UK regulated firms must provide ongoing AML training for all relevant employees under Regulation 24 of the Money Laundering Regulations 2017. Annual refresher training is the industry baseline; higher-risk roles train more frequently. Firms must keep time-stamped completion records for at least five years, and the FCA expects training to be role-relevant, not just a tick-box exercise.
Under Regulation 24 of the Money Laundering Regulations 2017 (MLR 2017), UK regulated firms must take ‘appropriate measures’ to make relevant employees aware of the law on money laundering and terrorist financing and to train them to recognise and handle the related risks. The obligation is not to tick a box. It is to be able to demonstrate, to the Financial Conduct Authority (FCA) and to your own MLRO, that your people can identify and respond to financial crime risk in the work they actually do.
This guide sets out what MLR 2017 and the Joint Money Laundering Steering Group (JMLSG) guidance require, how often training is expected, what it must cover, and how to evidence it. It is not legal advice. It explains what the regulations require and what the FCA expects.
What the MLR 2017 actually requires
The training duty sits in Regulation 24(1). Firms must take appropriate measures to ensure relevant employees are aware of the law on money laundering and terrorist financing and the firm’s own policies, and are given training in how to recognise and deal with transactions and activities that may be related to money laundering or terrorist financing.
‘Relevant employees’ is not necessarily everyone in the firm. It means those whose work is relevant to the firm’s compliance with the regulations, though in a regulated financial-services business that is broad in practice, covering client-facing staff, onboarding and KYC teams, payments and operations, compliance and risk, and senior management.
JMLSG guidance (Part I, Chapter 7) expands on the content and frequency of training, and is the standard the FCA looks to. Its consistent theme is that training should be appropriate to the risks to which each employee is exposed, so frequency and depth are risk-based rather than simply calendar-based. The February 2026 JMLSG revisions strengthened expectations around the nominated officer (MLRO) role and aligned training guidance more closely with data-protection obligations.
How often is AML training required?
AML training under the MLR 2017 must be provided on joining, annually as a minimum, and more frequently for higher-risk roles, with additional event-driven updates whenever rules change or incidents occur.
The regulations do not set a fixed interval. The regulator’s position is, in effect, as often as the risk demands. In practice that produces a clear set of expectations:
- On joining. MLR 2017 and JMLSG both expect relevant employees to be trained before they begin work, or as soon as reasonably practicable afterwards. For roles with immediate AML exposure such as onboarding, payments and client onboarding, do not wait until a full induction period is over.
- Annually, as a baseline. Annual refresher training is the industry standard for general staff. Treat ‘annual’ as a floor, not a ceiling.
- More frequently for higher-risk roles. Functions with elevated exposure may need training more often than once a year.
- Event-driven updates. A regulatory change (such as the February 2026 JMLSG revisions), an enforcement signal in the market, an internal incident, or an employee changing role should all trigger fresh or targeted training. Our guide to keeping compliance training current covers this in more detail.
What must AML training cover?
AML training must cover the three stages of money laundering, customer due diligence (CDD), enhanced due diligence (EDD), suspicious activity reporting to the MLRO, the firm’s own AML policies and controls, and how to identify red flags relevant to each individual’s role.
To meet the ‘appropriate’ standard, content has to be tailored to role and sector. A generic global module does not satisfy MLR 2017. Drawing on JMLSG guidance, effective AML training covers:
- The three stages of money laundering: placement, layering and integration.
- Customer due diligence (CDD), enhanced due diligence (EDD) and beneficial ownership.
- Politically exposed persons (PEPs) and the additional scrutiny they require.
- Suspicious activity reports (SARs), the internal escalation route to the MLRO, and the tipping-off prohibition under the Proceeds of Crime Act 2002.
- The firm’s own AML policies, controls and risk assessment.
The FCA expects training to be scenario-based and role-relevant, building practical judgement rather than passive awareness. Staff should leave training able to recognise a red flag in their own workflow, not merely able to recite a definition.
Who is the MLRO and what training do they need?
The MLRO (Money Laundering Reporting Officer) is the nominated officer under SM&CR (SMF17), responsible for receiving internal suspicion reports and deciding whether to submit a SAR to the National Crime Agency. MLRO training must cover the full AML framework, POCA 2002 reporting obligations and how to assess and file SARs.
Every regulated firm must appoint a nominated officer, the Money Laundering Reporting Officer (MLRO). Under the Senior Managers and Certification Regime this is the SMF17 function. The MLRO receives internal suspicion reports, decides whether to submit a SAR to the National Crime Agency, and oversees the firm’s financial-crime framework.
MLRO training is more demanding than general staff training. It must cover the full AML framework, the firm’s risk assessment, POCA 2002 reporting obligations, and how to assess and submit SARs. It is distinct from, and additional to, the awareness training given to relevant employees more broadly.
How do you evidence AML training to the FCA?
Firms must hold time-stamped completion records tied to each current course version, showing who completed training, when, and on which module. Records must be producible on demand, typically a first request during an FCA financial-crime supervisory visit, and retained for at least five years.
The FCA and JMLSG expect firms to keep records of who was trained, on what, and when. In practice that means:
- Time-stamped completion records, not just attendance logs, tied to the current version of the course rather than a superseded one.
- The ability to produce those records on demand. Training records are typically a first request in a financial-crime supervisory visit.
- Retention for at least five years, in line with the wider MLR 2017 record-keeping requirements.
A reporting platform matters most here. The CityREPORTS reporting platform produces time-stamped, exportable completion records that show assignment, completion and version, the evidence a supervisor actually asks for. For how this fits a wider programme, see our guide to building a compliance training plan that stands up to the FCA.
Common questions about AML training requirements
How often is AML training required under UK law? The MLR 2017 do not specify a fixed interval. They require appropriate, ongoing training for relevant employees. The industry standard is annual refresher training as a minimum, with higher-risk roles training more frequently, and training also triggered by regulatory changes, internal incidents or a change of role. The February 2026 JMLSG updates reinforced the expectation that training frequency reflects each firm’s own risk profile.
Who must complete AML training in a UK regulated firm? All employees whose work is relevant to the firm’s anti-money-laundering obligations must be trained under Regulation 24 of the MLR 2017. In practice this is broad, typically covering all client-facing staff, onboarding teams, compliance and risk functions, and the MLRO. Senior management must also understand the AML framework even if they are not involved in day-to-day CDD.
What records must firms keep of AML training? Firms should hold records showing who completed AML training, when, and on which version of the course. Time-stamped completion records, not just attendance logs, are the standard the FCA expects to see during supervisory visits. Records should be kept for at least five years.
Does a new joiner need AML training immediately? JMLSG guidance states that relevant employees should be trained before they begin work, or as soon as reasonably practicable afterwards. Firms should not wait for a full induction period to finish before training staff in roles with immediate AML exposure.
CityLearning’s AML training course is written for the UK MLR 2017, updated for the February 2026 JMLSG changes and CPD accredited by the CII, with sector-specific versions for banking, insurance, asset management and fintech. It pairs with our financial sanctions training for full financial-crime coverage, and the CityREPORTS platform produces the time-stamped records the regulator expects. Request a demo to see how it maps to your AML obligations.