The new rules for Pooled Client Accounts: Staying ahead of MLR changes

Pooled Client Accounts (PCAs) are bank accounts used by businesses which need to hold funds which belong to their clients. They are sometimes used as a mechanism to protect client funds in the event that the firm servicing the client becomes insolvent. In some cases, they are mandated by regulators (e.g. the Client Asset Sourcebook (CASS) rules applicable to investment businesses, safeguarding for non-bank Payment Service Providers (PSPs), the Solicitors Regulation Authority (SRA) Account Rules for solicitors, and the Client Money Protection (CMP) rules applicable to letting agents).

What do we actually mean by a ‘pooled account’?

At the simplest level a ‘pooled account’ is an account into which monies are pooled. More specifically:

  • The bank’s customer operates a business which ordinarily involves the handling of client funds;

  • The bank’s customer may be subject to regulatory requirements regarding the holding of client funds in designated accounts;

  • The bank has no contractual relationship with the clients of the customer;

  • The pooled account is controlled by the customer firm, not the owners of the funds, or the bank (meaning that the clients of the bank’s customer cannot instruct the bank as to the use of the funds).

  • Client funds are commingled, rather than being separately identifiable (which is why it is important that the customer maintains accurate and up-to-date written records with respect to movement of funds into and out of a PCA).

Do pooled accounts pose a money laundering risk?

The risks relating to pooled accounts stem from potential mis-use by the customer’s client, whether the customer is unaware or complicit (willingly, or under duress). The latest UK National Risk Assessment (NRA), noted that “client accounts continue to be assessed as high risk as they can be misused by criminals to both move illicit funds and provide a veil of legitimacy to the proceeds of crime. Criminals can use client accounts as a way of moving money from one individual or entity to another through a trusted third party (e.g. a Legal Service Provider (LSP)) under the guise of a legitimate transaction. They are also attractive to criminals as their use can contribute to true transferee and beneficiary being shielded, reducing transparency and assisting with obfuscating the source of funds.”

In addition to the potential mis-use, the banks which provide pooled accounts have inherently lower visibility over client transactions through the account, compared to separate, named accounts for each individual client. As PCAs are controlled by the customer, a bank does not know to which underlying client a particular transaction relates. This knowledge limitation can reduce a bank’s ability to effectively monitor transactions through PCAs. This can be heightened where, for example, the firm holding the account is unwilling or unable to disclose client information (e.g. confidentiality, legal and professional privilege).

The JMLSG Guidance (Part 1, Annex 4-II) highlights pooled accounts as an example of a product or service where there may be lesser transparency.

Banks providing pooled accounts have to carefully consider whether the setup is manageable within their respective risk appetites and from a commercial perspective. There have been reports that some firms who depend on a pooled client account to operate within the bounds of their regulatory requirements faced the closure of these accounts by their banks. Through the June 2022 review of the UK’s AML/CFT regulatory and supervisory regime, the UK Government indicated its intent to consult on options aimed at addressing difficulties with accessing PCAs.  HM Treasury’s February 2024 consultation on improving the effectiveness of the Money Laundering Regulations presented various access improvement options. The Government response to the consultation included a proposal to remove the link between PCAs and simplified due diligence (SDD) in the MLRs and include new requirements regarding PCAs in the MLRs.

The current position

Currently, MLR 2017 Reg 37 permits a bank to apply simplified due diligence (SDD) where: 

  • the customer is subject to the MLRs (or equivalent); 

  • the account is a pooled account; 

  • the business relationship is assessed as low ML/TF risk; and

  • the identities of the underlying clients who have a claim on the funds are available upon request. This is reflected in JMLSG Guidance Part 1 Para 5.3.142.

JMLSG Guidance, Part 1, Annex 5-V provides guidance on the management of pooled accounts by banks. In summary:

  • Establish and document the purpose of the PCA (e.g. types of underlying clients, volume of funds to be deposited, volume, value and frequency of transactions, exposure to higher risk industries and countries).

  • Assess the risk presented by the PCA and factor that into the broader customer risk assessment.

  • Assess the steps taken by the customer to apply due diligence to its clients (e.g. review of audit reports, attestation by the customer, and/or review the customer’s due diligence procedures).

  • Establish a written agreement with the customer, under which the customer is obliged to provide the identity information of the underlying clients, upon request, within an agreed timeframe.

