Anti-Money Laundering (AML) — the complete UK guide for accountants and law firms
The UK AML regime end-to-end — the four governing statutes, who must comply, the eight-element compliance programme, the supervisory landscape, the three stages of laundering, and the penalty tracks.
By Mehmood Rajoka · Last updated 2026-06-08
TL;DR — Quick Summary
- Anti-Money Laundering (AML) is the body of UK law, regulation, and practice designed to prevent the proceeds of crime from being disguised as legitimate funds — and to prevent the financing of terrorism alongside it.
- The UK AML regime sits on four statutes: the Proceeds of Crime Act 2002 (POCA), the Terrorism Act 2000, the Sanctions and Anti-Money Laundering Act 2018 (SAMLA), and the Money Laundering Regulations 2017 (MLR 2017). The Economic Crime Acts 2022 and 2023 added the Register of Overseas Entities and broader Companies House identity-verification powers.
- Regulated sectors — accountants, lawyers, estate agents, crypto-asset firms, banks, TCSPs — must run a documented AML programme: firm-wide risk assessment, policies, CDD, training, ongoing monitoring, record keeping, and a SAR pipeline.
- Each sector has a named supervisory authority: HMRC for unaffiliated accountants and estate agents; ICAEW, ACCA, CIOT, AAT, IFA, CIMA, ICAS for affiliated accountants; the SRA, Bar Standards Board, and CILEx Regulation for lawyers; the FCA for financial services. The OPBAS oversees the professional-body supervisors.
- Penalties run on three tracks: criminal under POCA (up to 14 years for principal offences), civil under MLR 2017 (HMRC and supervisor fines), and individual liability for MLROs who fail to report — up to 5 years for failure to file a SAR when grounds exist.
Answer-first summary
What does anti-money laundering mean?
Anti-Money Laundering (AML) is the body of UK law, regulation, and practice designed to prevent criminals from disguising the proceeds of crime as legitimate funds — and to prevent the financing of terrorism alongside it. The UK regime is built on four principal statutes: the Proceeds of Crime Act 2002 (the criminal-law spine), the Terrorism Act 2000 (the parallel terrorism regime), the Sanctions and Anti-Money Laundering Act 2018 (the sanctions framework), and the Money Laundering Regulations 2017 (the detailed compliance rules). Regulated sectors — including accountants, lawyers, estate agents, banks, and crypto-asset firms — must run a documented AML programme covering risk assessment, customer due diligence, ongoing monitoring, training, record keeping, and suspicious-activity reporting to the National Crime Agency.
- Four governing statutes: POCA 2002, Terrorism Act 2000, SAMLA 2018, MLR 2017
- Two parallel regimes: AML (criminal proceeds) and CFT (terrorism financing)
- Eight programme elements required under MLR 2017
- Penalties run on four tracks: POCA criminal, MLR civil, SRA/professional-body, OFSI sanctions
The UK AML legal framework
Six statutes together create the UK AML regime. POCA and MLR 2017 do most of the day-to-day work; the others provide structural support for sanctions, terrorism, and corporate transparency.
Proceeds of Crime Act 2002 (POCA)
The principal money laundering offences sit in POCA ss.327-329 — concealing, arranging, or acquiring criminal property — each carrying up to 14 years' imprisonment. POCA s.330 requires regulated-sector workers to report suspicion. POCA s.333A criminalises tipping off. POCA s.335 provides the DAML route for consent to proceed with a specific transaction.
Money Laundering Regulations 2017 (MLR 2017)
The detailed compliance framework: Regulation 18 requires a firm-wide risk assessment; Reg 19 written policies; Reg 21 the MLRO and MLCO appointments; Reg 28 customer due diligence; Reg 33 enhanced due diligence triggers; Reg 39 reliance on third parties; Reg 40 five-year record-keeping. Updated in 2022 to include proliferation financing risk.
