Money Laundering Regulations 2017 (MLR 2017) — the complete UK guide
The UK regulatory framework for AML compliance — who's in scope, the 12 key regulations, who supervises, recent updates (2022 proliferation, 2023 UK domestic PEPs), and the penalty regime.
By Mehmood Rajoka · Last updated 2026-06-08
TL;DR — Quick Summary
- The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 — MLR 2017 — are the UK regulatory framework requiring regulated firms to operate AML compliance programmes.
- MLR 2017 sits alongside POCA 2002 — POCA criminalises money laundering and creates the SAR reporting duty; MLR 2017 specifies what regulated firms must do to prevent and detect it.
- Key regulations every practitioner should know: Reg 18 (firm-wide risk assessment), Reg 19 (written policies), Reg 21 (MLCO/MLRO appointments), Reg 27-31 (CDD), Reg 33-35 (EDD and PEPs), Reg 39 (reliance), Reg 40 (5-year retention).
- Updated in 2022 to add proliferation financing as a required risk dimension. Updated in 2023 via FSMA to differentiate UK domestic PEPs from foreign PEPs.
- Supervised by HMRC (unaffiliated firms), the professional bodies (ICAEW, ACCA, CIOT, AAT, IFA, CIMA, ICAS, SRA, Bar, CILEx, Law Societies of Scotland and NI), and the FCA — with OPBAS overseeing the professional bodies.
Answer-first summary
What are the Money Laundering Regulations 2017?
The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 — usually abbreviated MLR 2017 — are the UK regulatory framework requiring regulated firms to operate AML compliance programmes. They sit alongside POCA 2002, which criminalises money laundering and creates the SAR reporting duty. MLR 2017 specifies what the regulated firms must do: firm-wide risk assessment, written policies, MLCO and MLRO appointments, customer due diligence, ongoing monitoring, training, record keeping, and a SAR pipeline. The regulations have been updated multiple times since enactment — most recently in 2022 (proliferation financing), 2023 (UK domestic PEP differentiation via FSMA), and 2023 (Companies House reform via the Economic Crime and Corporate Transparency Act).
- Sits alongside POCA 2002 — the regulatory partner to the criminal-law spine
- 12 regulations cover the AML programme end-to-end
- Updated 2022 (proliferation financing) and 2023 (PEPs, Companies House)
- Supervised by HMRC, FCA, professional bodies, and OPBAS
The 12 key MLR 2017 regulations
Every practitioner should know these by regulation number. They cover the AML programme from firm-wide risk assessment to individual client decisions:
Regulation 8 — Scope
Lists the 'relevant persons' to whom MLR 2017 applies: financial institutions; auditors, accountants, tax advisers, payroll services; legal professionals; estate agents and letting agents above thresholds; TCSPs; high-value dealers; art-market participants; cryptoasset firms; casinos.
Regulation 18 — Firm-wide risk assessment
Every relevant person must carry out and document a firm-wide risk assessment covering client risk, service risk, geographic risk, delivery channel risk, and (post-2022) proliferation financing risk. Reviewed annually at minimum.
Regulation 19 — Policies, controls, procedures
Written policies and procedures derived from the firm-wide risk assessment. Must cover CDD, EDD, internal SAR escalation, training, record keeping, and screening. Approved by senior management and reviewed annually.
Regulation 21 — MLRO and MLCO appointments
Mandatory appointment of an MLCO (Money Laundering Compliance Officer — owns firm-wide AML programme) and an MLRO (Money Laundering Reporting Officer — owns SAR reporting under POCA). In small firms typically the same person, but the appointments must be in writing.
Regulation 27 — Triggers for CDD
CDD is triggered when entering a Business Relationship (Reg 4), carrying out an Occasional Transaction at or above €15,000, suspecting money laundering or terrorist financing, or doubting the veracity of previously obtained identification.
Regulation 28 — Customer Due Diligence
The substantive CDD obligation — identify, verify using reliable independent sources, identify beneficial owners, understand the purpose of the relationship, apply ongoing monitoring.
Regulation 31 — Cannot complete CDD
If the firm cannot complete CDD, it must not carry out a transaction, must not establish a business relationship, must terminate any existing relationship, and must consider whether to file a SAR.
Regulation 33 — When EDD applies
Lists the EDD triggers: PEPs, High-Risk Third Countries, complex or unusual transactions, refusal to evidence, non-face-to-face risks, and categories flagged by the firm-wide risk assessment. Where any trigger applies, EDD is mandatory.
Regulation 35 — PEPs
The dedicated PEP regime — definition of PEP and family members; EDD requirements (senior management approval, source of funds, source of wealth, enhanced monitoring); the post-2023 UK domestic PEP differentiation.
Regulation 39 — Reliance on third parties
Limited ability to rely on CDD measures already carried out by another regulated person. Requires written consent, immediate access to records, and acceptance that liability remains with the relying firm.
Regulation 40 — Record keeping
Retention of CDD evidence, risk assessments, screening results, transaction records, policies, training records, and SAR decisions for at least 5 years from the end of the business relationship or transaction.
Regulation 45ZA — Trust Registration Service
The legal basis for the HMRC TRS. Almost all UK express trusts must be registered, regardless of tax liability. Material changes must be updated within 90 days.
