Anti‑Money Laundering (AML) & Know Your Customer (KYC) Policy

Reviewed: 20 February 2025


At a glance

  • We operate a risk‑based AML/KYC programme aligned to UK law and guidance.
  • We verify customer identity using electronic KYC vendors, documentary evidence, and biometric/liveness checks; we screen for sanctions and PEPs at onboarding and continuously thereafter.
  • We apply Customer Due Diligence (CDD), Enhanced Due Diligence (EDD) where risk is higher, and ongoing monitoring throughout the relationship.
  • We record and escalate suspicions to our MLRO; where appropriate we submit SARs to the NCA and observe no tipping‑off.
  • We retain AML/KYC records for 5 years after the end of the relationship (or longer where legally required).

Purpose

To set out UK Postbox’s approach to preventing money laundering, terrorist financing, sanctions breaches and fraud by implementing proportionate KYC/AML controls across our services. This Policy supports our legal obligations and protects our customers, partners and reputation.


Scope

  • Customers: applicants, individuals, authorised users, directors, beneficial owners, trustees, responsible persons.
  • Data & processes: onboarding, identity verification, beneficial ownership checks, sanctions/PEP screening, payment monitoring, mail handling patterns relevant to AML risk, and ongoing reviews.
  • Channels: website/app sign‑up, assisted onboarding via support or sales, and subsequent material changes (e.g., address, ownership, service upgrades).
  • Geographies/services: all jurisdictions we serve and service variants, with restrictions per our Restricted Goods Policy and Terms & Conditions.

Legal and guidance framework

Our compliance programme aligns with applicable UK legislation, regulatory requirements, and recognised industry guidance, including:

  • Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, as amended (“MLR”)
  • Proceeds of Crime Act 2002 (POCA) and Terrorism Act 2000
  • Sanctions and Anti-Money Laundering Act 2018 and the UK sanctions regime, including the UK Sanctions List maintained by HM Treasury’s Office of Financial Sanctions Implementation (OFSI)
  • “High-Risk Third Countries” list as published by the UK Government (HM Treasury) and reflected in UK regulations
  • Joint Money Laundering Steering Group (JMLSG) Guidance (risk-based approach)
  • UK data protection legislation, including the UK GDPR and Data Protection Act 2018, where relevant to identity verification and data processing
  • Local or sector-specific regulations where applicable (for example, the London Local Authorities Act 2007, section 75, in relation to certain address services)

Roles and responsibilities

  • Board/Executive: sets risk appetite, approves this Policy and the Business‑wide Risk Assessment (BWRA).
  • MLRO (Nominated Officer): owns AML framework; assesses internal suspicions; files SARs/DAML with NCA; liaises with law enforcement/regulators; maintains AML training and records (mlro@ukpostbox.com).
  • Deputy MLRO: acts when MLRO unavailable.
  • Compliance/KYC Team: performs CDD/EDD, screening, periodic reviews and triggers; maintains KYC evidence and audit trail.
  • Mailroom/Operations: enforces Restricted Goods Policy, monitors unusual mail patterns and escalates to MLRO.
  • Support/Sales/Finance: identify and escalate red flags; do not provide advice that could constitute tipping‑off.
  • All staff: complete AML training at induction and annually; report suspicions promptly.

Risk‑based approach (RBA)

We assess and document risks at three levels:

  1. Business‑wide Risk Assessment (BWRA): products/services, delivery channels, geographies, customer types, and suppliers.
  2. Customer risk assessment: scored factors (Low/Standard/High) including customer type (individual/SME/corporate/trust), PEP/sanctions status, country risk, service usage (e.g., forwarding only vs registered office), payment behaviour, and adverse media.
  3. Transactional/behavioural risk: unusual volumes, rapid address changes, repeated returns, mail indicative of prohibited activities.

EDD is required where: customer is a PEP or close associate; links to high‑risk third countries; complex/opaque ownership; adverse media suggesting financial crime; or other high‑risk indicators. We may decline or exit relationships not compatible with our risk appetite.


Customer Due Diligence (CDD)

Individuals/sole traders

  • Identity: obtain and verify full name, date of birth, nationality and photo ID (passport/ID card/driving licence). Use electronic KYC and biometric/liveness checks.
  • Address: verify residential address via documentary evidence or electronic sources.
  • Sanctions/PEP: screen at onboarding and on a continuous basis.
  • Purpose & intended use: capture intended services, reason for the service and expected activity (e.g., mail volume, forwarding destinations).

Corporates/other entities

  • Existence: obtain company registration details; verify via official registries (e.g., Companies House).
  • Ownership & control: identify directors and beneficial owners (≥25% or other control) and verify their identity as per individuals.
  • Nature of business: collect description, trading addresses, website and expected use of UK Postbox services.
  • Sanctions/PEP: screen the entity and key principals; check against sectoral sanctions where applicable.
  • Documentation: articles/constitutional documents where required; for charities/partnerships/trusts obtain equivalent evidence.

