AML Compliance for Accountants: A Practical UK Guide (2026)

Anti-Money Laundering (AML) compliance for accountants means the policies, controls, and documented procedures a UK accountancy firm uses to identify clients, assess money laundering risk, carry out due diligence, monitor relationships, and report suspicions under the Money Laundering Regulations 2017 (as amended). AML obligations depend on the services the firm provides and its supervisory context, not simply on the fact that it is an accountancy practice. 

Supervisors for UK accountancy firms include the professional bodies — ICAEW, ACCA, and AAT among others — as well as HMRC, which supervises firms that are not members of an approved professional body. The firm’s supervisor determines the specific framework of guidance and visit expectations it must meet, in addition to the baseline obligations set by the Regulations. 

The regulatory direction of travel in 2026 is clear. Supervisors are increasingly focused on the quality of written risk assessments, the consistency of file documentation, and the evidence of ongoing monitoring — not just the existence of policies. The UK National Risk Assessment published in October 2025 identified the accountancy sector as continuing to carry elevated money laundering risk, reinforcing the expectation that practice-level controls match the risk environment. 

Sources: Money Laundering Regulations 2017 (as amended); CCAB AML Guidance for the Accountancy Sector (January 2026 update); HMRC AML supervision guidance; UK National Risk Assessment 2025; ECCTA 2023 

What accountancy work is in scope for AML obligations? 

Not all accountancy work triggers full AML obligations. The Money Laundering Regulations 2017 impose duties on firms acting as a “relevant person” in relation to regulated services. The firm’s overall compliance framework should be calibrated against the combination of services it provides and the risk profile those services generate — not applied uniformly across everything the practice does. 

Typically in-scope services 

  • Company and business formation services 
  • Trust and company service provider (TCSP) activities 
  • Tax advisory work where the firm has involvement in transactions or financial arrangements 
  • Providing a registered office address or acting as a nominee 
  • Financial planning and investment advice where this falls within the regulated perimeter 
  • Accountancy, audit, and insolvency services when these involve the firm as a relevant person under the Regulations 

Boundary-line services requiring risk-based judgement 

  • Bookkeeping and accounts preparation where the scope is purely administrative 
  • Payroll services with no transactional or advisory element 
  • Pure tax compliance work limited to returns preparation with no planning element 

The distinction matters because a practice that treats all its work as fully in scope will over-engineer its compliance framework for lower-risk activities. A practice that under-scopes will miss genuine obligations in higher-risk service lines. Firms should map their service range against the Regulations and document the basis on which they have determined scope for each service category. 

What are the core components of a practice-wide AML framework? 

A robust AML framework for an accountancy practice is built around nine interconnected pillars. Each one must be documented, operational, and proportionate to the risk profile of the firm’s client base and services. 

  • Business-wide risk assessment — a written assessment of the money laundering and terrorist financing risks specific to the firm, reviewed regularly and kept up to date 
  • Client due diligence (CDD) — verification of client identity, beneficial ownership, and the purpose and intended nature of the business relationship 
  • Enhanced due diligence (EDD) — deeper checks for higher-risk clients and situations, including Politically Exposed Persons (PEPs), clients in high-risk jurisdictions, and complex ownership structures 
  • Ongoing monitoring and refresh triggers — regular review of existing client relationships to detect changes that affect the risk assessment 
  • Source of funds and source of wealth checks — proportionate enquiries into how client funds were generated and accumulated, applied where risk indicators are present 
  • Suspicious activity reporting — internal escalation to the Money Laundering Reporting Officer (MLRO) and, where appropriate, submission of a Suspicious Activity Report (SAR) to the National Crime Agency (NCA) 
  • Staff training and awareness — risk-based training covering AML obligations, red flag recognition, and the firm’s escalation procedures 
  • Record keeping and audit trails — retention of CDD documents, risk assessments, transaction records, and internal decisions for five years from the end of the client relationship, as required by Regulation 40 of the MLRs 
  • Governance, escalation, and MLRO oversight — clear lines of responsibility, a designated MLRO with appropriate authority, and board-level or partner-level engagement with the AML programme 

Each pillar must be linked to supervisory expectations, not simply to internal practice preference. Supervisors will examine whether the framework as documented matches the framework as operated, and whether the firm can demonstrate proportionate application across its actual client base. 

