Cross-Border AML Compliance — UK guide for mid-market firms
Operating UK MLR 2017 across international client books — Schedule 3ZA HRTCs, OFSI sanctions, ROE for overseas entities, post-Brexit EU divergence, and the limits of reliance on overseas CDD.
By Mehmood Rajoka · Last updated 2026-06-08
TL;DR — Quick Summary
- •Cross-border AML compliance is the operational reality for mid-market UK firms serving clients with international exposure — overseas-domiciled clients, UK clients with foreign income or assets, UK clients transacting through non-UK jurisdictions, and overseas entities owning UK property.
- •The framework is UK MLR 2017 + POCA for UK touchpoints, with the foreign jurisdiction's AML regime applying for foreign touchpoints. UK firms need to operate the UK framework consistently while understanding the foreign jurisdiction's expectations.
- •Key UK-side levers: High-Risk Third Country list (MLR 2017 Schedule 3ZA) which triggers mandatory EDD, OFSI Consolidated List for sanctions, the Register of Overseas Entities (ROE) for non-UK entities owning UK land.
- •EU member states post-Brexit operate under EU AML Directives (5AMLD, 6AMLD, AMLR/AMLD6 from 2025-2027) which diverge in detail from UK MLR 2017 — particularly around PEP differentiation and beneficial-ownership register access.
- •Reliance on third-party CDD (MLR 2017 Reg 39) between UK firms and overseas correspondents is possible but limited — the UK firm retains liability and must accept the foreign verification standard.
Answer-first summary
What is cross-border AML compliance?
Cross-border AML compliance is the operational reality for mid-market UK firms serving clients with international exposure — overseas-domiciled clients, UK clients with foreign income or assets, UK clients transacting through non-UK jurisdictions, and overseas entities owning UK land. The UK MLR 2017 + POCA framework applies to the UK firm's compliance obligations; foreign jurisdiction AML regimes apply to the foreign-domiciled counterparties. UK firms need to operate the UK framework consistently while understanding the foreign jurisdiction's expectations.
- UK MLR 2017 for UK touchpoints; foreign frameworks for foreign touchpoints
- Schedule 3ZA HRTC list triggers mandatory EDD
- ROE for overseas entities owning UK land
- Post-Brexit EU divergence on PEPs and HRTC list
Four cross-border scenarios
Overseas-domiciled clients
Clients resident or domiciled outside the UK who engage a UK firm. The UK MLR 2017 framework applies for the UK firm's compliance obligations. The client's country of residence may have its own AML requirements that the UK firm should be aware of but is not directly subject to.
UK clients with foreign income or assets
UK-resident clients whose income or assets touch foreign jurisdictions. Source of funds and source of wealth (under EDD) must be traceable across jurisdictions. UK firms typically rely on documentary evidence supplemented by sanctions and adverse-media screening on the foreign-jurisdiction touchpoints.
UK clients transacting through non-UK jurisdictions
UK clients executing transactions through foreign banks, foreign legal entities, or foreign tax structures. The UK firm's MLR 2017 obligations apply to the UK firm's role. Foreign jurisdiction AML obligations apply to the foreign-domiciled counterparties.
Overseas entities owning UK land
Non-UK companies, trusts, or partnerships holding UK real estate. ROE registration via a UK-supervised ACSP is mandatory. UK firms acting as the ACSP carry verification liability under the Economic Crime (Transparency and Enforcement) Act 2022.
UK levers for cross-border AML
Four UK-side mechanisms that translate cross-border activity into UK compliance treatment:
High-Risk Third Country list (MLR 2017 Schedule 3ZA)
Clients established in, transacting with, or having significant connections to a country on the UK list require mandatory EDD under Reg 33(1)(b). The UK list diverges from the EU list since Brexit — firms with EU client exposure should check both lists.
OFSI Consolidated List sanctions screening
UK sanctions designations apply to UK firms regardless of where the client is domiciled. Screening must catch international clients whose names appear on the UK list, plus (where the firm's risk assessment requires) UN, EU, and US OFAC lists.
Register of Overseas Entities (ROE)
Non-UK entities owning UK land must register via a UK-supervised ACSP. Disclosure includes beneficial owners, with verification via the ACSP under the same standard as MLR 2017 Reg 28 CDD.
Companies House PSC register
UK companies disclose their People with Significant Control. For overseas-parent UK companies, the PSC trail traces upward to the foreign parent — at which point the firm typically needs to verify the foreign parent's beneficial ownership directly rather than relying on UK register data.