Who supervises MLR 2017 compliance
Five supervisor categories, with OPBAS overseeing the professional-body supervisors:
- HMRC — unaffiliated accountants, estate agents, high-value dealers, TCSPs, money service businesses
- FCA — banks, investment firms, cryptoasset firms, e-money institutions
- Professional bodies — ICAEW, ACCA, CIOT, AAT, IFA, CIMA, ICAS (accountancy); SRA, Bar Standards Board, CILEx Regulation, Law Society of Scotland, Law Society of Northern Ireland, Council for Licensed Conveyancers (legal sector)
- Gambling Commission — casinos
- OPBAS — Office for Professional Body Anti-Money Laundering Supervision (oversees the professional bodies)
Material updates since enactment
MLR 2017 has been amended multiple times. The most important changes:
2019 — 5MLD transposition
Transposed the EU's 5th Anti-Money Laundering Directive — extended the regime to art-market participants, cryptoasset firms, and tax advisers. Strengthened beneficial ownership transparency requirements.
2020 — TRS 2.0 (Regulation 45ZA)
Extended the Trust Registration Service to cover almost all UK express trusts regardless of tax liability. Introduced phased registration deadlines through 2022.
2022 — Proliferation financing
Required firms to include proliferation financing risk in their firm-wide risk assessments. Reflected FATF recommendation updates on weapons-of-mass-destruction financing.
2022 — Economic Crime (Transparency and Enforcement) Act
Introduced the Register of Overseas Entities at Companies House — overseas entities owning UK land must register beneficial owners verified by a UK-supervised agent.
2023 — Financial Services and Markets Act + FCA PS24/4
Differentiated UK domestic PEPs from foreign PEPs — UK domestic PEPs are by default treated as lower risk. FCA PS24/4 (published 2024) operationalised the change.
2023 — Economic Crime and Corporate Transparency Act
Reformed Companies House — ID verification for directors, PSCs, and registration agents (ACSPs). New powers to challenge company filings. Tightened TCSP supervision.
FAQ
What are the Money Laundering Regulations 2017 (MLR 2017)?
The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 are the UK regulatory framework requiring regulated firms — accountants, lawyers, estate agents, banks, cryptoasset firms, and others — to operate an AML compliance programme. MLR 2017 specifies what firms must do to prevent and detect money laundering and terrorist financing: firm-wide risk assessment, written policies, MLRO and MLCO appointments, customer due diligence, ongoing monitoring, training, record keeping, and a SAR pipeline. The regulations sit alongside POCA 2002, which criminalises money laundering and creates the SAR reporting duty.
How do MLR 2017 and POCA 2002 fit together?
POCA is the criminal-law backbone — it creates the principal money laundering offences, the SAR reporting duty for regulated-sector workers, the tipping-off offence, and asset-recovery powers. MLR 2017 is the regulatory framework — it requires firms to operate an AML programme designed to prevent and detect the conduct POCA criminalises. The SAR pipeline runs from MLR 2017 internal disclosures into the POCA s.330 / s.331 external reporting obligation. Firms must comply with both.
Who do MLR 2017 apply to?
Regulation 8 defines the 'relevant persons' — financial institutions; auditors, accountants, tax advisers, payroll service providers; independent legal professionals; estate agents and letting agents above thresholds; trust or company service providers; high-value dealers receiving cash payments of €10,000 or more; art-market participants for transactions of €10,000 or more; cryptoasset exchange providers and custodian wallet providers; casinos. Each is assigned a designated AML supervisor — HMRC, the FCA, a professional body, or the Gambling Commission.
What are the most important MLR 2017 regulations to know?
Twelve key provisions every practitioner should know. Reg 18 (firm-wide risk assessment). Reg 19 (written policies). Reg 21 (MLCO/MLRO). Reg 27 (CDD triggers). Reg 28 (the substantive CDD obligation). Reg 31 (what to do when CDD cannot be completed). Reg 33 (EDD triggers). Reg 35 (PEPs). Reg 37 (Simplified Due Diligence). Reg 39 (Reliance). Reg 40 (5-year retention). Reg 45ZA (Trust Registration Service). Together they cover the lifecycle of an AML programme from firm-wide risk assessment through to individual client decisions.
When was MLR 2017 last updated?
Several material updates since 2017. The 2019 5MLD transposition extended scope to art-market participants, cryptoasset firms, and tax advisers. The 2020 'TRS 2.0' update extended the Trust Registration Service. The 2022 update added proliferation financing as a required risk dimension. The 2022 Economic Crime Act introduced the Register of Overseas Entities. The 2023 Financial Services and Markets Act (operationalised via FCA PS24/4 in 2024) differentiated UK domestic from foreign PEPs. The 2023 Economic Crime and Corporate Transparency Act reformed Companies House with ID verification for directors and PSCs.
Who supervises MLR 2017 compliance?
HMRC supervises unaffiliated accountants, estate agents, high-value dealers, TCSPs, and money service businesses. The FCA supervises banks, investment firms, cryptoasset firms, and e-money institutions. Professional bodies (ICAEW, ACCA, CIOT, AAT, IFA, CIMA, ICAS for accountants; SRA, Bar Standards Board, CILEx Regulation, Law Societies of Scotland and Northern Ireland, Council for Licensed Conveyancers for legal sector) supervise their members. The Gambling Commission supervises casinos. OPBAS oversees the professional-body supervisors to drive consistency.
What are the penalties for breaching MLR 2017?
Civil penalties imposed by the AML supervisor — HMRC, the SRA, the FCA, or a professional body. Fine scales vary: HMRC penalties can reach significant amounts; SRA individual fines reach £25,000, firm fines exceed £250m for traditional firms; FCA fines can run into multi-million figures for large firms. Beyond penalties, supervisors can impose conditions on registration, suspend, or withdraw registration — effectively preventing the firm from operating in the regulated sector. Criminal prosecution under POCA remains separately available alongside civil enforcement.