Governance, Risk & Compliance

How to Build an AML Framework for a UK Firm

Build a compliant AML framework under the Money Laundering Regulations 2017: risk assessment, CDD, the MLRO, SAR reporting, training and audit.

8 min read Published 17 Jul 2026
How to Build an AML Framework for a UK Firm

An AML framework is the set of documented arrangements a UK firm uses to identify, prevent and report money laundering and terrorist financing. It is not a single policy document. It is a connected system that starts with understanding the risks your business faces and ends with well trained staff who know how to raise a concern. Under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, a relevant person must build these arrangements in a way that is proportionate to the size and nature of its business.

The regulatory expectations sit across several instruments. The Money Laundering Regulations 2017 set out what your controls must cover, the Proceeds of Crime Act 2002 creates the personal reporting duties that sit behind suspicious activity reporting, and the Financial Conduct Authority's Financial Crime Guide explains what good and poor practice look like. Guidance from the Joint Money Laundering Steering Group carries additional weight because it has HM Treasury approval, and the Regulations require a court to consider whether a firm followed relevant guidance when deciding whether an offence was committed.

This article walks through the building blocks of a compliant framework: the business-wide risk assessment, policies and procedures, customer due diligence, the money laundering reporting officer and nominated officer roles, ongoing monitoring, suspicious activity reporting, training, and independent audit. Every requirement below is drawn from the primary sources cited at the end.

Start with a business-wide risk assessment

The foundation of any AML framework is the business-wide risk assessment. Regulation 18 of the Money Laundering Regulations 2017 requires a relevant person to take appropriate steps to identify and assess the risks of money laundering and terrorist financing to which its business is subject. This is the document that shapes everything else, because you cannot design proportionate controls until you understand where your exposure sits.

Regulation 18 sets out the risk factors your assessment must consider. These are your customers, the countries or geographic areas in which you operate, your products or services, your transactions, and your delivery channels. The FCA's Financial Crime Guide reinforces this, noting that a risk assessment should be comprehensive and should draw on a wide range of information rather than a single factor or source.

The assessment cannot be a one-off exercise. Regulation 18 requires you to keep an up-to-date record in writing of all the steps you have taken, and the FCA expects firms to review the assessment regularly so that it remains current. A poor-practice example flagged by the FCA is allocating low-risk scores to higher-risk countries in order to avoid enhanced due diligence, which shows why the assessment must be honest as well as documented.

Risk factors a business-wide assessment must cover

The five risk factors a relevant person must consider under Regulation 18 of the Money Laundering Regulations 2017.

Risk factors a business-wide assessment must cover
100Total %
Customers20%
Countries or geographic areas20%
Products or services20%
Transactions20%
Delivery channels20%

Write policies, controls and procedures that mitigate the risk

Once you understand your risks, Regulation 19 requires you to establish and maintain policies, controls and procedures to mitigate and manage them effectively. These must be proportionate to the size and nature of your business and, importantly, they must be approved by your senior management. You must also keep a written record of your policies and communicate them across the business.

Regulation 19 sets out the areas the policies must address. They cover risk management practices, internal controls, customer due diligence, reliance and record keeping, and the monitoring and management of compliance with the policies themselves. They must also include procedures for identifying complex or unusually large transactions and unusual patterns of activity, for scrutinising activity the firm regards as particularly likely to be related to money laundering, and for assessing new products, business practices and technology.

For firms that operate as a group, Regulation 20 extends these obligations. A relevant parent undertaking must ensure that the group's policies, controls and procedures apply across all its subsidiary undertakings and branches, including those located outside the United Kingdom, and must keep records of how those policies are communicated. Getting the control layer right at this stage means every later step, from due diligence to reporting, rests on a documented and senior-approved foundation.

The goal is a living operating model, not a binder that sits on a shelf. Policies should translate directly into the day-to-day steps your teams follow when they onboard a customer, screen a payment or escalate a concern.

Apply customer due diligence and enhanced due diligence

Customer due diligence is where the framework meets the customer. Regulation 27 sets out when CDD measures must be applied: when you establish a business relationship, when you carry out certain occasional transactions, when you suspect money laundering or terrorist financing, and when you doubt the veracity or adequacy of documents or information you obtained earlier for identification or verification. CDD must also be applied at other appropriate times to existing customers on a risk-sensitive basis.

The FCA's Financial Crime Guide explains that CDD involves identifying your customers and, where applicable, their beneficial owners, and then verifying their identities so you build a complete picture of the risk associated with the relationship. Firms should build on their business-wide risk assessment to decide the level of CDD to apply to each relationship or occasional transaction.