Terrorism Act 2000
Parallels POCA for terrorist financing — separate principal offences (ss.15-18) and a separate SAR pipeline. Suspicion of terrorist financing must be reported to the NCA on the same SAR Online portal but with the terrorism marker selected.
Sanctions and Anti-Money Laundering Act 2018 (SAMLA)
The statutory framework for UK financial sanctions, administered by OFSI. Provides the power to designate persons, freeze assets, and impose civil monetary penalties for breach. Underpins the sanctions-screening obligation in MLR 2017.
Economic Crime (Transparency and Enforcement) Act 2022
Introduced the Register of Overseas Entities at Companies House — overseas entities owning UK land must register and disclose their beneficial owners, verified by a UK-supervised agent. Tightened the asset-freeze and sanctions-enforcement regime.
Economic Crime and Corporate Transparency Act 2023
Reformed Companies House — introduced ID verification for company directors, PSCs, and registration agents (ACSPs); created new powers to challenge company filings; restricted the use of UK companies for nominee structures. AML implications cascade through TCSP supervision and CDD verification.
Who must comply with UK AML law
MLR 2017 applies to specific 'relevant persons'. The scope is wider than commonly assumed — many small accountancy practices fall in because they offer TCSP-type services, and many estate agents fall in because they cross the rent threshold:
- Accountants, tax advisers, payroll professionals — supervised by HMRC, ICAEW, ACCA, CIOT, AAT, IFA, CIMA, or ICAS depending on professional body membership
- Solicitors, barristers, licensed legal executives — supervised by the SRA, BSB, CILEx Regulation, or equivalent regulators in Scotland and Northern Ireland
- Estate agents and lettings agents above the rent threshold — supervised by HMRC
- Trust or Company Service Providers (TCSPs) — including any firm forming companies or providing registered-office services
- Banks, investment firms, e-money institutions, payment services providers, insurers — supervised by the FCA or PRA
- Cryptoasset firms — supervised by the FCA under the cryptoasset registration regime
- Casinos, high-value dealers receiving cash payments of €10,000 or more, art-market participants for transactions of €10,000 or more — supervised by HMRC
The eight elements of an AML programme
Every MLR-regulated firm must operate all eight. Missing any one is the most common reason for a supervisory finding.
Firm-wide risk assessment (Reg 18)
A documented, periodically reviewed assessment of the money-laundering risks facing the practice — client types, services, geographies, delivery channels, funding sources. Inspectors will ask to see it first.
Written policies, controls, procedures (Reg 19)
A written AML programme covering MLRO appointment, CDD and EDD procedures, SAR escalation, training schedule, monitoring cadence, and record retention. Reviewed annually.
MLRO and MLCO appointments (Reg 21)
Senior individuals appointed in writing. The MLRO owns SAR reporting under POCA; the MLCO owns firm-wide AML oversight under MLR 2017. In smaller firms, both roles are typically held by the same person.
Customer Due Diligence (Reg 28)
Identify clients, verify identity using reliable independent sources, identify beneficial owners, understand the purpose of the relationship, apply ongoing monitoring. Standard CDD by default, EDD where Reg 33 triggers apply, SDD only with documented low-risk reasoning.
Ongoing monitoring
Continuous scrutiny of transactions and client behaviour throughout the relationship, with file-review cadence calibrated to client risk rating (typically annual for low risk, more frequent for medium and high).
SAR pipeline
Clear internal escalation path from any staff member with knowledge or suspicion to the MLRO, who decides whether to file with the NCA. Confidential SAR register. Tipping-off-safe client communications protocol.
Annual training
Every relevant employee trained on the firm's AML policies and on identifying and reporting suspicious activity. Refresher training at least annually. Records retained for inspection.
Record keeping (Reg 40)
CDD evidence, risk assessments, screening results, monitoring records, SAR decisions, training records — all retained for at least 5 years from the end of the business relationship or transaction.