How should a practice build a risk-based, proportionate AML framework? 

Risk-based proportionality is a legal expectation under the Money Laundering Regulations, not a discretion the firm chooses to apply. The Regulations require firms to tailor the extent of their measures to the level of risk presented. A firm that applies identical due diligence to a low-risk sole trader client and a high-risk corporate client with offshore ownership is not complying with the spirit or the letter of the regime. 

Proportionate application means: 

  • Lower-risk clients may be subject to lighter-touch ongoing monitoring, longer CDD refresh intervals, and simplified verification where simplified due diligence (SDD) criteria are met 
  • Higher-risk clients require more frequent monitoring, deeper verification, and documented reasoning for the level of scrutiny applied 
  • The justification for any difference in treatment must be documented in the file and in the business-wide risk assessment 

“Risk-based” does not mean “light-touch for everything.” It means applying the right level of control to each client and service, with documented reasoning for every material decision. A firm that uses a risk-based approach to minimise its compliance work — without genuine analysis behind it — will find that position difficult to defend in a supervisory visit. 

The limits of technology-driven risk scoring 

Automated risk scoring tools can help standardise the initial assessment and flag changes in client profile. They should be treated as decision-support instruments, not as the decision itself. 

If a system assigns a client a low-risk score but the fee-earner has noticed behavioural changes — unusual urgency, reluctance to provide information, changes in the nature of instructions — the score does not override the professional obligation to investigate and document. Firms should have an explicit policy confirming that manual review remains available regardless of what the risk score indicates, and that documented reasoning takes precedence over automated outputs. 

How should an accountancy firm conduct an effective AML risk assessment? 

The business-wide risk assessment is the foundation of the firm’s AML framework. It must be written, proportionate, kept up to date, and capable of withstanding supervisory scrutiny. An assessment that is either too generic or too outdated will be a finding in itself. 

What risk factors should be included? 

A structured risk assessment for an accountancy practice should address at least the following categories: 

  • Client type and ownership structure — complexity of legal structures, presence of multiple layers of ownership, jurisdiction of incorporation 
  • Geographic risk — clients with connections to high-risk jurisdictions, as identified by FATF and the UK NRA 2025; particular attention to countries subject to enhanced monitoring 
  • Service risk — the specific services provided and their exposure to abuse, with company formation and TCSP services carrying the highest inherent risk 
  • Delivery-channel risk — remote onboarding, reliance on digital identity verification without face-to-face contact, cash-intensive clients 
  • Transaction complexity and unusual patterns — arrangements that appear complex relative to the stated business purpose, or that involve frequent changes to beneficial ownership 
  • Source of funds and source of wealth concerns — where the origin of funds is unclear, opaque, or inconsistent with the stated business 
  • PEP-related relationships — presence of Politically Exposed Persons, their family members, or known close associates in the client structure 
  • Adverse information and sanctions-related flags — media coverage, enforcement actions, or matches against the OFSI Consolidated Sanctions List or the UK Sanctions List 

How should the assessment be documented, reviewed, and tested? 

The business-wide risk assessment must be explicit enough to stand up to supervisory scrutiny. Supervisors conducting file picks will examine whether the written assessment reflects the actual risk decisions made at client and matter level, and whether those decisions are consistent across the practice. 

Best practice requires: 

  1. A written assessment that is clearly dated, version-controlled, and owned by a named senior individual 
  2. Periodic review at least annually, and immediately following any material change in the firm’s services, client base, or the external risk environment 
  3. Internal sampling: periodic reviews of a representative selection of client files to test whether risk ratings and due diligence levels are being consistently applied 
  4. Documented outcomes from any sampling exercise, including any remediation steps taken where inconsistencies are identified 

        Software can support the standardisation of risk language and the capture of assessment data across the practice. The firm’s governance remains responsible for the quality and accuracy of the content. 

        What is the difference between CDD and EDD, and when does each apply? 

        Client due diligence is the baseline verification process required when establishing a new business relationship. Enhanced due diligence is the additional layer of scrutiny applied where the risk profile of a client or situation is assessed as higher than standard. 

