are based on a number of domestic and international laws.

The UK’s anti-money laundering and counter terrorist financing network consists of primary and secondary legislation and industry guidance, designed to support His Majesty’s Treasury, in accordance with the Financial Action Task Force’s (FATF) international standards and EU Directives.

There are three key pieces of legislation in the UK designed to combat money laundering and terrorist financing:

  • The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017
  • The Financial Services and Markets Act 2000
  • The Proceeds of Crime Act 2002

The Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (MLR 2017), together with its amendments, is the primary piece of UK legislation designed to combat money laundering and terrorist financing. The regulations apply to various businesses, including banks, financial institutions, and professional services providers, such as lawyers and accountants.

The key requirements of the regulations include:

Customer Due Diligence (CDD): Businesses must carry out CDD checks on their customers to identify and verify their identity, as well as assess the risk of money laundering and terrorist financing.

Risk-based approach: Businesses must conduct a risk assessment to identify and assess the risk of money laundering and terrorist financing that they may be exposed to. Taking a risk-based approach ensures that any risks are assessed in line with their severity and resources are allocated to mitigate these appropriately.

Record-keeping: Businesses must keep records of all CDD checks and transactions. You need to keep a record of all customer due diligence measures carried out, including customer identification documents obtained, risk assessments, policies, controls and procedures, and training records.

Reporting suspicious activity: Businesses must report any suspicious activity to the relevant authorities, such as the National Crime Agency, and must not tip off the customer.

Training and awareness: Businesses must raise awareness and provide training to their staff on the risks of money laundering and terrorist financing.

Sanctions compliance: Businesses must comply with all financial sanctions imposed by the UK government and the European Union.

The regulations aim to improve the effectiveness of the UK’s anti-money laundering and counter-terrorist financing framework by enhancing transparency, strengthening the risk-based approach, and increasing cooperation between businesses, law enforcement, and regulatory authorities.

The Financial Services and Markets Act 2000 (FSMA) regulates financial services and markets in the United Kingdom.

It established the Financial Services Authority (FSA) as the regulator for financial services and markets. The FSA was later replaced with the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA).

The FSMA aims to protect consumers, maintain market confidence, and promote competition in the financial services industry. It also provides a framework for regulating financial services and markets in the UK, including setting standards for conduct and ensuring that firms are adequately funded and managed.

The act covers a wide range of financial products and services, including investments, banking, insurance, and mortgages. It also includes provisions for the regulation of market abuse, insider trading, and other types of financial misconduct.

The Proceeds of Crime Act 2002 (POCA) is a UK law that provides a framework for recovering the proceeds of criminal activity. It aims to prevent criminals from benefiting from their crimes by allowing law enforcement agencies to seize and confiscate assets that have been obtained through illegal methods.

Under POCA, law enforcement can obtain court orders to freeze, seize, and forfeit assets that are suspected of being obtained through criminal activity. This includes money, property, and other assets that have been acquired either directly or indirectly through criminal proceeds.

The act also includes provisions for investigating and prosecuting money laundering. It sets out the requirements for businesses and individuals to report suspicious transactions to the authorities and establishes criminal penalties for those who fail to comply.

The POCA is an important tool in the fight against financial crime, as it helps to disrupt the financial networks of criminal organisations and reduce the incentives for committing crimes.

Global AML regulations and international cooperation

With the regulatory landscape changing constantly, it is important to understand your anti-money laundering compliance requirements and responsibilities.

No matter where you do business, AML compliance is crucial for the success and security of your company. These requirements can vary significantly by location, risk environment, and emerging fintech innovations. 

The AML regulations around the world are constantly evolving, and each country has its own set of laws and regulations. 

The AML regulatory framework in Europe is primarily based on the European Union’s (EU) Fourth and Fifth Anti-Money Laundering Directives, which set out AML requirements for financial institutions operating in the EU. 

The Fourth Anti-Money Laundering Directive (4AMLD) came into effect in 2017 and required EU member states to implement AML regulations in line with the directive. The 4AMLD requires financial institutions to establish AML programs, conduct customer due diligence (CDD), report suspicious transactions, and maintain records of transactions. The directive also introduced beneficial ownership requirements, which require companies to identify their ultimate beneficial owners (UBOs).

