Anti-Money Laundering (AML) regulations are not just for banks and large financial institutions. If you run a small business in certain regulated sectors, you have legal obligations to prevent your services from being used to launder criminal proceeds or finance terrorism. Non-compliance can result in unlimited fines, criminal prosecution, and even imprisonment.
What AML Regulations Apply to Small Businesses?
The UK's AML framework is primarily governed by the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), as amended. The 2017 Regulations implemented the EU's Fourth Anti-Money Laundering Directive; the 2019 amendments implemented the Fifth. Both have been retained in UK law post-Brexit.
Under these regulations, businesses operating in certain sectors — known as the "regulated sector" — must carry out risk assessments, verify the identity of their clients, monitor transactions, and report suspicious activity. The regulations apply regardless of how small your business is. A sole trader accountant has the same core obligations as a Big Four firm.
Which Sectors Are Regulated?
Not every small business falls under AML regulations. The rules apply specifically to businesses that provide services in sectors considered high-risk for money laundering:
- Accountancy service providers — tax advisers, bookkeepers, auditors, and anyone providing accountancy services by way of business
- Estate agency and letting agency businesses — anyone involved in buying or selling property on behalf of clients, and letting agents where the monthly rent is €10,000 or more (or equivalent)
- Legal professionals — solicitors, barristers, conveyancers, and legal consultants involved in financial or property transactions
- Trust or company service providers (TCSPs) — businesses that form companies, act as directors, or provide registered office addresses
- High-value dealers — any business accepting cash payments of €10,000 or more (or equivalent) in a single transaction or in a series of linked transactions
- Cryptoasset exchange providers — businesses exchanging cryptoassets for money or other cryptoassets
- Custodian wallet providers — businesses safeguarding cryptoassets or private keys on behalf of clients
- Art market participants — dealers and intermediaries in works of art where a transaction, or a series of linked transactions, is €10,000 or more
Customer Due Diligence (CDD)
Customer Due Diligence is the cornerstone of AML compliance. Before you establish a business relationship or carry out an occasional transaction above the relevant threshold, and again whenever you suspect money laundering or doubt the reliability of information you previously obtained, you must:
- Identify the client — obtain their full name, date of birth, and residential address
- Verify their identity — using documents (passport, driving licence), electronic verification, or other reliable sources
- Identify beneficial owners — for companies and trusts, determine who ultimately owns or controls the entity (anyone holding more than 25% of the shares or voting rights, or who otherwise exercises control), and verify their identity too
- Understand the purpose of the business relationship — know what services the client needs and why
- Conduct ongoing monitoring — keep client information up to date and scrutinise transactions throughout the relationship
CDD Compliance Checklist
• Obtain photographic ID (passport or driving licence) for all clients
• Verify address with a utility bill or bank statement dated within the last 3 months
• Screen clients against sanctions lists and PEP (Politically Exposed Persons) databases
• Record the source of funds where relevant
• Document the nature and purpose of the business relationship
• Set a review schedule for ongoing monitoring (at least annually for standard-risk clients)
Enhanced Due Diligence (EDD)
In higher-risk situations, standard CDD is not enough. Enhanced Due Diligence requires you to gather additional information and apply greater scrutiny. EDD is mandatory in the situations below, and must also be considered wherever your own risk assessment identifies a higher risk:
- Politically Exposed Persons (PEPs) — individuals holding prominent public functions, their family members, and known close associates
- Complex or unusually large transactions — transactions with no apparent economic or legal purpose
- High-risk countries — clients from countries identified by FATF or HM Treasury as having strategic deficiencies in their AML regimes
- Non-face-to-face relationships — not an automatic trigger on its own, but the regulations list it as a higher-risk factor where no safeguard such as electronic identity verification is in place, so you must weigh it in your risk assessment and apply EDD where it pushes the overall risk to high
EDD measures include obtaining additional documentation on source of wealth, senior management approval for new relationships, and increased frequency of ongoing monitoring.
Suspicious Activity Reports (SARs)
If you know or suspect that a client or transaction involves criminal property, you have a legal duty to file a Suspicious Activity Report with the National Crime Agency (NCA). Failure to report is a criminal offence carrying up to 5 years' imprisonment.
A SAR must be filed whenever you have knowledge, suspicion, or reasonable grounds for suspicion of money laundering or terrorist financing. You do not need proof — a suspicion is enough. Importantly, you must not "tip off" the client that a report has been made.
Record-Keeping Requirements
Under the MLR 2017, you must retain copies of all CDD documents and records of all transactions for at least 5 years after the business relationship ends or the occasional transaction is completed. Once that period has passed you must delete them unless another law or legal proceedings require longer retention or the client consents, and in no case may you hold them for more than 10 years. Records must include:
- Copies of identification documents (or references to them if using electronic verification)
- Records of all transactions carried out within the business relationship
- Correspondence and communications relating to the relationship
- Your risk assessment and the basis for any decisions made
- Records of any SARs filed (kept separately and securely)
Record-Keeping Best Practices
• Use a secure digital document management system rather than paper files
• Implement a clear naming convention for client folders
• Set automated reminders for when records are due for review or deletion
• Ensure records are backed up and protected from unauthorised access
• Keep SAR-related records in a restricted-access folder, separate from general client files
Penalties for Non-Compliance
The consequences of failing to meet your AML obligations are severe. Supervisory bodies can impose both civil and criminal sanctions:
| Offence | Civil Penalty | Criminal Penalty |
|---|---|---|
| Failure to conduct CDD | Unlimited fine | Up to 2 years' imprisonment |
| Failure to file a SAR | Unlimited fine | Up to 5 years' imprisonment |
| Tipping off a suspect (POCA s333A) | Unlimited fine | Up to 2 years' imprisonment |
| Inadequate record-keeping | Unlimited fine | Up to 2 years' imprisonment |
| Failure to register with supervisor | Unlimited fine | Up to 2 years' imprisonment |
Warning: Ignorance Is Not a Defence
HMRC and other AML supervisors have made it clear that "not knowing" about your obligations is not an acceptable excuse. In 2024/25, HMRC imposed over £6.2 million in AML penalties on supervised businesses, with fines ranging from £1,500 for minor record-keeping failures to over £500,000 for systemic non-compliance. Directors and sole traders can be held personally liable.
HMRC as Your AML Supervisor
If your business is not supervised by a professional body (such as ICAEW, ACCA, or the Law Society), then HMRC is your default AML supervisor. This applies to most small accountancy practices, tax advisers, bookkeepers, estate and letting agents, high-value dealers, and trust or company service providers. Cryptoasset exchange and custodian wallet providers are the exception: they register with the Financial Conduct Authority (FCA), not HMRC.
You must register with HMRC for AML supervision before you begin operating; trading while unregistered is itself an offence. Registration involves paying an annual fee (currently £300 per premises), a one-off £40 charge for each person who must pass the fit-and-proper test (money service businesses and TCSPs) or the approval check (other sectors), and confirming that you have written AML policies, controls, and procedures in place and ready for inspection.
HMRC conducts compliance visits — both announced and unannounced — and issues penalty notices for failures identified. Their supervisory approach has become increasingly rigorous in recent years, with a focus on risk-based supervision and targeted enforcement.
Practical Steps for Compliance
- Conduct a firm-wide risk assessment — identify the money laundering and terrorist financing risks specific to your business, clients, services, delivery channels, and geographic areas
- Appoint a nominated officer — designate someone responsible for receiving internal suspicious activity reports and filing SARs with the NCA (in a sole trader business, this is you)
- Write AML policies, controls, and procedures — document your approach to CDD, ongoing monitoring, record-keeping, and SAR reporting
- Train all relevant staff — ensure employees understand their obligations, can recognise red flags, and know how to escalate concerns internally
- Screen clients at onboarding — verify identity, check sanctions and PEP lists, and assess the risk level before accepting a new client
- Monitor existing relationships — review client files regularly, update CDD information, and watch for changes in transaction patterns
- Keep detailed records — maintain all CDD documents, risk assessments, and transaction records for at least 5 years
- Report suspicious activity promptly — file SARs with the NCA as soon as suspicion arises; do not delay and do not tip off the client
AML Compliance Toolkit for Small Businesses
• Download HMRC's free AML guidance for your sector from gov.uk
• Use an electronic verification service for client ID checks (saves time and creates an audit trail)
• Subscribe to OFSI's UK Sanctions List update notifications (OFSI is part of HM Treasury)
• Join your sector's professional body for access to AML templates and support
• Schedule an annual internal review of your AML policies and risk assessment
• Keep a log of all staff training sessions with dates and content covered
Red Flags to Watch For
Knowing what to look for is half the battle. The following indicators should trigger further investigation and may warrant a SAR:
- Reluctance to provide ID — the client is evasive, provides inconsistent information, or refuses to supply documentation
- Complex ownership structures — multiple layers of companies, trusts, or offshore entities with no clear commercial purpose
- Unusual transaction patterns — large cash payments, cash split into several payments each just below the €10,000 threshold, or frequent round-sum transfers with no obvious invoice behind them
- Source of funds unclear — the client cannot adequately explain where their money comes from
- Connections to high-risk jurisdictions — funds flowing to or from countries with weak AML controls
- Overpayment and refund requests — a client overpays an invoice and asks for the difference to be refunded to a different account
- Rushed transactions — pressure to complete a deal unusually quickly with limited documentation
- Use of nominees or third parties — someone else is funding the transaction or giving instructions on behalf of the client
- Property transactions at unusual values — properties bought significantly above or below market value
- Crypto-related indicators — frequent conversions between cryptoassets and fiat currency, use of mixing services, or wallets linked to darknet markets
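Several of the transaction-pattern indicators above (large cash, cash structured just below the threshold, linked cash payments, repeated round-sum transfers, and refunds sent to an account the client never paid from) can be turned into a first-pass screen over a payment ledger. The following is an added example written for this page, not code from the original article or from any supervisor's toolkit; the €10,000 cash figure comes from the text, while the 10% "just below" band, the €1,000 round-sum step, the three-transfer count, and the sample ledger are hypothetical values constructed for illustration. A hit means "review and document", not "file a SAR"; that judgement stays with the nominated officer.

```python
"""Red-flag screening over a constructed transaction batch (added example).

Only the EUR 10,000 cash threshold comes from the regulations; every other
tuning value below is a hypothetical choice for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

HVD_THRESHOLD_EUR = 10_000.0   # high-value dealer cash threshold from the regulations
NEAR_THRESHOLD_BAND = 0.10     # hypothetical: cash within 10% below the threshold is "just below"
ROUND_SUM_STEP = 1_000.0       # hypothetical: exact multiples of EUR 1,000 count as round sums
ROUND_SUM_MIN_COUNT = 3        # hypothetical: three or more round-sum transfers per client


@dataclass(frozen=True)
class Txn:
    txn_id: str
    client: str
    amount_eur: float
    method: str      # "cash", "transfer" or "card"
    direction: str   # "in" = payment received from client, "out" = payment/refund sent
    account: str     # counterparty account the money came from or went to


def flag_transactions(txns):
    """Return {txn_id: [reason, ...]} for every transaction that hits a red flag."""
    flags = defaultdict(list)
    by_client = defaultdict(list)
    for t in txns:
        by_client[t.client].append(t)

    # Per-transaction checks on inbound cash.
    lower = HVD_THRESHOLD_EUR * (1 - NEAR_THRESHOLD_BAND)
    for t in txns:
        if t.method != "cash" or t.direction != "in":
            continue
        if t.amount_eur >= HVD_THRESHOLD_EUR:
            flags[t.txn_id].append("cash payment at or above the EUR 10,000 threshold")
        elif t.amount_eur >= lower:
            flags[t.txn_id].append("cash payment just below the EUR 10,000 threshold")

    # Per-client checks that need the whole relationship in view.
    for client, ts in by_client.items():
        cash_in = [t for t in ts if t.method == "cash" and t.direction == "in"]
        # Linked cash payments: no single one reaches the threshold, but together they do.
        if cash_in and max(t.amount_eur for t in cash_in) < HVD_THRESHOLD_EUR:
            total = sum(t.amount_eur for t in cash_in)
            if total >= HVD_THRESHOLD_EUR:
                for t in cash_in:
                    flags[t.txn_id].append(f"part of linked cash payments totalling EUR {total:,.0f}")

        round_sums = [t for t in ts if t.method == "transfer" and t.direction == "in"
                      and t.amount_eur > 0 and t.amount_eur % ROUND_SUM_STEP == 0]
        if len(round_sums) >= ROUND_SUM_MIN_COUNT:
            for t in round_sums:
                flags[t.txn_id].append(f"one of {len(round_sums)} round-sum transfers from this client")

        # Overpayment/refund pattern: money goes out to an account the client never paid from.
        paid_from = {t.account for t in ts if t.direction == "in"}
        for t in ts:
            if t.direction == "out" and t.account not in paid_from:
                flags[t.txn_id].append("refund sent to an account the client never paid from")

    return dict(flags)


def clients_for_review(txns):
    """Distinct clients with at least one flagged transaction, sorted by name."""
    flagged = flag_transactions(txns)
    return sorted({t.client for t in txns if t.txn_id in flagged})


# Constructed sample ledger (not real data).
SAMPLE_TXNS = [
    Txn("T1", "alpha-ltd", 9_500.0, "cash", "in", "CASH"),
    Txn("T2", "alpha-ltd", 9_800.0, "cash", "in", "CASH"),
    Txn("T3", "bravo-ltd", 5_000.0, "transfer", "in", "GB11-BRAVO"),
    Txn("T4", "bravo-ltd", 5_000.0, "transfer", "in", "GB11-BRAVO"),
    Txn("T5", "bravo-ltd", 5_000.0, "transfer", "in", "GB11-BRAVO"),
    Txn("T6", "bravo-ltd", 2_000.0, "transfer", "out", "GB99-OTHER"),
    Txn("T7", "charlie", 300.0, "card", "in", "CARD-4421"),
    Txn("T8", "delta-ltd", 12_000.0, "cash", "in", "CASH"),
]

if __name__ == "__main__":
    for txn_id, reasons in flag_transactions(SAMPLE_TXNS).items():
        print(txn_id, "->", "; ".join(reasons))
    print("review:", clients_for_review(SAMPLE_TXNS))
```

On the sample ledger the screen flags alpha-ltd's two cash payments both as "just below" and as linked payments totalling €19,300, bravo-ltd's three €5,000 transfers and its refund to an unrelated account, and delta-ltd's single €12,000 cash payment; charlie's €300 card payment passes. Keep the reasons attached to each transaction in the client file, since the record of why you looked and what you decided is itself part of the record-keeping obligation.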
"If something feels wrong, it probably is. Trust your professional judgement and report your suspicions. It is always better to file a SAR that turns out to be unfounded than to fail to report genuine criminal activity." — NCA Guidance
Stay Compliant and Keep Clean Records
DIY Tax Return helps you maintain organised financial records year-round, making AML record-keeping and tax compliance straightforward. Start your free trial today.