UK Implements New Anti-Money Laundering Rules

by Karolos Seeger, Alex Parker, Ceri Chave, and Andrew Lee

On 26 June 2017, the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017[1] came into force. These new regulations (the “2017 Regulations”):

  • require a written assessment of money laundering risk and prescribe some features of effective internal controls;
  • detail when different categories of customer due diligence must be conducted and what steps must be taken; and
  • specify beneficial ownership information that trusts must provide for inclusion on a central register.

The 2017 Regulations are intended to ensure that the UK’s anti-money laundering regime is in line with the Financial Action Task Force’s standards and to implement into UK law the European Union’s Fourth Money Laundering Directive (“MLD 4”).[2] The key features of the 2017 Regulations and the principal differences between them and the Money Laundering Regulations 2007[3] (the “2007 Regulations”) are summarised below.

Who is Affected?

The 2017 Regulations replaced the 2007 Regulations, which were previously the main legislation supplementing the Proceeds of Crime Act 2002 (“POCA”) in relation to money laundering. POCA and the 2017 Regulations now constitute the UK’s primary anti-money laundering legislation. The Joint Money Laundering Steering Group has recently revised its extensive guidance for the UK financial sector accordingly.

The 2017 Regulations largely apply to the same entities and individuals as the 2007 Regulations, including financial institutions, auditors, external accountants, tax advisers and lawyers conducting business in the UK (collectively, “regulated entities”). Dealers in goods who make or receive any cash payment exceeding €10,000 (the threshold was €15,000 in the 2007 Regulations), whether in one transaction or several linked transactions, must also comply. There is an exemption for those engaging in financial activity on an occasional basis if their annual turnover is less than £100,000 (increased from the previous threshold of £64,000) and other criteria are met.

Written Risk Assessment Required

Unlike the 2007 Regulations, the 2017 Regulations specifically require regulated entities to prepare a report identifying and assessing the money laundering and terrorist financing risks associated with their businesses. Risk assessments must be proportionate to the size and nature of the regulated entity’s business, and take into account risk factors relating to:

  • customers, products or services;
  • transactions and delivery channels; and
  • countries where operations are conducted.

Regulated entities must provide such risk assessments, including underlying information, to their supervisory authorities on request. Supervisory authorities will issue more detailed sector-specific guidance for the entities they regulate (for example, the Financial Conduct Authority (“FCA”) is expected to consult soon on updating its Financial Crime Guide).

Implementing Internal Controls

In addition, the 2017 Regulations now require regulated entities to establish and maintain controls, policies and procedures to mitigate and manage the risks identified in the risk assessment. These must be proportionate to the size and nature of the company’s business and be approved by senior management, following the increasing trend of holding senior officers responsible for maintaining their company’s compliance systems. Certain key features of such internal controls are prescribed, including:

  • appointing a director to be responsible for compliance with the Regulations;
  • establishing an independent audit function to examine and evaluate the controls;
  • training relevant employees; and
  • ensuring that the controls are applied to any subsidiaries and branches, including those located outside the UK.

Additional Detail on Customer Due Diligence Measures

The 2017 Regulations set out the circumstances in which a regulated entity needs to apply customer due diligence (“CDD”), including where it is establishing a business relationship, suspects money laundering, or doubts the veracity of previously-obtained customer information. These are similar to the 2007 Regulations.

Unlike the 2007 Regulations, which afforded regulated entities broad discretion to determine when the risk of money laundering meant that they should conduct CDD, the 2017 Regulations specifically identify factors that regulated entities must evaluate, namely:

  • the purpose of an account, transaction or business relationship;
  • the size of the transactions; and
  • the regularity or duration of the business relationship.

Further, the 2017 Regulations detail the CDD information that regulated entities must obtain and verify, depending on the characteristics of the customer and the services to be provided. For example, where the customer is a company, the regulated entity must obtain and verify the company’s name, company or registration number, and the address of its registered office.

No Automatic Simplified Customer Due Diligence

The 2007 Regulations permitted regulated entities to apply simplified customer due diligence (“SDD”) automatically when dealing with certain customers and products. SDD may involve a less extensive undertaking of the same measures required by CDD.

By contrast, the 2017 Regulations emphasise a risk-based approach and provide that regulated entities may only conduct SDD if they have assessed that the business relationship or transaction presents a low degree of money laundering risk. In reaching that conclusion, the regulated entity must take into account numerous factors relating to:

  • customer risk;
  • product, service, transaction or delivery channel risk; and
  • geographical risk.

When to Conduct Enhanced Customer Due Diligence

The 2017 Regulations specify in much greater detail than the 2007 Regulations the circumstances in which a regulated entity is required to conduct enhanced customer due diligence (“EDD”). These include, for example, where the customer is located in a high-risk third country (as designated by a European Commission ‘black list’) or is a politically exposed person (“PEP” – see further below), or the transactions are complex, unusual in size or pattern, or have no apparent economic or legal purpose.

