Skip to main content
HMRC internal manual

Anti-money laundering guidance for supervised businesses

AMLG3400 - Sector Risk Assessments: Risk Assessment of Money Service Businesses

This risk assessment by HMRC is prepared and made available to you under regulations 17 and 47 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (referred to as ‘the Regulations’ throughout this guidance).

This risk assessment tells you about the key risks that your business might face as a Money Service Business (MSB).

Separate guidance to support MSBs in complying with their obligations under the Regulations can be found at within Part 1 and AMLG2400.

In line with regulations 18 and 18A of the Regulations all MSBs must carry out a risk assessment to identify and assess the risks to their business of:

  • Money Laundering
  • Terrorist Financing
  • Proliferation Financing

You must take this risk assessment published by HMRC into account when carrying out your business’s own risk assessment.

When carrying out your risk assessment, you must also read and consider other relevant documents such as:

As a MSB you must take appropriate steps, taking into account the size and nature of your business, to identify and assess the risks your business may be exposed to. You must consider the following risk factors: 

  • your customers
  • the countries or geographical areas in which you operate 
  • the MSB products or combination of services you provide and customer interaction
  • the type of transactions carried out (including size, nature and frequency)
  • the delivery channels used when carrying out day to day business (e.g. how you provide your services and interact with your customers).

The steps you have taken to identify and assess these risks must be properly reflected in your business’s risk assessment and you must keep an up-to-date record in writing of these steps.  You must be able to provide an up-to-date copy of your risk assessment, and the information you have used to carry out that risk assessment to HMRC when requested.

You must apply any additional measures as set out in the Regulations, particularly where there is a high or higher risk of:

  • money laundering;
  • terrorist financing; or
  • proliferation financing

If you begin to provide additional or new services, or if you change how your services are provided, or how your business operates, you must make sure your risk assessment reflects these changes. Your policies, controls and procedures (PCPs) must also be updated to reflect how you will effectively manage and mitigate any additional or new risks, before you start the new services or business operating model.

The risk characteristics within this risk assessment are HMRC’s assessment of risks for the MSB sector.  Whilst all these risks must be taken into account in your risk assessment and PCPs, you may also find additional risks when evaluating your own business.

The presence of one or more of the risk indicators contained within this risk assessment in MSB transactions means that there is a heightened risk of money laundering, terrorist financing or proliferation financing. You should consider carefully the risks involved and whether enhanced due diligence and/or enhanced ongoing monitoring measures should be applied, in line with regulation 33(1)(ii) of the Regulations and whether a suspicious activity report (SAR) should be submitted.

Money laundering

The money laundering risks associated with Money Service Businesses (MSBs) have not changed since NRA 2020 and the overall risk of exploitation for money laundering purposes remains high.  Services such as money remittance and currency exchange allow money to be moved quickly and cheaply to foreign jurisdictions.MSBs that offer FOREX services also remain at high risk, largely due to the amount of money that can be transferred in a single transaction via banks where the fees are often cheaper than retail banks.

MSBs offer a cheap, convenient and easily accessible method to move money anywhere in the world. Cash is common in MSBs, as well as with customers who may not have access to bank accounts in order to remit money electronically, or those who prefer the use of cash. This makes MSBs attractive to criminals as they can launder the cash proceeds of crime without attracting suspicion as they can hide amongst legitimate customers.

Terrorist financing

The terrorist financing risk associated with MSBs remains high. The low cost of transferring funds and the ability to access multiple high-risk jurisdictions make MSBs an appealing and easily accessible channel for terrorists seeking to move small amounts of money rapidly into and out of the UK.

 

Proliferation Financing (PF)

Proliferationfinancing is defined in regulation 16A(9) of the Regulations as “the act of providing funds or financial services for use, in whole or in part, in the manufacture, acquisition, development, export, trans-shipment, brokering, transport, transfer, stockpiling of, or otherwise in connection with the possession or use of, chemical, biological, radiological or nuclear (CBRN) weapons. This includes the provision of funds or financial services in connection with the means of delivery of such weapons and other CBRN-related goods and technology, in contravention of a relevant financial sanction’s obligation”.  PFmeasures exist to prevent the build-up ofchemical, biological,radiologicalor nuclear (CBRN) weapons of mass destruction (WMD) by certain regimes, meeting UK obligations under relevant United Nations (UN) Security Council Resolutions.  

Current PF sanctions caught by the MLRs target organisations, businesses, and individuals in:

  • Iran
  • North Korea

Banking services to both countries are limited, so, although proliferation finance typically has characteristics similar to regular trade finance, the lack of banking options, combined with the increasingly diverse means deployed by the countries to fund and obtain proliferation-sensitive materials means that MSBs, particularly money remitters, may be exposed to increased PF risks. Thus, MSBs should carefully consider the PF risks associated with their customers and transactions, especially when they involve these and bordering countries.

The UK proliferation financing sanctions are regularly updated, so it is important to be aware of any changes and additions by checking the UK sanction list.


Proliferation financing risk indicators

The proliferation financing risks outlined in this assessment should be regarded as high risk and considered together with the wider set of risk indicators contained in this guidance.


Customers linked to the governments of proliferation financing sanctioned regimes

Proliferation sanctions place financial and trade restrictions on certain countries.  For the purposes of the MLRs, financial sanctions apply to countries sanctioned by the UN to prevent their development of CBRN WMD and delivery systems.  Financial sanctions are restrictions put in place to achieve a specific foreign policy or national security objectives and can limit the provision of certain financial services and/or restrict access to financial markets, funds and economic resources.

