UK MLR 2017 (Money Laundering Regulations) Explained

A practitioner's reference to the UK's core AML/CTF regulation: regulated entity categories, CDD/EDD standards, PEP rules, beneficial ownership, reporting obligations and the supervisory regime.

Legichain Team · 12 min read · 26 May 2026

The United Kingdom's core AML/CTF regulation is The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 — MLR 2017. It came into force on 26 June 2017 as SI 2017/692, originally transposing the EU's 4AMLD into UK law. After Brexit, the UK retained an independent path: the 2019 amendment brought 5MLD-equivalent changes, the 2020 amendment brought cryptoasset firms into AML scope, the 2022 amendment extended beneficial ownership rules, and the 2023 amendment introduced the UK Travel Rule. This guide walks through the structure, regulated entity categories, CDD standards and supervisory regime — written for compliance, legal and product teams considering UK market entry or already operating there.

Quick reference

  • Legal name: The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, SI 2017/692.
  • In force: 26 June 2017. Major amendments in 2019 (5MLD transposition), 2020 (cryptoasset scope), 2022 (beneficial ownership extension), 2023 (Travel Rule).
  • Structure: 12 Parts, 7 Schedules.
  • Regulated categories: credit and financial institutions, auditors, tax advisers, legal professionals, estate agents, gambling, art market participants, TCSPs, cryptoasset exchange providers and custodian wallet providers.
  • Supervisors: FCA (financial services, crypto), HMRC (MSBs, tax advisers, gambling), professional bodies (lawyers, accountants).
  • Reporting: Suspicious Activity Reports (SARs) go to the NCA — the UK uses "SAR", not the EU-style "STR".

1. Scope of MLR 2017 — who is regulated?

MLR 2017 Regulation 8 lists the categories of "relevant persons" — those subject to the regulation:

  • Credit institutions and financial institutions — banks, payment institutions, e-money institutions, investment firms
  • Auditors and external accountants
  • Tax advisers
  • Legal professionals (solicitors, notaries) — limited scope
  • Trust or company service providers (TCSPs)
  • Estate agents and letting agents — for rents £10,000+ per month
  • High-value dealers — accepting €10,000+ in cash
  • Casinos
  • Art market participants — €10,000+ transactions
  • Cryptoasset exchange providers and custodian wallet providers — from 10 January 2020

The supervisor differs by category. A credit institution is supervised by the FCA, an art dealer by HMRC, a solicitor by a relevant professional body (PB).

2. The risk-based approach

MLR 2017 Regulation 18 requires every regulated firm to produce a written firm-wide risk assessment. It must address:

  • Customer risk (segments, customer types, jurisdiction)
  • Product and service risk
  • Geographic risk (with reference to the UK National Risk Assessment)
  • Distribution channel risk (face-to-face versus remote, partner versus direct)
  • Transaction risk

A risk assessment is not a static document — it is a living artefact updated annually and whenever the business model changes. In FCA supervisory visits, "when was your risk assessment last updated?" is among the first three questions asked.

The risk assessment then feeds into customer risk scoring, transaction monitoring scenarios and EDD triggers. Our AML screening guide covers the broader operational framework.

3. Customer due diligence (CDD) — standard approach

MLR 2017 Part 3 (Regulations 27–38) defines CDD obligations. CDD is mandatory:

  1. When establishing a business relationship (account opening, contract)
  2. For occasional transactions of €15,000 or more, single or linked
  3. When suspicion of money laundering or terrorist financing arises
  4. When the firm doubts the veracity of previously obtained customer information

CDD has three core components:

(a) Verification of customer identity — legal name, date of birth, address, evidenced by documents from a reliable, independent source.

(b) Identification of beneficial owners — for corporate customers, the natural persons holding 25%+ ownership or control.

(c) Understanding the purpose and intended nature of the business relationship — why this customer, expected transaction patterns.

Digital onboarding is well established in the UK — NFC chip reading, liveness, video verification all qualify as reliable independent sources, provided the technology choice is documented in the policy and the technology's reliability is evidenced.

