Systems & controls

Copyright © 2025 LexisNexis

Organisations caught by the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), SI 2017/692, as amended, must implement systems and controls to mitigate and manage effectively the risks of money laundering, terrorist financing and proliferation financing.

Is it mandatory to implement systems and controls under the MLR 2017?

If the MLR 2017 apply to your organisation, you must:

  1. establish and maintain policies, controls and procedures to mitigate and manage effectively the risks of money laundering, terrorist financing and proliferation financing identified in your Money laundering, terrorist financing and proliferation financing organisation-wide risk assessment

  2. regularly review and update those policies, controls and procedures

  3. maintain a written record of:

    1. those policies, controls and procedures—see Precedent: Register of AML, CTF and counter-proliferation financing policies, plans and procedures

    2. any changes to those policies, controls and procedures

    3. the steps taken to communicate those policies, controls and procedures, or any changes to them, within your business

What systems and controls are required?

Regulations 19 and 19A contain details of required policies,

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

Existing user? Sign-in TAKE A FREE TRIAL
Powered by Lexis+®
Latest Risk & Compliance News

FATF announces new mutual evaluation framework to strengthen global illicit finance defences

The Financial Action Task Force (FATF) has convened  its annual high-level meeting with the nine FATF-Style Regional Bodies (FSRBs) in Strasbourg, announcing the implementation of new mutual evaluations. The Global Network, comprising the FATF and nine FSRBs, representing over 200 jurisdictions, remains committed to combating illicit finance through a unified set of standards and mutual evaluations. The meeting focused on implementing Global Network priorities, particularly preparing members for the upcoming mutual evaluations, which will prioritise effectiveness in tackling money laundering, terrorist financing and proliferation risks. All FSRBs aim to complete their first evaluations by late 2026 or early 2027. Additionally, significant emphasis was placed on fostering peer learning, experience sharing and strengthened cohesion within the Global Network, a key priority under the Mexican Presidency.

DSIT welcomes DUA Bill becoming Act of Parliament as DUAA

The Department for Science, Innovation and Technology (DSIT) has welcomed the Data (Use and Access) Bill (DUA Bill) receiving Royal Assent on 19 June 2025 and becoming law as the Data (Use and Access) Act 2025 (DUAA). DSIT notes that key measures include enabling real-time sharing of healthcare data across NHS services, saving 140,000 hours of admin annually and improving patient care, and the simplification of digital identity verification through certified tools, aiding tasks like renting or job application. The DUAA also introduces legislation to support investigations into child deaths linked to social media by preserving relevant data. Additionally, DSIT underlines that as mandated by the DUAA, a new Information Commission will replace the ICO, with a recruitment drive underway for its board to ensure diverse expertise.

ICO publishes guidance documents and work plan for Data (Use and Access) Act 2025

The Information Commissioner's Office has published several guidance documents and a working plan following the Data (Use and Access) Bill receiving royal assent on 19 June 2025 and becoming an Act of Parliament as the Data (Use and Access) Act 2025 (DUAA). The ICO notes that the main changes to the law include clarifying how personal information can be used for research, lifting restrictions on some automated decision making, setting out how to use some cookies without consent, allowing charities to send people electronic mail marketing without consent in certain circumstances and requiring organisations to have a data protection complaints procedure and introducing a new lawful basis of recognised legitimate interests. The ICO also underlines that the DUAA provides it with new powers including the ability to compel witnesses to attend interviews, request technical reports, and issue higher fines.

Risk & Compliance weekly highlights—19 June 2025

This week's edition of Risk & Compliance weekly highlights includes: the latest Risk & Compliance forecast, notable financial sanctions updates, legislative progress with the Data (Use and Access) Bill, and key developments in FATF standards and SFO funding.

View Risk & Compliance by content type :
News
Practice notes
Precedents
Q&As

Popular documents

Who can certify identification documents (passports, driving licences, utility bills, etc)?

Who can certify identification documents (passports, driving licences, utility bills, etc)?Government guidance on Certifying a document states documents must be certified by a professional person or someone well-respected in your community (‘of good standing’) like a:•bank or building society

Priority between loss reliefs in loss making companies

Priority between loss reliefs in loss making companiesWhy does it matter?A company that is a member of a group and has incurred any of the types of losses available for surrender by way of group relief may, without any further rules, have more than one way in which to use the loss. There are a

Late payment penalties—inheritance tax

Late payment penalties—inheritance taxWhile interest often accrues on overdue tax, the late payment of certain taxes may also attract a penalty. For information on the interest accruing on overdue tax, see Practice Notes: IHT—payment deadlines on death—Interest on IHT and Interest on late paid

Strike out—making an application to strike out a statement of case

Strike out—making an application to strike out a statement of caseA strike out order can be made either following an application by the parties or on the court's own initiative. This Practice Note deals with the scenario of the order being made following a party's application.Making an application
Who can certify identification documents (passports, driving licences, utility bills, etc)?

Who can certify identification documents (passports, driving licences, utility bills, etc)?

Who can certify identification documents (passports, driving licences, utility bills, etc)?Government guidance on Certifying a document states documents must be certified by a professional person or someone well-respected in your community (‘of good standing’) like a:•bank or building society

Priority between loss reliefs in loss making companies

Priority between loss reliefs in loss making companies

Priority between loss reliefs in loss making companiesWhy does it matter?A company that is a member of a group and has incurred any of the types of losses available for surrender by way of group relief may, without any further rules, have more than one way in which to use the loss. There are a

Late payment penalties—inheritance tax

Late payment penalties—inheritance tax

Late payment penalties—inheritance taxWhile interest often accrues on overdue tax, the late payment of certain taxes may also attract a penalty. For information on the interest accruing on overdue tax, see Practice Notes: IHT—payment deadlines on death—Interest on IHT and Interest on late paid

Strike out—making an application to strike out a statement of case

Strike out—making an application to strike out a statement of case

Strike out—making an application to strike out a statement of caseA strike out order can be made either following an application by the parties or on the court's own initiative. This Practice Note deals with the scenario of the order being made following a party's application.Making an application