The three stages of money laundering
The classic model used in FATF, NCA, and supervisory-body guidance to describe how criminal funds move through the legitimate economy:
1. Placement
The initial introduction of criminal proceeds into the financial system. Cash is the dominant form — bank deposits, casino chips, structured small-value transactions designed to stay under threshold reporting limits ('smurfing'), purchase of money orders or cashier's cheques. The placement stage is the most visible to financial-sector AML controls.
2. Layering
Separating the funds from their source through a series of transactions or transfers designed to obscure the trail. Wire transfers across borders, currency conversions, purchase and resale of investments, layering through multiple legal entities and jurisdictions. The layering stage is where corporate-services and legal-sector AML controls do most of their work.
3. Integration
Reintroduction of laundered funds into the legitimate economy as apparently clean assets — property purchases, business investments, luxury goods, business income that supports a lifestyle inconsistent with declared earnings. Accountants and lawyers are most likely to encounter the integration stage, often without realising it.
The UK AML supervisory landscape
Each sector has a designated supervisor under MLR 2017. OPBAS sits above the professional-body supervisors to drive consistency across them:
- HMRC — unaffiliated accountants, estate agents, high-value dealers, TCSPs
- ICAEW — Chartered Accountants in England and Wales
- ACCA — Association of Chartered Certified Accountants
- CIOT — Chartered Institute of Taxation
- AAT — Association of Accounting Technicians
- IFA — Institute of Financial Accountants
- CIMA — Chartered Institute of Management Accountants
- ICAS — Institute of Chartered Accountants of Scotland
- Solicitors Regulation Authority (SRA) — solicitors in England and Wales
- Bar Standards Board — barristers in England and Wales
- CILEx Regulation — chartered legal executives
- Law Society of Scotland, Law Society of Northern Ireland — legal sector outside England and Wales
- Council for Licensed Conveyancers — licensed conveyancers and probate practitioners
- Financial Conduct Authority (FCA) — banks, investment firms, cryptoasset firms, e-money institutions
- OPBAS — Office for Professional Body Anti-Money Laundering Supervision (oversees the professional-body supervisors)
Penalties — four enforcement tracks
UK AML enforcement operates on four parallel tracks. They can run simultaneously — a single AML failure can result in criminal, civil, supervisory, and sanctions consequences against the firm and named individuals.
Criminal — POCA principal offences
Concealing, arranging, or acquiring criminal property under POCA ss.327-329: up to 14 years' imprisonment plus an unlimited fine. Failure to report under POCA s.330: up to 5 years. Tipping off under POCA s.333A: up to 5 years. These are individual offences — the responsible person, not just the firm, carries liability.
Civil — MLR 2017 enforcement
HMRC and the professional-body supervisors can impose civil penalties for failures of the AML programme — inadequate risk assessment, missing CDD, no training, no MLRO. Fines scale with firm size and turnover. Repeat breaches attract escalating action up to suspension or withdrawal of registration.
SRA and professional-body fines
For solicitors, individual fines reach £25,000; firm fines exceed £250m for traditional firms. Accountancy bodies impose tariff fines plus referral to disciplinary tribunals. AML breaches frequently sit alongside other regulatory findings, compounding the cumulative cost.
OFSI sanctions penalties
OFSI civil monetary penalties for sanctions breaches reach £1 million or 50% of the breach value, whichever is higher. Criminal prosecution remains available for serious cases. The SAMLA framework also allows enforcement co-operation with overseas sanctions authorities.
FAQ
What does anti-money laundering mean?
Anti-money laundering — usually abbreviated AML — is the body of law, regulation, and practice designed to prevent criminals from disguising the proceeds of crime as legitimate funds. In the UK, AML is built on four principal statutes (POCA 2002, the Terrorism Act 2000, SAMLA 2018, MLR 2017) and a network of supervisory authorities. Regulated sectors — including accountants, lawyers, estate agents, banks, and crypto-asset firms — must run a documented AML programme covering risk assessment, customer due diligence, monitoring, training, record keeping, and suspicious-activity reporting.
What is the difference between AML and CFT?