The AML regulations in Europe are enforced by national financial regulatory authorities, such as the Financial Conduct Authority (FCA) in the UK, and the European Banking Authority (EBA), which works to ensure consistent application of AML regulations across the EU.

The Fifth Anti-Money Laundering Directive (5AMLD) came into effect in 2020 and further strengthened the EU’s AML regulatory framework. The 5AMLD introduced new requirements, including: 

  • Extending the scope of AML regulations to include virtual currency exchange platforms and custodian wallet providers.
  • Introducing enhanced due diligence measures for high-risk third countries.
  • Introducing the requirement for member states to establish centralised national registers of beneficial ownership information.

In addition to the EU directives, individual EU member states have their own AML regulations. For example, the UK’s Money Laundering Regulations 2017 (MLR 2017) require businesses at risk of being used for money laundering or terrorist financing to establish AML programs, conduct CDD, report suspicious activity, and maintain records of transactions.

The United States has a complex AML regulatory framework that includes multiple agencies and laws. The Bank Secrecy Act (BSA) is the primary federal law that requires financial institutions to report suspicious transactions and maintain records of certain transactions. The Financial Crimes Enforcement Network (FinCEN) is the agency responsible for enforcing the BSA and issuing guidance to financial institutions. Additionally, the USA Patriot Act of 2001 expanded the scope of AML regulations and included provisions related to terrorist financing.

The BSA requires financial institutions to comply with the following AML regulations:

  • Customer Due Diligence (CDD): Financial institutions must perform CDD on their customers to identify and verify their identities. This includes collecting and verifying identifying information, such as name, address, and date of birth.
  • Suspicious Activity Reporting (SAR): Financial institutions are required to file SARs with FinCEN when they suspect that a transaction may be related to money laundering or terrorist financing.
  • Currency Transaction Reporting (CTR): Financial institutions are required to file CTRs with FinCEN for cash transactions exceeding $10,000.

Other AML regulations in the US include:

The USA Patriot Act: This law, passed in response to the 9/11 terrorist attacks, expanded the scope of AML regulations to include provisions related to terrorist financing. This act requires financial institutions to implement additional measures, such as enhanced due diligence for high-risk customers and correspondent banking relationships.

Foreign Account Tax Compliance Act (FATCA): This law requires foreign financial institutions to identify and report on US account holders to the Internal Revenue Service (IRS).

Anti-Money Laundering Examination Manual: The Federal Financial Institutions Examination Council (FFIEC) issues guidance to financial institutions on how to comply with AML regulations. The AML Examination Manual provides guidance on the risk-based approach to AML compliance, AML program requirements, and regulatory expectations for AML compliance.

Taking a risk-based approach to AML compliance

Since 1990, the UK has been a member of the Financial Action Task Force (FATF), an independent inter-governmental body that develops and promotes policies to protect the global financial system.

As a FATF member, the UK commits to developing and strengthening its AML and CTF framework in order to maintain membership; this is achieved through regulations that outlaw money laundering as well as other forms of corruption, and also require financial institutions to take action to combat these crimes.

“A risk-based approach to AML and counter-terrorist financing means that countries, competent authorities and financial institutions, are expected to identify, assess and understand the money laundering and terrorism financing risks to which they are exposed and take AML and counter-terrorist financing measures commensurate to those risks in order to mitigate them effectively.”

– Financial Action Task Force

If the MLR 2017 applies to your business, you must take a risk-based approach and develop measures to identify and assess any threat of money laundering and terrorist financing.

Typically, a risk-based approach to AML and CTF involves:

  • Identifying the risks you face 
  • Evaluating these risks
  • Designing and introducing systems and controls
  • Monitoring your systems and controls
  • Recording what you have done and why
  • Reviewing your processes based on risk level

How shell companies can be used in money laundering

A shell company is a company that exists only on paper and has no office or employees, but may have a bank account, hold passive investments, or be the registered owner of assets such as intellectual property or ships.

The company may serve as a vehicle for business transactions without itself having any significant assets or operations. Shell companies are sometimes used for legitimate business purposes; however, they can also be used for tax evasion, tax avoidance, and money laundering, or simply to achieve a specific goal such as anonymity.

Anonymity may be sought to shield personal assets from others, such as a spouse when a marriage is breaking down, creditors, or government authorities, among others.

