HMRC internal manual

MLR1 Penalties Guidance

Penalties guidance: related breaches under MLR 2017: fundamental requirements

Breaches under MLR 2017 will in general fall into several groups of related breaches.

Fundamental requirements

These are fundamental requirements for having effective anti-money laundering controls in place:

  • Regulation 18 - failure to identify and assess the risks of money laundering and terrorist financing a business is subject to and to take account of information provided and risk factors
  • Regulation 18(4) - failure to keep an up-to-date record in writing of the risk assessment
  • Regulation 18(6) - failure to provide the risk assessment when requested
  • Regulation 19 - failure to establish, maintain, review, update, keep a record in writing and communicate the policies, controls and procedures to mitigate and manage the risks identified in the risk assessment
  • Regulation 20 – failure to apply policies, controls and procedures to subsidiaries and branches in and outside the UK
  • Regulation 21(1) – failure to appoint a compliance officer, screen relevant employees and establish an independent audit function
  • Regulation 21(3) - failure to appoint a nominated officer
  • Regulation 21(4) - failure to notify the identity of and changes to the compliance and nominated officer
  • Regulation 21(5) – failure to consider internal disclosures of suspicion
  • Regulation 21(7) – failure of an electronic money issuer to appoint an individual to monitor and manage compliance with policies, controls and procedures
  • Regulation 21(8) - failure to establish and maintain systems which enable it to respond fully to enquiries from law enforcement officers
  • Regulation 22 – failure of an electronic money issuer or payment service provider to appoint a central contact point in the UK when requested
  • Regulation 26(4) - failure of a relevant person to take reasonable care that no-one is appointed, or acts in a capacity that requires approval, without being approved
  • Regulation 26(5) – failure of a sole practitioner requiring approval to be approved
  • Regulation 26(10) - failure of a relevant firm to inform HMRC of a conviction for a relevant offence within the specified time
  • Regulation 40 - failure to keep the required records and provide them when required
  • Regulation 41 - failure to provide customers with the required information in relation to data protection
  • Regulation 78(5) - failure of a relevant person to take reasonable care to ensure that a prohibited person does not act in a management role

Fundamental customer due diligence measures:

  • Regulation 27 - failure to apply customer due diligence measures when required
  • Regulation 28(2) - failure to identify and verify the customer and assess the purpose and intended nature of the business relationship or occasional transaction
  • Regulation 28(4) - failure to identify and take reasonable measures to verify the identity of the beneficial owner
  • Regulation 28(8) - failure to keep records of steps taken to identify the beneficial owner of a corporate body
  • Regulation 28(10) - failure to identify and verify a person acting on behalf of the customer and to verify their authority to act
  • Regulation 28(11) - failure to conduct ongoing monitoring of a business relationship
  • Regulation 28(12) - failure to take account of the risk assessment and level of risk when taking customer due diligence measures
  • Regulation 30 - failure to comply with the requirements on timing of verification
  • Regulation 33 - failure to apply enhanced due diligence and enhanced ongoing monitoring where required
  • Regulation 35(1) – failure to have appropriate risk management systems and procedures to determine whether a person is a politically exposed person (PEP) or a family member or known close associate of a PEP and to manage the enhanced risk of the business relationship or transactions
  • Regulation 35(5) – failure to take additional measures in relation to a PEP
  • Regulation 37 - failure to apply simplified due diligence appropriately taking account of the risk assessment, information provided to it and the risk factors
  • Regulation 39(2) - failure to use reliance appropriately and to obtain the customer due diligence information from the person relied on and to enter into arrangements as required