FCA AML supervision is changing. Here's what to do now.
HM Treasury's 2024 response to the AML supervisory regime consultation pointed at a single, consolidated supervisor for UK accountancy and legal practices. The standard is moving towards FCA-style scrutiny: more frequent inspections, stricter evidence requirements, less tolerance for spreadsheet AML. This is the practitioner's guide — what is changing, what to put in place, and the regulations behind each obligation.
HMRC-ready evidence · Audit trails · UK data residency · Built for regulated practice workflows
Trusted by 100+ UK accounting practices
TL;DR — Quick Summary
- HM Treasury announced reform of the UK AML supervisory regime in its March 2024 response to the 2023 consultation — moving towards a single Professional Services Supervisor model.
- The change affects every UK accountancy practice currently supervised by HMRC or by a professional body (ICAEW, ACCA, CIMA, CIOT, AAT, IFA).
- The new bar is FCA-style supervision: more frequent inspections, stricter evidence requirements, and less tolerance for spreadsheet-based AML.
- Three things every MLRO should put in place now: a current firm-wide risk assessment under Regulation 18, a documented CDD process under Regulation 28, and a 5-year evidence trail under Regulation 40.
- Certivus is built around exactly these obligations — by an accountant who ran AML manually for 10 years before building the software.
Answer-first summary
What is the FCA AML reform and what should my practice do?
HM Treasury responded in March 2024 to its June 2023 consultation on reforming the UK's AML supervisory regime. The chosen direction consolidates supervision of accountancy and legal practices and raises the operating standard to FCA-style scrutiny — more frequent inspections, stricter evidence requirements, and less tolerance for spreadsheet-based AML. Every UK regulated practice should now confirm three things are current and documented: a firm-wide risk assessment under MLR 2017 Regulation 18, written AML policies and procedures under Regulation 19, and a five-year retention trail under Regulation 40. These are the foundations every inspector samples first.
- The reform affects all UK accountancy practices supervised by HMRC or a professional body, plus all SRA/CLC-supervised legal practices.
- The change is to the operating standard, not just the supervisor's name — evidence over recalled judgement.
- Regulation 18 (firm-wide RA), 19 (policies), 28 (CDD), 33/35 (EDD/PEP), 40 (retention) are the structural obligations.
- Spreadsheet AML is increasingly hard to defend under FCA-style scrutiny — the audit trail is too fragile.
- Certivus addresses each of those structural obligations and ships a five-year evidence trail by default.
What FCA-style supervision actually changes
The institutional decision matters less than the operating standard. Four things every MLRO should expect to see — whether the inspector's logo is HMRC, your professional body, or the new single supervisor.
Higher inspection frequency
HMRC currently inspects accountancy practices on a risk-based cycle — many smaller firms have not had a visit in years. Under FCA-style supervision, inspections will be more frequent, more focused on evidence, and less forgiving of unprepared documentation.
Evidence over judgement
FCA-style supervision puts heavy weight on the audit trail. Saying "we considered the risk" is not enough — inspectors expect to see the documented analysis, the named MLRO sign-off, the date, and the supporting evidence retained under Regulation 40.
Standardised expectations
The current 22-supervisor patchwork (HMRC plus 13 professional bodies for accountants, plus separate regimes for legal) produces inconsistent application of the MLR 2017. Consolidation under one body removes that variation — and raises the floor for everyone below the current best.
Data-driven targeting
FCA-style supervisors use thematic reviews and data analysis to target practices that look like outliers — sole practitioners handling unusually large client volumes, practices in higher-risk sectors, practices that have never reported an internal SAR. The era of "if no one visits, no one knows" is closing.
Seven steps to prepare for FCA-style AML scrutiny
Each step references the specific MLR 2017 regulation that makes it a legal obligation, not a recommendation. Walk through these in order — most practices can do steps 1, 2, and 7 in a week.
1. Update your firm-wide risk assessment
Regulation 18 of the MLR 2017 requires every supervised practice to have a current, documented risk assessment covering client types, services provided, geographic exposure, and delivery channels. HMRC's most common inspection finding is a generic or undated assessment. Update yours now, sign it, date it, and set the next review date.
