Build a compliant AML framework under the Money Laundering Regulations 2017: risk assessment, CDD, the MLRO, SAR reporting, training and audit.

An AML framework is the set of documented arrangements a UK firm uses to identify, prevent and report money laundering and terrorist financing. It is not a single policy document. It is a connected system that starts with understanding the risks your business faces and ends with well trained staff who know how to raise a concern. Under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, a relevant person must build these arrangements in a way that is proportionate to the size and nature of its business.
The regulatory expectations sit across several instruments. The Money Laundering Regulations 2017 set out what your controls must cover, the Proceeds of Crime Act 2002 creates the personal reporting duties that sit behind suspicious activity reporting, and the Financial Conduct Authority's Financial Crime Guide explains what good and poor practice look like. Guidance from the Joint Money Laundering Steering Group carries additional weight because it has HM Treasury approval, and the Regulations require a court to consider whether a firm followed relevant guidance when deciding whether an offence was committed.
This article walks through the building blocks of a compliant framework: the business-wide risk assessment, policies and procedures, customer due diligence, the money laundering reporting officer and nominated officer roles, ongoing monitoring, suspicious activity reporting, training, and independent audit. Every requirement below is drawn from the primary sources cited at the end.
The foundation of any AML framework is the business-wide risk assessment. Regulation 18 of the Money Laundering Regulations 2017 requires a relevant person to take appropriate steps to identify and assess the risks of money laundering and terrorist financing to which its business is subject. This is the document that shapes everything else, because you cannot design proportionate controls until you understand where your exposure sits.
Regulation 18 sets out the risk factors your assessment must consider. These are your customers, the countries or geographic areas in which you operate, your products or services, your transactions, and your delivery channels. The FCA's Financial Crime Guide reinforces this, noting that a risk assessment should be comprehensive and should draw on a wide range of information rather than a single factor or source.
The assessment cannot be a one-off exercise. Regulation 18 requires you to keep an up-to-date record in writing of all the steps you have taken, and the FCA expects firms to review the assessment regularly so that it remains current. A poor-practice example flagged by the FCA is allocating low-risk scores to higher-risk countries in order to avoid enhanced due diligence, which shows why the assessment must be honest as well as documented.
The five risk factors a relevant person must consider under Regulation 18 of the Money Laundering Regulations 2017.
Once you understand your risks, Regulation 19 requires you to establish and maintain policies, controls and procedures to mitigate and manage them effectively. These must be proportionate to the size and nature of your business and, importantly, they must be approved by your senior management. You must also keep a written record of your policies and communicate them across the business.
Regulation 19 sets out the areas the policies must address. They cover risk management practices, internal controls, customer due diligence, reliance and record keeping, and the monitoring and management of compliance with the policies themselves. They must also include procedures for identifying complex or unusually large transactions and unusual patterns of activity, for scrutinising activity the firm regards as particularly likely to be related to money laundering, and for assessing new products, business practices and technology.
For firms that operate as a group, Regulation 20 extends these obligations. A relevant parent undertaking must ensure that the group's policies, controls and procedures apply across all its subsidiary undertakings and branches, including those located outside the United Kingdom, and must keep records of how those policies are communicated. Getting the control layer right at this stage means every later step, from due diligence to reporting, rests on a documented and senior-approved foundation.
The goal is a living operating model, not a binder that sits on a shelf. Policies should translate directly into the day-to-day steps your teams follow when they onboard a customer, screen a payment or escalate a concern.
Customer due diligence is where the framework meets the customer. Regulation 27 sets out when CDD measures must be applied: when you establish a business relationship, when you carry out certain occasional transactions, when you suspect money laundering or terrorist financing, and when you doubt the veracity or adequacy of documents or information you obtained earlier for identification or verification. CDD must also be applied at other appropriate times to existing customers on a risk-sensitive basis.
The FCA's Financial Crime Guide explains that CDD involves identifying your customers and, where applicable, their beneficial owners, and then verifying their identities so you build a complete picture of the risk associated with the relationship. Firms should build on their business-wide risk assessment to decide the level of CDD to apply to each relationship or occasional transaction.
Where the money laundering risk is increased, the Financial Crime Guide requires enhanced due diligence. The extent of EDD must be commensurate with the risk. In practice this can mean obtaining more robust verification of a beneficial owner's identity from a reliable and independent source, or establishing how a customer acquired their wealth. Applying the same measures to customers of very different risk is highlighted by the FCA as poor practice, which is why a risk-sensitive approach matters.
| MLR 2017 requirement | What the firm must do |
|---|---|
| Regulation 18: risk assessment | Identify and assess risk across customers, countries, products or services, transactions and delivery channels, and keep a written up-to-date record. |
| Regulation 19: policies, controls and procedures | Establish and maintain proportionate policies approved by senior management, covering risk management, CDD, monitoring, reporting and record keeping. |
| Regulation 20: group-level controls | Ensure group policies apply across all subsidiaries and branches, including those outside the UK, and record how they are communicated. |
| Regulation 21: internal controls | Where appropriate to the business, appoint a board or senior management compliance officer, appoint a nominated officer, screen relevant employees and set up an independent audit function. |
| Regulation 24: training | Make staff aware of the law and give regular training on recognising and dealing with suspicious activity, and keep a written record of the training given. |
| Regulation 27: customer due diligence | Apply CDD when establishing a relationship, on certain occasional transactions, on suspicion, and where earlier identification is doubtful. |
Two roles anchor the governance of an AML framework, and Regulation 21 sets them out where it is appropriate to the size and nature of the business. The first is an individual on the board, or its equivalent management body, or in senior management, who is the officer responsible for the firm's compliance with the Regulations. This person is often described as the money laundering compliance officer.