UK asset freezes are in place against both Iran and North Korea, meaning it is against the law to: 

  • Deal with the frozen funds or economic resources, belonging to or owned, held or controlled by a designated person (an individual or entity on the UK Sanctions List (The UK Sanctions List - GOV.UK) or to a person who is owned or controlled directly or indirectly by the designated person.
  • Make funds or economic resources available, directly or indirectly, to, or for the benefit of, a designated person or to a person who is owned or controlled directly or indirectly by the designated person.
  • Engage in actions that, directly or indirectly, circumvent the financial sanctions prohibitions.

More details on UK sanctions can be found here Starter guide to UK sanctions - GOV.UK and detailed guidance on financial sanctions here: UK financial sanctions general guidance - GOV.UK.

There is an increased risk of proliferation financing in any transaction or business relationship linked to a regime sanctioned for proliferation financing.  These transactions and customers should be treated as high risk.Regimes seeking to evade UN sanctions and develop WMD and delivery systems take extensive steps to obscure the true nature of their transactions, including using neighbouring countries from which funds or material will be sent to the sanctioned country.  Firms should be aware of the increased risk around countries and geographical areas bordering sanctioned countries.


MSBs being used to finance dual use goods

MSBs can unknowingly be used to finance the acquisition, movement, or diversion of dual use goods which can be used to develop WMD or delivery systems.Dual use goods are often seemingly innocuous and can be used for civilian purposes as well as for WMD programmes.  The include items such as:

  • carbon fibre
  • electronic components and chemicals
  • aerospace components
  • metals with specific properties
  • certain software or technical data

See the National Risk Assessment of Proliferation Financing and Export controls: dual-use items, software and technology, goods for torture and radioactive sources - GOV.UK for more information on dual use items.

HMRC has assessed that an MSB may encounter the following PF risks: 

  • Payments made through an MSB (or overseas branches/subsidiaries of UK MSBs) may be linked to proliferation-related activities or actors. 

  • MSBs in the UK may have wide-reaching operations around the world. This includes countries that may be particularly exposed to PF. 

You should implement a robust risk-based approach, apply enhanced due diligence measures, provide comprehensive staff training, and maintain effective transaction monitoring to help identify suspicious activity related to dual use goods.


HMRC-supervised MSBs

The services offered by MSBs that HMRC supervise can include increased or reduced risk levels, and it is important that businesses understand and properly appraise the risks presented by each activity and customer.

HMRC is the anti-money laundering (AML) supervisor for MSBs who are not already supervised for MSB activity by the Financial Conduct Authority (FCA). Note, however, that any money remitter must be authorised as a payment institution by the FCA – unless the business has other FCA authorisations meaning it is entirely FCA supervised, must be supervised by HMRC.  This means that a business which is not supervised for AML purposes by the FCA must have had its application for registration by HMRC for AML supervision for MSB activity positively resolved before engaging in that activity.  MSB activity being conducted within a casino must be supervised by the Gambling Commission but any business carrying out MSB activity must also appear on either HMRC’s or the FCA’s register (or, if they are a money remitter, both). 


Risk Indicators

It is vital that MSBs understand and meet their obligations under the Regulations to protect themselves, their families and their communities from the dangers of infiltration by criminals.

Any weakness in the controls the business uses may be exploited by criminals who will seek to use, coerce or control the MSB to move more of their illicit money. Such money is often earned from activities that cause significant harm to society, such as drug dealing, people smuggling or modern slavery.  Facilitating the movement of such money is not only a criminal offence, but it also allows these harmful activities to continue.

It is important that a business carefully assesses and documents the specific risks that business faces and establishes and keeps up-to-date policies, controls and procedures to address these. These must be effective to help prevent money laundering, terrorist financing or proliferation financing through the business.  The following risk indicators have been provided to help businesses consider and manage such risks.  There is separate information available on preparing your risk assessment – see -AMLG1800 and Risk assess your business for money laundering supervision - GOV.UK  

 

Risks common to all Money Service Businesses

The request or business activity does not have a clear business reason or make economic sense

Requests without a clear business reason, particularly those that are complex or cross-border, may signal higher risk especially if the customer is secretive.

A lack of economic sense may be shown by:

  • money flows generated by a company do not match the company’s business or industry
  • a company mainly moving funds, collected from various sources to unrelated local or foreign accounts
  • transactions that do not fit with what is known about the client
  • a business continuously making losses
  • the known financial status of the business does not match the activity conducted
  • the lifestyle or wealth of a customer or owner which does not match their known income

The customer is from or linked to a FATF call for action (“black listed”) country 

FATF call for action countries (formerly referred to in the Regulations as High Risk Third Countries (HRTCs)) are jurisdictions considered by the FATF to have strategic deficiencies in their regimes to counter money laundering, terrorist financing, or proliferation financing.

These countries are included in listed in the following publication, which is subject to change and revision: High-Risk Jurisdictions subject to a Call for Action (black list) on the FATF website.

Services provided to or from FATF black-listed countries or customers, intermediaries and third parties who are resident, have their principal place of business, or are incorporated in one, pose a high risk of money laundering, terrorist financing and/or proliferation financing.

You must apply enhanced due diligence measures before you form a business relationship with a person established in a black-listed country.

As the FATF lists are subject to change, there is a risk that that customers you have an existing business relationship with are established in a jurisdiction which may become black-listed during the business relationship. You should factor this into your ongoing monitoring, alongside other considerations, like changes in country risk profiles, changes to sanctions and embargoes etc.