Where the money laundering risk is increased, the Financial Crime Guide requires enhanced due diligence. The extent of EDD must be commensurate with the risk. In practice this can mean obtaining more robust verification of a beneficial owner's identity from a reliable and independent source, or establishing how a customer acquired their wealth. Applying the same measures to customers of very different risk is highlighted by the FCA as poor practice, which is why a risk-sensitive approach matters.

MLR 2017 requirementWhat the firm must do
Regulation 18: risk assessmentIdentify and assess risk across customers, countries, products or services, transactions and delivery channels, and keep a written up-to-date record.
Regulation 19: policies, controls and proceduresEstablish and maintain proportionate policies approved by senior management, covering risk management, CDD, monitoring, reporting and record keeping.
Regulation 20: group-level controlsEnsure group policies apply across all subsidiaries and branches, including those outside the UK, and record how they are communicated.
Regulation 21: internal controlsWhere appropriate to the business, appoint a board or senior management compliance officer, appoint a nominated officer, screen relevant employees and set up an independent audit function.
Regulation 24: trainingMake staff aware of the law and give regular training on recognising and dealing with suspicious activity, and keep a written record of the training given.
Regulation 27: customer due diligenceApply CDD when establishing a relationship, on certain occasional transactions, on suspicion, and where earlier identification is doubtful.
Core Money Laundering Regulations 2017 requirements mapped to firm actions.

Appoint your MLRO and nominated officer

Two roles anchor the governance of an AML framework, and Regulation 21 sets them out where it is appropriate to the size and nature of the business. The first is an individual on the board, or its equivalent management body, or in senior management, who is the officer responsible for the firm's compliance with the Regulations. This person is often described as the money laundering compliance officer.

The second is the nominated officer, the role widely known as the money laundering reporting officer or MLRO. Regulation 21 requires the firm to appoint an individual to receive internal disclosures and evaluate whether they give rise to knowledge or suspicion of money laundering or terrorist financing. The FCA's Financial Crime Guide describes the MLRO as responsible for oversight of the firm's compliance with its AML obligations and as the focal point for AML activity, and it expects the MLRO to have sufficient resources, experience, access and seniority.

These are not titles on an organisation chart alone. The nominated officer role carries a personal legal duty. Under section 331 of the Proceeds of Crime Act 2002, once a nominated officer receives an internal disclosure and forms the relevant knowledge or suspicion, they must make a disclosure to the National Crime Agency as soon as is practicable. Failure to do so is a criminal offence.

1
Assess your risk
Complete and document a business-wide risk assessment covering customers, geographies, products, transactions and channels.
2
Write your policies
Draft proportionate policies, controls and procedures and obtain senior management approval.
3
Appoint key roles
Appoint a senior compliance officer and a nominated officer with adequate seniority and resources.
4
Embed due diligence
Set risk-based CDD and EDD procedures for onboarding and for triggering events during a relationship.
5
Run ongoing monitoring
Scrutinise transactions and keep customer due diligence information current on a risk-sensitive basis.
6
Enable reporting
Give staff a clear internal route to the nominated officer and register to submit SARs to the NCA.
7
Train and audit
Train staff regularly, keep written records and run an independent audit of the framework.

Monitor, report and enable suspicious activity reporting

Due diligence at onboarding is only the start. The FCA's Financial Crime Guide requires firms to conduct ongoing monitoring of business relationships on a risk-sensitive basis, scrutinising transactions to check they are consistent with what the firm knows about the customer, and keeping the documents, data and information obtained through CDD up to date. Good practice, in the FCA's view, includes using automated systems to monitor transactions rather than accepting a customer's explanation for unusual activity at face value.

Monitoring exists to surface concerns that then need to be reported. The Proceeds of Crime Act 2002 sits behind this. Under section 330, a person working in the regulated sector who knows or suspects, or has reasonable grounds for knowing or suspecting, that another person is engaged in money laundering must make a disclosure as soon as is practicable to a nominated officer or to a person authorised by the National Crime Agency. The maximum penalty for the failure to disclose offences is five years' imprisonment.

The reporting chain then runs to the National Crime Agency. The NCA states that organisations and individuals in the regulated sector have a legal obligation to submit suspicious activity reports, and it names the Proceeds of Crime Act 2002 and the Terrorism Act 2000 as the source of that obligation. Reports are submitted through the NCA's SAR portal, and it recommends that the person responsible for AML compliance, such as the MLRO or nominated officer, is registered to submit them. Firms that also handle customer money should make sure their payment workflows feed the same monitoring and reporting pipeline.