The second is the nominated officer, the role widely known as the money laundering reporting officer or MLRO. Regulation 21 requires the firm to appoint an individual to receive internal disclosures and evaluate whether they give rise to knowledge or suspicion of money laundering or terrorist financing. The FCA's Financial Crime Guide describes the MLRO as responsible for oversight of the firm's compliance with its AML obligations and as the focal point for AML activity, and it expects the MLRO to have sufficient resources, experience, access and seniority.
These are not titles on an organisation chart alone. The nominated officer role carries a personal legal duty. Under section 331 of the Proceeds of Crime Act 2002, once a nominated officer receives an internal disclosure and forms the relevant knowledge or suspicion, they must make a disclosure to the National Crime Agency as soon as is practicable. Failure to do so is a criminal offence.
Due diligence at onboarding is only the start. The FCA's Financial Crime Guide requires firms to conduct ongoing monitoring of business relationships on a risk-sensitive basis, scrutinising transactions to check they are consistent with what the firm knows about the customer, and keeping the documents, data and information obtained through CDD up to date. Good practice, in the FCA's view, includes using automated systems to monitor transactions rather than accepting a customer's explanation for unusual activity at face value.
Monitoring exists to surface concerns that then need to be reported. The Proceeds of Crime Act 2002 sits behind this. Under section 330, a person working in the regulated sector who knows or suspects, or has reasonable grounds for knowing or suspecting, that another person is engaged in money laundering must make a disclosure as soon as is practicable to a nominated officer or to a person authorised by the National Crime Agency. The maximum penalty for the failure to disclose offences is five years' imprisonment.
The reporting chain then runs to the National Crime Agency. The NCA states that organisations and individuals in the regulated sector have a legal obligation to submit suspicious activity reports, and it names the Proceeds of Crime Act 2002 and the Terrorism Act 2000 as the source of that obligation. Reports are submitted through the NCA's SAR portal, and it recommends that the person responsible for AML compliance, such as the MLRO or nominated officer, is registered to submit them. Firms that also handle customer money should make sure their payment workflows feed the same monitoring and reporting pipeline.
A framework only works if the people using it understand it. Regulation 24 requires a relevant person to take appropriate measures so that employees and agents are made aware of the law relating to money laundering and terrorist financing, and are regularly given training in how to recognise and deal with transactions and other activities that may be related to it. You must also maintain a written record of the measures taken, including the training given to employees and agents.
The final building block is assurance. Where appropriate to the size and nature of the business, Regulation 21 requires an independent audit function with the responsibility to examine and evaluate the adequacy and effectiveness of the firm's policies, controls and procedures, to make recommendations, and to monitor compliance with those recommendations. Regulation 21 also requires screening of relevant employees, both before appointment and during their employment.
Independent audit is what closes the loop. It tests whether the risk assessment still reflects the business, whether the policies are being followed, and whether reporting is working in practice. Because Regulation 86 of the Money Laundering Regulations 2017 requires a court to consider whether a person followed relevant FCA or Treasury-approved guidance when deciding whether an offence was committed, being able to show that you tested your framework against that guidance is a meaningful protection.
Building an AML framework for a UK firm is a sequence, not a checklist to complete in a single sitting. It begins with a documented business-wide risk assessment under Regulation 18, flows into senior-approved policies under Regulation 19, and is delivered through risk-based customer due diligence, clear ownership by a senior compliance officer and a nominated officer, ongoing monitoring, suspicious activity reporting to the National Crime Agency, regular training and independent audit. Each element reinforces the others, and each is anchored in the Money Laundering Regulations 2017, the Proceeds of Crime Act 2002 and FCA guidance.
The Regulations are explicit that these arrangements must be proportionate to the size and nature of your business, so a small firm and a large group will implement them very differently. What does not change is the need to document your decisions, keep them current and be able to demonstrate that you followed relevant guidance. If you want a single place to build, evidence and maintain these controls, you can request a demo to see how a structured platform can support the framework end to end.
A business-wide risk assessment, policies and procedures, customer due diligence and enhanced due diligence, a senior compliance officer and a nominated officer, ongoing monitoring, suspicious activity reporting, staff training, and an independent audit function. These map to Regulations 18, 19, 21, 24 and 27 of the Money Laundering Regulations 2017 and to the FCA's Financial Crime Guide.
Regulation 18 of the Money Laundering Regulations 2017 requires you to identify and assess money laundering and terrorist financing risk across your customers, the countries or geographic areas you operate in, your products or services, your transactions and your delivery channels. You must keep an up-to-date written record of the steps you have taken.
Under Regulation 21, the compliance officer is a board or senior management individual responsible for the firm's compliance with the Regulations, while the nominated officer, commonly called the MLRO, receives internal disclosures and decides whether to report to the National Crime Agency. Both roles apply where appropriate to the size and nature of the business.
Under section 330 of the Proceeds of Crime Act 2002, someone in the regulated sector who knows or suspects, or has reasonable grounds to suspect, money laundering must disclose as soon as practicable to the nominated officer or the NCA. Under section 331 the nominated officer must then report to the NCA as soon as practicable. The maximum penalty for failing to disclose is five years' imprisonment.
Where appropriate to the size and nature of its business, Regulation 21 requires an independent audit function to examine and evaluate the adequacy and effectiveness of the firm's AML policies, controls and procedures, make recommendations and monitor compliance with them. Smaller firms scale this proportionately.
JMLSG guidance is approved by HM Treasury. Under Regulation 86 of the Money Laundering Regulations 2017, a court must consider whether a person followed relevant guidance issued by the FCA, or issued by another supervisory authority and approved by the Treasury, when deciding whether an offence was committed.
Nasara Control helps UK firms send and control payments with lower fees, better rates and full visibility.
Practical guides and updates for UK firms, straight to your inbox.