Breaking Down KYC/AML Regulations in the UK: Easy-to-read Guide

UK law enforcement strictly oversees all business spheres falling under Anti-Money Laundering (AML) regulations and imposes significant fines for non-compliance. This includes finance, gambling, real estate, the art trade, and more.

In August 2022, Entain Plc received a £17 million ($20.6 mln) fine, the largest ever for a UK bookmaker, after failing to enforce AML measures. A year before, National Westminster Bank Plc was slapped with a £265 million ($298 mln) fine for AML failures related to just one client.

This guide provides an overview of AML compliance in the UK, helping you avoid fines and simplify compliance.

What are the main money laundering regulations in the UK?

AML requirements in the UK are based on several domestic and international laws. Here are the main ones:

• The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 and its amendments obligate businesses to follow various AML requirements. It was amended in 2019 to transpose the 5th AML Directive into national law (the UK decided not to transpose the 6th AML Directive due to the fact that most of it was already covered by UK law).
• The Financial Services and Markets Act 2000 (FSMA) is the primary regulation for all financial services in the UK. This law enacts the Financial Conduct Authority as the main AML regulator and provides guidelines for its duties.
• Proceeds of Crime Act 2002 outlines criminal offenses and the penalties for them. It also obliges businesses to report suspicious activity.

The FCA Handbook, the JMLSG guides, and the HM Treasury’s guidance and notices are all helpful resources for understanding AML requirements in the UK.

Who regulates AML in the UK?

Several law enforcement authorities regulate businesses in the UK, including:

• The Financial Conduct Authority (FCA) is the UK’s primary AML regulator. It mainly oversees financial institutions, such as banks, crypto businesses, and other firms in the financial services industry. It also has the authority to investigate money laundering offenses across all industries.

Suggested read: Demystifying the FCA’s Demands: A Detailed Guide for the UK’s AML Requirements.

• HM Revenue & Customs (HMRC) together with the Serious Fraud Office (SFO) and the National Crime Agency (NCA) enforce AML regulations in the UK. They also investigate financial crimes along with the FCA.

There are also industry-specific regulators like the Gambling Commission, which oversees AML compliance in gambling businesses.

Suggested read: The Gambling Commission: AML, License Requirements, Responsible Gambling and More.

Who is subject to AML regulations in the UK?

There are over 100,000 businesses in the UK that fall under AML regulations. This includes, but isn’t limited to:

• Banks, building societies, and credit institutions;
• Crypto businesses;
• Gambling and betting platforms;
• Estate agents;
• High-value dealers (jewelers, art dealers*, auctioneers, car dealers);
• Money service businesses;
• Trusts, including express trusts**, or company service providers.

*In July 2022, the UK updated its Anti-Money Laundering Guidelines for Art Market Participants. The guidelines clarify who falls under the “regulated art sector” and, therefore, must conduct KYC.

**As of September 2022, all UK and certain non-UK express trusts—trusts expressly created, usually in writing, rather than by inference—are subject to AML regulations and need to register with the HMRC.

We’ll continue to monitor changes in regulations and update this article regularly, so save it to your bookmarks.

How to get compliant with UK AML requirements

AML compliance entails the prevention of money laundering, terrorist financing, fraud, and other financial crimes. Here is a breakdown of the required procedures.

• Risk assessment and the risk-based approach

  To implement relevant internal safeguards and controls, a business must first understand what money laundering risks it faces. To assess these risks, businesses must consider:

  • Who their clients are;
  • Types of products and services they offer;
  • Jurisdictions in which they operate;
  • Delivery channels;
  • Transactions.

  For instance, if a business operates remotely, it faces higher risks than businesses conducting face-to-face onboarding. This is because it’s much easier to bypass remote verification using fake documents, and the business must understand how to mitigate this risk—for example, by adding facial recognition or video verification to their onboarding process. On the contrary, businesses that don’t offer complex products and have no international exposure may not need to assess as many risks.

  The core obligations under the risk-based approach include (according to the JMLSG guide):

  • Identifying the risks of money laundering and terrorist financing;
  • Building appropriate systems and controls that mitigate the identified risks;
  • Determining appropriate Customer Due Diligence (CDD) measures on a risk-sensitive basis, depending on the type of customer, business relationship, product, or transaction;
  • Taking into account situations and products which by their nature can present a higher risk of money laundering or terrorist financing (e.g., occasional transactions with PEPs).

  Businesses should record these actions (what has been done, and why) and keep them up-to-date. Please find more information in the JMLSG guide (chapter four).

• CDD checks in the UK

  According to the JMLSG guide, CDD involves identifying and verifying a customer and their beneficial owner (where relevant) as well as assessing and obtaining, where appropriate, information on the purpose and intended nature of the business relationship or transaction.