4. Enhanced due diligence (EDD)

MLR 2017 Regulation 33 specifies when EDD is mandatory:

  • Business relationship with a high-risk third country (cross-referenced against the FATF grey/black list and the UK's own high-risk countries list)
  • Business with a politically exposed person (PEP)
  • Correspondent banking with third-country institutions
  • Complex or unusually large transactions
  • Transactions with no apparent economic or lawful purpose
  • Any other situation assessed by the firm as high risk

Practical EDD components:

  • Deeper beneficial ownership verification
  • Source of funds and source of wealth documentation
  • More detailed enquiry into purpose of the relationship
  • Senior management approval (mandatory for PEPs)
  • Intensified ongoing monitoring

5. Politically exposed persons (PEPs)

MLR 2017 Regulation 35 defines PEPs and the EDD obligation. The PEP scope includes:

  • Foreign PEPs — senior officials of foreign governments, members of parliament, senior political party officials, senior judiciary, senior military, state-owned enterprise leadership.
  • Domestic (UK) PEPs — the 2019 amendment added "domestic PEP" — UK MPs, senior judges, senior public officials.
  • International organisation PEPs — senior leadership at UN, EU, NATO and similar organisations.
  • Family members and close associates — spouse, children, children's spouses, parents; business partners, joint investment partners.

For UK domestic PEPs, a risk-based simplified EDD can be applied — lighter procedures than for foreign PEPs. This is one area where the UK has diverged from the more uniform AMLD5 approach.

Exit rule: once an individual ceases to hold a PEP role, they continue to be treated as a PEP for at least 12 months, and longer in higher-risk cases.

Our what is a PEP guide covers the operational detail.

6. Beneficial ownership — the Person of Significant Control (PSC) register

In the UK, identifying beneficial owners of corporate customers operates on two layers:

(a) MLR 2017 obligation: identify natural persons holding 25%+ ownership or control.

(b) Companies House PSC register: for UK limited companies and LLPs, Persons of Significant Control are recorded in a publicly accessible register. A regulated firm should cross-check PSC information against its own CDD. If a discrepancy is found, the firm has an obligation to file a "discrepancy report" to Companies House.

The 2022 amendment introduced the Overseas Entities Register — offshore structures owning UK real estate must disclose their beneficial owners. This is directly relevant to UK property investments structured through Turkish or other non-UK holding entities.

7. Suspicious Activity Reports (SARs)

In the UK, Suspicious Activity Reports are filed with the National Crime Agency (NCA) under the Proceeds of Crime Act 2002 (POCA) and the Terrorism Act 2000.

Two SAR types:

  1. DAML SAR (Defence Against Money Laundering): filed before executing a transaction; the NCA grants "consent" within 7 working days or applies a 31-calendar-day "moratorium".
  2. General SAR: filed after the fact, no consent required.

SAR reporting line:

  • An employee identifies a suspicious activity → reports internally to the MLRO
  • MLRO assesses, files via the NCA's SAR Online portal
  • "Tipping off" the customer is a criminal offence (POCA s.333A)

Submissions go via SAR Online (now the SAR Portal). In 2023 the NCA refreshed the platform — promising AI-driven prioritisation and improved feedback loops.

UK law uses SAR; "STR" is not a UK statutory term.

8. The supervisory regime — multi-authority model

UK MLR supervision is not done by a single regulator. Responsibility is distributed sector by sector:

| Sector | Supervisor |
|---|---|
| Banks, payment institutions, EMIs, investment firms | FCA |
| Cryptoasset firms | FCA (cryptoasset firms register) |
| Money service businesses (MSBs), bureau de change | HMRC |
| Tax advisers and accountants outside professional bodies | HMRC |
| Estate agents, art market, gambling | HMRC |
| Solicitors | SRA (Solicitors Regulation Authority), Law Society |
| Chartered accountants | ICAEW, ACCA, CIPFA (and other HM Treasury-recognised "professional body supervisors") |

The FCA is the most assertive supervisor — annual examination plans, REP-CRIM filings, on-site inspections and a well-established enforcement function. HMRC examinations are less frequent but detailed and can result in significant penalties.

9. Penalties and enforcement

MLR 2017 breaches attract a two-tier penalty regime:

(a) Criminal: up to 2 years imprisonment and/or unlimited fine for serious regulation breaches.

(b) Civil: financial penalties, registration cancellation, fit-and-proper changes, public censure imposed by the FCA, HMRC or PB supervisor.

