MLR 2017 Reg 24

AML Training — the UK guide

MLR 2017 Reg 24 in depth — who must be trained, what to cover, training format options, record-keeping requirements, and why training gaps appear in nearly every supervisory finding.

By Mehmood Rajoka · Last updated 2026-06-08

TL;DR — Quick Summary

  • MLR 2017 Regulation 24 requires every UK regulated firm to ensure that all relevant employees are trained on the firm's AML policies, procedures, and controls — and on identifying and reporting suspicious activity.
  • Training must be regular — annual refresher at minimum, more frequently on material change. Records must be retained for 5 years under MLR 2017 Reg 40, and must show who was trained, on what, by whom, and when.
  • 'Relevant employees' is broader than client-facing staff. It includes anyone whose role gives them potential awareness of money-laundering or terrorist-financing indicators — receptionists, admin staff, partners, contractors.
  • Training gaps — staff untrained or refresher cycles lapsed — appear in nearly every published HMRC and supervisory-body enforcement update. The most common failing: a partner who delegated training to a staff member who left, and the cycle quietly lapsed.
  • Training is not a tick-box exercise. Inspectors assess content quality and operational reality — staff being asked to explain what tipping off is or what triggers a SAR is the test of whether training actually landed.

Answer-first summary

What does MLR 2017 require for AML training?

MLR 2017 Regulation 24 requires every UK regulated firm to ensure that all relevant employees are trained on the firm's AML policies, procedures, and controls, and on identifying and reporting suspicious activity. Training must be regular — annual refresher at minimum, with material change triggering interim updates. Records must be retained for 5 years under Reg 40, showing who was trained, on what, by whom, and when. 'Relevant employees' is interpreted broadly — including reception and admin staff who may see suspicion indicators before fee earners do.

  • Mandatory under MLR 2017 Reg 24
  • Annual refresher minimum + change-driven updates
  • Records under Reg 40 — 5-year retention
  • Broad scope: anyone with potential awareness, not just client-facing

Who must be trained

Four staff categories — and the ‘relevant employee’ threshold is genuinely broad:

Client-facing partners and fee earners

Anyone signing engagement letters, accepting new clients, or interacting with clients about their business. The primary recipients of training content.

Admin and reception staff

First-line contact with clients — observe behaviours, hear conversations, take calls. Often see suspicion indicators before fee earners do. MLR 2017 explicitly extends to non-client-facing staff in supporting roles.

Compliance and MLRO/MLCO team

Specialist training above the baseline — deeper coverage of POCA, MLR 2017, sanctions regimes, regulatory change, SAR pipeline operation, supervisory expectations.

Contractors and outsourced staff

Where the firm's CDD or compliance work is delivered partly by contractors or outsourced providers, MLR 2017 expects those individuals to be trained to the firm's standard. The firm's training policy must address this scope.

What training should cover

Ten content areas. Generic AML content alone is rarely sufficient — supervisors look for firm-specific tailoring:

  • The firm's AML programme — risk assessment, policies, MLRO/MLCO roles, escalation paths, SAR pipeline
  • MLR 2017 — the regulatory framework, key obligations (Reg 18, 19, 21, 28, 33, 35, 40), what changes affect the practice
  • POCA 2002 — the principal offences (ss.327-329), the reporting duty (s.330), tipping off (s.333A), DAML (s.335)
  • Identifying suspicious activity — typical money-laundering patterns relevant to the practice's client sectors
  • Customer Due Diligence — what to collect, how to verify, when to escalate to EDD
  • PEP screening and the post-2023 UK domestic / foreign distinction under FCA PS24/4
  • Sanctions screening — UK Consolidated List, the freeze obligation, OFSI reporting
  • Tipping off — what NOT to say to clients during a SAR window
  • Recent regulatory developments — 2022 proliferation financing, 2023 Companies House reform, ongoing enforcement themes
  • Practical exercises — case studies from the practice's actual client sectors

Training format options

Four common formats. Most firms combine them — online baseline + internal sessions for sector specifics + external for MLRO/MLCO specialist:

Online courses (LMS-delivered)

Standardised content, automatic completion tracking, easy to refresh. Good for baseline. Risk: tick-box completion without genuine learning. Best combined with practical exercises or follow-up assessment.

