Jul 22, 2020

Demystifying the FCA’s Demands: A Detailed Guide for the UK’s AML Requirements

Name: The Financial Conduct Authority (FCA)
Role: Financial regulator
Country: the UK
Year of foundation: 2013

The field of responsibility

The FCA is one of the strictest and yet most respected regulators worldwide. Along with the Bank of England, it supervises financial businesses in the UK, such as banks, credit firms, electronic money institutions, insurers, and many more. See the full list of reporting entities under the ‘firms’ section of the FCA’s website.

The activity of the regulator can be divided into two major blocks:

  1. Protection of consumers. The FCA expects businesses to prioritize their customers’ interests over profits. The regulator promotes competition in the interests of consumers and requires companies to offer only products and services that are appropriate for their customers.
  2. Control over organizations. The Authority ensures that only the companies that satisfy the set standards enter the market and that they stay compliant with these standards. Supporting the overall integrity and transparency of the market is also among the functions of the regulator.

Now, we’ll move on to the laws that form the legal basis for the FCA’s activity.

Legal basis

The FCA’s AML requirements are based on several domestic and international laws. Here are the principal ones:

  1. The Financial Services and Markets Act 2000 (FSMA) is the primary regulation for all financial services and markets in the UK. This law enacts the FCA and provides guidelines on the regulator’s duties.
  2. The Financial Services Act 2012 establishes a system of financial business supervision, with the FCA and the Bank of England at the top. The latter comprises two agencies: the PRA (the Prudential Regulation Authority) and the FPC (the Financial Policy Committee).
  3. The Proceeds of Crime Act 2002 sets out criminal offenses and the penalties for them.
  4. The Terrorism Act 2000 (as amended by the Anti-terrorism, Crime and Security Act 2001) and the Counter-terrorism Act 2008 define what terrorism is and how it can be combated. The laws also provide penalties for engaging in and/or supporting terrorism. In addition, the Terrorist Asset-Freezing etc. Act 2010 imposes financial restrictions on persons involved in terrorism.
  5. The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 and the Regulations 2019 (Amendments) set out the AML requirements that companies must meet. The latter transposes the 5th Anti-Money Laundering Directive into national law.
  6. The Payment Services Regulations 2017 regulate businesses that provide non-electronic and electronic money services (e.g., banks and e-money issuers). The Electronic Money Regulations 2011 introduced requirements for electronic money service providers and continue to govern the protection of service users.

The UK anti-money laundering regulation is based on international requirements. In particular, the European 4th and 5th Anti-Money Laundering Directives are transposed into national law. However, the country will not implement the upcoming 6th AMLD.

The FCA Handbook, the JMLSG guides, and the HM Treasury’s guidance and notices are also very helpful in understanding how the FCA exercises its functions.

To ensure the stability of the market and the protection of consumers, the FCA collaborates with a number of regulators, primarily the Bank of England and the Treasury. See the full list of other organizations that the FCA works with.

AML compliance requirements

AML compliance entails the prevention of money laundering, terrorist financing, fraud, and other financial crimes. Here is a breakdown of the procedures that the FCA enforces:

  1. Risk assessments and a risk-based approach. These are the primary elements of any AML compliance procedure; to implement relevant internal safeguards and controls, a company must first understand what risks it faces. To assess these risks, businesses must consider the types of products and services they offer, the jurisdictions in which they operate, and who their clients are.
  2. Know Your Customer (KYC). The FCA requires companies to identify and verify all of their customers. Verification means confirming an individual’s or a business’s identity against documents or information obtained from a reliable source.
  3. AML compliance program. A company is to have written policies and procedures that show how exactly it deals with money laundering and other risks. This documentation must be accessible and kept up-to-date.
  4. Organizational structure. Businesses should understand their organizational structure in relation to combating financial crimes. This structure can differ from company to company. For instance, a large company may be able to maintain a separate AML department, whereas a small company is likely to have staff managing several duties simultaneously. Businesses can keep any structure as long as it is clear and works to mitigate the risks. Here are some necessary components of any company’s organizational structure, in terms of AML compliance:

    Senior management is responsible for overseeing the company’s money laundering risks. The management is required to acquire so-called ‘financial crime management information’ from other company members. This information includes the assessment of the risks that the business is exposed to, the efficiency of their mitigation, the number and nature of new business relationships and more. For additional insights, please refer to the ‘Financial Crime Management Information’ section in the Financial Crime Guide.

    Every company that complies with the ML Regulations is required to appoint a nominated officer. Businesses that are regulated by the FCA must also select a Money-Laundering Reporting Officer (MLRO). Duties of the nominated officer and the MLRO are different: a nominated officer reports money laundering cases, while an MLRO manages the company’s AML compliance with the FCA rules. One member of staff can be both a nominated officer and an MLRO.