        Standard CDD: what it covers 

        For each new client, CDD requires: 

        • Verification of the client’s identity using reliable, independent source documents or electronic verification 
        • Identification and verification of beneficial owners — individuals who own or control more than 25% of the entity, or who otherwise exercise control 
        • Understanding the purpose and intended nature of the business relationship 
        • Ongoing monitoring of the relationship and the transactions carried out within it 

        CDD records must be retained for five years from the end of the business relationship (MLR 2017, Regulation 40). This is a hard legal requirement, not a recommended practice. 

        Enhanced due diligence: when it applies 

        EDD is required in the following circumstances: 

        • The client is a Politically Exposed Person, their family member, or a known close associate 
        • The client has connections to a high-risk third country as designated under the Regulations 
        • The client presents a complex ownership structure that creates opacity around beneficial ownership 
        • The source of funds or source of wealth raises questions that standard CDD does not resolve 
        • Unusual transaction patterns are inconsistent with the stated nature of the client’s business 
        • Any combination of factors that the firm’s risk assessment identifies as triggering enhanced scrutiny 

        EDD does not follow a single prescribed checklist. Its content must be proportionate to the specific risks identified. The firm must document both the triggers for applying EDD and the steps taken, in sufficient detail that the reasoning is visible to a supervisor reviewing the file. 

        Source of funds and source of wealth 

        Source of funds refers to the origin of the specific funds used in a transaction or engagement. Source of wealth refers to the overall assets and financial position of the client — how they accumulated their wealth over time. These are related but distinct checks, and both may be required in higher-risk situations. 

        For a client involved in property transactions or complex financial arrangements, a simple statement that funds originate from “business proceeds” is unlikely to be sufficient. The firm should seek documentation that corroborates the stated source, proportionate to the risk level of the client and the transaction. 

        Domestic PEPs: the January 2024 amendment 

        A December 2023 amendment to the Money Laundering Regulations, effective 10 January 2024, introduced a material change to the treatment of UK domestic PEPs. Under the amended Regulations, UK domestic PEPs — such as current or former Members of Parliament, senior civil servants, or other senior UK public officials — are now treated as inherently lower risk than foreign PEPs in the absence of other risk factors. 

        This means proportionately reduced EDD measures may be appropriate for domestic PEPs where no additional risk factors are present. The obligation to identify PEP status and apply enhanced scrutiny has not been removed; the level of that scrutiny is now calibrated to whether the individual is a domestic or foreign PEP. Firms should update their PEP screening procedures and file documentation to reflect this distinction. 

        What does the Digital Verification Services trust framework mean for accountant identity checks? 

        The Digital Verification Services (DVS) trust framework, published by DSIT in February 2026, establishes the standards against which digital identity verification providers are certified. It represents the most significant development in regulated digital identity since the introduction of the Right to Work and Right to Rent digital routes, and it directly affects how accountancy firms can use digital identity checks to satisfy their CDD obligations. 

        What the DVS trust framework establishes 

        The trust framework sets out the certification criteria that identity verification service providers must meet to be treated as a trusted source of digital identity evidence. A DVS-certified check conducted by an approved provider satisfies the “reliable, independent source” standard required for CDD identity verification under the MLRs. 

        For firms that have been using digital identity verification tools, this framework provides a clearer basis for demonstrating that their onboarding process meets the regulatory standard. Where a provider is not DVS-certified, firms must assess whether the checks they conduct are sufficient against the MLR requirements independently. 

        How DVS interacts with the ACSP regime under ECCTA 2023 

        The Economic Crime and Corporate Transparency Act 2023 (ECCTA) introduced the Authorised Corporate Service Provider (ACSP) regime through Companies House. Firms registered as ACSPs are authorised to carry out identity verification checks on behalf of individuals registering with Companies House for company formation and related purposes. 

        DVS-certified checks conducted through an ACSP registration can satisfy both the Companies House identity verification requirement and, in defined circumstances, the CDD identity verification requirement under the MLRs. However, this is not automatic. Firms must assess the specific check conducted, the level of assurance achieved, and whether any residual CDD steps are required under their own risk assessment. 