Where the relationship with the firm holding the PCA is deemed to present greater risk, additional steps should be taken, such as:

  • Entering into a reliance agreement or otherwise verify the identities of the owners of the funds in the PCA;

  • Applying enhanced ongoing monitoring to the PCA;

  • Restricting the usage of the PCA (e.g. by reference to the type of client whose funds the customer may place in the account).

The proposed position

On 2 September 2025, the Government published draft amending regulations (The Money Laundering and Terrorist Financing (Amendment and Miscellaneous Provision) Regulations 2025) and an accompanying policy note. The policy note explains that the policy intent is to increase the supply and accessibility of PCAs for businesses with a legitimate need, while maintaining robust risk-based controls.

Under the amended MLRs, banks operating PCAs will have to: 

  • Take reasonable measures to understand the purpose of the pooled account and how the customer proposes to use it.

  • Satisfy themselves that the purpose and proposed use of the pooled account is consistent with the customer’s business.

  • Assess the level of ML/TF risk associated with the customer using the PCA.

  • Take reasonable steps to manage and mitigate the risk arising from the customer’s use of a PCA.


Customers holding pooled accounts will be obliged to:

  • Make client identity information available to the bank, upon request.

  • Maintain accurate and up-to-date written records of all the monies that are paid in and out of the pooled account for a period of five years from the completion of a transaction

  • Provide, upon request, information about itself and its management of the PCA to the bank or a law enforcement authority.

Are virtual IBANs pooled accounts?

A virtual IBAN (vIBAN) enables multiple end users to utilize a single IBAN, whilst ensuring that the payment transactions are linked to each user. A vIBAN is effectively a unique identifier which is linked to an underlying IBAN (often referred to as a ‘master account’). The underlying IBAN can be opened either in the name of the end user of the vIBAN, or, in the name of another entity which then allocates the virtual IBANs to its customers (the end users). Incoming payments addressed to the vIBAN are credited to the underlying master account. Outgoing payments initiated by the end user of the vIBAN are debited from the underlying master account.

Concern has been expressed in some quarters that the proposed MLR amendments regarding pooled accounts could impact on the provision of virtual IBANs to Electronic Money Institutions (EMIs) and Payment Institutions (PIs). The latest UK NRA noted that virtual IBANs have some similarities with pooled accounts, in that fund transfers between virtual IBANs can be executed as ledger adjustments, without a transaction moving between separately addressable accounts. The underlying account issuer has a high degree of dependence on the controls operated by its customer, just as with pooled accounts.

However, there are also key differentiators:

  • Virtual IBANs are typically offered as a product type to facilitate the execution of payments, including cross-border transactions. Whereas pooled accounts have a climate money protection objective.

  • The customer for a virtual account will typically be a non-bank PSP, subject to authorisation and supervision by a domestic regulator. Whereas, the customer for a pooled account could be outside of financial services (for example, a law firm or lettering agent), or possibly even unregulated (e.g. care homes, property management agents).

  • In a virtual IBAN model, the end user (which could be a customer of an EMI or PI) has control over the funds, whereas, in a pooled account situation, only the firm holding the account would have control.

As such, it can be reasonably argued that virtual IBAN models are not ‘pooled accounts’. Whilst there is some read across between pooled accounts and virtual IBANs, it is not anticipated that the MLR amendments regarding pooled accounts will materially impact virtual IBAN offerings.

What will actually change?

Whilst the de-coupling of PCAs and SDD might broaden the range of customers to whom banks consider themselves able to offer PCAs, this does not necessarily mean that obtaining and maintaining a PCA will become any easier for such businesses, as the banks will need to demonstrate the appropriateness of their risk assessment, due diligence and risk mitigation. Businesses wishing to obtain and maintain pooled client accounts will need to be prepared to evidence the robustness of their own client due diligence, fund handling and record keeping measures, and be prepared to commit to providing client identity information, upon demand. The amendments to the MLRs express that disclosures to achieve this do not amount to a breach of other disclosure restrictions (e.g. confidentiality, professional privilege). Firms will be required to move from simplified due diligence for a relatively narrow range of businesses to risk-based due diligence and monitoring for a broader range of businesses.


Read next: Money Laundering and Terrorist Financing Regulations Updates: Next Steps for Firms

Free resources

Access free resources designed to help strengthen your anti-financial crime controls.

Partner with us

We love to support projects that combat financial crime -
get in touch to find out more.