Train your staff and test the framework with independent audit

A framework only works if the people using it understand it. Regulation 24 requires a relevant person to take appropriate measures so that employees and agents are made aware of the law relating to money laundering and terrorist financing, and are regularly given training in how to recognise and deal with transactions and other activities that may be related to it. You must also maintain a written record of the measures taken, including the training given to employees and agents.

The final building block is assurance. Where appropriate to the size and nature of the business, Regulation 21 requires an independent audit function with the responsibility to examine and evaluate the adequacy and effectiveness of the firm's policies, controls and procedures, to make recommendations, and to monitor compliance with those recommendations. Regulation 21 also requires screening of relevant employees, both before appointment and during their employment.

Independent audit is what closes the loop. It tests whether the risk assessment still reflects the business, whether the policies are being followed, and whether reporting is working in practice. Because Regulation 86 of the Money Laundering Regulations 2017 requires a court to consider whether a person followed relevant FCA or Treasury-approved guidance when deciding whether an offence was committed, being able to show that you tested your framework against that guidance is a meaningful protection.

Conclusion

Building an AML framework for a UK firm is a sequence, not a checklist to complete in a single sitting. It begins with a documented business-wide risk assessment under Regulation 18, flows into senior-approved policies under Regulation 19, and is delivered through risk-based customer due diligence, clear ownership by a senior compliance officer and a nominated officer, ongoing monitoring, suspicious activity reporting to the National Crime Agency, regular training and independent audit. Each element reinforces the others, and each is anchored in the Money Laundering Regulations 2017, the Proceeds of Crime Act 2002 and FCA guidance.

The Regulations are explicit that these arrangements must be proportionate to the size and nature of your business, so a small firm and a large group will implement them very differently. What does not change is the need to document your decisions, keep them current and be able to demonstrate that you followed relevant guidance. If you want a single place to build, evidence and maintain these controls, you can request a demo to see how a structured platform can support the framework end to end.

Frequently asked questions

What are the core building blocks of an AML framework?

A business-wide risk assessment, policies and procedures, customer due diligence and enhanced due diligence, a senior compliance officer and a nominated officer, ongoing monitoring, suspicious activity reporting, staff training, and an independent audit function. These map to Regulations 18, 19, 21, 24 and 27 of the Money Laundering Regulations 2017 and to the FCA's Financial Crime Guide.

What must a business-wide risk assessment cover?

Regulation 18 of the Money Laundering Regulations 2017 requires you to identify and assess money laundering and terrorist financing risk across your customers, the countries or geographic areas you operate in, your products or services, your transactions and your delivery channels. You must keep an up-to-date written record of the steps you have taken.

What is the difference between the MLRO and the money laundering compliance officer?

Under Regulation 21, the compliance officer is a board or senior management individual responsible for the firm's compliance with the Regulations, while the nominated officer, commonly called the MLRO, receives internal disclosures and decides whether to report to the National Crime Agency. Both roles apply where appropriate to the size and nature of the business.

When must a firm submit a suspicious activity report?

Under section 330 of the Proceeds of Crime Act 2002, someone in the regulated sector who knows or suspects, or has reasonable grounds to suspect, money laundering must disclose as soon as practicable to the nominated officer or the NCA. Under section 331 the nominated officer must then report to the NCA as soon as practicable. The maximum penalty for failing to disclose is five years' imprisonment.

Does a firm need an independent AML audit?

Where appropriate to the size and nature of its business, Regulation 21 requires an independent audit function to examine and evaluate the adequacy and effectiveness of the firm's AML policies, controls and procedures, make recommendations and monitor compliance with them. Smaller firms scale this proportionately.

How much weight does JMLSG guidance carry?

JMLSG guidance is approved by HM Treasury. Under Regulation 86 of the Money Laundering Regulations 2017, a court must consider whether a person followed relevant guidance issued by the FCA, or issued by another supervisory authority and approved by the Treasury, when deciding whether an offence was committed.

Ready to move money with confidence?

Nasara Control helps UK firms send and control payments with lower fees, better rates and full visibility.

Talk to an expert
Keep reading

More insights you will like.

Stay ahead of the curve

Practical guides and updates for UK firms, straight to your inbox.

Secure by designBank-grade security and encryption
Built for UK firmsMade for FCA-regulated businesses
Data protectedYour data stays private and controlled
Global reachCross-border payments worldwide