        The ACSP regime also creates a commercial opportunity. Firms registered as ACSPs can offer technology-enabled identity verification as a billable onboarding service to clients, rather than absorbing the cost as a compliance overhead. For practice partners evaluating the business case for investment in compliant digital onboarding infrastructure, this is a material consideration alongside the risk-reduction argument. 

        📋  ACSP registration: key points for practices 

        Registration as an Authorised Corporate Service Provider is required to conduct identity verification on behalf of clients under the ECCTA 2023 Companies House regime. Registered ACSPs can verify identities for company formation and related filings, and may be able to use DVS-certified checks to satisfy CDD obligations under the MLRs in defined circumstances. ACSP-enabled verification represents a potential new service line, not just a compliance cost. 

        Source: gov.uk/companieshouse — ECCTA 2023 ACSP registration guidance 

        Implications for remote onboarding workflows 

        The DVS framework provides the most credible basis yet for practices to conduct fully digital onboarding for new clients without a face-to-face verification step. Practices should review their current remote onboarding process against the framework criteria and assess whether their current digital verification provider is DVS-certified or otherwise meets the required standard. 

        Where existing tools do not meet the standard, the transition to a compliant solution should be planned before the next supervisory visit cycle. Supervisors are increasingly familiar with the DVS framework and are likely to ask about digital identity processes during file-pick exercises. 

        How should a practice manage ongoing monitoring and when should CDD be refreshed? 

        AML compliance is a continuous obligation, not an onboarding exercise. Ongoing monitoring requires firms to keep the client relationship under review throughout its duration, updating the risk assessment and refreshing CDD when circumstances change. 

        Inconsistent monitoring is one of the most common findings in supervisory visits and file-pick exercises. A firm that carries out thorough onboarding but then has no structured process for monitoring changes in existing client relationships will accumulate stale files that do not reflect current risk. 

        When should CDD or EDD be refreshed? 

        Refresh triggers include: 

        • Changes in ownership or control structure, including new beneficial owners or changes in shareholding above the 25% threshold 
        • Material changes to the nature of the engagement, including new services instructed or significant changes in transaction volumes or patterns 
        • New adverse information or negative media coverage relating to the client or connected individuals 
        • Transaction patterns that no longer fit the profile established at onboarding 
        • Changes in sanctions or geographic risk status, including the client’s acquisition of connections to newly designated high-risk jurisdictions 
        • An extended period of inactivity followed by the resumption of activity 
        • Approaching the firm’s standard periodic review interval, which should be set risk-proportionately — more frequent for higher-risk clients, less frequent for lower-risk relationships 

        The firm should have a documented process for each trigger type, setting out who is responsible for identifying the trigger, what steps are taken in response, and how the outcome is recorded. A monitoring process that relies entirely on fee-earner memory or ad hoc observation will produce inconsistent results. 

        How does suspicious activity reporting and the SAR process work in practice? 

        Identifying and reporting suspicion is one of the most operationally sensitive aspects of AML compliance. The process requires fee-earners to recognise red flags and escalate internally to the MLRO without alerting the client, and it requires the MLRO to assess whether a SAR is required. 

        Identifying red flags 

        Red flags are not a checklist to be applied mechanically. They are contextual signals that, when assessed against what the firm knows about the client and the engagement, give rise to concern. Common red flags in accountancy practice include: 

        • Unusual urgency or pressure to complete transactions or filings 
        • Reluctance or refusal to provide information that would ordinarily be expected 
        • Inconsistencies between stated income or wealth and the client’s apparent lifestyle or spending patterns 
        • Complex or opaque ownership structures that appear to serve no legitimate business purpose 
        • Instructions to receive or transfer funds through unusual routes or to third parties 
        • Cash-intensive business activity at volumes inconsistent with the client’s stated trade 
        • Frequent changes in beneficial ownership or control without clear commercial rationale 

        Internal escalation and the MLRO’s role 

        When a fee-earner forms a suspicion, they must report it internally to the MLRO promptly and without alerting the client. The internal report should document the specific concerns, the information available, and the basis for the suspicion. Vague or undocumented escalations undermine the firm’s ability to demonstrate a proper process in any subsequent review. 

