Money laundering failures in UK insolvency practice — what the sanctions data shows

MLR 2017 compliance is the single largest source of UK IP disciplinary action. A focused look at what's going wrong, citing the specific regulations involved.

Of all the regulatory breaches that recur in the published sanctions against UK insolvency practitioners (IPs), failures under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 ("MLR 2017") and the Proceeds of Crime Act 2002 ("POCA 2002") are by some distance the most prominent. They appear in dozens of consent orders across the corpus — sometimes as standalone failings, more often bundled with breaches of the Insolvency Code of Ethics and Statement of Insolvency Practice (SIP) 2. Taken in aggregate, the pattern is uncomfortable: a meaningful minority of licensed IPs are not doing the basic anti-money laundering (AML) work that the regime requires of them.

This article sets out what MLR 2017 requires of IPs, the specific failures that recur in the data, and what those patterns suggest about the wider state of AML compliance in the profession.

What MLR 2017 requires of an IP

IPs are "relevant persons" under MLR 2017 and must operate a risk-based AML framework. The provisions cited most frequently in the sanctions corpus are:

Alongside the Regulations, IPs are subject to POCA 2002, in particular:

These obligations are reinforced by the Insolvency Code of Ethics (Fundamental Principle of Professional Competence and Due Care) and by SIP 2, which requires proportionate investigation into the affairs of the insolvent entity and documentation of the work done.

The failures that recur in the sanctions data

Five distinct failure patterns dominate the published orders.

1. Failing to do CDD before taking on the case or accepting funds

This is overwhelmingly the most common MLR breach in the corpus. Numerous consent orders describe IPs — acting variously as proposed liquidator, liquidator, administrator, nominee or supervisor — who established a business relationship, or accepted funds, without first verifying the identity of the customer and any beneficial owner, contrary to Regulations 27, 28 and 30. In some cases the CDD was never done at all; in others it was attempted but inadequate, with no verification from independent sources and no record of beneficial-owner identification.

Several orders describe the failing across multiple cases — one practitioner failed to undertake onboarding checks across nine liquidations and an Individual Voluntary Arrangement (IVA); another was sanctioned for repeated breaches across an entire portfolio. This is not, in other words, a problem confined to one-off oversights.

2. Failing to apply enhanced due diligence to high-risk cases

A subset of the orders concerns IPs who carried out some CDD but failed to apply enhanced due diligence (EDD) in cases their own risk assessment had categorised as high risk. Although Politically Exposed Person (PEP) screening is part of the broader EDD framework, the corpus does not contain a high volume of explicit PEP-failure findings; the EDD failures recorded tend to relate to high-risk classifications more generally.

3. Failing to reassess risk when new information emerges

Several orders cite Regulations 27(8) and 28(11)–(12) — the duty to reassess the level of risk when new information relevant to the risk categorisation comes to light. In one recurring fact pattern, an IP received third-party funds into an IVA or noted material new information during a liquidation, but did not revisit the original (often low) risk categorisation. The regulator has treated this as a serious breach because it shows the AML framework being treated as a one-off onboarding exercise rather than the ongoing monitoring obligation that MLR 2017 actually creates.

4. Failing to keep adequate CDD records

Regulation 40 record-keeping failures appear alongside the substantive CDD breaches in a number of cases. The pattern is straightforward: even where some checks were carried out, the file did not contain sufficient evidence of what was done, by whom, and on what basis. This connects directly to the parallel SIP 2 failings, where IPs were sanctioned for not documenting their investigations into the company and its directors.

5. Failing to report suspicious activity

This is the second large cluster of breaches. A significant number of orders concern IPs — sometimes acting as the MLRO themselves — who had reasonable grounds for knowing or suspecting criminal conduct but failed to make the required disclosure:

Recurring underlying facts include suspected misuse of Coronavirus Business Interruption Loans or Bounce Back Loan Scheme funds, suspicious payments out of company accounts pre-liquidation, and indications of director misconduct identified during SIP 2 investigations. In one case, an IP went so far as to include the sentence "Report to National Crime Agency has also been submitted" in a final report filed at Companies House — a confidentiality breach treated as a Code of Ethics failure in its own right.

Where the failing IP was the firm's MLRO, the regulator has consistently treated that as an aggravating factor, on the basis that the MLRO should have been the most alert person in the firm to the reporting obligation.

The sanctions pattern

The regulator's published guidance — the AML / Money Laundering Sanctions Guidance — sets a starting point of a Severe Reprimand and a fine of between £8,000 and £10,000 for a serious breach of Regulations 27, 28 or 30, and a starting point of a temporary licence restriction or suspension with a £10,000 fine for a serious failure to report. In practice, fines in the corpus cluster between £4,000 and £10,000, with mitigation given for early acceptance, isolated rather than systemic conduct, remedial training and improved procedures. Aggravation is consistently identified where the IP was the MLRO, where there was a pattern across multiple cases, or where a previous advisory notice had been issued for similar conduct.

What this signals about the state of compliance

Three conclusions are reasonable on the data.

First, MLR 2017 compliance is the single largest source of regulatory risk for IPs. The breaches are concentrated at the most basic end of the regime — identity verification, source-of-funds, suspicious-activity reporting — rather than at the sophisticated edges of typology analysis.

Second, the failures are often systemic rather than one-off. Where breaches appear across dozens of cases or an entire caseload, the underlying issue is firm-level: inadequate onboarding procedures, no effective ongoing-monitoring trigger, and an MLRO function that exists on paper but not in practice.

Third, the SAR-reporting failures matter most. CDD breaches are containable. Failures to report suspicion to the MLRO or NCA defeat the purpose of the regime: they mean that information about potential criminal conduct, surfaced through the privileged access an IP has to a company's books and bank accounts, is not reaching the authorities. For consumers — creditors, employees, the wider public — that is the most consequential failure of all.