MLR 2017 Regulation 19 — UK practitioner guide
The written-policies obligation in UK AML law — what must be covered, who approves, how often to review, and the five most common Reg 19 inspection failings.
By Mehmood Rajoka · Last updated 2026-06-08
TL;DR — Quick Summary
- MLR 2017 Regulation 19 requires every regulated UK firm to establish and maintain written policies, controls, and procedures designed to mitigate and manage the money-laundering and terrorist-financing risks identified in the firm-wide risk assessment.
- The policies must be approved by senior management, reviewed at least annually, and updated whenever the firm-wide risk assessment changes or regulatory developments require.
- Coverage is comprehensive: CDD, EDD, internal SAR escalation, training, monitoring, record keeping, sanctions screening, beneficial ownership identification, and the MLCO/MLRO appointment chain.
- The policies document is the operational translation of the firm-wide risk assessment. Without it, the assessment is theoretical; with it, the firm has a documented programme.
- Supervisors ask for the policies after the firm-wide risk assessment — they check for currency, internal consistency, and translation into operating reality at the file level.
Answer-first summary
What does MLR 2017 Regulation 19 require?
MLR 2017 Regulation 19 requires every regulated UK firm to establish and maintain written policies, controls, and procedures designed to mitigate and manage the money-laundering and terrorist-financing risks identified in the firm-wide risk assessment. Approved by senior management. Reviewed at least annually. Comprehensive coverage including CDD, EDD, SAR escalation, training, monitoring, record keeping, sanctions screening, beneficial ownership, and MLCO/MLRO appointments. The operational translation of the firm-wide risk assessment under Reg 18.
- Operational translation of the Reg 18 risk assessment
- Nine substantive coverage areas
- Annual review minimum + change-driven updates
- Senior-management sign-off required
Nine required coverage areas
Each requires firm-specific detail — generic template language fails inspection:
Customer Due Diligence (CDD)
How the firm identifies and verifies clients, beneficial owners, and the purpose of relationships. What documentation is acceptable. Who can sign off CDD. When ongoing monitoring is triggered.
Enhanced Due Diligence (EDD)
The triggers that escalate from Standard CDD to EDD. The required EDD components (senior approval, SoF, SoW, enhanced monitoring, adverse media). Who approves EDD-tier onboarding.
Internal SAR escalation
How any staff member with knowledge or suspicion reaches the MLRO. The MLRO's decision-making process. Tipping-off-safe client communication protocols during the SAR window.
Sanctions and PEP screening
Which lists are screened (UK Consolidated List minimum). Cadence (onboarding, ongoing, event-driven). Match disposition procedure. OFSI reporting workflow on confirmed match.
Training
Annual refresher cadence. Content scope. Who delivers (internal vs external). How completion is recorded. What to do when a staff member is overdue.
Ongoing monitoring
Review cadence by risk rating (typically quarterly for higher-risk, annually for medium, less frequently for low-risk). Transaction monitoring approach. How material change triggers ad-hoc review.
Record keeping
What documents are retained, where, for how long (minimum 5 years under Reg 40). How records are accessed for supervisory inspection. Data protection and confidentiality protocols.
Beneficial ownership identification
How the firm traces ownership through corporate, partnership, and trust structures. Which registers (PSC, TRS, ROE) are consulted. When independent verification is required beyond register data.
MLCO and MLRO appointments
Named individuals, written appointment terms, role specifications. Reporting lines. Cover arrangements during absence. Succession planning for these critical roles.
Senior management sign-off — what supervisors expect
- Annual approval by senior management (partnership board, executive committee, or equivalent)
- Material-change approval whenever the firm-wide risk assessment is updated or regulatory developments require policy change
- Documented sign-off with date, approver name, and minute reference
- Distribution to all relevant staff with documented receipt
- Accessible reference copy in the firm's compliance system or knowledge base
- Version control showing what changed at each iteration
Five recurring Reg 19 gaps
Policies that don't match operating reality
The document says one thing; file evidence shows the firm doing something different. Inspectors find the discrepancy at file-level sampling. Policies should describe operating reality, not aspirational best practice the firm doesn't achieve.
Generic template policies
Downloaded template with the firm name swapped in. No firm-specific tailoring to client sectors, services, geographies, or risk profile. Supervisors recognise template content and treat it as evidence of weak programme ownership.
Policies last reviewed 18+ months ago
MLR 2017 Reg 19 requires policies to be kept up to date. Annual review is the minimum; material change (e.g. 2022 proliferation financing addition, 2023 FCA PS24/4 PEP differentiation) triggers interim updates. Stale policies are a frequent inspection finding.
Policies that don't reference current legislation correctly
Citing MLR 2007 (the superseded predecessor regime), citing outdated reg numbers, missing the 2022 and 2023 updates. Demonstrates lack of currency to the inspector.
No evidence of dissemination or training on policy content
Policies exist as a binder but staff have not been trained on them. Reception and admin staff cannot explain the SAR escalation path; fee earners cannot explain when EDD triggers apply. Policy without operational adoption is partial compliance at best.
FAQ
What does MLR 2017 Regulation 19 require?
MLR 2017 Regulation 19 requires every regulated UK firm to establish and maintain written policies, controls, and procedures designed to mitigate and manage the money-laundering and terrorist-financing risks identified in the firm-wide risk assessment. The policies must be approved by senior management, reviewed at least annually, and updated whenever the firm-wide risk assessment changes or regulatory developments require. Coverage is comprehensive — CDD, EDD, internal SAR escalation, training, monitoring, record keeping, sanctions screening, beneficial ownership identification, and the MLCO/MLRO appointment chain.
What must the policies cover?
Nine substantive areas. CDD (identification, verification, ongoing monitoring). EDD (triggers, components, senior approval). Internal SAR escalation and tipping-off-safe protocols. Sanctions and PEP screening. Training (cadence, content, records). Ongoing monitoring (review cadence by risk). Record keeping (Reg 40 retention). Beneficial ownership identification (PSC, TRS, ROE workflows). MLCO and MLRO appointments. Each area needs firm-specific detail — not generic template language.
Who approves the policies?
Senior management — partnership board, executive committee, managing partners, or equivalent. The signature represents the firm's commitment to operate the policies as described. Sign-off by a junior compliance manager alone does not satisfy the regulatory expectation. The approver must be in a position to commit firm resources and to overrule commercial pressure against necessary controls.
How often must policies be reviewed?
At least annually. Material changes trigger interim updates: firm-wide risk assessment update, new service line or client sector, major AML-legislation change (2022 proliferation, 2023 PEP differentiation, 2023 Companies House reform), new sanctions regime, supervisory thematic review, internal incident (SAR pattern, near-miss, finding from prior inspection). Diarise the next annual review the day the current one is approved.
What's the link to the firm-wide risk assessment?
Tight. The firm-wide risk assessment under Reg 18 identifies the risks the firm faces. The policies under Reg 19 are the operational response to those risks. The two documents should be internally consistent — if the assessment identifies an emerging risk, the policies should describe how the firm is mitigating it. Inspectors look at both documents together; inconsistency between them is a finding in itself.
What are common Reg 19 inspection failings?
Five recur. Policies that don't match operating reality (document says one thing, file evidence shows another). Generic template policies with no firm-specific tailoring. Policies last reviewed 18+ months ago. Policies citing outdated legislation (MLR 2007 not MLR 2017, missing 2022 and 2023 updates). No evidence of dissemination or training on the policy content. Each is avoidable with consistent compliance ownership and regular review cadence.