        The MLRO must assess the internal report and decide whether to submit a SAR to the NCA. This decision must be documented regardless of the outcome. If the MLRO decides not to submit, the reasoning must be recorded in the file. The MLRO must be protected from undue commercial pressure in making this assessment — a governance structure that creates implicit pressure to avoid reports creates both regulatory and legal risk for the firm. 

        The tipping-off offence 

        Once a SAR has been filed — or where the firm is contemplating filing one — the tipping-off provisions under sections 333A to 333E of the Proceeds of Crime Act 2002 apply. Tipping off means disclosing to the client, or to any other person who might pass information to the client, that a SAR has been or may be submitted, or that an investigation is under way. 

        Tipping off is a criminal offence. It applies to everyone in the firm, not just the MLRO. Fee-earners who are aware that a matter has been referred internally should avoid any communication with the client that could reveal the existence of the referral. Where a client asks directly about a delay or a change in the nature of communications, the fee-earner should not explain the reason and should seek immediate MLRO guidance on how to respond. 

        The offence of prejudicing a money laundering investigation under section 342 of POCA 2002 imposes a related but distinct obligation: firms must not do anything likely to prejudice a money laundering investigation being carried out by HMRC, the NCA, or another relevant authority. Both offences require active awareness in training programmes and documented escalation procedures. 

        ⚠️  Tipping off and prejudicing investigations: key distinctions 

        • Tipping off (POCA 2002, ss.333A–333E): disclosing to the client or any third party that a SAR has been or may be submitted, or that an investigation is under way. Criminal offence. 
        • Prejudicing an investigation (POCA 2002, s.342): taking any action likely to prejudice an active money laundering investigation by a relevant authority. Criminal offence. 
        • Both apply to all staff, not just the MLRO. 
        • Both must be addressed explicitly in training. 

        Why is AML a culture and governance issue, not just a compliance checklist? 

        Supervisors and enforcement bodies increasingly distinguish between firms that have AML policies and firms that operate AML cultures. The difference is visible in file quality, the consistency of risk decisions across the practice, and the engagement of partners and senior management with the compliance programme. 

        A firm where AML is treated as an administrative overhead — assigned to junior staff, reviewed annually with minimal partner involvement, and applied inconsistently across fee-earners — will produce files that reflect that approach. A supervisor reviewing those files will find gaps, inconsistencies, and missing documentation that the firm may not even be aware of, because no one has sampled the files against the stated policy. 

        Tone from the top is not a soft aspiration in this context. It is a supervisory expectation that partners actively engage with the firm’s AML framework, understand the risk appetite statement, support the MLRO’s authority, and treat AML findings as governance issues rather than administrative inconveniences. 

        AML also sits within a broader financial crime and conduct framework. The UK’s implementation of international sanctions obligations, the obligations under the Bribery Act 2010, and the broader ESG-linked conduct expectations that many professional body supervisors are now articulating all interact with the AML governance model. A practice that is serious about financial crime risk will build a governance structure that addresses all of these dimensions coherently, rather than treating each as a separate checklist. 

        What are the training, quality assurance, and supervisory expectations for AML? 

        Training and awareness 

        Training is a legal requirement under the Money Laundering Regulations. The frequency is not fixed at “annually” — it is risk-based. Teams carrying out higher-risk work, or practices with a complex or diverse client base, may need more frequent refresher training than a standard annual cycle provides. 

        Training must cover the firm’s specific AML procedures, not just generic AML concepts. Fee-earners need to understand the firm’s escalation process, what information to include in an internal report to the MLRO, and the tipping-off restrictions that apply once a suspicion has been raised. Generic e-learning covering “what is money laundering” is not sufficient on its own. 

        Internal testing and quality assurance 

        Periodic file reviews and sampling are best practice, and increasingly treated by supervisors as an expectation rather than an optional extra. A structured sampling programme should: 

        • Cover a representative selection of client files across risk categories and service lines 
        • Assess whether CDD is complete and current, risk ratings are documented, and monitoring records are up to date 
        • Identify and record any gaps or inconsistencies 
        • Produce documented outcomes and remediation steps 
        • Feed into the next revision of the business-wide risk assessment 

        The outcome of sampling exercises should be visible at the governance level — not confined to the compliance team. If sampling consistently identifies the same types of gap across multiple fee-earners, this is a systemic issue that requires a systemic response, not individual correction. 

