AML & Compliance FAQs

General AML Requirements

How do I register for AML supervision in the UK?

You’re required to register with a supervisory authority before you start any regulated activity. To register, you must:

1 – Prepare your AML risk assessment, policies, and controls

2 – Identify and include all responsible persons (e.g. MLROs) and business premises

3 – Complete the online application via Government Gateway or HMRC portal

4 – Pay the fees (typically £300 per premises)

5 – Ensure your responsible persons pass the Fit & Proper/Approval checks

6 – Once approved, you’ll receive your registration and must renew annually via HMRC’s supervision service


Who is responsible for AML compliance in a small business?

Even in small teams, someone must be appointed as the Money Laundering Reporting Officer (MLRO). This person is responsible for overseeing AML policies and reporting concerns. However, every team member must understand and apply basic AML procedures.

What are the penalties for failing to comply with AML rules?

HMRC can impose fines, revoke your registration, or pursue criminal action for serious breaches. Many businesses face enforcement not for criminal intent, but for poor record-keeping, failure to train staff, or lack of a written risk assessment.

AML FAQs for Businesses Offering Virtual Office & Address Services

Do businesses offering virtual office, registered address, or mail handling services need AML supervision?

Yes, in many cases businesses offering virtual office, registered address, business address, director service address, or mail handling services may fall under Trust and Company Service Provider (TCSP) regulations and require AML supervision with HMRC.

The exact requirements depend on the services being provided and how your business operates. Even businesses primarily focused on co-working, serviced offices, or flexible workspace may still have AML obligations if they offer address-related services to customers.

It is important to review your setup carefully before launching or expanding these services to ensure the correct AML policies, onboarding processes, and compliance procedures are in place.

What AML checks should businesses offering virtual office or address services complete?


Businesses offering virtual office, registered address, or mail handling services should typically complete identity verification, proof of address checks, beneficial ownership verification, PEP and sanctions screening, customer risk assessments, and ongoing monitoring as part of their AML obligations.

The level of due diligence required will depend on the services being provided, the customer risk profile, and the overall risk appetite of the business.

What is a TCSP?

A Trust or Company Service Provider (TCSP) is a business that offers regulated services such as registered office addresses, directors’ service addresses, company formations, or business address services.

Can businesses offering virtual office or address services onboard overseas customers?

Yes, but overseas customers may present higher AML risks depending on the jurisdiction, company structure, and nature of the business. Enhanced due diligence may be required in certain situations.

What are common AML red flags?

Examples may include customers unwilling to provide information, complex ownership structures, high-risk jurisdictions, frequent director changes, unusual mail volumes, or businesses with unclear trading activity.

What records should I retain?

Businesses should maintain customer due diligence records, risk assessments, onboarding documentation, ongoing monitoring records, training logs, and internal AML procedures in line with UK AML regulations.

What happens during an HMRC AML audit?

HMRC may review your AML policies, customer files, risk assessments, onboarding processes, training records, ongoing monitoring procedures, and wider compliance controls to assess whether your business meets regulatory obligations.

Can Flex AML help prepare for HMRC audits?

Absolutely. Flex AML supports virtual office providers with mock audits, AML policy reviews, remediation work, operational guidance, staff training, and ongoing compliance support.

Due Diligence & Client Checks

What is Customer Due Diligence (CDD)?

CDD involves verifying the identity of your clients, understanding the nature of the business relationship, and assessing the risk of money laundering. It includes ID and proof of address checks, source of funds verification, and screening against PEP and sanctions lists.

When do I need to apply Enhanced Due Diligence (EDD)?

EDD must be applied when a client is high-risk: for example, if they are a Politically Exposed Person (PEP), based in a high-risk jurisdiction, or involved in complex ownership structures. EDD involves gathering additional documentation and gaining senior approval before proceeding.

What is a PEP and why does it matter?