The customer or service is from or linked to an overseas jurisdiction

Providing services to or from overseas jurisdictions, including people or businesses based there, may pose an increased risk of:

  • money laundering;
  • terrorist financing; or
  • proliferation financing.

You must apply the appropriate customer due diligence or enhanced due diligence measures and consider your business’s risk assessment before you carry out occasional transactions or form a business relationship where there is a link to an overseas jurisdiction.

If an overseas jurisdiction is also a high-risk third country, you must apply enhanced due diligence measures before you form a business relationship.

Your assessment of the level of risk must include consideration of the geographical risk factors in regulation 33(6)(c) that can indicate that an overseas jurisdiction poses an increased level of risk.

Some jurisdictions are deemed a higher risk than others and can:

  • have poor or insufficient money laundering and terrorist financing measures
  • have a significant level of corruption, terrorism or supply of illicit drugs
  • are subject to sanctions or embargoes issued by the UK, EU and UN
  • provide funding or support for terrorism
  • having organisations designated under domestic sanctions legislation or UK-proscribed terrorist groups or organisations 

Some countries do not implement measures to counter money laundering and terrorist financing that are consistent with the FATF recommendations. These are assessed by organisations such as:

  • FATF
  • FATF style regional bodies
  • World Bank
  • Organisations for Economic Co-operation and Development
  • International Monetary Fund

HMRC also considers there may be an increased geographical risk where the overseas jurisdiction:

  • is not subject to anti money laundering or counter terrorist measures equivalent to the UK
  • shares a border with a high-risk third country or sanctioned country, as money laundering, terrorist financing or proliferation financing often involves the movement of funds across borders
  • has limited corporate registration requirements or limited beneficial ownership information requirements (for example, where there is no requirement to update ownership changes)
  • allows unrestricted bearer share usage
  • has laws aiding financial secrecy
  • has high levels of tax evasion
  • has high levels of capital flight
  • is a conflict zone

Information about high-risk jurisdictions is widely available from several open-source documents and media.

All Money Service Business Providers will need to decide their own level of comfort when assessing jurisdictional risk. The business will be expected to develop and maintain awareness around this topic and include it in their written policies and procedures and risk assessment.

Examples of sources which may help you to consider the risk of an overseas jurisdiction may include:

You should take care to make sure the sources you consider are credible.

All persons and entities linked to the UK sanctions list, irrespective of which sanctions regime, should be treated as high-risk.  You must not deal with those specifically listed – see proliferation finance section above.

Whilst you must make your own assessment of all jurisdictions based on the factors already mentioned, HMRC considers the countries listed within the National Risk Assessment 2025 to be higher risk.

 

The customer is linked to or sends/receives funds from businesses/individuals in areas with a higher risk of terrorist financing

If a customer either sends or receives money from a business and/or individual with links to an area controlled by terrorists, there is a risk that the money could be linked to terrorist activity.

Businesses or individuals operating in areas where terrorists are active or in control might end up funding terrorist groups, either knowingly or without realising it. For example, a business or individual might pay a terrorist group to be allowed to operate there, or it might hire a subcontractor that has hidden links to terrorism. If any of the funds are used to support terrorism, they are treated as being connected to terrorist activity and that can affect the customer who receives them.

For more information on terrorist financing, read section 4 of the National Risk Assessment 2025.

 

Customers from jurisdictions that offer Citizenship by Investment (CBI)

CBI is the practice of granting citizenship status principally or solely in return for financial investment, without any requirement for a significant period of prior physical residency in the issuing jurisdiction. CBI schemes are often referred to as Golden Passports or Golden Visas. Some CBI schemes feature investment directly into property within the jurisdiction.

CBI programmes usually allow applicants to acquire citizenship quicker than through other, more traditional immigration channels. Some schemes also allow for citizenship to be passed down to dependants.

Illicit actors can exploit CBI programmes to facilitate a range of illicit activity including financial crimes, such as money laundering, corruption, fraud and tax evasion. These criminals may also abuse citizenship or residency status granted to them to enable further criminal activity or to evade law enforcement authorities.

CBI offers the opportunity to acquire a travel and identification document under a different nationality or name, which can be used to represent who the holder is in a novel way, or otherwise obfuscate the person’s original identity – this can be used to hide the original identity, particularly to avoid sanctions.

When assessing whether there is a high risk of money laundering, MSBs must take account of the risk of CBI, in order to meet their obligations under regulation 33(6)(viii), in regard to enhanced due diligence measures. HMRC expects MSBs to treat any customer who has a passport from a country that offers CBI as a higher risk where the place of birth is shown as being in a different jurisdiction to that of the issued passport.

Countries that offer CBI include, but are not limited to:

  • Antigua and Barbuda
  • Cyprus
  • Dominica
  • Grenada
  • Jordan
  • Malta
  • Montenegro
  • Saint Vincent and the Grenadines
  • St. Kitts and Nevis
  • St. Lucia
  • Turkey
  • United Arab Emirates
  • Vanuatu

Dealing with a business, customer or intermediary that has no anti money laundering supervision

Before entering a business relationship with a business, customer or intermediary who is carrying out relevant activity, you should take appropriate measures to confirm they are anti money laundering supervised for that activity. If not, you should not enter into the business relationship.  If you believe a business is conducting relevant activity without appropriate supervision, you should report that business to HMRC by either:

Such businesses may not understand their legal obligations under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 and are unlikely to have proper controls in place to identify, assess, and manage the risk of their services being used for:

  • money laundering
  • terrorist financing
  • proliferation financing

This increases the risk for anyone doing business with them.