FCA enforcement for MLR breaches typically pairs firm + individual responsibility (most often the MLRO). Recent years have seen the FCA focus enforcement on:

  • Inadequate transaction monitoring
  • Generic or never-updated risk assessments
  • PEP / sanctions screening policies not operationally applied
  • SAR reporting delays or errors

10. UK MLR 2017 vs the EU AMLDs — post-Brexit divergence

MLR 2017 originally transposed 4AMLD, but the EU and UK paths have visibly diverged:

| Topic | UK (MLR 2017) | EU (AMLD5/6 / AMLR) |
|---|---|---|
| 5MLD-equivalent | 2019 amendment transposed | AMLD5 |
| 6MLD-equivalent | UK chose not to adopt — independent path on criminal AML | AMLD6 |
| Cryptoasset scope | 2020 amendment | AMLD5 (limited), MiCA |
| Beneficial ownership | PSC register + Overseas Entities Register | EU ABRR with member-state registers |
| Travel Rule | 2023 amendment (£1,000 unhosted) | TFR (€0 every transfer) |
| New EU AML authority | Not applicable to UK | AMLA (operational 2025–2028) |

Our EU financial regulation guide covers the EU framework end-to-end.

11. Practical compliance checklist for international firms

For an international fintech expanding into the UK, a practical MLR 2017 readiness checklist:

  1. Firm-wide risk assessment written and cross-referenced against the UK National Risk Assessment.
  2. CDD policy including UK-specific detail (Companies House PSC checks, OFSI screening, UK PEP list).
  3. EDD trigger matrix reflecting UK and home-country risk differentials (the UK high-risk countries list is updated independently and may differ from home).
  4. MLRO is UK-resident and appointed as SMF17 with genuine decision-making authority.
  5. NCA SAR workflow is tested end-to-end — from identification through to SAR submission with documented timings.
  6. Sanctions screening covers OFSI (UK) alongside global lists.
  7. Annual training is updated to track MLR 2017 and JMLSG changes.

Frequently asked questions

MLR 2017 is primary legislation — a Statutory Instrument with parliamentary authority, breach of which carries criminal and administrative consequences. The Joint Money Laundering Steering Group (JMLSG) is an industry body whose sectoral guidance is recognised by HM Treasury. JMLSG compliance is not strictly mandatory in law, but non-compliance is hard to defend before the FCA or in court. In practice JMLSG has become operationally near-mandatory.

A Turkish bank opening a UK branch — which regime applies?

A Turkish bank opening a UK branch or subsidiary is subject to MLR 2017 for its UK activities. Turkey's MASAK compliance obligations continue at the parent level; the UK branch is concurrently subject to FCA supervision and MLR 2017 / JMLSG. The two regimes have meaningful nuances (e.g. PEP scope, EDD triggers), so a UK-specific compliance framework is required — a "Turkish standard applies" approach does not work.

How are MLR 2017 amendments tracked?

HM Treasury publishes MLR 2017 amendments as Statutory Instruments (SIs), accessible via gov.uk. JMLSG updates its guidance to track changes. The FCA's "Dear CEO" letters communicate critical compliance messages. Annually, HM Treasury publishes the National Risk Assessment (NRA) and a Sectoral Risk Assessment — regulated firms are expected to update their own risk assessments by cross-referencing these documents.

Are MLR obligations for a UK-registered cryptoasset firm different from those of other financial firms?

The core CDD, EDD, PEP, beneficial ownership and reporting obligations are the same. Differences come from crypto-specific overlays: (1) on-chain risk monitoring is required, (2) Travel Rule compliance is mandatory, (3) custody architecture invites additional security expectations, (4) JMLSG Sector 22 sectoral guidance must be followed. REP-CRIM filings for crypto firms parallel those of other FCA-authorised firms but with crypto-specific metrics added (wallet screening volumes, Travel Rule message volumes).

How does Turkey's KVHS regulation compare to UK MLR 2017 for crypto firms?

Conceptually similar — both implement FATF Recommendation 15 principles. But operational details diverge: KVHS is supervised by the Turkish SPK, FCA cryptoasset registration by the UK FCA; Travel Rule thresholds differ; reporting authorities differ (MASAK versus NCA); penalty regimes differ. A crypto exchange serving both markets needs two parallel compliance frameworks — a single "global compliance" framework does not satisfy either.

How Legichain helps

Compliance with UK MLR 2017 requires jurisdiction-aware AML infrastructure that minimises operational and regulatory risk. The Legichain platform keeps OFSI (UK) and global sanctions lists, UK and international PEP data current in real time; the AML screening API match-grouping layer reduces false-positive workload by over 80%. Beneficial ownership verification integrates with the UK Companies House PSC data source. SAR reports are auto-formatted to the NCA SAR Portal template, in parallel with MASAK STR for Turkey. Our bank solutions and PSP solutions provide pre-built integrations for firms expanding into the UK market.

Legichain Team · Compliance editorial

Written by Legichain's compliance editorial team — regulated-financial-services veterans who built and integrated AML platforms for banks and crypto exchanges across EMEA.