AML (Anti-Money Laundering) addresses funds that originate from criminal activity. CFT (Counter-Financing of Terrorism) — sometimes written CTF — addresses funds destined for terrorist activity, regardless of whether the source is criminal. In UK law the two regimes run in parallel: MLR 2017 covers both, the Terrorism Act 2000 mirrors POCA's reporting structure for terrorism, and SAR Online accepts both AML and terrorism SARs through a single portal with a marker to indicate which.
Who has to comply with AML regulations in the UK?
MLR 2017 applies to specific 'relevant persons': financial institutions; auditors, accountants, tax advisers, and payroll service providers; independent legal professionals; estate agents and letting agents (above thresholds); trust or company service providers; high-value dealers receiving cash payments of €10,000 or more; art-market participants for transactions of €10,000 or more; cryptoasset exchange providers and custodian wallet providers; casinos; and certain insurance intermediaries. Each sector is supervised by a designated authority — HMRC, the FCA, a professional body, or in some cases the Gambling Commission.
What are the four main UK AML statutes?
First, the Proceeds of Crime Act 2002 (POCA) — the criminal-law spine, containing the principal money laundering offences (ss.327-329), the SAR reporting duty (s.330), the tipping-off offence (s.333A), and the DAML route (s.335). Second, the Terrorism Act 2000 — parallel offences and reporting for terrorist financing. Third, the Sanctions and Anti-Money Laundering Act 2018 (SAMLA) — the statutory framework for UK financial sanctions, administered by OFSI. Fourth, the Money Laundering Regulations 2017 (MLR 2017) — the detailed compliance framework requiring CDD, risk assessment, training, monitoring, and record keeping.
What are the three stages of money laundering?
Placement, layering, and integration. Placement is the initial introduction of criminal proceeds into the financial system — typically cash deposits, money orders, or 'smurfed' small-value transactions. Layering is the series of transactions designed to obscure the audit trail — wire transfers, currency conversions, layering through legal entities. Integration is the final reintroduction of laundered funds into the legitimate economy as apparently clean assets — property, businesses, investments. UK accountants and lawyers are most likely to encounter the integration stage.
What is an AML compliance programme?
Eight components, all required under MLR 2017 for regulated firms. (1) Firm-wide risk assessment under Reg 18. (2) Written policies, controls, and procedures under Reg 19. (3) MLRO and MLCO appointments under Reg 21. (4) Customer Due Diligence at onboarding and on an ongoing basis under Reg 28. (5) Enhanced Due Diligence where Reg 33 triggers apply. (6) Ongoing monitoring of transactions and client behaviour. (7) Annual training for every relevant employee. (8) Five-year record keeping under Reg 40. Plus the SAR pipeline under POCA s.330 — internal escalation to the MLRO, who decides whether to file with the NCA.
What are the penalties for breaching AML law in the UK?
POCA principal money laundering offences carry up to 14 years' imprisonment plus an unlimited fine. Failure to report under POCA s.330 carries up to 5 years; tipping off under s.333A carries up to 5 years. Civil enforcement under MLR 2017 can result in fines, conditions on registration, suspension, or withdrawal. SRA individual fines reach £25,000; SRA firm fines exceed £250m. OFSI civil monetary penalties for sanctions breaches reach £1 million or 50% of the breach value. Criminal prosecution remains available alongside civil enforcement.
Who supervises AML compliance in the UK?
It depends on the sector. HMRC supervises unaffiliated accountants, estate agents, high-value dealers, TCSPs, and money service businesses. The FCA supervises banks, investment firms, cryptoasset firms, and e-money institutions. Professional bodies (ICAEW, ACCA, CIOT, AAT, IFA, CIMA, ICAS) supervise accountants who are members. The Solicitors Regulation Authority, Bar Standards Board, CILEx Regulation, the Law Society of Scotland, the Law Society of Northern Ireland, and the Council for Licensed Conveyancers supervise legal sector firms. OPBAS — the Office for Professional Body Anti-Money Laundering Supervision — oversees the professional-body supervisors to drive consistency.