There’s also a possibility that they are deliberately avoiding anti money laundering supervision, potentially to enable illegal activity.

HMRC is one of 25 supervisory authorities that provides anti money laundering supervision to businesses carrying out relevant activity. You can check the types of businesses that should be supervised, including those specifically under HMRC supervision.

If the business should be supervised by HMRC, you can check HMRC’s supervised business register. This will not include businesses supervised by another authority.

If another authority should supervise the business, you should check if anti money laundering supervision is in place. To do this, you may need to ask the business who its supervisory authority is.

Services are provided with little or no face-to-face interaction

Meeting your customer in person (with physical presence) and checking original documents can help confirm they are who they say they are.

If you do not meet them face-to-face in-person, there’s a higher risk they might be using a false identity.

Fake documents are harder to spot when the original documents are not available for physical inspection, and the customer has not been met in person.  Regular in-person contact lowers the risk compared to only meeting once at the start.

Even if you checked your customer’s identity at the beginning, they might be working for criminals just to get access to your services. Without ongoing in-person face-to-face contact, you might not realise the business is linked to organised crime.

For the purposes of this risk assessment, interactions conducted solely via telephone, video call (for example Zoom or Microsoft Teams), or other remote means are treated as non face‑to‑face and carry a higher inherent risk than meetings conducted with the customer physically present. The customer due diligence measures you take where there is little, or no face-to-face contact must reflect the additional risk.   This may include the application of additional verification measures, enhanced due diligence, or increased ongoing monitoring, depending on the nature of the customer, product, and transaction risk.

 

Forming a business relationship with a professional enabler

Firms and practitioners offering professional services include but are not limited to:

  • financial services
  • payment services providers
  • legal professionals
  • accountants and bookkeepers
  • bank officials (including relationship managers)

The risk of dealing with a professional enabler applies to both individual professionals and firms operating in these sectors or posts, in the UK or overseas, whether acting directly for a customer or as an intermediary, introducer, or facilitator.Most of these professionals follow the rules and help stop criminals from misusing their services. However, some, whether knowingly or otherwise, have helped criminals commit crimes like fraud, money laundering or otherwise supported serious organised crime in the UK. Those who facilitate such crimes are known collectively as ‘professional enablers’.

Complicit professional enablers may exploit their knowledge of regulatory frameworks, professional privilege, industry norms, or trust placed in them by other regulated businesses.

There is a risk that during the course of your business you may come into contact with professional enablers.  They may deliberately seek to exploit your services and any weaknesses in your regulatory procedures, to facilitate criminal activity.  Alternatively, they may also expose you to these risks through failures or neglect in their own compliance arrangements.

Not all professionals follow the rules in the same way. Some may know your responsibilities and try to take advantage of your trust in others in the industry. You might assume they’re doing the right thing, but they could be helping criminals.

This risk may be heightened where reliance is placed on information, assurances, or documentation provided by another regulated professional without sufficient independent verification.

It can be difficult to identify professional enablers, but you can look out for warning signs in how they behave. For example, individuals or organisations who:

  • in relation to their regulatory or professional obligations (including but not limited to the Regulations):
    • appear to avoid or shortcut rules they’re supposed to follow
    • display behaviour that seems dishonest, careless, or irresponsible
    • do not take proper care to meet their professional or legal duties
    • carry out activities under the Money Laundering Regulations 2017 but do not appear to be anti-money laundering supervised

Additional warning signs may include resistance to providing information, over‑reliance on professional status to avoid scrutiny, pressure to expedite transactions, or attempts to discourage appropriate due diligence.

Where a business relationship involves an increased risk of professional enabling, this is considered as part of the business‑wide risk assessment under regulation 18, and appropriate customer due diligence, enhanced due diligence, or ongoing monitoring measures are applied on a risk‑sensitive basis.

The risk of professional enabling may be increased where relationships involve complex ownership structures, overseas intermediaries, nominee arrangements, trust or company service providers, or where the professional operates in a jurisdiction with weaker AML supervision. Reliance on introducers who are not directly supervised in the UK, or who operate through informal referral arrangements, may also heighten risk.

Use of third-party identity providers or compliance companies

There is a well-established market of third-party identity verification providers and compliance specialists that offer a range of services to MSBs to support compliance with their obligations under the MLRs. These services include conducting CDD and sanctions screening checks, providing wider regulatory compliance support, and developing risk assessments on behalf of MSBs.

The level of service, and standard of the product and service provided will depend on which third-party you use, and which level of service you pay for.

It is important to note that you, as the MSB, are responsible ensuring you comply with all of your obligations under the regulations. Any service, product or report the third-party provides must be examined by you, and you need to decide what, if any, further action you need to take to ensure you meet your obligations under the regulations.   

Care must be undertaken when using third parties, as any breach of the regulations may result in sanctions, including financial penalties or criminal charges, on you or your business, as the supervised entity: use of a third party does not absolve you of your responsibility for compliance.

Digital identity services certified under the UK Digital Identity and Attributes Trust Framework and included on the DVS Register are considered a reliable and independent source of information, provide an appropriate level of assurance against impersonation, and can be relied upon when conducting customer due diligence. Entities are able to fulfil their obligations under regulation 28 by verifying a customer who is a natural person’s identity using certified and registered digital identity services.  Digital verification services which are not certified and therefore not on the DVS register cannot reliably be deemed suitable for identity verification in compliance with the MLRs.