When CDD must be performed

  • Before establishing a relationship or carrying out an occasional transaction over applicable thresholds.
  • On suspicion of money laundering/terrorist financing.
  • When there is doubt about previously obtained identity information.
  • On material change (ownership, directors, service risk, geography).
  • As part of routine ongoing monitoring.

Enhanced Due Diligence (EDD)

Where risk is higher we apply additional measures, which may include:

  • Obtaining senior management approval to onboard/continue.
  • Additional independent verification of identity and address; source of funds/wealth evidence where appropriate.
  • More granular understanding of intended use and expected volumes.
  • Increased monitoring frequency; shorter review cycles.
  • On‑site or video interview (where proportionate).
  • For high‑risk geographies, confirmation of lawful purpose for using a UK service address.

If required information is not provided or is unsatisfactory, we will refuse or terminate services.


Screening (sanctions, PEPs, adverse media)

  • Timing: at onboarding, daily list updates (continuous), and on trigger events (ownership change, risk change).
  • Sources: official sanctions lists (e.g., OFSI, UN, EU, US OFAC as relevant), PEP and RCA datasets, and reputable adverse media.
  • Handling potential matches: pause onboarding/activity as needed; investigate and document; escalate to MLRO for decision. Services will not proceed until a PEP/sanctions hit is resolved.
  • Recurrence: periodic rescreening is automated where feasible.

Ongoing monitoring & periodic review

  • Behavioural monitoring: unusual activity patterns (e.g., excessive returns to sender, rapid forwarding to higher‑risk locations, customer refuses to provide explanations).
  • Periodic reviews: at least every 12–36 months depending on risk tier (High: 12, Standard: 24, Low: 36).
  • Trigger reviews: on material changes, alerts, or new adverse media.
  • Breaches of the UK Postbox Terms & Conditions, including but not restricted to sending or receiving legal substances, mis-declaration on shipments, or unusual behaviour or actions.

Suspicious activity reporting (SAR) & DAML

  • Staff must immediately report suspicions to the MLRO using the internal SAR form; include facts, reasons, identifiers and do not tip off the customer.
  • The MLRO assesses and, where appropriate, files a Suspicious Activity Report (SAR) with the NCA. If a prohibited act may occur, the MLRO seeks a Defence Against Money Laundering (DAML) before allowing the transaction to proceed.
  • We comply with any consent or moratorium periods and document all decisions.
  • Tipping‑off and prejudicing an investigation are criminal offences; staff must keep SARs strictly confidential.

Payments & fraud controls


  • We use PCI DSS‑validated processors; unusual payment behaviours (multiple cards, mismatched names/countries, repeated declines/chargebacks) are flagged for review.
  • We may require verified payment methods for higher‑risk accounts and may hold or refuse services where fraud is suspected.

Records & retention

  • KYC evidence, risk assessments, screening results, decisions, communications, SAR logs and training records are retained for 5 years after the relationship ends, or as required by law/regulator.
  • Records are stored securely with access control/MFA and audit logs; deletion follows our Data Retention & Deletion Policy.

Training & awareness

  • Mandatory AML training at onboarding and annual refreshers for all relevant staff; role‑specific modules for KYC, support, mailroom and finance.
  • Training covers legal duties, red flags, SAR process, sanctions/PEP handling, and no tipping‑off.

Quality assurance & audit

  • Second‑line QA on a sample of KYC files monthly; findings tracked to closure.
  • Internal audit (periodic) of the AML framework and BWRA.
  • Vendor assurance: annual review of KYC/screening vendor performance and accuracy.

Data protection

  • KYC processing is carried out under legal obligation (MLR) and legitimate interests (fraud prevention).
  • Biometric/liveness checks are processed by vetted vendors with appropriate safeguards; see Data Protection Policy, Privacy Notice and DPA for details.
  • We apply data minimisation, encryption, and strict access controls.

Enforcement & consequences

We may decline, suspend or terminate services, and/or report to authorities where customers fail to pass KYC/EDD, breach sanctions, or present unacceptable AML risk. The same applies to misuse of addresses, restricted goods violations, abusive conduct, or breach of our Terms & Conditions, AUP, Restricted Goods Policy or Mail Inspection Policy.


UK Postbox Limited

13 Freeland Park, Wareham Road, Lytchett Matravers, Poole, Dorset, BH16 6FH, United Kingdom


Support: support@ukpostbox.com

Security: security@ukpostbox.com

Legal notices: legal@ukpostbox.com

Data protection: dpo@ukpostbox.com

Complaints: complaints@ukpostbox.com

Accessibility: accessibility@ukpostbox.com

Website: www.ukpostbox.com


Registered in England and Wales. Company Number: 06723381

MLR registration no: XLML00000192390

ICO registration no: ZA038907