  5. Employee training and vetting. Companies are required to vet their employees and provide training so that staff are able to spot financial crimes. Staff of businesses that are exposed to a higher risk of money laundering are subject to a higher degree of vetting.
  6. Recording and retention. Copies of documents and information obtained during due diligence checks must be kept for five years after the business relationship ends. Companies must also maintain records of occasional transactions for five years after the transaction took place. Records for usual transactions within a business relationship need not be stored for more than ten years.
  7. Reporting. Suspicious Activity Reports (SARs) must be sent to the National Crime Agency (NCA).

The FCA requires companies to monitor the implementation and relevance of all these procedures on an ongoing basis. How a business performs its AML compliance duties must also be regularly assessed through internal and external auditing.

A company can seek the help of a service provider in carrying out its KYC duties.

Customer Due Diligence requirements

“Applying CDD measures involves several steps. The firm is required to verify the identity of customers and, where applicable, beneficial owners. The purpose and intended nature of the business relationship must also be assessed, and if appropriate, information on this obtained.” (The JMLSG’s guide on Prevention of money laundering/combating terrorist financing, §5.3.1.)

As part of any KYC procedure, Customer Due Diligence (CDD) must be carried out. Depending on the situation, this check can be either simplified or enhanced.

A company applies CDD when:

  1. A business relationship is established
  2. An occasional transaction is to be carried out
  3. There is a suspicion of money laundering or terrorist financing
  4. The integrity of documents or information previously obtained is questionable

The list of information that needs to be collected for CDD differs for natural persons and legal persons.

Natural persons:

  1. Name
  2. Residential address
  3. Date of birth

Legal persons:

  1. Name
  2. Registration number
  3. Address of the registered office
  4. Principal place of business (if different from the registered office)
  5. Name of a person (persons) who owns or controls 25% or more of the company’s shares or voting rights
  6. Name of a person (persons) who controls the company’s management
  7. Law to which the company is subject
  8. Constitution
  9. Name of the directors and senior management

The FCA prescribes slightly different CDD requirements for each type of business (state-owned firms, public sector companies, etc.), so it is always recommended to refer to the JMLSG guide section dedicated to the relevant type.

Both legal and natural persons should be checked against various watchlists such as the UK government’s financial sanctions list and trade sanctions list, the European Commission’s list of high-risk third countries and the Treasury’s list of high-risk countries & countries towards which enhanced due diligence is required. Although the screening of customers against all these sanctions lists is not a legal requirement, the FCA still highly recommends doing so to avoid breaches of the sanctions regime.

If a company cannot apply CDD or is not satisfied with the results of the check (for instance, when it cannot obtain information about the beneficial owner), the company must not enter into a business relationship.

Identity Verification

“The firm identifies the customer by obtaining a range of information about him. The verification of the identity consists of the firm verifying some of this information against documents or information obtained from a reliable source which is independent of the customer.” (The JMLSG’s guide, §5.3.2.)

CDD consists of identification (i.e., getting to know who this individual or company is) and verification (i.e., making sure that the individual or company is who they claim they are).

Verification can be conducted based on identity documents (a passport, driving license, etc.) or some information received from a reliable and independent source (e.g., written assurance from the company that has dealt with the customer).

The FCA permits digital identity verification. When seeking the help of a KYC service provider, a company must ensure that the provider is reliable in terms of its technology and policies. Some of the major requirements for a provider include:

  1. Registration with the Information Commissioner’s Office (or an equivalent) to store personal data
  2. Access to a wide range of information sources
  3. Transparency

Simplified Due Diligence (SDD)

Companies can apply a less strict version of the due diligence check, called Simplified Due Diligence (SDD), when the risk of encountering money laundering or another financial crime is low. For example, conducting SDD may be an option when a business deals with a publicly owned enterprise or an individual from a lower-risk country. Credit or financial institutions that are subject to the 4th AML Directive and companies listed on a regulated market are also among the lower-risk factors. See all of the factors at §5.4.2. of the JMLSG guidance.

However, the presence of one or even several such factors does not automatically mean that a company can apply SDD. A thorough risk assessment is needed before this check can be applied, so in practice businesses undertake it quite rarely.

During SDD, companies are able to reduce the extent and timing of the measures that they take. It is up to the business to decide how exactly it conducts this simplified check. However, all SDD procedures must be outlined in the AML compliance policy. In addition, each case in which SDD is applied must be comprehensively recorded.

Enhanced Due Diligence (EDD)

When businesses encounter high-risk factors for money laundering, they must apply a further check, in addition to CDD, that is much more thorough. This procedure is called Enhanced Due Diligence (EDD). Below, you can find some of the most common high-risk factors:

  1. Politically Exposed Persons (PEP), their family or any close, known associates (check out the FCA’s guide on PEP)
  2. Customers outside the EU, especially those from high-risk third countries
  3. Customers that have provided false information
  4. Large, complex, suspicious or unusual transactions

EDD must also be conducted for any other situation that presents a high possibility of money laundering. See the full list of cases in which an enhanced check is needed here. However, not all of these factors will automatically result in the need to conduct EDD. For instance, it is possible not to apply an enhanced check for domestic PEPs if there are no other ‘red flags.’

