Crypto Law Profile

UK Money Laundering Regulations 2017

UK-wide AML/CFT regulations imposing risk assessment, due diligence, record-keeping and supervisory duties. As amended, they require FCA registration for in-scope crypto firms and a Travel Rule for cryptoasset transfers.

United Kingdom | Effective | Regulation | Jun 26, 2017

At a glance

Status: In force across the UK since 26 June 2017, with further amendments staged.
Crypto scope: Exchange and custodian-wallet providers entered the MLR regime on 10 January 2020.
Primary crypto supervisor: The FCA registers and supervises in-scope UK cryptoasset businesses for AML/CTF.
Crypto Travel Rule: Part 7A has governed specified cryptoasset transfers since 1 September 2023.

Overview

The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, commonly called the UK Money Laundering Regulations or MLRs, are a UK-wide statutory instrument in force since 26 June 2017. The regulations replaced the 2007 money-laundering and transfer-of-funds instruments and established a risk-based framework for preventing money laundering and terrorist financing. As of 18 June 2026, S.I. 2017/692 remains in force as amended. Cryptoasset exchange providers and custodian wallet providers entered the regime on 10 January 2020, the cryptoasset Travel Rule took effect on 1 September 2023, and further amendments are scheduled from 30 June 2026.

Core requirements under the UK Money Laundering Regulations

The MLRs apply to defined “relevant persons” across financial services and other sectors exposed to illicit-finance risk. Covered businesses must identify and assess the money-laundering and terrorist-financing risks affecting their operations, document that assessment, and maintain proportionate policies, controls and procedures. Later amendments added parallel duties concerning proliferation-financing risk.

Customer due diligence is central to the regime. When the statutory triggers apply, a relevant person must identify and verify the customer, identify and take reasonable measures to verify beneficial owners, understand the purpose and intended nature of the relationship, and conduct ongoing monitoring. Enhanced due diligence and enhanced monitoring apply in specified higher-risk circumstances, while simplified measures may be available where the regulations and risk assessment support them.

  • Internal controls can include senior-management responsibility, screening and training, depending on the size and nature of the business.
  • Records supporting due diligence and transactions generally must be retained for the prescribed period, commonly five years, subject to the detailed rules and lawful exceptions.
  • Part 7 supports supervision and enforcement of payer and payee information requirements for traditional transfers of funds.
  • Supervisors have information-gathering, inspection, registration and enforcement powers. The regulations provide for civil penalties, public statements, management prohibitions and criminal liability for specified contraventions.

How the regulations apply to cryptoasset businesses

FCA registration and supervision

The Money Laundering and Terrorist Financing (Amendment) Regulations 2019 brought cryptoasset exchange providers and custodian wallet providers into the MLRs from 10 January 2020. A business carrying on an in-scope cryptoasset activity in the United Kingdom must be registered with the Financial Conduct Authority before beginning that activity, subject to the legislation’s territorial and transitional rules. The FCA applies a fit-and-proper assessment and supervises registered firms for compliance with the MLRs. FCA registration is an AML/CTF legal requirement, not a recommendation or endorsement of the business.

In-scope firms must apply the wider MLR framework, including business-wide and customer risk assessments, customer due diligence, ongoing monitoring, record-keeping, governance and reporting controls. The exact perimeter depends on the definitions in regulation 14A and the facts of the activity; the regime is not a general approval of every product or service offered by a registered firm.

Cryptoasset Travel Rule

Part 7A, inserted by the 2022 amendment regulations and operative from 1 September 2023, governs specified inter-business and unhosted-wallet cryptoasset transfers. It requires originator businesses to collect, verify and transmit prescribed originator and beneficiary information. Beneficiary and intermediary businesses must check for missing or non-corresponding information, take risk-based action, preserve required information and report repeated failures to the FCA. For certain unhosted-wallet transfers, a cryptoasset business must consider requesting information and cannot release the cryptoasset where requested information is not received.

Status, amendments and next dates

The regulations have been amended repeatedly since 2017 and should be read in their current consolidated form. The Money Laundering and Terrorist Financing (Amendment) Regulations 2026, S.I. 2026/621, were made on 9 June 2026. Most of that instrument is scheduled to commence on 30 June 2026. A new enhanced-due-diligence rule for cryptoasset correspondent relationships, including a prohibition involving shell banks, is scheduled for 1 February 2027, while remaining change-in-control amendments for registered cryptoasset businesses are scheduled for 25 October 2027. These staged dates mean the text applicable to a firm can depend on the date and activity in question.

This profile is a legal-reference summary of the framework as of 18 June 2026. The official consolidated legislation, commencement provisions and FCA materials should be checked for the version applicable to a particular date.

Key provisions

Business-wide risk assessment and controls

Relevant persons must assess AML/CTF risks and maintain proportionate, senior-management-approved policies, controls and procedures. Later amendments added proliferation-financing duties.

AML/CFT | Jun 26, 2017

Customer and beneficial-owner due diligence

When statutory triggers apply, firms must identify and verify customers, address beneficial ownership, understand the relationship and conduct ongoing monitoring.

Due diligence | Jun 26, 2017

Enhanced due diligence

Enhanced due diligence and monitoring apply in specified higher-risk cases, including circumstances set out in regulation 33 and related provisions.

Risk controls | Jun 26, 2017

Record-keeping

Relevant persons must retain prescribed due-diligence and transaction records, generally for five years, subject to the regulation's detailed rules and exceptions.

Records | Jun 26, 2017

Transfer-of-funds information

Part 7 provides UK supervision and enforcement machinery for payer and payee information requirements applying to covered transfers of funds.

Payments | Jun 26, 2017

FCA registration for cryptoasset businesses

In-scope cryptoasset exchange and custodian-wallet providers must register with the FCA and satisfy the MLR framework, including applicable fitness and governance requirements.

Registration | Jan 10, 2020

Cryptoasset Travel Rule

Part 7A requires prescribed originator and beneficiary information to accompany specified cryptoasset transfers and sets checks for missing or mismatched information.

Travel Rule | Sep 1, 2023

Unhosted wallet transfers

For specified unhosted-wallet transfers, a cryptoasset business must assess whether to request information and may not release assets when requested information is not received.

Self-custody | Sep 1, 2023

Supervision and enforcement

Supervisors have information, inspection, registration and enforcement powers. Specified breaches can result in civil penalties, public statements, prohibitions or criminal liability.

Enforcement | Jun 26, 2017

Timeline

  1. Regulations made

    HM Treasury made S.I. 2017/692 and laid it before Parliament on the same day.

    Enacted
  2. Regulations enter into force

    The principal 2017 regulations became legally operative across the United Kingdom.

    In force
  3. Cryptoasset businesses added

    The 2019 amendment brought exchange and custodian-wallet providers into the MLR regime.

    In force
  4. Cryptoasset Travel Rule begins

    Part 7A took effect for specified inter-business and unhosted-wallet cryptoasset transfers.

    In force
  5. 2026 amendment regulations made

    S.I. 2026/621 was made, with most provisions scheduled to commence 21 days later.

    Enacted

Who it affects

Actors

Financial Conduct Authority, HM Treasury

Asset classes

Cryptoassets

Editorial note

This profile covers S.I. 2017/692 as amended, rather than only the text made in 2017. As of 18 June 2026, S.I. 2026/621 has been made, but most of its amendments have not yet commenced. Review this profile after 30 June 2026.