Tactics used by shell companies to remain anonymous:

Layers of corporate structures: Using layers of corporate shell companies is a tactic deliberately used to hide the trail of illegal proceeds and to make it harder for regulators to detect and uncover a laundering activity. The known methods are: cash converted into monetary instruments by way of banker’s drafts and money orders, and material assets bought with cash then sold.

Different jurisdictions: Often multiple financial territories are used to increase the complexity of tracing dirty money. For example, a shell company may be set up in the British Virgin Islands to funnel funds to a trust in Wyoming (USA), whilst a lawyer based in London could be used to manage this money, potentially to be held in a bank in Malaysia.

Any one of those structures would be vulnerable to investigation from a law enforcement agency or government. However, when taken together, it becomes an almost entirely impregnable system, because no one agency could afford to combat all of those different countries’ legal systems simultaneously and unlock all the protections the different countries grant to companies.

Hiding Ultimate Beneficial Ownership (UBO): Lastly, shell companies are often set up in a manner that obscures the true identity of the Ultimate Beneficial Owners (UBOs) and makes verification extremely difficult. They may be sanctioned individuals or on a PEP list, but the degree of anonymity these companies provide means they can evade sanctions and avoid the AML measures firms use to detect suspicious financial activity.

“Lack of transparency in the formation and operation of shell companies may be a desired characteristic for certain legitimate business activity, but it is also a vulnerability that allows these companies to disguise their ownership and purpose.”

– Financial Crimes Enforcement Network (FinCEN)

Money laundering risks across key financial sectors

Certain financial sectors attract greater regulatory attention because of the speed, scale and complexity of the transactions they support. Industries that move funds across borders, handle high-value investments or operate through digital platforms create opportunities for criminals to disguise illicit proceeds within legitimate financial activity.

International payments and foreign exchange: The international payments and foreign exchange sector handles vast transaction volumes across global markets that operate around the clock. This speed and scale make the industry attractive for criminals attempting to move illicit funds quickly between jurisdictions. Cross-border transfers often pass through multiple financial institutions, which can obscure the origin of funds and complicate audit trails.

Money service businesses and FX providers are therefore subject to heightened regulatory scrutiny. Weak customer due diligence, limited monitoring of transaction activity or inadequate staff training can expose firms to financial crime risk. For AML professionals, strong Know Your Customer processes and continuous monitoring play a central role in identifying suspicious cross-border transactions.

WealthTech: WealthTech platforms use financial technology to deliver digital investment and wealth management services, often relying on automated systems to build personalised investment portfolios. These platforms analyse information such as income, age and investment preferences to provide tailored recommendations through online platforms.

The digital structure introduces AML challenges, particularly when investors operate across multiple jurisdictions or hold assets through complex corporate structures. Offshore trusts or layered company ownership can obscure beneficial ownership and make the origin of funds harder to verify. WealthTech firms also prioritise fast digital onboarding, which can create pressure to streamline verification processes. AML teams must balance efficient onboarding with strong identity checks and ongoing monitoring.

Peer-to-peer lending platforms: Peer-to-peer lending platforms connect borrowers and investors directly through digital marketplaces, removing many traditional banking intermediaries. While this model improves access to funding, it also introduces AML risks linked to online participation and high volumes of users. Verifying the identity and legitimacy of every borrower and lender can be challenging, particularly when documentation is incomplete or sources of wealth are unclear.

Criminals may attempt to exploit these platforms by posing as legitimate participants to circulate illicit funds through the lending ecosystem. For compliance teams, effective AML controls rely on thorough customer verification, detailed risk assessments and ongoing monitoring to identify unusual behaviour across lending activity.

Customer Due Diligence (CDD) and Know Your Customer (KYC) requirements

All customers or entities entering into a relationship with a regulated organisation must undergo checks in accordance with anti-money laundering regulations.

As a minimum regulatory requirement, the FATF recommends that financial institutions undertake customer due diligence measures when:

  • It’s new business: when establishing new business relations with a customer.
  • More than €15,000: when occasional transactions amount to more than €15,000.
  • You have suspicions: there is a suspicion of money laundering or terrorism financing.
  • There are doubts: the accuracy or adequacy of customer information is in doubt.