Generally, EDD requires companies to obtain more information about the individual or the company to be fully satisfied that they are who they claim they are. EDD usually includes an understanding of a customer’s reputation, an examination of their source of wealth and source of funds, in addition to independent internal and external intelligence reports (for very high-risk cases). For more insights, please refer to the Regulations 2017, 2019, and the Financial Crime Guide that provides examples of good and poor CDD practices.

Reporting requirements

The FCA requires companies to file three main types of reports:

  1. Annual Financial Crime Report
  2. MLRO Annual Report
  3. Suspicious Activity Report

Let’s dive deeper into each type.

Annual Financial Crime Report

This is a report on a company’s procedures and safeguards for preventing financial crime. It, above all, includes information about customers and AML compliance. Check out the submission form.

Person in charge of the submission: MLRO.
Authority to submit to: FCA.
Means of submission: online via the FCA website.
Time: annually, at the end of a financial year or within 60 business days of the company’s latest accounting reference date.

Here you can find thorough guidance on the submission requirements.

MLRO Annual Report

This is an internal report on the company’s AML compliance. It reviews AML procedures and internal safeguards and provides recommendations for their improvement. Although a Money-Laundering Reporting Officer (MLRO) is obliged to file this report, there is no prescribed format for it.

Person in charge of the submission: MLRO.
Authority to submit to: the senior management of the company.
Means of submission: any.
Time: annually.

The JMLSG suggests using this framework as a reference.

Suspicious Activity Report (SAR)

Under the Proceeds of Crime Act 2002 (POCA), every company that is subject to the FCA must report any suspicious activity that they detect.

Person in charge of the submission: a nominated officer.
Authority to submit to: the National Crime Agency (NCA).
Means of submission: reports can be submitted online via the NCA SAR Online System.
Time: as soon as the suspicion has arisen.

For detailed information on how to report suspicious activity, please check out the NCA’s introduction to SARs and Submitting a SAR guides.

For successful reporting, any company needs an AML-compliant system of data recording, which we’re going to discuss in the next section.

Recording and retention requirements

“Record keeping is an essential component of the audit trail that the ML Regulations and FCA Rules seek to establish in order to assist in any financial investigation and to ensure that criminal funds are kept out of the financial system, or if not, that they may be detected and confiscated by the authorities.” (The JMLSG’s guide, §8.2.)

Here, we’ll briefly talk you through the requirements for the recording and storage of data.

Data to record: AML policies, results of due diligence checks, records for transactions (information about payers and payees for wire transfers), SARs and other reports, information on the established business relationship and offered services, in addition to communication with customers (telephone calls, emails, SMS, etc.).
Recording requirements: store scans or electronic forms of the documents.
Retention period: five years after the relationship with the customer ends or after an occasional transaction. There is no need to keep records of ordinary transactions, which were performed within a business relationship, for more than ten years.

The personal data of customers must be held only for the purpose of complying with AML requirements.

Penalties for non-compliance

Here is a list of the types of misconduct the FCA has the authority to sanction:

  1. Financial crimes
  2. Failings within the company’s systems and controls, as well as a lack of integrity
  3. Unauthorized activity
  4. Misselling
  5. Anti-competitive behavior
  6. Failure to undertake proper disclosure in primary markets

The FSMA, the Regulations 2017 and 2019, and some other laws grant the FCA extensive enforcement powers that include disciplinary, civil, and criminal prosecution.

The FCA has the following powers to impose sanctions for non-compliance (breach, market abuse, etc.): 1) publish a statement; 2) impose a financial penalty; 3) withdraw a company’s license; 4) suspend an individual from their functions.

There is no set limit to the fine that the FCA can impose. Instead, the regulator examines every case and calculates the amount based on its 5-step approach (see DEPP 6.5 Determining the appropriate level of financial penalty).

In addition to fine imposition, the regulator can engage in criminal prosecution. While insufficient AML compliance can result in a fine and/or a prison term of up to two years, actual money laundering offenses can, in the most severe of cases, lead to 14 years of imprisonment.

For more information, please check out the FCA’s guide on enforcement.

Useful sources

Here are some compliance-related materials about the FCA that may be of use.

The primary resource for understanding the FCA’s activity and requirements is the FCA Handbook.

Please check out the list below for more information on financial crimes compliance:

  1. Financial Crime Guide: A firm’s guide to countering financial crime risks (FCG)
  2. The Joint Money Laundering Steering Group’s (JMLSG) guidance
  3. Financial Sanctions: Guidance

Below, you can find some comprehensive guidance on suspicious activity reporting:

  1. Introduction to SARs
  2. Submitting a SAR

Here are a couple of materials that can help you to better understand the regulator’s enforcement activity.

  1. FCA Mission: Approach to Enforcement
  2. Enforcement Guide
