AML Compliance for Money Services Businesses — Practical UK Guide

Regulatory Counsel · 22 Jan 2025 · 11 min read

Key Takeaways

  • The FCA expects MSBs to maintain AML frameworks proportionate to their risk profile — generic, off-the-shelf policies are insufficient.
  • Customer due diligence must go beyond identity verification to include source of funds, purpose of the relationship and ongoing monitoring.
  • Transaction monitoring should combine automated screening with manual review of higher-risk or unusual patterns.
  • Failure to file suspicious activity reports (SARs) promptly is one of the most common enforcement triggers for MSBs.

Why AML Compliance Matters for MSBs

Money services businesses operate in sectors the FCA considers inherently higher risk for money laundering and terrorist financing. Cash-intensive operations, cross-border remittances and walk-in customers with limited prior relationships all create vulnerabilities that criminals can exploit. The FCA has made clear — through thematic reviews, enforcement actions and supervisory communications — that it expects MSBs to maintain robust, risk-based AML frameworks.

This guide provides practical guidance on building and maintaining an AML compliance programme that meets FCA expectations and protects your business from regulatory action.

The Business-Wide Risk Assessment

The business-wide risk assessment (BWRA) is the foundation of every MSB's AML framework. Under Regulation 18 of the MLR 2017, firms must identify and assess the risks of money laundering and terrorist financing to which their business is subject. The BWRA must consider:

  • Customer risk — the types of customers you serve, their geographic locations, occupations and expected transaction patterns
  • Product and service risk — which of your services are most vulnerable to abuse (e.g., high-value cash exchange, cross-border remittance to high-risk jurisdictions)
  • Delivery channel risk — whether services are provided face-to-face, online or through agents, and the associated verification challenges
  • Geographic risk — exposure to countries or regions with higher levels of corruption, weak AML regimes or active sanctions programmes

The BWRA must be a written document, approved at board or senior management level, and reviewed at least annually. The FCA's 2023 MSB thematic review found that the most common compliance deficiency was a generic or outdated risk assessment that did not reflect the firm's actual business activities.

Customer Due Diligence

Customer due diligence (CDD) is the process of verifying a customer's identity, understanding the nature and purpose of the business relationship, and conducting ongoing monitoring. For MSBs, effective CDD involves:

Standard CDD measures:

  • Verifying the customer's identity using reliable, independent source documents (passport, driving licence) or electronic verification
  • Identifying beneficial owners where the customer is a legal entity
  • Obtaining information on the purpose and intended nature of the business relationship
  • Applying ongoing monitoring to detect transactions inconsistent with the firm's knowledge of the customer

Enhanced due diligence (EDD): EDD must be applied in higher-risk situations, including:

  • Customers from high-risk third countries identified by HM Treasury or the EU
  • Politically exposed persons (PEPs) and their family members and close associates
  • Complex or unusually large transactions with no apparent economic purpose
  • Any situation where there is a higher risk of money laundering or terrorist financing

EDD measures must go beyond standard CDD and may include obtaining additional identification documents, verifying source of wealth, obtaining senior management approval for the relationship and conducting enhanced ongoing monitoring.

Simplified due diligence (SDD): SDD may only be applied where the firm has determined there is a low risk of money laundering or terrorist financing. For most MSB activities — particularly cash-based services — SDD will rarely be appropriate.

Transaction Monitoring

Effective transaction monitoring is essential for detecting suspicious activity. The FCA expects MSBs to implement monitoring systems proportionate to their size, complexity and risk profile:

  • Automated screening — all customers and transactions should be screened against sanctions lists, PEP databases and adverse media sources. This should occur at onboarding and on an ongoing basis
  • Rule-based monitoring — implement rules to flag transactions that exceed expected thresholds, involve high-risk jurisdictions or display patterns consistent with structuring (deliberately splitting transactions to avoid reporting thresholds)
  • Manual review — automated alerts must be investigated by trained compliance staff. The investigation should be documented, including the rationale for any decision to file or not file a SAR
  • Management information — senior management should receive regular reports on transaction monitoring volumes, alert rates, investigation outcomes and SAR filings
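
The rule-based monitoring described above can be sketched as follows. This is an added example, not code from the guide or from any FCA material. The alert threshold, the three-day window, the country codes and the sample transactions are all hypothetical values constructed for illustration; a firm would set its own from its BWRA.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical parameters: a firm would set these from its own BWRA.
SINGLE_TXN_THRESHOLD = 5_000          # GBP, constructed value
STRUCTURING_WINDOW = timedelta(days=3)
HIGH_RISK_COUNTRIES = {"XX", "YY"}    # placeholder codes, not a real list

@dataclass(frozen=True)
class Txn:
    txn_id: str
    customer: str
    amount_gbp: int
    dest_country: str
    when: datetime

def monitor(txns):
    """Return {txn_id: [rule names]} for every transaction a rule flags."""
    alerts = defaultdict(set)
    recent_small = defaultdict(list)  # customer -> sub-threshold txns in window
    for t in sorted(txns, key=lambda x: x.when):
        if t.dest_country in HIGH_RISK_COUNTRIES:
            alerts[t.txn_id].add("HIGH_RISK_JURISDICTION")
        if t.amount_gbp >= SINGLE_TXN_THRESHOLD:
            alerts[t.txn_id].add("THRESHOLD")
            continue
        # Structuring: several sub-threshold payments by one customer that
        # together reach the threshold inside the rolling window.
        window = [p for p in recent_small[t.customer]
                  if t.when - p.when <= STRUCTURING_WINDOW] + [t]
        recent_small[t.customer] = window
        if len(window) >= 2 and sum(p.amount_gbp for p in window) >= SINGLE_TXN_THRESHOLD:
            for p in window:
                alerts[p.txn_id].add("STRUCTURING")
    return {txn_id: sorted(rules) for txn_id, rules in alerts.items()}

def _t(txn_id, customer, amount, country, day):
    return Txn(txn_id, customer, amount, country, datetime(2025, 1, day, 10))

SAMPLE = [  # constructed transactions, not real data
    _t("T1", "alice", 6200, "GB", 6),   # single payment over threshold
    _t("T2", "bob", 1900, "GB", 6),
    _t("T3", "bob", 1800, "GB", 7),
    _t("T4", "bob", 1700, "GB", 8),     # bob: 5,400 GBP across three days
    _t("T5", "carol", 300, "XX", 8),    # high-risk destination
    _t("T6", "dave", 2000, "GB", 6),
    _t("T7", "dave", 2000, "GB", 20),   # too far apart to aggregate
]
```

Calling `monitor(SAMPLE)` returns the alerts that would go to manual review. The structuring rule flags every payment in the aggregated window, so the reviewer sees the whole pattern rather than only the payment that tipped the total over.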

Suspicious Activity Reporting

MSBs have a legal obligation to file suspicious activity reports (SARs) with the National Crime Agency (NCA) whenever they know or suspect that a transaction involves the proceeds of crime or terrorist financing. Key requirements include:

  • SARs must be filed promptly — the NCA expects reports within days of the suspicion forming, not weeks or months
  • The MLRO is responsible for evaluating internal reports and deciding whether a SAR should be filed
  • Tipping off is a criminal offence — firms must not disclose to the customer that a SAR has been or will be filed
  • Consent SARs must be filed where the firm wishes to proceed with a transaction it suspects involves criminal property — the firm must not proceed until consent is received or the moratorium period expires

The FCA has brought enforcement action against MSBs that failed to file SARs in a timely manner, filed SARs of poor quality (lacking sufficient detail to be actionable) or continued processing suspicious transactions without seeking consent.

Staff Training

All employees who handle transactions, conduct CDD or have customer-facing roles must receive AML training. Training must cover:

  • The firm's AML policies and procedures
  • How to identify suspicious activity and escalate concerns internally
  • CDD requirements including when to apply EDD
  • The legal obligations relating to SAR filing and tipping off
  • The consequences of non-compliance — both for the firm and for individuals

Training must be provided at induction and refreshed at regular intervals. The FCA expects training records to be maintained and available for inspection. Generic online modules are acceptable as a baseline but should be supplemented with firm-specific content reflecting the MSB's actual risk profile and customer base.

Record-Keeping

Under the MLR 2017, MSBs must retain:

  • CDD records (copies of identification documents and verification evidence) for five years after the business relationship ends
  • Transaction records for five years from the date of the transaction
  • Records of risk assessments, training, SAR decisions and compliance monitoring activity

Records must be sufficient to permit reconstruction of individual transactions and to demonstrate compliance with CDD obligations if requested by the FCA or law enforcement.

Common Compliance Failures

Based on FCA thematic reviews and enforcement actions, the most common AML compliance failures among MSBs include:

  • Treating compliance as a paper exercise — having policies in place but not implementing them in practice
  • Inadequate transaction monitoring — relying solely on manual review without systematic screening or threshold-based alerting
  • Poor SAR quality and timeliness — filing late, filing incomplete reports or failing to file at all
  • Insufficient senior management engagement — the MLRO operating without adequate authority, resources or board-level support
  • Failure to update the BWRA — risk assessments that have not been reviewed despite significant changes in business activities or the external threat landscape

Building an Effective AML Programme

Make the BWRA your operating manual. Every AML control in your framework should trace back to a risk identified in the BWRA. If a control exists without a corresponding risk, it may be unnecessary. If a risk exists without a corresponding control, you have a gap.

Invest in proportionate technology. The FCA does not prescribe specific systems, but it does expect monitoring capability proportionate to your risk profile. For firms processing thousands of transactions monthly, manual monitoring is inadequate.

Empower your MLRO. The MLRO must have direct access to senior management, authority to halt suspicious transactions and sufficient resources to fulfil the role effectively. Treating the MLRO as a junior, part-time function is a red flag for the FCA.

Document everything. The FCA's assessment of your AML framework will be based on the evidence you can produce. If a CDD decision, risk assessment update or training session is not documented, the FCA will treat it as if it did not happen.

Frequently Asked Questions

The MLR 2017 requires the business-wide risk assessment to be kept up to date. In practice, this means a formal review at least annually and an ad hoc update whenever there is a material change — such as entering new markets, offering new services, experiencing a significant increase in transaction volumes or responding to new regulatory guidance.

Failure to file a SAR when required is a criminal offence under the Proceeds of Crime Act 2002 and the Terrorism Act 2000. Individuals can face up to five years' imprisonment. The firm may also face FCA enforcement action including fines, public censure or cancellation of registration.

Yes. The MLR 2017 permits electronic verification provided it is from a reliable and independent source. The FCA and Joint Money Laundering Steering Group (JMLSG) guidance confirms that electronic verification can be an acceptable alternative to physical document checks, particularly for lower-risk customers.
