Flex AML

You’re required to register with a supervisory authority, before you start any regulated activity. To register, you must:

1 – Prepare your AML risk assessment, policies, and controls

2 – Identify and include all responsible persons (e.g. MLROs) and business premises

3 – Complete the online application via Government Gateway or HMRC portal

4 – Pay the fees (typically £300 per premises)

5 – Ensure your responsible persons pass the Fit & Proper/Approval checks

6 – Once approved, you’ll receive your registration and must renew annually via HMRC’s supervision service

Helpful links:

• Register for AML supervision – gov.uk link
• Report suspicious activity (SAR) – NCA portal
• Sanctions List – OFSI consolidated list

Even in small teams, someone must be appointed as the Money Laundering Reporting Officer (MLRO). This person is responsible for overseeing AML policies and reporting concerns. However, every team member must understand and apply basic AML procedures.

HMRC can impose fines, revoke your registration, or pursue criminal action for serious breaches. Many businesses face enforcement not for criminal intent, but for poor record-keeping, failure to train staff, or lack of a written risk assessment.

Yes. Under the UK Money Laundering Regulations 2017, estate and letting agents involved in property sales (and in some cases lettings) are considered regulated businesses. This means you’re required to carry out customer due diligence (CDD), keep accurate records, assess client risk, and report any suspicious activity to the National Crime Agency (NCA).

👉 Need a step-by-step guide? Check out our Practical 2025 Guide to AML Compliance for UK Estate Agents.

Yes. Under the UK Money Laundering Regulations 2017, estate and letting agents involved in property sales (and in some cases lettings) are considered regulated businesses. This means you’re required to carry out customer due diligence (CDD), keep accurate records, assess client risk, and report any suspicious activity to the National Crime Agency (NCA).

Letting agents in the UK must screen clients against UK sanctions lists if they are carrying out work subject to the Money Laundering Regulations, such as high-value lettings over £10,000 per month. Even if not legally required, screening tenants and landlords is considered best practice for risk management and regulatory compliance.

👉 Need a step-by-step guide? New Legal Requirement for UK Letting & Estate Agents: Sanctions Checks Now Mandatory (May 2025 Update).

Yes, from 14 May 2025, all letting agents in the UK must screen tenants, landlords, guarantors, and adult occupiers against the UK sanctions list. This applies to all lettings, regardless of the monthly rent amount. If there’s a match or suspicion, it must be reported to OFSI.

👉 Need help with what to screen, how often, and what to do if there’s a match? View our free PEP & Sanctions Compliance Guide for Estate and Letting Agents

Letting agents are now legally required to:

• Check all parties against the UK sanctions list
• Report matches or suspicions to the Office of Financial Sanctions Implementation (OFSI)
• Freeze assets if required
• Keep records of checks and reports

These changes mean letting agents now have similar legal responsibilities to estate agents and other regulated firms, so having clear procedures in place is a must.

👉 Not sure where to start? View you free guide: New Legal Requirement for UK Letting & Estate Agents.

Great question. Under AML rules, letting agents only needed to register with HMRC and carry out ID checks if the rent was £10,000+ per month.

But as of May 2025, all letting agents must carry out sanctions checks, regardless of rent amount. Even if you’re not doing AML, sanctions screening is now a legal requirement for every tenancy.

Your AML risk assessment should be tailored to your business. Think about who your clients are, what services you offer, and where your risks lie — then write down how you reduce those risks in practice.

A good risk assessment should cover:

• Business-wide risks (e.g. cash buyers, foreign clients, complex company structures)
• Customer risk factors
• Geographic risks
• How you monitor and review risk over time

👉 Need help getting started? View our free AML Risk Assessment Guide for Estate Agents.

There are lots of subtle (and not-so-subtle) signs that a deal might be suspicious. Watch out for:

• Unusual payment methods (cash, third parties, crypto)
• Rushed transactions with no clear reason
• Overseas clients using opaque companies
• Clients unwilling or unable to provide ID or proof of funds
• Property being sold or bought way above or below market value

If something doesn’t feel right: document it, escalate it, and consider submitting a Suspicious Activity Report (SAR) – you guessed it we have a guide for that too: How and When to File a Suspicious Activity Report (SAR).

You’ll need to collect documents that show where the client’s money is coming from and that it’s legitimate. Common examples include:

• Bank statements
• Mortgage offers
• Gifted deposit letters with ID from the donor
• Sale of another property or investment records

The evidence should match the risk, the higher the value or the riskier the client, the deeper you need to dig. And remember: “proof” means documents, not just explanations.

