
What non-compliance actually costs
Anti-money laundering (AML) enforcement in the UK operates on two tracks: civil penalties for procedural failures, and criminal prosecution for more serious offences. Both carry real consequences, and recent enforcement action shows regulators are willing to act against firms of every size.
Civil financial penalties
Supervisors — including the FCA, HMRC, and the Gambling Commission — can issue civil financial penalties for breaches of MLR 2017, such as inadequate risk assessments, missing policies and procedures, or failure to carry out proper due diligence. Penalties for the most serious breaches are unlimited, and the FCA alone issued over £121.5 million in AML fines by November 2024. These penalties scale with the severity and duration of the breach and can apply even where no actual money laundering took place — the breach is in the system, not necessarily the outcome.
Criminal offences under POCA 2002
The Proceeds of Crime Act 2002 sets out the criminal offences that sit above the civil regime. Money laundering offences themselves carry a maximum of 14 years’ imprisonment and unlimited fines. Failing to report a known or suspected case — the offence most regulated businesses are actually exposed to day to day — carries a separate maximum of 5 years’ imprisonment. These offences apply to individuals, including employees and MLROs personally, not just the business as an entity.
The Economic Crime (Anti-Money Laundering) Levy
Entities supervised for AML by the FCA, HMRC or the Gambling Commission must pay the Economic Crime Levy, calculated on UK revenue band:
- Small entities: exempt
- Medium entities: £10,000 per year
- Large entities: £36,000 per year
- Very large entities: £250,000 per year
This is a separate, recurring obligation from registration fees and any penalties — it applies regardless of whether a firm has ever had a compliance issue.
Recent enforcement, in context
Large-scale fines aren’t reserved for obscure technical breaches — they’ve landed on well-known names. Metro Bank was fined £17 million and Starling Bank £29 million for AML control failures, both involving gaps in how customer risk was monitored over time rather than a single dramatic incident, part of more than £121.5 million in total AML fines issued by the FCA by November 2024. Enforcement isn’t limited to the largest firms either: across professional services, supervisors issued 338 fines totalling over £2 million in the 2024–25 reporting year alone, more than tripling the total value of penalties since 2022. The pattern across recent enforcement is consistent: regulators penalise weak systems and controls as readily as they penalise actual wrongdoing.