 

The customer operates a cash-intensive business

Cash-intensive businesses can be attractive tools for criminals to launder illicit cash through, presenting it as legitimate funds.  It also provides anonymity and makes the funds harder to track.

Cash may originate from a variety of sources, including legitimate trading activity, however the use of cash can obscure audit trails and increase the difficulty of tracing the origin of funds.

MSBs can be exploited by criminals because they offer a means of moving funds in a way that may not attract immediate attention.  You must consider establishing the source of funds for the transaction is consistent with your knowledge of the customer, the customer’s business and risk profile.

This includes considering whether the nature, scale, and frequency of cash transactions are commercially credible when compared with the customer’s stated business activities.

Where the volume of cash transacted through the customer’s business is not consistent with what you know of their business activity or does not make commercial sense, this poses an increased risk and may indicate an attempt to launder illicit funds.

Such inconsistencies may arise where there is a sudden change in transaction behaviour, unusually high levels of cash compared to similar businesses, or a mismatch between reported turnover and cash volumes.

The following types of cash-intensive businesses have been known to launder money:

  • vape shops
  • hairdressers or barbers
  • car washes
  • tanning salons, nail bars and beauty parlours
  • takeaway, bars, nightclubs and fast-food outlets
  • American candy shops
  • money service businesses

This list is not exhaustive.

The inclusion of these business types does not mean that they are inherently high risk. Risk should be assessed on a case‑by‑case basis, taking into account the specific customer, business model, transaction behaviour, and overall risk profile as part of the business‑wide risk assessment under regulation 18. Where higher risk is identified, appropriate customer due diligence, enhanced due diligence, and ongoing monitoring measures should be applied. 

The inclusion of money service businesses on this list is important: MSBs have been criminally penetrated and the cash-based nature of MSB activity is attractive to criminals.  Even if your customer is another UK-supervised MSB, you need to carefully consider the risks associated with that customer and put appropriate arrangements in place to manage those risks.  There may be additional risks where an MSB operates a network of agents (see below).

Consideration of the appearance and origin of bank notes

A key risk across all MSBs is the widespread use of cash by criminals seeking to exploit features of the MSB sector to move or convert criminal funds to launder money or finance terrorism.

It is important for you to consider how cash is presented to you.  Is it all bundled up or is it just loose bank notes, does the presentation match the explanation for cash? For example, if your customer tells you that they withdrew the money from their bank account, then higher value notes may be in thousand-pound bundles contained by a bank wrapper and not likely to be rough bundles with rubber bands holding them together.

The condition and appearance of bank notes should also be considered, including whether notes appear excessively worn, mixed between different issue types, or inconsistent with normal circulation for the stated source of funds.

If the customer claims the cash came from a casino win, it is likely to be wrapped in that casino’s slips, and you could undertake further customer due diligence checks with the casino.

If your customer only operates in England, you should consider where the Scottish or Northern Irish notes come from.  If they have an operation in Northern Ireland or Scotland, is it likely that they will carry such high value notes across the country.  If your customer claims people travel long distances to their business in southern England, is this credible?

It is important that you satisfy yourself that the evidence supports where the cash comes from.  If not, you must consider whether to stop the transaction and submit a Suspicious Activity Report (SAR).

Decisions to proceed, refuse, or report should be made on a risk basis, taking into account all available information, and in line with your business’s policies, procedures, and escalation processes.

 

Multiple cash deposits directly into your bank account from multiple branches around the UK

The payment of cash directly into your business bank account can pose a significant risk of money laundering.  Criminals and their associates prefer direct deposits as it makes them appear anonymous and allows multiple people to deposit criminal cash on behalf of one customer.  Direct deposits into your account, or through the use of third-party collectors or van services, including cashin services provided by banks, the Post Office, Electronic Money Institutions (EMIs), or other financial institutions, also removes your ability to see what the cash looks like.

You are responsible for anti-money laundering checks on such deposits, not the bank or the third-party cash collection business or financial institution facilitating the cashin service.  You must be able to demonstrate what your procedures are to monitor bank deposits or cash collection pickups, be able to identify who put cash into your business bank account or passed it to the collector, challenge any unexpected deposits, amounts or unexpected locations and if relevant complete a SAR.

It is also important for you to consider if the deposit locations match what you know of the customer.  For example, are the deposits being made in locations or multiple locations remote from the customer?  If the customer is a retail customer, sole proprietor or small business, how are they able to deposit cash in multiple locations across the UK on the same day at the same time.

Where cash is deposited via multiple branches, locations, or service providers, this should be assessed in the context of the customer’s known business operations, geographic footprint, and expected cash handling arrangements.

 

A customer travels a long distance in the UK just to use your MSB, when the same services are available nearer their home location

You should consider whether the customer has come to you because local MSBs have refused to serve them, or whether they are attempting to make small payments across multiple locations to avoid raising suspicion.

This behaviour may indicate attempts to evade detection, avoid enhanced due diligence, or disguise transaction patterns, particularly where transactions are structured below reporting or internal threshold levels.

If you are a smaller MSB, criminals may target your business because they assume you lack the more advanced controls, such as crosschecking customer activity across multiple branches or businesses, that a larger MSB might have in place.

If you operate through a network of agents, you should monitor the risk that customers use multiple agents of your business to break larger transactions down into multiple smaller payments.


