MLR 2017 Regulation 28 — the UK practitioner guide

The substantive CDD obligation in UK AML law: the four required measures, ongoing monitoring under Reg 28(11), and the five recurring inspection failings.

By Mehmood Rajoka · Last updated 2026-06-08

TL;DR — Quick Summary

  • MLR 2017 Regulation 28 is the substantive Customer Due Diligence obligation — what UK regulated firms must actually do to verify clients, identify beneficial owners, and understand the purpose of the relationship.
  • Reg 28 specifies four required steps: identify the client, verify identity using reliable independent sources, identify and verify beneficial owners, and obtain information on the purpose and intended nature of the relationship.
  • Reg 28(11) requires ongoing monitoring — continuous scrutiny of transactions and client behaviour throughout the relationship, not just at onboarding.
  • Reg 28 has to be operated in combination with the other CDD-adjacent regulations: Reg 27 (when CDD applies), Reg 28A (electronic identification), Reg 31 (what to do when CDD cannot be completed), Reg 33-35 (EDD triggers), and Reg 37 (SDD).
  • The five most common Reg 28 failings in HMRC inspections: identification but no verification, verification source not documented, beneficial-owner identification stopping at the corporate parent layer, purpose of relationship recorded as a tick-box phrase, and ongoing monitoring as theory but not practice.

Answer-first summary

What is MLR 2017 Regulation 28?

MLR 2017 Regulation 28 is the substantive Customer Due Diligence obligation in UK AML law. It specifies what regulated firms must do to verify clients: identify the client and verify identity using reliable independent sources, identify and verify beneficial owners, obtain information on the purpose and intended nature of the relationship, and conduct ongoing monitoring throughout the relationship. Together these measures are the operational backbone of MLR 2017's preventative regime.

  • Four required CDD measures under Reg 28(2)-(4)
  • Ongoing monitoring under Reg 28(11) — continuous, not one-off
  • Reliable independent sources required for verification
  • Five common failings drive most inspection findings

The four CDD measures

Reg 28(2) through Reg 28(4) — all four are mandatory at onboarding for any Standard CDD client:

Reg 28(2)(a) — Identify the client

Establish who the client is — for natural persons, full name, date of birth, residential address. For entities, registered name, registered number, registered office address, the type of legal form, and the names of directors / partners / trustees / equivalent.

Reg 28(2)(b) — Verify identity using reliable independent sources

Verify the identity established under (a) using documents, data, or information from reliable, independent sources. Government-issued photo ID (passport, driving licence) for individuals; Companies House register, statutory filings, and audited accounts for UK companies.

Reg 28(3) — Identify and verify beneficial owners

For corporate, partnership, and trust clients, identify the natural persons who ultimately own or control the entity (UBOs) and take reasonable measures to verify them. Trace through corporate layers; do not stop at the first parent company. Where every possible means of identifying a natural person has been exhausted without success, Reg 28(8) requires the firm to treat the senior person responsible for managing the body corporate as its beneficial owner, and the file should record the steps taken before falling back to that position.

Reg 28(4) — Purpose and intended nature of the relationship

Understand and document what the client wants the firm to do — the services to be provided, the source of expected funds, the expected pattern of business, and (where relevant) the source of wealth. This is the foundation for risk rating and for ongoing monitoring.

Reg 28(11) — Ongoing monitoring

CDD is not a one-off onboarding task. Reg 28(11) specifies the continuous obligation:

  • Scrutinise transactions throughout the relationship to ensure they are consistent with the firm's knowledge of the client, the client's business, and risk profile
  • Where necessary, scrutinise the source of funds and source of wealth on transactions that seem inconsistent
  • Keep documents, data, and information up to date: refresh ID where it expires, refresh address on house move, refresh beneficial ownership on company restructure, and re-examine the file on any trigger event (an unexpected transaction, a change of ownership, a suspicion)
  • Apply review cadences proportionate to client risk. The Regulations set no fixed interval; common practice is quarterly for higher-risk, annually for medium-risk, and every 3 years for lower-risk Standard CDD clients, in addition to any trigger-event review
  • Document monitoring activity — what was reviewed, when, what was found, what action was taken (or that no action was warranted)

Five recurring Reg 28 failings

Identification without verification

The firm has the client's name and date of birth on file but no documentary verification — no passport scan, no driving licence record, no Companies House check. Identification ≠ verification; both are required under Reg 28(2).

Verification source not documented

The firm has the document on file but no record of where it came from, who checked it, when, or how it was verified. The 'reliable independent' standard means provenance must be reconstructible from the file: the document examined, its source, the checker, the date, and the result of the check.

Beneficial ownership stops at the first layer

The firm identifies the immediate parent company as the beneficial owner and stops there. The 'natural person' requirement under Reg 28(3) means tracing through corporate layers to find the human at the top.

Purpose and intended nature is a checkbox

Reg 28(4) is recorded as 'tax compliance services' without any analysis of expected transaction patterns, source of funds, or services to be provided over time. The purpose statement should be specific enough to drive monitoring decisions.

Ongoing monitoring is theoretical

The policy document says quarterly review. The file shows no review since onboarding. Reg 28(11) is treated as aspirational rather than operational.
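The five failings above, together with the Reg 28(11) review-cadence logic, reduced to a file-completeness check that can be run over a client record. This is an added illustration, not code from the page's author or from any product the page mentions. The record structure, the review intervals, the per-layer 25% ownership cut-off (a simplification of the "more than 25%" test in Reg 5, not the full legal test for indirect holdings), the list of generic purpose phrases and the twelve-word heuristic for a checkbox purpose statement are all assumptions chosen for the example; the sample client file is constructed and contains deliberate gaps.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Review cadences in months. Common practice, not a figure Reg 28(11) sets (assumption).
REVIEW_MONTHS = {"higher": 3, "medium": 12, "lower": 36}
# Per-layer ownership threshold, a simplification of the "more than 25%" test in Reg 5 (assumption).
OWNERSHIP_THRESHOLD = 25.0
# Phrases that name a service line but say nothing that could drive monitoring (assumption).
GENERIC_PURPOSES = {"tax compliance services", "accountancy services", "general advice"}


@dataclass
class Verification:
    document: str    # what was examined, e.g. "passport" or "Companies House extract"
    source: str      # where it came from, e.g. "seen in person", "Companies House"
    checked_by: str  # who performed the check
    checked_on: Optional[date]


@dataclass
class Party:
    name: str
    kind: str                                   # "natural" or "corporate"
    verification: Optional[Verification] = None
    owners: list = field(default_factory=list)  # [(Party, percent_held)]; empty if not on file


@dataclass
class ClientFile:
    client: Party
    purpose: str
    risk: str                    # "higher", "medium" or "lower"
    onboarded: date
    last_review: Optional[date]  # None if no review has been evidenced since onboarding


def verification_findings(party: Party, ref: str = "Reg 28(2)(b)") -> list:
    """Failings 1 and 2: identified but never verified, or verified with no
    reconstructible provenance (source, checker or date missing from the file)."""
    v = party.verification
    if v is None:
        return [f"{party.name}: identified but not verified ({ref})"]
    gaps = [f for f in ("source", "checked_by", "checked_on") if not getattr(v, f)]
    if gaps:
        return [f"{party.name}: verification source not documented ({', '.join(gaps)} missing)"]
    return []


def trace_beneficial_owners(party: Party, path: Optional[tuple] = None) -> tuple:
    """Failing 3: walk ownership layers until a natural person is reached.
    Returns (natural persons reached, corporate nodes where the chain stops)."""
    path = path or (party.name,)
    naturals, dead_ends = [], []
    for owner, pct in party.owners:
        if pct <= OWNERSHIP_THRESHOLD:
            continue
        chain = path + (owner.name,)
        if owner.kind == "natural":
            naturals.append((owner, chain))
        elif not owner.owners:
            dead_ends.append((owner, chain))   # the file stops at a corporate layer
        else:
            found, stopped = trace_beneficial_owners(owner, chain)
            naturals += found
            dead_ends += stopped
    return naturals, dead_ends


def purpose_is_checkbox(purpose: str) -> bool:
    """Failing 4: a label rather than an analysis of expected activity."""
    text = " ".join(purpose.lower().split())
    return text in GENERIC_PURPOSES or len(text.split()) < 12


def months_between(start: date, end: date) -> int:
    """Whole months elapsed from start to end."""
    months = (end.year - start.year) * 12 + (end.month - start.month)
    return months - 1 if end.day < start.day else months


def review_overdue(cf: ClientFile, today: date) -> bool:
    """Failing 5: no review evidenced within the cadence for the client's risk rating."""
    baseline = cf.last_review or cf.onboarded
    return months_between(baseline, today) >= REVIEW_MONTHS[cf.risk]


def audit_file(cf: ClientFile, today: date) -> list:
    """Run all five checks over one client file and return the findings in order."""
    findings = verification_findings(cf.client)
    if cf.client.kind == "corporate":
        naturals, dead_ends = trace_beneficial_owners(cf.client)
        for _, chain in dead_ends:
            findings.append(f"beneficial ownership stops at corporate layer: {' -> '.join(chain)} (Reg 28(3))")
        if not naturals and not dead_ends:
            findings.append(f"{cf.client.name}: no beneficial owner recorded (Reg 28(3))")
        for person, _ in naturals:
            findings += verification_findings(person, ref="Reg 28(3)(b)")
    if purpose_is_checkbox(cf.purpose):
        findings.append("purpose and intended nature recorded as a checkbox phrase (Reg 28(4))")
    if review_overdue(cf, today):
        findings.append(f"ongoing monitoring overdue for {cf.risk}-risk client (Reg 28(11))")
    return findings


def sample_file() -> ClientFile:
    """Constructed example with deliberate gaps; not real client data."""
    director = Party("A. Example", "natural")             # identified, never verified
    holdco = Party("Example Holdings Ltd", "corporate")   # its owners are not on file
    opco = Party(
        "Example Trading Ltd", "corporate",
        verification=Verification("Companies House extract", "", "", date(2023, 6, 1)),
        owners=[(holdco, 60.0), (director, 40.0)],
    )
    return ClientFile(opco, "Tax compliance services", "higher",
                      onboarded=date(2023, 6, 1), last_review=None)


def demo(today: date = date(2024, 6, 1)) -> list:
    """Audit the constructed file as at the given date; expect five findings."""
    return audit_file(sample_file(), today)


if __name__ == "__main__":
    for finding in demo():
        print("-", finding)
```

Run as a script it prints one line per failing, in the order the failings are listed above. In a real firm the record would be loaded from the client database and the generic-phrase list and cadences would come from the firm's own policy; the point of the exercise is that each failing is a concrete, testable gap in the file rather than a judgement call.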

Common questions

What are the four CDD measures under Reg 28?

Reg 28(2)(a) — identify the client. Reg 28(2)(b) — verify the identity using reliable independent sources. Reg 28(3) — identify and verify beneficial owners. Reg 28(4) — obtain information on the purpose and intended nature of the relationship. Plus Reg 28(11) — ongoing monitoring of transactions and client behaviour throughout the relationship. All five are mandatory; none is optional.

What counts as a reliable independent source?

For individuals: government-issued photo ID (passport, driving licence, national ID card), proof of address (utility bill, bank statement, council tax bill, usually under 3 months old). For UK companies: Companies House register data, the company's statutory filings, and audited accounts. For trusts: the trust deed and Trust Registration Service (TRS) records. The 'independent' qualifier means the source must be independent of the client: the client's own letterhead doesn't count as verification of their address.

What is ongoing monitoring under Reg 28(11)?

Continuous scrutiny of transactions and client behaviour throughout the relationship to ensure they remain consistent with the firm's knowledge of the client. Includes scrutinising source of funds and source of wealth where transactions seem inconsistent. Documents and information must be kept up to date. Review cadence is risk-rated; the Regulations set no fixed interval, but common practice is quarterly for higher-risk, annually for medium-risk, and every 3 years for lower-risk Standard CDD clients, plus a review on any trigger event.

When does Reg 28 apply?

Reg 27 sets the triggers. Reg 28 CDD measures must be applied when: (a) the firm enters a Business Relationship under Reg 4, (b) the firm carries out an Occasional Transaction at or above €15,000, whether in a single operation or in several linked operations, (c) the firm suspects money laundering or terrorist financing, or (d) the firm doubts the veracity of previously obtained identification. For higher-risk situations under Reg 33, EDD applies in addition to the Reg 28 measures, not instead of them. For demonstrably low-risk situations under Reg 37, SDD may adjust the extent and timing of the measures, but none of them is dispensed with.

What are the most common Reg 28 failings?

Five recur in HMRC and other supervisory inspection reports. Identification without verification — name on file, no documentary check. Verification source not documented. Beneficial ownership stopping at the first corporate parent layer rather than tracing to the natural person. Purpose-of-relationship recorded as a tick-box phrase without substantive analysis. Ongoing monitoring described in policy but not evidenced in client files. Each is avoidable with consistent file practice.