“Effective AML and combatting the financing of terrorism regimes are essential to protect the integrity of markets and of the global financial framework as they help mitigate the factors that facilitate financial abuse.”

– Min Zhu, Deputy Managing Director of the International Monetary Fund

Know Your Customer (KYC) checks

Regulated businesses must comply with Know Your Customer (KYC) obligations in order to ensure the legitimacy of customers.

Organisations must verify customers before opening an account or processing a transaction.

KYC checks typically require customers to provide proof of identity, address verification, and sometimes other information related to the situation or transaction in question.

People may also be screened for sanctions, political exposure, CCJs and credit checks, depending on their relationships and risk factors.

Ongoing monitoring

It is also crucial for businesses to monitor their clients throughout their entire relationship with them. While initial KYC checks satisfy AML regulatory requirements at the point of an individual becoming a customer, things can change drastically in a short space of time.

A client identified as low-risk at the time of initial onboarding may be elected into a public or governmental position a year later, at which point they would become a Politically Exposed Person (PEP).

As such, they would be exposed to far higher risk of financial crime and must be treated with adequate caution.

PEPs and sanctions screening

Similarly, regulatory bodies such as the FATF, the US Department of the Treasury, His Majesty’s Treasury and the EU all have detailed requirements for financial institutions to verify customers against lists of sanctioned individuals, companies and countries.

Understanding any risk profile changes to both companies and individuals is critical to AML compliance.

Firms must keep tabs on political exposure, sanctions or adverse media and ensure they remain compliant with anti-money laundering regulations.

Suspicious Activity Reporting (SAR) requirements in the UK

Under Part 7 of the Proceeds of Crime Act, individuals working within regulated organisations are required to submit a Suspicious Activity Report (SAR) to the National Crime Agency if they know, suspect or have reasonable grounds to believe that a person is engaged in, or is attempting to engage in, money laundering or terrorist financing.

The National Crime Agency’s Financial Intelligence Unit receives more than 460,000 SARs a year, with each report being analysed for strategic and tactical intelligence before the most sensitive are identified and sent to law enforcement or other organisations for investigation.

SARs are often used for multiple purposes by different organisations. The information in a SAR may provide HM Revenue & Customs with taxation information, local police with information about fraud and theft, and a government department with information about a financial product flaw or issue. Reports can be made online through the SAR online system or by using forms for manual reporting.

“Suspicious Activity Reports (SARs) are made by financial institutions and other professionals such as solicitors, accountants and estate agents and are a vital source of intelligence not only on economic crime but on a wide range of criminal activity. They provide information and intelligence from the private sector that would otherwise not be visible to law enforcement.”

– National Crime Agency

Non-compliance with UK AML regulations

Failure to comply with AML regulations can have serious consequences – both civil and criminal. Such penalties range from unlimited fines and reputational damage to sanctions, licence revocation and even jail time.

What’s more, HMRC has a duty to publish details of every business that has not complied with MLR 2017. This list is available in the public domain and details a business’s name and address, the regulations that have been breached, the amount fined, and whether the firm in question is appealing the penalty.

The number of examples of companies failing to adhere to anti-money laundering regulations is significant. Almost a million (901,255) SARs were registered with the NCA in the period from April 2021 to April 2022, published in their annual report, an increase of 21% on the same period in the previous year.

And this is just those cases that are being registered! It is hard to identify precisely how many instances of money laundering are flying under the radar without detection and prosecution.

With the number of money laundering cases rocketing, we take a look at some of the most significant cases from recent years and examine some record-breaking fines for AML and CTF failings.

HSBC

Fined $1.9bn

HSBC was fined for having insufficient AML measures in place which enabled around $8 billion to be laundered over a seven year period.

It was found that HSBC provided services to terrorist organisations and allowed transactions involving blacklisted countries like Iran and North Korea.

Santander

Fined £107.7m

Santander was fined by the FCA for ‘serious and persistent gaps’ in their anti-money laundering controls, and a lack of due diligence between December 2012 and October 2017.

It was estimated that over £298m was successfully processed through business accounts despite red flags being raised.

888.com

Fined £9.4m

888 were fined for AML failings and poor social responsibility.

Customers were allowed to gamble large amounts of money without sufficient due diligence, the company failed to identify players at risk of harm and failed to implement guidance on customer interaction from the Gambling Commission.