Internal training sessions

MLRO or MLCO delivers content tailored to the firm's actual client sectors and recent inspection learnings. Higher engagement than generic online courses. Risk: content varies with the trainer's preparation; not always documented to inspection standard.

External AML training providers

Specialist providers (often supervisory-body-affiliated) deliver structured content with assessment. Higher cost but defensible documentation. Used commonly for MLRO/MLCO specialist training.

Continuing professional development (CPD) integration

Many firms structure AML training as part of their broader CPD programme — particularly for accountancy and legal staff who already have CPD obligations. Combines AML training records with professional CPD records.

Records you must keep

Seven elements per training event. Retention: 5 years under MLR 2017 Reg 40:

  1. Who was trained — full name, role, date of training
  2. What was trained — content covered, learning objectives, materials used
  3. By whom — internal trainer name and credentials, or external provider details
  4. When — date of training, assessment (where applicable), completion confirmation
  5. Refresher schedule — when the next refresher is due (typically annual)
  6. Specialist scope — where the training was specialist (MLRO, MLCO, contractor), what additional content was covered
  7. Updates — where the training content was updated mid-year to reflect material change, which staff received the update

Common questions

FAQ

What does MLR 2017 require for AML training?

MLR 2017 Regulation 24 requires every UK regulated firm to ensure that all relevant employees are trained on the firm's AML policies, procedures, and controls, and on identifying and reporting suspicious activity. Training must be regular — annual refresher at minimum, with material change triggering interim updates. Records must be retained for 5 years under MLR 2017 Reg 40, showing who was trained, on what, by whom, and when. 'Relevant employees' is interpreted broadly — including non-client-facing roles like reception and admin.

Who counts as a 'relevant employee' for AML training?

Broader than client-facing staff. Includes anyone whose role gives them potential awareness of money-laundering or terrorist-financing indicators: partners, fee earners, paralegals, admin staff, reception, compliance team, contractors involved in CDD work, outsourced providers delivering parts of the practice's compliance work. Reception and admin staff often see suspicion indicators before fee earners do — the broad scope reflects this.

How often must AML training be refreshed?

Annual refresher is the regulatory minimum. Material changes trigger interim updates: significant AML legislation changes (2022 proliferation financing, 2023 PEP differentiation, 2023 Companies House reform), new firm services or client sectors, internal incidents (a SAR filing, a near-miss, a supervisory finding), or supervisory thematic reviews announcing new expectations. Diarise the next annual refresher the day the current training completes.

What should AML training cover?

Ten content areas. The firm's AML programme. MLR 2017 framework. POCA 2002 (principal offences, reporting duty, tipping off, DAML). Identifying suspicious activity. CDD and EDD. PEP screening (with post-2023 UK domestic / foreign distinction). Sanctions screening and the freeze obligation. Tipping off operational rules. Recent regulatory developments. Practical exercises tied to the firm's actual client sectors. Generic AML content alone is rarely sufficient — supervisors look for firm-specific tailoring.

What records must I keep for AML training?

Seven elements per training event. Who was trained (full name, role, date). What was trained (content, learning objectives, materials). By whom (trainer name, credentials, or external provider). When (date, assessment, completion). Refresher schedule (next-due date). Specialist scope (where training was specialist, what additional content). Updates (mid-year content updates, which staff received them). Retention: 5 years under MLR 2017 Reg 40.

What if a staff member misses training?

Document the gap, the reason (sickness, maternity, late join), and the catch-up plan. Schedule catch-up training as soon as practicable — same standard content, recorded the same way. The firm's policy should include a documented procedure for catch-up. A staff member operating without training records is a clear supervisory finding if the inspection happens during the gap. The catch-up record protects the firm.