A customer only wants to deal with a particular person in your business

As part of your transaction monitoring procedures, you should consider indicators related to how the transaction was processed, including which staff member or agent was involved, whether it occurred at unusual times, and whether multiple transactions were carried out in quick succession. Some complicit staff may create several small transactions to match bulk amounts of criminal cash. A customer’s insistence on dealing with a specific member of staff may indicate attempts to exploit familiarity, trust, or potential weaknesses in staff oversight or segregation of duties.

 You should also check whether transactions were processed after business hours rather than at the time the customer presented at the counter.


Multiple customers are using the same address or telephone number

This may indicate that the customer is attempting to conceal their identity or place of residence from detection. It may also indicate linked or coordinated activity, the use of nominees, or attempts to structure transactions across multiple individuals to avoid scrutiny.

You should consider implementing systems and controls that can detect linked transactions to prevent any attempts to misuse the MSB for money laundering or terrorist financing purposes.

 

Risks relating to MSBs with agents

As a principal, you are responsible for satisfying yourself that your agents are fit and proper (F&P) persons and that they would be deemed so if HMRC conducted a F&P test on those agents directly, including that they:

  • do not have an unspent conviction for a relevant offence (listed in Schedule 3 of the Regulations) in the UK or overseas;

  • their history of compliance with the Regulations and the risk that agent/business may be used for money laundering or terrorist financing; and

  • the prospective agent’s:

  • honesty and integrity
    • skills and experience
    • financial soundness

For more details of the F&P test, see AMLG1600 and the guidance here: The fit and proper test - GOV.UK and here: ECSH44383 - The fit and proper test - HMRC internal manual - GOV.UK.

As part of this assessment, you must also consider why someone wants to become your agent, especially if they are acting as an MSB principal in their own right, they are an agent for other MSBs, or their request, business premises or model makes little economic sense.  

You must record in your Risk Assessment and PCPs the risks associated with delivering services through an agent network and how you manage and monitor that risk.  This should include information on:

  • Onboarding (risk assessment and F&P checks)
  • Safeguarding your systems, including protection of system access and passwords (warning indicators may include unusual activity, including out of hours activity or activity that does not comply with the usual profiles of that agent)
  • ML/TF risks posed
  • Compliance risks (if your agent works for other principles and/or as a principal in their own right, how do you ensure they properly follow your PCPs?  Is there an increased risk of non-compliance by the principle having to comply with multiple business’ PCPs?  How do you manage and monitor that risk?
  • Agent training
  • Ongoing monitoring arrangements.


Agents posing as customers to misuse systems without independent verification

MSBs that use agents are responsible for ensuring those agents have effective internal controls to prevent system misuse. To reduce money laundering and terrorist financing risks, you should regularly monitor and test transactions and routinely review the internal controls operated by your agents.


Agents with multiple principal relationships

The use of agents operating for multiple principals is widespread, particularly across the money transmission subsector.

If your MSB uses an agent network, you should ensure you have effective, risk-based policies and procedures in place to monitor and manage the heightened exposure arising from agent activity. These controls should mitigate the risk that agents may themselves engage in, or be misused for, money laundering, terrorist financing, or proliferation financing.

 

Risks related to Money Transmitters

Money transmitters enable the movement of funds from one individual to another, often involving cross border transfers to or from the UK.


Informal Value Transfer Systems (IVTS)

IVTS refers to a system, mechanism, or network of individuals that receives money or value in one location to make an equivalent amount payable to a third party in another location, often (but not always) outside conventional banking systems. IVTS are commonly used for remittances to and transactions in regions with limited formal financial infrastructure, playing an important role in financial inclusion.IVTS includes various types of activity, including Hawala and Chinese Underground Banking.

IVTS faces a high-risk of being abused for money laundering because it usually operates outside of formal banking systems and can allow funds to move across borders anonymously without formal documentation or traditional transaction trails.  Criminals use IVTS for money laundering and terrorist financing because they believe these systems involve less rigorous checks by the providers. 

IVTS may also be used to bypass sanctions controls, capital controls, and formal customer due diligence requirements, increasing the risk of undetected illicit financial flows.

Any business providing IVTS services in the UK must be registered with HMRC for supervision and authorised by the FCA in the same way as any other money remitter.

 

Funds are transferred using a money transmission service but are actually being moved through an IVTS

 Money transfers made through IVTS typically involve countries with less developed banking systems, where a Hawala or payout agent is better positioned to meet the customer’s remittance needs. Because the value moves outside of international banking channels, there is no trace within mainstream banking systems. This anonymity can be appealing to those seeking to transfer the proceeds of crime, including organised immigration crime, drug trafficking, and terrorist financing.

 

Third Party Payments

Professional money launderers use third party payments to move money to their preferred location. Sometimes the UK MSB receives criminal cash, and sometimes it receives clean cash while the overseas MSB pays out criminal funds. In both situations, the UK MSB is told, either by the launderer or through the overseas MSB, to send the funds to a third country, often with an invoice used to justify the transfer. These invoices may name suppliers or customers who have no real connection to the overseas MSB or the payees and may potentially be fictious.