  A company applies CDD when:

  • A business relationship is established;
  • An occasional transaction is to be carried out;
  • There is a suspicion of money laundering or terrorist financing;
  • The integrity of documents or information previously attained is questionable.

  Identification: To identify an individual, businesses must request their name, residential address, and date of birth. For a legal person, businesses must take reasonable measures to understand its ownership and control structure.

  Verification: Businesses can verify a customer through identity documents (a passport, driving license, etc.) or using information received from a reliable and independent source (e.g., written assurance from a company that has already dealt with the customer).

  If using a KYC service, businesses must ensure that the provider is reliable in terms of its technology and policies. Some of the major requirements for such providers include:

  • Registration with the Information Commissioner’s Office (or an equivalent) to store personal data;
  • Access to a wide range of information sources;
  • Transparency.

  CDD doesn’t end after customer verification, as some businesses might think. Beyond verification, businesses must choose the right due diligence track (regular, simplified, or enhanced) and deal with the customer accordingly. So,  if it has been determined that a customer presents a low risk, businesses can apply simplified due diligence. In the case of higher-risk customers, specifically PEPs, enhanced due diligence measures must be applied.

  Find out how to conduct enhanced and simplified due diligence in detail in our Compliance Guidelines for the United Kingdom.

• AML screening

  Businesses should have effective and up-to-date screening systems appropriate to the nature, size, and risk of their business.

  Both legal and natural persons should be checked against various watchlists such as the UK government’s financial sanctions list and trade sanctions list, the European Commission’s list of high-risk third countries, and the Treasury’s list of high-risk countries & countries towards which enhanced due diligence is required.

  Although screening customers against all these sanctions lists isn’t a legal requirement, the FCA highly recommends doing so to avoid compliance breaches.

• Ongoing monitoring

  Businesses should conduct ongoing monitoring of existing customers. This includes:

  • Transaction monitoring that ensures that  transactions are consistent with the business’s knowledge of the customer, their business, and their risk profile.
  • Reviewing  existing records and keeping documents or information obtained through CDD up-to-date.

  The goal of monitoring is to identify unusual activities for further investigation.

• Recording and retention requirements

  UK businesses must record due diligence check results, transactions (information about payers and payees for wire transfers), suspicious activity reports, information on established business relationships and offered services, in addition to communications with customers (telephone calls, emails, SMS, etc.). Copies of documents and information obtained during due diligence checks must be kept for five years after the business relationship ends. Companies must also maintain records of occasional transactions for five years after the transaction took place.

• Reporting

  Under the Proceeds of Crime Act 2002, businesses must report any suspicious activity that they detect. A Suspicious Activity Report (SAR) must be submitted to the National Crime Agency (NCA) by a nominated officer as soon as the suspicion arises. This can be done online.

• Organizational structure

  Businesses should understand their organizational structure in relation to combating financial crimes. This structure can differ from company to company. For instance, a large company may be able to maintain a separate AML department, whereas a small company is likely to have staff managing several duties simultaneously. Businesses can keep any structure as long as it is clear and mitigates risks.

  Nominated officers and MLROs. Businesses are also required to appoint a nominated officer. FCA-regulated businesses must also select a Money-Laundering Reporting Officer (MLRO). The duties of the nominated officer and the MLRO are different: a nominated officer reports money laundering cases, while an MLRO manages the company’s AML compliance with FCA rules. One member of staff can be both a nominated officer and an MLRO.

  Employee training and vetting. Companies are required to monitor their employees and provide AMLtraining. Employees that are exposed to a higher risk of money laundering are subject to a higher degree of vetting.

Sanctions

AML failures can lead to fines, license revocation, employee termination, or imprisonment.

There is no set limit to the fines that the FCA can impose. Instead, the regulator examines every case and calculates the amount based on a 5-step approach (see DEPP 6.5 Determining the appropriate level of financial penalty).

The total amount of fines that the FCA enforced in 2022 so far is £39,233,360‬ ($44 mln). The following businesses were sanctioned for financial crimes:

• The TJM Partnership Limited—£2,038,700 ($2.3 mln);
• Ghana International Bank Plc—£5,829,900 ($6.6 mln);
• JLT Specialty Limited—£7,881,700 ($8.9 mln).

The regulator can also criminally prosecute employees engaged in money laundering or allowing it to happen. While insufficient AML compliance can result in a fine and/or a prison term of up to two years, actual money laundering offenses can, in the most severe cases, lead to 14 years of imprisonment.

More on UK compliance

• The Gambling Commission: AML, License Requirements, Responsible Gambling and More;
• Gambling in the UK: How to Get Licensed and Stay Compliant;
• How to Submit the Annual Financial Report for UK Cryptoasset Businesses;
• Demystifying the FCA’s Demands: A Detailed Guide for the UK’s AML Requirements.

We’ve also prepared a downloadable UK AML compliance guidance just for you. Get it here.