If the Proceeds of Crime Act 2002 is the criminal law that makes laundering an offence, the Money Laundering Regulations 2017 are the rulebook that tells regulated businesses what they must do to prevent it. Together they form the backbone of the UK's anti-money-laundering regime.
The full name is a mouthful — the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, usually shortened to "the MLRs" or "MLR 2017". They have been amended several times since, but the core structure has held.
Who the regulations apply to
The MLRs apply to the "regulated sector" — businesses whose activities are most exposed to laundering risk. Per GOV.UK guidance, that includes:
- financial and credit institutions (banks, payment firms, e-money issuers);
- accountants, tax advisers, auditors and insolvency practitioners;
- legal professionals carrying out certain transactional work;
- estate agents and letting agents (above a rent threshold);
- high value dealers (businesses taking large cash payments);
- trust or company service providers;
- art market participants;
- cryptoasset exchange providers and custodian wallet providers; and
- casinos.
If you fall in scope, you must register with the relevant supervisory authority — the FCA, HMRC, the Gambling Commission, or one of the professional-body supervisors — and you commit an offence by carrying on the activity without being registered.
The risk-based approach
The single most important idea in the MLRs is that they are risk-based. There is no one-size-fits-all checklist. Instead, a firm must understand the money-laundering and terrorist-financing risks it faces — by customer, product, geography and delivery channel — and then apply controls proportionate to those risks.
In practice this produces three tiers of customer due diligence:
- Simplified due diligence (SDD) for demonstrably low-risk situations;
- Standard customer due diligence (CDD) as the default; and
- Enhanced due diligence (EDD) where the risk is higher — for example with politically exposed persons, high-risk third countries, or unusually complex transactions.
When customer due diligence is triggered
The triggers for CDD are set out in regulation 27. A relevant person must apply CDD measures when they:
- establish a business relationship;
- carry out an occasional transaction (see thresholds below);
- suspect money laundering or terrorist financing; or
- doubt the veracity or adequacy of documents or information previously obtained.
Occasional-transaction thresholds
For one-off transactions outside an ongoing relationship, regulation 27 sets specific monetary thresholds at which CDD becomes mandatory:
| Situation | Threshold (CDD required at or above) |
|---|---|
| General occasional transaction | €15,000 |
| High value dealer (cash) | €10,000 |
| Casinos (wagering or winnings) | €2,000 |
| Letting agents (monthly rent) | €10,000 |
| Art market participants | €10,000 |
| Cryptoasset transfers / fund transfers | €1,000 |
These figures are stated in euros in the regulations themselves. Note that suspicion of laundering triggers CDD regardless of any threshold — a small transaction that looks wrong still requires action.
What customer due diligence involves
At its core, CDD under the MLRs means:
- Identifying the customer and verifying that identity from a reliable, independent source.
- Identifying the beneficial owner — for a company or trust, the natural person who ultimately owns or controls it (see our guide to beneficial ownership and the PSC register) — and taking reasonable measures to verify them.
- Understanding the purpose and intended nature of the business relationship.
- Ongoing monitoring of the relationship, including scrutiny of transactions to make sure they are consistent with what the firm knows about the customer.
The wider duties
CDD is only part of the obligation. A firm in scope must also:
- carry out and document a firm-wide risk assessment;
- maintain policies, controls and procedures to manage the risks it identifies;
- appoint a nominated officer (often called the MLRO) to receive internal suspicious-activity reports, and where appropriate a compliance officer at management level;
- train staff on their AML responsibilities; and
- keep records — of CDD, transactions and the supporting evidence — for five years from the end of the relationship or the completion of the transaction, as set out in the GOV.UK responsibilities guidance.
Where Probitas fits
The MLRs require evidence: that you identified who you were dealing with, screened them, understood the ownership, and recorded why you were comfortable proceeding. Probitas reads the same primary sources a careful analyst would — Companies House, the Charity Commission, the UK Sanctions List — and assembles that evidence into a single, citable report. It is the evidence layer beneath your procedures, not a replacement for the procedures themselves: if MLR 2017 applies to you, the obligation to design and run a compliant programme remains yours.
Sources
This guide is written from primary sources. Each is linked below; claims in the text link to the specific reference they rely on.
- The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (legislation.gov.uk)
- MLR 2017 reg. 27 — when CDD must be applied (legislation.gov.uk)
- GOV.UK — Money laundering supervision: your responsibilities
- GOV.UK — Who needs to register for money laundering supervision