Breaking Down KYC/AML Regulations in the UK: Easy-to-read Guide (2025)
The UK has advanced Anti-Money Laundering regulations in place, so compliance isn’t easy. This guide is here to help.
UK law enforcement strictly oversees all business spheres falling under Anti-Money Laundering (AML) regulations and imposes significant fines for non-compliance. This includes finance, gambling, real estate, the art trade, and more.
In November 2024, Metro Bank was fined nearly £17 million ($21 mln) by the FCA for failing to properly monitor potential money laundering between 2016 and 2020. Another bank, Starling, was fined £29 million ($36.6 mln) a month before for overly lenient financial crime control. This could have been avoided if the banks had had robust AML mechanisms in place.
This guide provides an overview of AML compliance in the UK, helping you avoid fines and simplify compliance.
AML requirements in the UK are based on several domestic and international laws. Here are the main ones:
The FCA Handbook, the JMLSG guides, and the HM Treasury’s guidance and notices are all helpful resources for understanding AML requirements in the UK.
Several law enforcement authorities regulate businesses in the UK, including:
There are also industry-specific regulators like the Gambling Commission, which oversees AML compliance in gambling businesses.
There are over 100,000 businesses in the UK that fall under AML regulations. This includes, but isn’t limited to:
*In February 2023, the UK updated its Anti-Money Laundering Guidelines for Art Market Participants. The guidelines clarify who falls under the “regulated art sector” and, therefore, must conduct KYC. They also provide updates on what has to be done prior to establishing a business relationship.
**As of September 2022, all UK and certain non-UK express trusts (trusts expressly created, usually in writing, rather than by inference) are subject to AML regulations and need to register with HMRC.
We’ll continue to monitor changes in regulations and update this article regularly, so save it to your bookmarks.
AML compliance entails the prevention of money laundering, terrorist financing, fraud, and other financial crimes. Here is a breakdown of the required procedures.
To implement relevant internal safeguards and controls, a business must first understand what money laundering risks it faces. To assess these risks, businesses must consider:
The core obligations under the risk-based approach include (according to the JMLSG guide):
Businesses should record these actions (what has been done, and why) and keep them up-to-date. Please find more information in the JMLSG guide (chapter four).
According to the JMLSG guide, CDD involves identifying and verifying a customer and their beneficial owner (where relevant) as well as assessing and obtaining, where appropriate, information on the purpose and intended nature of the business relationship or transaction.
A company applies CDD when:
Identification: To identify an individual, businesses must request their name, residential address, and date of birth. For a legal person, businesses must take reasonable measures to understand its ownership and control structure.
Verification: Businesses can verify a customer through identity documents (a passport, driving license, etc.) or using information received from a reliable and independent source (e.g., written assurance from a company that has already dealt with the customer).
If using a KYC service, businesses must ensure that the provider is reliable in terms of its technology and policies. Some of the major requirements for such providers include:
CDD doesn’t end after customer verification, as some businesses might think. Beyond verification, businesses must choose the right due diligence track (regular, simplified, or enhanced) and deal with the customer accordingly. So, if it has been determined that a customer presents a low risk, businesses can apply simplified due diligence. In the case of higher-risk customers, specifically PEPs, enhanced due diligence measures must be applied.
Businesses should have effective and up-to-date screening systems appropriate to the nature, size, and risk of their business.
Both legal and natural persons should be checked against various watchlists such as the UK government’s financial sanctions list and trade sanctions list, the European Commission’s list of high-risk third countries, and the Treasury’s list of high-risk countries & countries towards which enhanced due diligence is required.
Although screening customers against all these sanctions lists isn’t a legal requirement, the FCA highly recommends doing so to avoid compliance breaches.
Businesses should conduct ongoing monitoring of existing customers. This includes:
UK businesses must record due diligence check results, transactions (information about payers and payees for wire transfers), suspicious activity reports, information on established business relationships and offered services, in addition to communications with customers (telephone calls, emails, SMS, etc.). Copies of documents and information obtained during due diligence checks must be kept for five years after the business relationship ends. Companies must also maintain records of occasional transactions for five years after the transaction took place.
Under the Proceeds of Crime Act 2002, businesses must report any suspicious activity that they detect. A Suspicious Activity Report (SAR) must be submitted to the National Crime Agency (NCA) by a nominated officer as soon as the suspicion arises. This can be done online.
Businesses should understand their organizational structure in relation to combating financial crimes. This structure can differ from company to company. For instance, a large company may be able to maintain a separate AML department, whereas a small company is likely to have staff managing several duties simultaneously. Businesses can keep any structure as long as it is clear and mitigates risks.
Nominated officers and MLROs. Businesses are also required to appoint a nominated officer. FCA-regulated businesses must also select a Money-Laundering Reporting Officer (MLRO). The duties of the nominated officer and the MLRO are different: a nominated officer reports money laundering cases, while an MLRO manages the company’s AML compliance with FCA rules. One member of staff can be both a nominated officer and an MLRO.
Employee training and vetting. Companies are required to monitor their employees and provide AML training. Employees who are exposed to a higher risk of money laundering are subject to a higher degree of vetting.
AML failures can lead to fines, license revocation, employee termination, or imprisonment.
There is no set limit to the fines that the FCA can impose. Instead, the regulator examines every case and calculates the amount based on a 5-step approach (see DEPP 6.5 Determining the appropriate level of financial penalty).
The total amount of fines that the FCA enforced by November 2024 is £121,512,517 ($153.6 mln). The following businesses were sanctioned for financial crimes:
The regulator can also criminally prosecute employees engaged in money laundering or allowing it to happen. While insufficient AML compliance can result in a fine and/or a prison term of up to two years, actual money laundering offenses can, in the most severe cases, lead to 14 years of imprisonment.
Money laundering, in the UK and globally, follows three key stages: placement, layering, and integration. In the initial step, placement, the illicit money is introduced into the financial system. During layering, money is moved through various transactions to obscure its origin and make it difficult to trace. Finally, during integration, the money is reintroduced into the legitimate economy, appearing as if it comes from a legitimate source.
There are three main anti-money laundering laws in the UK. The first one is the Proceeds of Crime Act 2002 (POCA), which criminalizes money laundering and provides the framework for confiscating criminal proceeds. Then, the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs) implement the EU’s 5th Anti-Money Laundering Directive (AMLD5). Finally, the Financial Services and Markets Act 2000 (FSMA) regulates financial services and enforces AML compliance.
KYC, or “Know Your Customer,” is a cornerstone of the UK’s anti-money laundering (AML) framework. It involves verifying customer identities and assessing their risk of involvement in money laundering or other financial crimes.