        Responding to supervisory visits and file picks 

        When a supervisory body visits or conducts a file-pick exercise, it will typically request to see the business-wide risk assessment, a sample of client files including the CDD documentation and risk ratings, evidence of ongoing monitoring, and records of any internal SAR escalations and the MLRO’s decisions. 

        Practices that prepare for this proactively — by maintaining well-organised files, documenting risk decisions at the time they are made, and being able to explain why different clients have been treated differently — are far better positioned than those that attempt to reconstruct documentation when a visit is confirmed. The latter approach is itself a finding. 

        What are the practical limits of software in AML compliance? 

        Software can help standardise, evidence, and streamline AML processes. It cannot replace professional judgment, and it does not transfer legal responsibility from the firm to the technology provider. 

        Automated risk scores and screening alerts are decision-support tools. They surface information and flag potential concerns. The decision about what that information means, and what steps to take in response, remains with the fee-earner and the MLRO. A file that records only “system flagged — no action taken” is not adequate documentation of a risk decision. 

        Firms should also be cautious about over-reliance on software-generated consistency. A system that applies uniform risk categories across a client base may create the appearance of a structured process while masking genuine risk variation that requires human assessment. The value of software is in supporting well-designed processes, not in substituting for them. 

        What is the cost of weak AML processes for an accountancy practice? 

        Between October 2024 and March 2025, HMRC issued approximately £3.2 million in AML fines across the businesses it supervises. Of that total, around £539,000 in penalties was directed at 91 accountancy firms. These are not isolated cases involving unusual conduct. Many relate to incomplete documentation, inconsistent CDD, and failure to demonstrate adequate monitoring — the everyday process failures that accumulate in practices operating without structured controls. 

        Beyond the fine itself, an adverse supervisory finding generates significant management time, legal and professional costs, and reputational damage with professional body supervisors. A practice that receives a formal finding will be subject to enhanced oversight, additional visits, and a demonstrably higher bar for its next supervisory review. 

        The operational cost of weak AML processes is also measurable in internal terms: inconsistent checks that require rework, missing refresh triggers that create file gaps before a supervisory visit, time spent chasing incomplete client information, and the absence of a central audit trail that forces manual reconstruction of compliance decisions when they are challenged. 

        How does IRIS Elements support AML workflows in accountancy practices? 

        IRIS Elements is a cloud-based platform that helps practices structure, standardise, and evidence their AML and client onboarding workflows. It is positioned as a layer of operational discipline and audit-trail infrastructure, not as a compliance guarantee. 

        IRIS Elements supports practices with: 

        • Structured client onboarding workflows that enforce consistent capture of CDD information and risk assessment data at the point of engagement 
        • Standardised language and templates for business-wide risk assessments and client-level risk ratings, reducing variation across fee-earners and offices 
        • Integration with identity verification and sanctions screening, including support for DVS-certified digital identity checks and ongoing screening against the OFSI Consolidated Sanctions List and UK Sanctions List 
        • Automated refresh reminders and monitoring triggers that flag clients due for review based on the practice’s risk-proportionate schedule 
        • A complete digital audit trail linking every CDD document, risk decision, and monitoring event to the client record, accessible for supervisory review without manual reconstruction 
        • Reduced manual rework by centralising AML data that would otherwise be held across multiple systems, files, or individual fee-earner records 

        The firm remains responsible for the quality of the judgements made within the system, for how workflows are configured to reflect the specific risk profile of its practice, and for the ongoing governance of the AML programme. IRIS Elements helps support better-run, more consistently evidenced compliance — it does not make those judgements on the firm’s behalf. 

        Practical AML example: onboarding a higher-risk corporate client 

        The following example is illustrative. It shows how a practice might apply the AML framework described in this guide to a single client onboarding scenario. It does not represent a prescriptive process and should be adapted to the firm’s own risk assessment, supervisory guidance, and client circumstances. 