Foreign jurisdiction context
Four jurisdictional contexts UK mid-market firms commonly encounter:
EU AML Directives (5AMLD, 6AMLD)
EU member states operate under 5AMLD (transposed 2020) and 6AMLD (transposed 2021) plus the forthcoming AMLR/AMLD6 package (phased 2025-2027). The framework diverges from UK MLR 2017 in detail — particularly around PEP differentiation (UK post-2023 PS24/4 differs from EU treatment) and beneficial-ownership register public access (more restricted post-2022 CJEU ruling).
Republic of Ireland
Closest jurisdiction to UK for cross-border AML — single Common Travel Area, significant cross-border commercial work. RoI operates EU AML directives via the Criminal Justice (Money Laundering and Terrorist Financing) Acts. NI / RoI cross-border arrangements need both UK and EU framework awareness.
Channel Islands and Crown Dependencies
Jersey, Guernsey, Isle of Man operate AML frameworks aligned with UK standards but under separate supervisory regimes (Jersey Financial Services Commission, Guernsey Financial Services Commission, Isle of Man Financial Services Authority). UK firms acting for CD-based clients should understand the CD framework but operate UK MLR 2017 obligations for the UK touchpoint.
FATF non-EU jurisdictions
Other developed jurisdictions (US, Canada, Australia, Singapore, etc.) operate FATF-aligned AML frameworks. UK firms can typically rely on documentary CDD from these jurisdictions as 'reliable independent sources' under Reg 28(2)(b), with sanctions and PEP screening on top.
FAQ
Answer-first summary
What is cross-border AML compliance?
Cross-border AML compliance is the operational reality for UK firms serving clients with international exposure — overseas-domiciled clients, UK clients with foreign income or assets, UK clients transacting through non-UK jurisdictions, and overseas entities owning UK land. The UK MLR 2017 + POCA framework applies to the UK firm's compliance obligations; foreign jurisdiction AML regimes apply to the foreign-domiciled counterparties. UK firms need to operate the UK framework consistently while understanding (not necessarily directly applying) the foreign jurisdiction's expectations.
Answer-first summary
What's the UK list of High-Risk Third Countries?
MLR 2017 Schedule 3ZA lists countries that the UK considers high-risk for money laundering and terrorist financing. Clients established in, transacting with, or having significant connections to a Schedule 3ZA country trigger mandatory EDD under Reg 33(1)(b). The list is updated periodically and has diverged from the EU equivalent since Brexit — firms with EU client exposure should check both lists. The current Schedule 3ZA is published by HM Treasury on gov.uk.
Answer-first summary
How does ROE work for overseas entities?
The Register of Overseas Entities, introduced by the Economic Crime (Transparency and Enforcement) Act 2022, requires non-UK entities owning UK land to register beneficial owners at Companies House. Registration must be made via a UK-supervised Authorised Corporate Service Provider (ACSP) — typically a UK law firm or accountancy practice. Failure to register prevents Land Registry from registering transfers, leases, or charges. Annual renewal is mandatory. See our dedicated ROE guide for the full process.
Answer-first summary
Can I rely on CDD done by an overseas firm?
MLR 2017 Reg 39 permits reliance on CDD measures already carried out by another regulated person, but the conditions are tight: written consent from the relied-upon party, immediate access to CDD records, and liability remains with the relying firm. For overseas counterparties, the question is whether the overseas firm's CDD meets UK MLR 2017 standards. For FATF-aligned jurisdictions (EU, US, Canada, Australia, etc.) reliance is more straightforward; for higher-risk or non-FATF jurisdictions, the firm should typically conduct its own UK-standard CDD rather than rely on the overseas verification.
Answer-first summary
What about EU clients post-Brexit?
Since 2021, EU clients are 'foreign clients' from a UK MLR 2017 perspective. The UK framework applies for the UK firm's obligations; the EU AML directives apply for the EU-domiciled counterparties. Material divergences: UK domestic PEPs are treated as lower-risk than EU PEPs post-2023 FCA PS24/4; UK High-Risk Third Country list has diverged from the EU list since 2021. Firms with significant EU client exposure should monitor both UK and EU regulatory developments — particularly the EU AMLR/AMLD6 package phased 2025-2027.
Answer-first summary
Does Certivus support cross-border client work?
Yes. Certivus is designed for UK firms operating UK MLR 2017 obligations — and most UK firms have cross-border client work. The product handles overseas-domiciled clients, foreign sanctions and PEP screening (UK Consolidated List, UN, EU, OFAC), Schedule 3ZA HRTC EDD escalation, and ROE workflow for ACSP-acting firms. Foreign-jurisdiction AML obligations (where the UK firm is also subject to them — rare) sit outside the core Certivus workflow.