The most common AML breaches reported by HMRC for estate agents include:

• Failure to register for AML supervision (Regulation 56 breach)
• Missing or weak customer due diligence (CDD) — especially ID or source of funds evidence
• No written AML risk assessment tailored to the business
• Lack of staff training on money laundering risks and red flags
• Poor record-keeping, including missing audit trails or outdated files
• Failure to report suspicious activity (SARs) or document internal escalation
• HMRC’s inspections have become stricter, and fines are rising — estate agents saw a 177% increase in AML penalties between 2021 and 2025.

HMRC’s inspections have become stricter, and fines are rising. Estate agents saw a 177% increase in AML penalties between 2021 and 2025.

CDD involves verifying the identity of your clients, understanding the nature of the business relationship, and assessing the risk of money laundering. It includes ID and proof of address checks, source of funds verification, and screening against PEP and sanctions lists.

EDD must be applied when a client is high-risk: for example, if they are a Politically Exposed Person (PEP), based in a high-risk jurisdiction, or involved in complex ownership structures. EDD involves gathering additional documentation and gaining senior approval before proceeding.

A PEP is someone in a prominent public role (e.g. MP, judge, military official), or their close family or associates. PEPs are considered higher risk for bribery or corruption and must be subject to Enhanced Due Diligence.

High-risk clients should be reviewed at least annually. For lower-risk clients, periodic review is still recommended, particularly if there are any changes in ownership, address, or payment methods.

To identify a UBO, you need to find the individuals who ultimately own or control the business you’re dealing with — usually anyone who owns 25% or more of the shares or voting rights, either directly or indirectly.

For companies, this means:

• Checking official documents (e.g. Companies House records)
• Looking through complex ownership structures to identify individuals behind holding companies
• Recording full name, date of birth, nationality, and proof of ID for each UBO

If no one meets the 25% threshold, you should identify the person with overall control, such as a senior manager or director.

👉 For a simple breakdown of UBO checks (with examples), read our full guide: Understanding UBOs – Flex AML

For AML checks, you’ll usually need to collect one document to confirm identity and another to confirm proof of address. These must be valid, independent, and from trusted sources.

Acceptable proof of identity includes:

• Valid passport
• UK or EU photo driving licence
• National ID card
• Biometric residence permit

Acceptable proof of address includes:

• Utility bill (dated within the last 3 months)
• Bank or credit card statement
• Council tax bill (current year)
• Mortgage or tenancy agreement
• HMRC tax letter (dated within 12 months)

Always ensure documents are clear, in date, and match the person’s name exactly.

👉 For a full list and helpful verification tips, read our ID and Proof of Address (POA) Verification Guide.

HMRC will assess your policies, procedures, staff training records, and client files. They’ll check for a written risk assessment, documented CDD and EDD processes, and proof that AML responsibilities are being carried out.

We conduct mock audits, review your documentation, update your risk assessments, and provide tailored training: giving you peace of mind and reducing the risk of enforcement action.

You must retain AML-related records (e.g. ID checks, risk assessments, due diligence notes) for at least five years from the end of the business relationship.

The most common AML compliance failures (across all sectors) include:

• No written AML risk assessment
• Incomplete or missing CDD/KYC records
• Lack of staff training or awareness
• Weak record-keeping and file management
• Failure to report suspicious activity (SARs)

You can avoid these by embedding AML into your daily workflow, not just ticking a box. Keep your risk assessment up to date, train staff regularly, review your procedures, and spot-check files. It’s not about perfection, it’s about consistency and accountability.

Yes! We deliver bespoke training for front-line staff, compliance teams, and directors, either in-person or remotely. It’s practical, sector-specific, and easy to understand.

Absolutely. We tailor our support to your size and risk level. Whether you’re a solo operator or a growing team, we’ll help you meet your obligations without overwhelm.

Book a free 30-minute consultation to chat through your needs. We’ll advise on next steps, timelines, and support options based on your current setup.

Preparing for an AML audit means making sure your policies and procedures aren’t just written but actually working. Here’s what to check:

• Customer Due Diligence (CDD): Are your client files complete and up to date?
• Risk Assessment: Is your AML risk assessment written, relevant, and regularly reviewed?
• Training Records: Have all relevant staff been trained and can they spot red flags?
• Record Keeping: Can you show a clear audit trail — including ID checks, risk ratings, and decisions?
• Reporting Process: Do you know when to submit a SAR and how to escalate concerns internally?