AML (anti-money-laundering) and KYC (know-your-customer) are the regulatory practices UK businesses use to verify who they're doing business with and prevent the financial system from being used for crime. AML is the wider obligation; KYC is the customer-onboarding part of it. If your business is in scope, the rules are not optional and the penalties for getting them wrong are real.
The short answer: who has to comply
In the UK, the Money Laundering Regulations 2017 (as amended) apply to a defined list of "regulated sectors":
- Banks, building societies, and electronic-money institutions
- Accountants, auditors, tax advisers, and bookkeepers
- Solicitors and other legal professionals
- Trust and company service providers
- Estate agents and high-value dealers (businesses that make or accept cash payments of €10,000 or more, whether in one transaction or a series of linked ones)
- Cryptoasset firms
- Payment services and FX firms
- Casinos and gambling operators
If your business sits in one of these categories, you have a legal obligation to operate an AML programme — including KYC on your customers — and you are supervised by a regulator (HMRC, FCA, the SRA, ICAEW, ACCA, or others depending on the sector).
What KYC actually requires
KYC is the practical front end: at the point you take on a client, you have to know enough about them to make a reasoned judgement about whether they are who they say they are and whether the business relationship carries unusual risk. The core steps:
- Identify the customer. Collect documentary evidence — passport or driving licence for individuals, incorporation certificate and registered details for companies.
- Verify their identity. Using a reliable, independent source. Increasingly this means electronic ID verification with biometric checks rather than physical document copies.
- Identify the beneficial owners. For company customers, which natural persons ultimately own or control, directly or indirectly, more than 25% of the shares or voting rights, or otherwise exercise control? Indirect holdings through intermediate companies count, so the test has to be applied through the whole structure, not just at the top layer. For trusts, who are the settlors, trustees, and beneficiaries, and who else has control?
- Understand the purpose of the business relationship — what services are being requested, how they will be used, where the money flows.
- Risk-rate the relationship — low, medium, or high risk — and document the decision.
- Apply enhanced due diligence (EDD) on higher-risk relationships: PEPs (politically exposed persons), high-risk jurisdictions, complex ownership structures, unusual transaction patterns.
- Monitor on an ongoing basis. KYC is not a one-off at onboarding. Customer behaviour, transaction patterns, and risk profiles all change.
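As an added worked example (this is not code from the original article or from any product it mentions), the snippet below walks a constructed layered ownership structure to find the natural persons behind it, applies the "more than 25%" beneficial-owner test to their look-through stakes, and combines the result with constructed PEP, sanctions and adverse-media screening hits into a risk rating with the reasoning written out as an audit trail. Every entity name, percentage, screening result and escalation rule is an assumption for illustration, not a regulator's method.

```python
"""Look-through beneficial ownership plus an auditable KYC risk decision.

All entity names, cap tables, screening hits and rating rules are constructed
for this example; they are not real data or a regulator's methodology."""
from collections import defaultdict

# Constructed cap table: entity -> list of (owner, fraction of shares held).
# Anything that is not a key here is treated as a natural person (a leaf).
OWNERSHIP = {
    "Target Ltd":  [("HoldCo A", 0.60), ("Alice Director", 0.10), ("Nominee Ltd", 0.30)],
    "HoldCo A":    [("Bob Smith", 0.50), ("HoldCo B", 0.50)],
    "HoldCo B":    [("Bob Smith", 0.20), ("Carla Ortiz", 0.80)],
    "Nominee Ltd": [("Carla Ortiz", 1.00)],
}

# Constructed screening output, shaped like a PEP/sanctions/adverse-media result.
SCREENING = {
    "Bob Smith":      {"pep": False, "sanctions": False, "adverse_media": False},
    "Carla Ortiz":    {"pep": True,  "sanctions": False, "adverse_media": True},
    "Alice Director": {"pep": False, "sanctions": False, "adverse_media": False},
}

UBO_THRESHOLD = 0.25                      # beneficial owner = more than 25%
LEVELS = ["low", "medium", "high", "blocked"]


def escalate(current, new):
    """Risk only ever moves up; return the higher of two levels."""
    return max(current, new, key=LEVELS.index)


def effective_ownership(entity, ownership):
    """Map each natural person to their look-through stake in `entity`.

    Multiplies fractions along every ownership chain and sums across chains.
    A circular holding (A owns B owns A) is recorded as a finding, not followed.
    """
    stakes = defaultdict(float)
    circular = []

    def walk(node, fraction, path):
        for owner, share in ownership.get(node, []):
            if owner in path:                       # cycle: opaque structure
                circular.append(path + (owner,))
            elif owner in ownership:                # intermediate company
                walk(owner, fraction * share, path + (owner,))
            else:                                   # natural person
                stakes[owner] += fraction * share

    walk(entity, 1.0, (entity,))
    return dict(stakes), circular


def beneficial_owners(entity, ownership, threshold=UBO_THRESHOLD):
    """Natural persons whose look-through stake exceeds the threshold."""
    stakes, _ = effective_ownership(entity, ownership)
    return {p: round(s, 4) for p, s in stakes.items() if s > threshold}


def risk_decision(entity, ownership, screening, threshold=UBO_THRESHOLD):
    """Structured decision with an audit trail explaining every step.

    Assumed rules: sanctions match -> blocked; PEP, circular structure or an
    unscreened owner -> high (EDD); adverse media alone -> at least medium.
    """
    stakes, circular = effective_ownership(entity, ownership)
    ubos = {p: s for p, s in stakes.items() if s > threshold}
    trail, rating = [], "low"

    for person, stake in sorted(stakes.items()):
        verdict = "beneficial owner" if person in ubos else "below threshold"
        trail.append(f"{person}: {stake:.0%} look-through stake in {entity} -> {verdict}")
    for chain in circular:
        rating = escalate(rating, "high")
        trail.append("circular ownership " + " -> ".join(chain) + " -> EDD required")

    for person in sorted(ubos):                     # screen only those who matter
        hits = screening.get(person)
        if hits is None:
            rating = escalate(rating, "high")
            trail.append(f"{person}: no screening result -> CDD incomplete")
            continue
        if hits["sanctions"]:
            rating = escalate(rating, "blocked")
            trail.append(f"{person}: sanctions match -> do not onboard, consider SAR")
        if hits["pep"]:
            rating = escalate(rating, "high")
            trail.append(f"{person}: PEP -> EDD, senior sign-off, source of wealth")
        if hits["adverse_media"]:
            rating = escalate(rating, "medium")
            trail.append(f"{person}: adverse media -> review before onboarding")
        if not any(hits.values()):
            trail.append(f"{person}: screening clear")

    return {
        "entity": entity,
        "beneficial_owners": {p: round(s, 4) for p, s in ubos.items()},
        "rating": rating,
        "edd_required": LEVELS.index(rating) >= LEVELS.index("high"),
        "audit_trail": trail,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(risk_decision("Target Ltd", OWNERSHIP, SCREENING), indent=2))
```

Run as-is, the constructed structure shows why stopping at the directors is not enough: Alice, the only director on the cap table, holds 10% and is not a beneficial owner, while Carla Ortiz, who never appears at the top layer, controls 54% through HoldCo B and a nominee company and is also a PEP, so the relationship rates high and needs EDD before onboarding. The audit trail is the part a supervisor asks for: each line is a reason the MLRO can stand behind.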
What AML covers beyond KYC
Beyond customer onboarding, the wider AML programme includes:
- A written risk assessment for the business as a whole — what your exposure looks like, where the gaps are.
- Policies, controls, and procedures in writing and applied consistently.
- A nominated officer (the MLRO — Money Laundering Reporting Officer) who handles internal reports and external SARs (Suspicious Activity Reports) to the NCA.
- Training for everyone in the business who could encounter regulated activity.
- Record-keeping — typically five years from the end of a business relationship.
- Independent audit in larger or higher-risk firms, to test that the programme is actually working rather than just on paper.
Common mistakes
- Treating AML as a one-time onboarding task. The regulations require ongoing monitoring. Static KYC is non-compliant KYC.
- Relying on copies of passports sent by email. A scanned document proves that a document exists, not that the person sending it is its holder, and it has to be verified against a reliable, independent source either way. Electronic ID verification with liveness checks is increasingly the expected standard, and it also avoids holding unencrypted identity documents in mailboxes.
- Missing beneficial owners. A company structure that hides the real controller is exactly what AML is designed to surface. Stopping at "the directors" misses the point.
- No written risk assessment. Auditors and regulators ask for it first. If it does not exist, the firm is exposed.
- Untrained or undertrained staff. Training has to be delivered and a written record of it kept; regulation 24 of the MLR 2017 makes this explicit.
- Failure to file SARs. If a member of staff in the regulated sector forms a suspicion, the obligation to report is personal as well as corporate (failure to disclose is an offence under the Proceeds of Crime Act 2002). Tipping off the customer is a separate criminal offence under the same Act.
Penalties
UK AML penalties are not theoretical. The FCA has issued eight-figure fines, and HMRC and the sectoral supervisors have all issued seven-figure ones. Individual directors and MLROs can be held personally responsible. Loss of supervisory registration shuts a regulated business down.
Beyond fines, the operational cost of an AML failure is usually larger than the fine itself: remediation programmes running for years, staff hired in retrospect, and the commercial damage of being publicly named in a notice.
What good AML tooling does
For firms above the smallest scale, doing AML manually is unrealistic. Modern tooling typically covers:
- Electronic identity verification with biometric or liveness checks (selfie + document, often using OCR and chip-NFC for biometric passports).
- Sanctions and PEP screening against global lists, refreshed continuously.
- Adverse-media screening for negative news that might affect risk rating.
- Beneficial-ownership extraction from corporate registries.
- Risk-scoring engines that combine the above into a structured decision and audit trail.
- Ongoing monitoring with re-screening triggered by new data or time-based intervals.
- A written audit log that is exportable for the regulator on demand.
The point of tooling is not to replace judgement — the MLRO still owns the decision — but to make the evidence base consistent, fast, and provable.
Where Rajoka fits
Inside the Rajoka portfolio, Certivus provides AML and KYC compliance infrastructure for regulated businesses — identity verification, screening, ongoing monitoring, and the audit trail. For the wider compliance stack a regulated UK business needs, see the four pillars article and the full portfolio.
Frequently asked questions
What's the difference between AML and KYC?
AML (anti-money-laundering) is the wider regulatory framework that requires regulated UK businesses to prevent financial crime. KYC (know-your-customer) is the customer-onboarding component of AML — verifying identity, beneficial ownership, and the purpose of the business relationship. KYC sits inside AML; AML also covers risk assessment, training, monitoring, suspicious-activity reporting, and record-keeping.
Does my UK business need to do KYC?
Only if it operates in a regulated sector under the Money Laundering Regulations 2017 — banks, accountants, lawyers, estate agents, payment firms, cryptoasset firms, trust and company service providers, high-value-goods dealers, and similar. Non-regulated businesses are not legally required to do KYC, though many adopt parts of it voluntarily for fraud prevention.
What documents are required for UK KYC?
For individuals, government-issued photo ID (passport or driving licence) plus proof of address (utility bill, bank statement, or council tax bill dated within the last three months). For companies, the certificate of incorporation, the register of members, the PSC register, and ID for each director and for each beneficial owner holding more than 25%. Electronic verification with biometric checks is increasingly the standard rather than physical documents.
What is enhanced due diligence (EDD)?
Enhanced due diligence is the additional checks required when a customer relationship presents higher AML risk — for example, politically exposed persons, customers in high-risk jurisdictions, complex or opaque ownership structures, or unusual transaction patterns. EDD typically means deeper source-of-funds and source-of-wealth verification, senior-management approval, and more frequent monitoring.