As with CDD, the 2017 Regulations outline a number of factors that regulated entities must consider when deciding whether there is a high risk of money laundering and the measures required to mitigate this, including issues relating to:

  • customer risk;
  • product, service, transaction or delivery channel risk; and
  • geographical risk.

Although MLD 4 contains little guidance as to what EDD measures are actually required (these are expected to be detailed in the upcoming Fifth Money Laundering Directive (“MLD 5”)), the 2017 Regulations do stipulate some mandatory and optional steps for regulated entities to take, especially in relation to correspondent relationships with firms from third countries.

Expanding the Range of Politically Exposed Persons

Whereas PEPs were defined in the 2007 Regulations to include only individuals entrusted with a ‘prominent public function’ outside the UK, the 2017 Regulations do not exclude domestic PEPs. However, the EDD requirements for establishing a business relationship with a PEP (or their family members or known close associates) remain the same in that the regulated entity must:

  • obtain approval from senior management;
  • determine the PEP’s source of wealth and source of funds; and
  • conduct enhanced ongoing monitoring of the business relationship.

The Government has indicated that regulated entities should assess the risk posed by each PEP on a case-by-case basis and tailor the extent of EDD accordingly, but it would expect domestic PEPs generally to be considered lower-risk PEPs. The FCA’s guidance on how FCA-regulated firms should treat domestic and foreign PEPs is expected to be finalised shortly (following its March 2017 consultation paper).[4]

Register of Beneficial Ownership Information

MLD 4 requires each EU member state to introduce a central register of beneficial ownership information for legal entities incorporated in that jurisdiction. The UK’s publicly-accessible register is already in operation at Companies House. From 30 June 2016, companies’ annual returns to Companies House were required to include details of beneficial owners (defined as any individual who exercises management control or ultimately owns or controls more than 25% of the shares or voting rights).[5] Beneficial ownership information must be provided when new companies are registered.

In line with MLD 4, the 2017 Regulations also impose several new obligations concerning the beneficial ownership information of “relevant trusts” (express trusts where: (i) all the trustees reside in the UK; or (ii) the trust receives income from, or has assets in, the UK). Trustees must maintain accurate and up-to-date records of the trust’s beneficial owners (defined as the settlor, trustees, beneficiaries, and any individual who controls the trust). HM Revenue & Customs will maintain a register of the details of the beneficial owners of such trusts, as long as they incur UK tax liabilities. However, this register will only be accessible to UK law enforcement authorities.

New Criminal Penalties

As under the 2007 Regulations, breach of many of the 2017 Regulations’ provisions constitutes a criminal offence punishable by up to two years’ imprisonment (for individuals) and/or an unlimited fine. The 2017 Regulations create new criminal offences of prejudicing an investigation into a breach of the Regulations, and of making false or misleading statements in purported compliance with a requirement imposed under the Regulations. The 2017 Regulations also enable UK supervisory authorities to impose civil penalties and public censures on regulated entities that contravene their provisions. Furthermore, the FCA has been given separate powers to cancel, suspend or restrict a firm’s regulatory permissions and authorisations.


The 2017 Regulations represent a significant evolution of the UK’s anti-money laundering laws and impose greater compliance burdens on regulated entities and their employees. For many large firms, the 2017 Regulations mainly codify existing industry best practices. Nevertheless, regulated entities should review their existing systems and controls to ensure that they are compliant. The additional detail as to when CDD, EDD and SDD must be carried out and what measures must be taken should assist regulated entities in carrying out due diligence and are generally to be welcomed. Smaller firms may find it more difficult to implement the new rules effectively, although this is mitigated to some extent by the risk-based approach underlying the 2017 Regulations.

Anti-money laundering rules are continually adapting to the criminal landscape, so the 2017 Regulations will soon be supplemented by new rules. MLD 5 is currently expected to be finalised and come into force in late 2017. This will, amongst other matters: bring virtual currency exchange platforms and custodian wallet providers within the scope of regulation; address concerns about the use of pre-paid cards to finance terrorism; provide more detail on EDD measures where business relationships or transactions involve high-risk third countries; and require EU countries to establish central registries allowing the identification of those holding or controlling payment accounts and bank accounts.


[1] Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (2017/692).

[2] Directive (EU) 2015/849. Please see our earlier client update on MLD 4.

[3] Money Laundering Regulations 2007 (2007/2157).

[4] FCA Guidance Consultation: Guidance on the treatment of politically exposed persons (PEPs) under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (GC17/2).

[5] See the Small Business, Enterprise and Employment Act 2015.

Karolos Seeger is a partner, Alex Parker is International Counsel and Ceri Chave and Andrew Lee are associates in the London office of Debevoise & Plimpton.

The above post was originally issued as a client memo of Debevoise & Plimpton by Karolos Seeger, Alex Parker, Ceri Chave and Andrew Lee.


The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement or of New York University School of Law. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.