A PEP is someone in a prominent public role (e.g. MP, judge, military official), or their close family or associates. PEPs are considered higher risk for bribery or corruption and must be subject to Enhanced Due Diligence.

How often should I re-check clients?

High-risk clients should be reviewed at least annually. For lower-risk clients, periodic review is still recommended, particularly if there are any changes in ownership, address, or payment methods.

How do I identify Ultimate Beneficial Owners (UBOs)?

To identify a UBO, you need to find the individuals who ultimately own or control the business you’re dealing with — usually anyone who owns 25% or more of the shares or voting rights, either directly or indirectly.

For companies, this means:

  • Checking official documents (e.g. Companies House records)
  • Looking through complex ownership structures to identify individuals behind holding companies
  • Recording full name, date of birth, nationality, and proof of ID for each UBO

If no one meets the 25% threshold, you should identify the person with overall control, such as a senior manager or director.

👉 For a simple breakdown of UBO checks (with examples), read our full guide: Understanding UBOs – Flex AML

What documents are acceptable for proof of identity and address?

For AML checks, you’ll usually need to collect one document to confirm identity and another to confirm proof of address. These must be valid, independent, and from trusted sources.

Acceptable proof of identity includes:

  • Valid passport
  • UK or EU photo driving licence
  • National ID card
  • Biometric residence permit

Acceptable proof of address includes:

  • Utility bill (dated within the last 3 months)
  • Bank or credit card statement
  • Council tax bill (current year)
  • Mortgage or tenancy agreement
  • HMRC tax letter (dated within 12 months)

Always ensure documents are clear, in date, and match the person’s name exactly.

👉 For a full list and helpful verification tips, read our ID and Proof of Address (POA) Verification Guide.

AML Audits & HMRC Inspections

What does an HMRC AML audit involve?

HMRC will assess your policies, procedures, staff training records, and client files. They’ll check for a written risk assessment, documented CDD and EDD processes, and proof that AML responsibilities are being carried out.

How can Flex AML help me prepare for an audit?

We conduct mock audits, review your documentation, update your risk assessments, and provide tailored training, giving you peace of mind and reducing the risk of enforcement action.

How long do I need to keep AML records?

You must retain AML-related records (e.g. ID checks, risk assessments, due diligence notes) for at least five years from the end of the business relationship.

What are the most common AML failings and how can I avoid them?

The most common AML compliance failures (across all sectors) include:

  • No written AML risk assessment
  • Incomplete or missing CDD/KYC records
  • Lack of staff training or awareness
  • Weak record-keeping and file management
  • Failure to report suspicious activity (SARs)

You can avoid these by embedding AML into your daily workflow, not just ticking a box. Keep your risk assessment up to date, train staff regularly, review your procedures, and spot-check files. It’s not about perfection; it’s about consistency and accountability.

Working with Flex AML

Do you offer AML training for my team?

Yes! We deliver bespoke training for front-line staff, compliance teams, and directors, either in-person or remotely. It’s practical, sector-specific, and easy to understand.

Do you work with small or one-person agencies?

Absolutely. We tailor our support to your size and risk level. Whether you’re a solo operator or a growing team, we’ll help you meet your obligations without overwhelm.

How do I get started with Flex AML?

Book a free 30-minute consultation to chat through your needs. We’ll advise on next steps, timelines, and support options based on your current setup.

How should I prepare for an AML audit?

Preparing for an AML audit means making sure your policies and procedures aren’t just written but actually working. Here’s what to check:

  • Customer Due Diligence (CDD): Are your client files complete and up to date?
  • Risk Assessment: Is your AML risk assessment written, relevant, and regularly reviewed?
  • Training Records: Have all relevant staff been trained and can they spot red flags?
  • Record Keeping: Can you show a clear audit trail — including ID checks, risk ratings, and decisions?
  • Reporting Process: Do you know when to submit a SAR and how to escalate concerns internally?

Still have questions?

Get in touch. We’re here to help you feel confident and supported in your AML journey.