        Example: higher-risk corporate client with overseas ownership 

        A mid-size accountancy practice is instructed by a newly incorporated UK company to provide tax advisory and company secretarial services. Initial information indicates the company is owned through a holding structure based in a jurisdiction on the FATF enhanced monitoring list. 

        Step 1 — Risk identification: 

        The fee-earner completes the initial risk assessment, noting: high-risk jurisdiction connection; complex multi-layer ownership; company formation service in scope; no prior relationship. The client is rated higher risk. EDD is triggered. 

        Step 2 — Beneficial ownership verification: 

        The firm identifies all individuals owning or controlling more than 25% of the ultimate entity. Verification is conducted using a DVS-certified digital identity check for each beneficial owner. A Companies House PSC register check is performed and cross-referenced against the information provided by the client. Discrepancies are noted and queried. 

        Step 3 — Source of funds and source of wealth: 

        Given the jurisdiction risk and transaction volumes anticipated, the firm requests documentation of the source of the funds to be used in the engagement and a general explanation of how the beneficial owners have accumulated their wealth. Supporting documentation is reviewed and retained on file. 

        Step 4 — Sanctions and PEP screening: 

        All beneficial owners and connected individuals are screened against the OFSI Consolidated Sanctions List, the UK Sanctions List, and a PEP database. One beneficial owner is identified as a family member of a foreign PEP. EDD is confirmed; the relationship is documented. 

        Step 5 — Documentation and MLRO sign-off: 

        The full CDD file is assembled: verification documents, risk assessment, source of funds documentation, screening results and MLRO sign-off on the EDD decision. The file is retained digitally with a timestamped audit trail. 

        Step 6 — Ongoing monitoring: 

        A structured monitoring schedule is set: six-monthly review given the higher-risk rating. Refresh triggers are documented and the client record is flagged for review if any change in ownership structure, jurisdiction status, or transaction pattern is identified. 

        AML for Accountants: Frequently Asked Questions 

        What is the difference between CDD and EDD? 

        Client due diligence (CDD) is the baseline identification and verification process required when establishing a new business relationship. It involves verifying the client’s identity, identifying beneficial owners, and understanding the purpose and nature of the relationship. Enhanced due diligence (EDD) applies where the client or situation presents a higher risk level — for example, where the client is a Politically Exposed Person, has connections to a high-risk jurisdiction, or has a complex ownership structure. EDD requires deeper verification, source of funds and source of wealth checks, and more detailed documented reasoning. The distinction is not between simple and complex clients; it is between different levels of risk that require proportionately different responses. 

        How often should AML training take place? 

        The Money Laundering Regulations require training but do not prescribe a fixed annual cycle. The frequency is risk-based: firms carrying out higher-risk work, or those with a diverse client base, should train more frequently than a standard annual model. All staff with client-facing or AML-relevant responsibilities must be trained, not just compliance officers. Training must cover the firm’s specific procedures — escalation processes, tipping-off restrictions, and how to identify red flags in the context of the firm’s actual services — not just generic AML awareness. 

        Who supervises accountants for AML in the UK? 

        Accountancy firms are supervised for AML either by their professional body or by HMRC. Professional body supervisors include ICAEW, ACCA, CIMA, CIPFA, AAT, ICAS, and CAI among others. Firms that provide trust and company services and are not supervised by a professional body are supervised by HMRC under the Money Laundering Regulations. The supervisory body determines the specific guidance framework, visit expectations, and enforcement approach the firm must meet in addition to the baseline obligations in the Regulations. 

        What should be included in a firm-wide risk assessment? 

        A business-wide risk assessment must address the specific risks the firm faces given its client base, geographic exposure, service range, and delivery channels. It should be written, version-controlled, kept up to date, and capable of standing up to supervisory scrutiny. The assessment should cover client risk categories, high-risk jurisdiction connections, service-specific risks, and any delivery-channel risks such as remote onboarding. It must also explain the basis on which different clients receive different levels of due diligence. Generic templates that do not reflect the firm’s actual circumstances are unlikely to satisfy a supervisor in a file-pick exercise. 