An MSB asks that cash received by the UK MSB not be paid out in the payee’s country, but instead settled in a third country, often using an unrelated goods invoice as a third-party payment

For third party payments, it is important for money transmitters to consider if the transaction underlying this payment makes commercial sense.  For example, if an invoice shows a sale of goods from a Hong Kong manufacturer to a customer in India, how is this related to your correspondent MSB in Europe.  Are the goods stated on the invoice likely to be of commercial use or value in the stated destination country?  Do the supplier and customer appear to trade in such goods when checked using open-source material?  If your correspondent MSB is instructing you to move money or value to a third country in this way, it is important to remember that they are your customer in respect of this subsequent money or value transfer, and the necessary due diligence checks must be carried out. 

Multiple customers sending funds to a single payee (many to one)

This activity may be an attempt to keep transactions below customer due diligence thresholds or to finance terrorism. You should consider implementing a system that identifies transactions linked by the same payee.


A single customer sending funds to multiple payees (one to many)

As with many to one, criminals often break down significant sums of illicit cash into smaller transactions, distributing payments across multiple individuals to obscure the funds’ origin or purpose and avoid triggering AML reporting thresholds. These methods can also be linked to terrorist financing.

Sharing of login details amongst staff or MSB agents’ staff

This can result in unauthorised system use and expose the business to criminal exploitation for money laundering or terrorist financing. MSBs should ensure each staff member has their own login credentials and that all activity is monitored, including transactions made outside normal business hours. Staff should receive regular training to recognise and respond to potential money laundering or terrorist financing risks. MSBs must also provide appropriate training to their agents so they understand the relevant risks and how to manage them effectively.

 

Importing or Exporting cash

Importing or exporting of physical cash can be an effective way of moving bulk amounts of cash – in specific currencies – to certain jurisdictions. However, the large scale movement of physical currency is a well-established method used by criminal organisations to launder funds, obscure audit trails, and comingle illicit proceeds with legitimate cash. If you import or export physical cash, you may be exposed to this risk.  You should carefully consider and manage the risks of money laundering, terrorist financing and proliferation financing associated with such activity.  This includes assessing the volume, currency, source, destination, and stated purpose of cash movements, and whether these are consistent with what is known about the customer and their business activities.

Bank De-Risking

The withdrawal of banking services by financial institutions has driven and continues to drive MSBs to pursue alternative banking arrangements.  This can include the use of third-party accounts, other MSBs, or Electronic Money Institutions (EMIs).  Such services may have simpler onboarding processes compared to a traditional bank and operate entirely remotely. These features can make them attractive for money launderers and terrorist financiers to exploit.Debanking may mean that some MSBs need to use personal accounts for their business. The use of personal bank accounts may be appropriate for sole traders, depending on the terms and conditions of the account.  UK limited companies are separate legal entities whose finances should be kept distinct from the personal finances of their BOOMs.    That does not mean that personal accounts cannot be used.  But the risks associated with this must be carefully considered and managed.If your customer is another MSB, you should consider the risks associated with their financial and arrangements, their proposed business with you and the profile of the business and its customers and transactions (e.g. if the business is seeking to route high volumes of cash through your business, is this consistent with what you know of the customer MSB’s business model etc?). 

Transaction Flipping or Pass through account

This refers to individuals who receive funds via money remittance and shortly after send all or part of the funds onwards to a third party. The risks are further increased if the two transactions are spread across two or more principal money transmitters.

This activity may be used by money mules or as part of a romance or similar scam. The money being moved rapidly is part of a layering process that disguises the audit trail of the funds, and you should be alert to such activity occurring though your business.  

 

Risks related to Currency Exchange

Currency exchange businesses, sometimes referred to as bureaux de change, change money from one currency to another, most commonly providing cash to the customer.  Currency exchangers are widely used by the public to convert currency when travelling abroad.

 

Bulky volumes of low denomination notes changed for easily transported high denomination notes.

Criminals may use currency exchangers to change large volumes of low denomination notes into high denomination notes that can be more easily transported, including to foreign jurisdictions. High‑denomination notes can reduce the physical bulk of cash, making it easier to conceal, move, or store large values outside the formal financial system.  Criminals may change money to facilitate further criminal activity or use the currency to buy overseas assets.

Foreign exchange (forex) businesses

Forex businesses provide remote currency dealing and money transmission services. Their customers are predominantly corporate clients who typically initiate high-value, bank-to-bank transactions conducted remotely.

The remote nature of these services, combined with high transaction values and cross‑border flows, can reduce face‑to‑face interaction and increase reliance on electronic and documentary controls.

The National Risk Assessment identifies forex businesses as high risk, as criminals can exploit them to facilitate rapid and substantial overseas remittances. Money Service Businesses (MSBs) offering foreign exchange services remain particularly vulnerable, given their ability to transfer large sums in a single transaction through banking channels, often at lower fees than those charged by traditional retail banks.

A high proportion of the customer’s income is being deposited into the forex MSB either for currency trading or money transmission

This behaviour may indicate that the customer’s accounts are being used for money laundering. You should assess whether the customer’s activity is consistent with their expected profile and usual patterns of behaviour. It is also important to consider whether the customer may be acting as a front for illicit activity.

 

Risks related to Cheque Cashers

Cheque cashers exchange cheques made payable to a customer for cash.  Whilst correctly identified as high risk by the National Risk Assessment, HMRC considers cheque cashers to face a lower level of relative risk when compared to other MSB sub-sectors.


Customer is unable to provide satisfactory evidence of the source of the funds

This could be a sign that the cheque is linked to fraud or tax evasion.  Criminals may use cheque cashers to hide their income from HMRC, evading any tax, or to cash fraudulent cheques.

 

The cheque originated from a scrap dealer

As scrap metal dealers are now only permitted to pay for scrap metal by cheque or bank transfer, criminals may use cheque cashing services to convert cheque payments into cash to remain anonymous.

