Ongoing monitoring under MLR 2017 Reg 28(11): the duty firms forget
AML duty does not end at onboarding. What ongoing monitoring under MLR 2017 Reg 28(11) requires, why firms overlook it, and how the gap creates real risk.
Arvind Manimaran · 1 July 2026
Most firms think about anti-money laundering as something that happens at the start of a matter. You onboard the client, verify identity, assess risk, check source of funds, and then get on with the legal work. That mental model is understandable, and it is wrong. The Money Laundering Regulations 2017 impose a duty that runs for the entire life of a business relationship. It is set out plainly in Regulation 28(11), and it is one of the most commonly overlooked obligations in the whole regime.
What Reg 28(11) actually says
Regulation 28(11) requires a firm to conduct ongoing monitoring of a business relationship. That has two limbs (MLR 2017, Reg 28(11)):
- Scrutinising transactions undertaken throughout the course of the relationship (including, where necessary, the source of funds) to ensure that the transactions are consistent with the firm's knowledge of the client, their business and their risk profile; and
- Keeping the documents, data and information obtained for CDD up to date.
The word doing the heavy lifting is ongoing. The obligation is not discharged at onboarding and then filed away. It is a continuing duty to keep watching whether what the client is actually doing still matches what the firm expected them to do, and to refresh the underlying due diligence as things change.
Reg 28(11) is a continuing duty: keep checking that the client's actual activity matches the risk profile you assessed at the start.
Why it is the duty firms forget
Onboarding checks have a natural home in a firm's workflow. There is a clear trigger (a new instruction), a clear owner (whoever opens the file), and a clear moment of completion. Ongoing monitoring has none of those things. There is no obvious trigger, no natural end point, and no single moment when someone is prompted to do it. It falls into the gap between "we've onboarded them" and "the matter is closed", and in that gap, it is easy for nobody to own it.
Several patterns make the problem worse:
- The long-standing client. A client onboarded years ago, comfortable and familiar, is often the least scrutinised, precisely because the relationship feels safe. But their circumstances, ownership structure or risk profile may have changed completely since the original CDD, which is now stale.
- The repeat matter. When an existing client brings a new instruction, firms frequently rely on the CDD gathered at the outset without asking whether it still holds. Reg 28(11)'s duty to keep information "up to date" is aimed squarely at this.
- The transaction that doesn't fit. A client who was assessed as low risk suddenly transacts in a way that is out of character: larger sums, unusual counterparties, a different jurisdiction. Ongoing monitoring is what is supposed to catch that inconsistency. Without it, the anomaly sails through.
The link to suspicion reporting
Ongoing monitoring is not a standalone administrative chore. It is the mechanism that feeds a firm's suspicious activity reporting obligations. Under the Proceeds of Crime Act 2002, individuals and firms can commit offences if they fail to disclose knowledge or suspicion of money laundering that arises in the course of their work. Suspicion, in the real world, very often arises during a relationship rather than at its start: a payment that doesn't add up, a story that shifts, a source of funds that no longer makes sense.
If a firm is not monitoring, it is not positioned to form that suspicion, and it cannot report what it never noticed. In that sense, Reg 28(11) is the sensor that makes the rest of the anti-money-laundering system work. A firm that skips it is not just missing a regulatory box; it is switching off its own early-warning system.
What "good" looks like
Ongoing monitoring is, like the rest of the regime, risk-based. It does not mean re-running full CDD on every client every month. In practice it tends to involve a few connected habits:
- Periodic review calibrated to risk: higher-risk clients and matters reviewed more frequently, lower-risk ones less so, but none left indefinitely untouched.
- Transaction scrutiny in the moment: a genuine check, when money moves, that the activity is consistent with the client's known profile, rather than processing payments on autopilot.
- Refreshing stale CDD: updating identity documents, beneficial ownership information and risk assessments when they age or when a trigger event occurs (a new matter, a change in the client's circumstances, an anomaly).
- A record that it happened: because, as with every other part of the regime, an unrecorded review is, to an inspector, no review at all.
The SRA's supervision increasingly reflects this. Its file reviews look not just at the state of a file at onboarding but at whether the firm continued to engage with risk as the matter progressed. A file that was pristine on day one and untouched thereafter is not a compliant file if the relationship called for continued scrutiny.
Why it matters
The onboarding-only mindset creates a specific and dangerous blind spot: the firm feels compliant because it did everything correctly at the start, while the actual money-laundering risk on a live matter goes unwatched. Criminal activity rarely announces itself at onboarding; it emerges through behaviour over time. That is exactly the window Reg 28(11) is designed to cover.
For firms of every size, but especially smaller ones, where nobody may formally own the "middle" of a matter's life, the lesson is that AML compliance is not an event but a state. The duty does not end when the client is onboarded. Forgetting that is not a small oversight; it is a gap in the very control that turns a firm's paperwork into an actual defence against being used to launder money.
Sources
- The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, Reg 28(11): www.legislation.gov.uk/uksi/2017/692/regulation/28
- SRA, Anti-Money Laundering Annual Report 2024-25: www.sra.org.uk/sra/research-publications/aml-annual-report-2024-25
- Legal Sector Affinity Group (LSAG), Anti-Money Laundering Guidance for the Legal Sector
- Proceeds of Crime Act 2002: www.legislation.gov.uk/ukpga/2002/29/contents
Written by Arvind Manimaran. This article is educational and does not constitute legal advice. Regulatory positions should be verified against current SRA guidance and primary legislation.