        When should an accountant file a SAR? 

        A Suspicious Activity Report should be submitted to the National Crime Agency when the firm knows, suspects, or has reasonable grounds for suspecting that a person is engaged in money laundering or terrorist financing. The threshold is suspicion, not certainty. A fee-earner who has concerns must escalate them internally to the MLRO promptly. The MLRO then assesses whether a SAR is required. The decision must be documented regardless of the outcome. Once a SAR has been filed or is being contemplated, the tipping-off restrictions under POCA 2002 apply, and neither the fee-earner nor anyone else in the firm should communicate anything to the client that could disclose the existence of the SAR or an investigation. 

        What is an ACSP and does my accountancy firm need to register? 

        An Authorised Corporate Service Provider (ACSP) is a firm registered with Companies House under the Economic Crime and Corporate Transparency Act 2023 to carry out identity verification checks on behalf of individuals registering with Companies House for company formation and related purposes. Accountancy firms that provide company formation or trust and company services should consider whether ACSP registration is required or beneficial for their practice. 

        ACSP registration also provides a commercial opportunity: registered firms can offer technology-enabled identity verification as a billable service to clients undergoing Companies House registration, rather than absorbing verification costs as a pure compliance overhead. This positions identity verification as a service line rather than a cost. Refer to the Companies House guidance on ACSP registration at gov.uk/companieshouse for current requirements. 

        What does the DVS trust framework mean for accountant identity checks? 

        The Digital Verification Services trust framework, published by DSIT in February 2026, sets the certification standards that digital identity verification providers must meet to be treated as reliable independent sources for regulated identity checks. For accountancy firms, using a DVS-certified provider for digital CDD checks provides a clear and defensible basis for demonstrating that identity verification meets the required standard under the Money Laundering Regulations. 

        Firms should verify whether their current digital identity verification tools are provided by a DVS-certified organisation. Where they are not, the firm must independently assess whether the checks conducted satisfy the MLR standard. DVS-certified checks may also satisfy the Companies House identity verification requirement under the ACSP regime in defined circumstances, supporting more streamlined digital onboarding workflows. 

        What is the tipping-off offence and how does it affect client communications? 

        Tipping off is a criminal offence under sections 333A to 333E of the Proceeds of Crime Act 2002. It occurs when a person discloses to a client — or to anyone who might pass information to the client — that a Suspicious Activity Report has been or may be submitted, or that a money laundering investigation is under way. The offence applies to everyone in the firm, not just the MLRO. 

        Once a matter has been referred internally for SAR consideration, fee-earners must avoid any communication with the client that could reveal the existence of the referral. If a client asks why there has been a delay or a change in how the firm is responding, the fee-earner must not explain and must seek immediate guidance from the MLRO. A related offence under section 342 of POCA 2002 — prejudicing a money laundering investigation — applies where anyone takes action likely to harm an ongoing investigation by the NCA, HMRC, or another relevant authority. Both offences must be addressed explicitly in staff training and escalation procedures. 

        Can technology replace the need for professional AML judgement? 

        No. Software tools — including risk scoring engines, sanctions screening databases, and workflow automation platforms — are decision-support instruments, not substitutes for professional judgement. An automated risk score does not constitute a risk decision. A system-generated alert that is closed without documented reasoning is not adequate file evidence of a compliance decision. 

        Firms are legally responsible for the quality of their AML judgements regardless of the tools used to support them. Software helps standardise processes, maintain audit trails, and reduce manual rework. It does not transfer legal liability, and it does not prevent a supervisory finding where the underlying judgements recorded in the system are inadequate. 

        Stephanie Coward

        Managing Director, HCM

        Stephanie Coward is Managing Director for HCM at IRIS, where she leads the strategy, innovation and growth of the organisation’s HR and payroll portfolio. She is responsible for positioning IRIS as a trusted partner to HR professionals and ensuring its solutions support the evolving needs of modern workforces.

        With more than 25 years’ experience in the technology sector, Stephanie brings deep commercial and operational expertise, with a passion for improving the employee experience through technology.

        Stephanie is committed to advancing IRIS’ HCM offering and helping organisations build more resilient, empowered workforces.
