What does HMRC actually ask at an MLR-2017 inspection of a letting agency?
An HMRC MLR-2017 inspection visit for a letting agent typically takes 2-3 hours on-site and centres on seven evidence categories: the firm-wide risk assessment, customer due diligence policy, training log, MLRO appointment record, suspicious activity report record, source-of-funds policy for cash transactions, and ongoing monitoring evidence. HMRC publishes the inspection-visit outline plus the list of penalised firms on gov.uk; the penalty list is the authoritative reference for what gets fined.
The seven evidence categories in detail:
1. Firm-wide risk assessment (MLR-2017 reg 18). A written document describing the firm's risk profile (customer types, geographies, transaction types, delivery channels) and the controls applied to each. Must be reviewed at least annually or when the risk profile changes materially. Missing this is the single most common HMRC fine reason for letting agents.
2. Customer due diligence policy (regs 27-28). A written procedure describing how the firm identifies and verifies each customer, screens for sanctions and PEPs, walks the PSC tree on corporate clients, and records the outcome. Backed by per-customer evidence files.
3. Training log (reg 24). A record of which staff received AML training, when, and on what content. Must be annual at minimum. Missing or stale training logs are a frequent fine reason.
4. MLRO appointment record (reg 21). Written appointment of the firm's MLRO. Sole traders self-appoint; small firms appoint the owner or a director. A signed memo dated when the appointment took effect.
5. Suspicious Activity Report record. Logs of internal suspicion escalations from staff to the MLRO plus the MLRO's decision on whether to file an external SAR. Zero SARs is fine if the log shows the firm has considered the question; no log at all is not fine.
6. Source-of-funds policy for cash transactions. Letting agents handling rent-in-advance or large deposits in cash need a written threshold above which source-of-funds evidence is collected. MLR-2017 reg 33 enhanced due diligence triggers above €10,000.
7. Ongoing monitoring evidence (reg 28(11)). Periodic re-screening of existing customer relationships. Includes capturing material changes such as a customer becoming a PEP or a director being appointed to a Warning-Listed firm.
The penalty range published on gov.uk shows fines for letting and estate agents from the low thousands of pounds up to £25,000+ for larger firms or repeat offenders. The most common causes published in the HMRC enforcement list are: failure to register with HMRC for AML supervision at all (the largest single category); failure to conduct a firm-wide risk assessment; failure to apply customer due diligence; failure to maintain policies, controls, and procedures; failure to train staff on AML; failure to keep records.
What trips small firms most often: they assume MLR-2017 does not apply to them; they have customer due diligence in some form but no written firm-wide risk assessment; the MLRO appointment is informal, not in writing; the training log is verbal, not documented. Each of these is a separate fine head; an inspection rarely finds one in isolation.
Certaby's letting-agent suite addresses the per-check evidence (reg 28 CDD plus reg 28(11) ongoing monitoring) by producing a signed PDF cert with a 7-year verify URL on every let. It does not produce the firm-wide risk assessment, the training log, the MLRO appointment memo, or the SAR record; those are documents the firm maintains itself. The combination of the firm-side documents plus the per-let cert from Certaby covers the seven evidence categories an HMRC inspector asks about.
Source: HMRC MLR-2017 enforcement publication
Last updated 2026-05-19.