 

Customer presents cheques from multiple sources but payable to one customer

Fraudsters may seek to cash cheques obtained from victims, for example, through romance fraud, scams targeting vulnerable individuals, boiler room schemes, or fraudulent wine investments. Your business may then be exploited to convert these cheques into cash, providing an opportunity for criminals to realise these illicit funds and weaken the audit trail.

 

Emerging Risks that can affect all MSB sub-sectors

Trade Based Money Laundering (TBML)

TBML can be exploited by criminals who will use the system to conceal illicit proceeds and transfer value through trade transactions to legitimise their criminal origins.  MSBs have a high risk of exposure to TBML, as it can be used to facilitate broader money laundering methods, including through cash smuggling.

Although MSBs do not typically finance trade directly, they may be exposed to TBML through services used to settle trade transactions, remit funds overseas, exchange currency, or move value between parties involved in import and export activities.

This risk may be heightened where payments are inconsistent with the customer’s stated business, involve high‑risk jurisdictions, or appear disconnected from the value, nature, or frequency of the underlying trade.

Tech Enabled Money Laundering (TEML)

Technologically Enabled Money Laundering (TEML) can increase both the risk of exposure and the compliance burden faced by MSBs.  This is largely because MSBs operate at crucial points in the financial system, handling fast international transactions, and converting cash into digital funds.

These characteristics make MSBs particularly attractive to criminals, who exploit the speed, volume, and relative anonymity of such transactions to move and disguise illicit proceeds. As a result, MSBs must contend with more complex risk typologies and evolving technological threats which demand stronger controls, enhanced transaction monitoring, and greater investment in compliance frameworks to detect and prevent misuse.


Crypto-Assets

The money laundering risks associated with crypto assets have increased and are now assessed to be high.  

MSBs may be exposed to crypto‑asset related risks where customers seek to use MSB services to receive funds derived from crypto‑asset activity.

Crypto‑assets can be attractive to criminals due to perceived anonymity, the speed of cross‑border transfers, and the ability to layer transactions across multiple wallets, exchanges, or jurisdictions.

There is also a risk that MSB services may be used to cash‑out the proceeds of crime generated through crypto‑asset related offences, including fraud, ransomware, or sanctions evasion.

Crypto‑asset related activity should therefore be assessed as part of the business‑wide risk assessment, with appropriate customer due diligence, enhanced due diligence, transaction monitoring, and escalation applied where exposure to this risk is identified.


Artificial Intelligence (AI)

AI is developing rapidly in the prevention of money laundering and terrorist financing but there are indications that it can potentially be abused for criminal purposes to create synthetic bank accounts, commit fraud and facilitate the onboarding of money mules.

Generative AI may be exploited by criminals to circumvent business’s customer due diligence procedures, for example by creating synthetic identities or generating images that match stolen or fraudulent identity documents.

AI‑enabled tools may also be used to generate convincing false documentation, manipulate voice or video interactions (thereby evading some electronic CDD controls), or automate large‑scale attempts to defeat onboarding and monitoring controls.

As reliance on digital and remote onboarding increases, MSBs should remain alert to emerging typologies involving AI‑enabled fraud and identity manipulation and ensure that controls, staff awareness, and escalation procedures evolve alongside these risks.


Geopolitical Tensions

Increasing geopolitical instability and the expansion of international sanctions regimes since 2020 have heightened risks relevant to the MSB sector. These developments have led to a greater convergence between traditional money laundering activity and sanctions evasion, with sanctioned individuals and entities seeking to conceal the origin, ownership, or control of funds using established money laundering techniques.

MSBs are particularly exposed to these risks due to the nature of their services, including cross‑border remittances, foreign exchange, cash handling, and the speed at which funds can be moved through formal and informal channels. Geopolitical disruption may also increase reliance on cash, informal value transfer systems, or non‑bank intermediaries where access to traditional banking services is restricted.

Geopolitical tensions can also drive legitimate changes in customer behaviour, such as increased remittances to conflict‑affected regions or the movement of funds linked to displaced persons or overseas family support. While such activity may be genuine, it can increase the difficulty of verifying source of funds, destination of funds, and beneficial ownership, and may be exploited for money laundering, terrorist financing, or sanctions evasion.

The National Risk Assessment 2025 identifies geopolitical tensions and sanctions evasion as priority risks. Where exposure is identified, the business applies proportionate controls including enhanced sanctions screening, customer due diligence, transaction monitoring, and escalation for suspicious activity reporting where appropriate.


Unusually large transactions

Transactions that are unusually large for the customer, transaction type, purpose or your business may indicate increased risk. Likewise, where a customer transacts at a value or frequency that is outside of their normal pattern this should be viewed as an indicator of risk.  Appropriate risk assessment and management should be put in place in these circumstances.


Unusually complex

Transactions that are unusually complex, or that lack a clear commercial or lawful purpose, may indicate an attempt to obscure the origin, destination, or ownership of funds.

In line with the Regulations, MSBs should give enhanced scrutiny to transactions where complexity appears unnecessary or disproportionate to the stated purpose. This may include the use of multiple intermediaries, third parties, jurisdictions, currencies, or transaction steps without a clear explanation.

Where transactions appear unusually complex, the business should assess whether the activity is consistent with the customer’s profile and expected behaviour and consider whether additional due diligence, enhanced monitoring, or escalation for suspicious activity reporting is required.