MLR 2017, Regulation 18
2. Document your AML policies and procedures
Regulation 19 requires written policies, controls, and procedures that mitigate the risks identified in your firm-wide assessment. The document must name the MLRO, set out the CDD and EDD procedures, define how SARs are escalated internally and submitted to the NCA, and explain how staff are trained.
MLR 2017, Regulation 19; Regulation 21 (MLRO appointment)
3. Apply CDD to every client
Regulation 28 requires identification and verification of every customer and every beneficial owner (25% threshold), an understanding of the purpose of the relationship, and ongoing monitoring. For higher-risk relationships, Regulation 28(2) adds a source-of-funds obligation.
MLR 2017, Regulation 28; Regulation 28(2) source of funds
4. Apply EDD where triggers apply
Regulation 33 lists the triggers — high-risk third country, PEP exposure, complex or unusual transactions, transactions with no apparent economic purpose, or any case the firm assesses as higher risk. Regulation 35 adds the PEP-specific overlay: senior management approval, source of wealth as well as source of funds, and enhanced ongoing monitoring.
MLR 2017, Regulations 33 and 35
5. Screen against the OFSI consolidated list
UK financial sanctions are administered by OFSI under the Sanctions and Anti-Money Laundering Act 2018. Every new client must be screened against the OFSI consolidated list, and every client must be re-screened whenever the list is updated. A hit triggers an immediate freezing obligation and an OFSI report — usually within the same business day.
Sanctions and Anti-Money Laundering Act 2018; OFSI guidance
6. Retain everything for 5 years
Regulation 40 sets a five-year retention period running from the end of the business relationship or transaction. The records must include the CDD documents, the supporting evidence, the risk rating, the screening results, and the business correspondence relating to the relationship. Retention is part of what an inspector samples — not an afterthought.
MLR 2017, Regulation 40
7. Train every relevant employee — annually
Regulation 24 requires every relevant employee to be trained on the firm's AML policies and on identifying and reporting suspicious activity. Training is one of the easiest things for an inspector to test — they ask staff direct questions. Annual refresher training, with documented attendance, is the practical minimum.
MLR 2017, Regulation 24
Every regulation gets a workflow
Certivus is built around the MLR 2017 structural obligations. Here is the direct mapping from each preparation step to the feature that handles it.
Risk assessment module
Step 1 — firm-wide risk assessment (Reg 18)
Guided assessment covering the four required factors. Output is a dated, sign-offable document with automatic review reminders.
Policy templates
Step 2 — written policies and procedures (Reg 19)
Resource-hub templates for AML policy, MLRO appointment letter, CDD checklist, EDD trigger list, and ongoing monitoring schedule — adaptable for your firm.
Client onboarding flow
Step 3 — CDD (Reg 28)
ID verification on UK passport, driving licence, and national ID with biometric liveness check. Beneficial owner capture (25% threshold). Purpose-of-relationship recorded. Source-of-funds questionnaire for higher-risk clients.
EDD workflow
Step 4 — EDD (Regs 33, 35)
Configurable EDD triggers, PEP screening with step-down logic, senior-management approval workflow, and enhanced ongoing monitoring cadence per client risk rating.
Sanctions screening
Step 5 — OFSI screening (SAMLA 2018)
Real-time screening against OFSI consolidated list plus OFAC, UN, and EU lists. Automatic re-screening on every list update. Documented audit trail of every screen.
Audit-ready exports
Step 6 — record retention (Reg 40)
Every CDD record exportable as a timestamped, immutable PDF. Retention period applied automatically. Five-year availability for inspection.
Training tracking
Step 7 — training (Reg 24)
Training matrix per role with completion tracking. Annual reminder workflow. Evidence retained against each named staff member.
Spreadsheets, enterprise AML, or Certivus
The trade-offs are real. Spreadsheets are free but indefensible under scrutiny. Enterprise platforms are robust but sales-gated and expensive. Here is how the options compare on what an FCA-style inspector actually looks at.
| What inspectors check | Spreadsheet | Enterprise AML | Mid-market competitor | Certivus |
|---|---|---|---|---|
| Public, transparent pricing | Free | Hidden — sales call gated | Hidden — sales call gated | £0 / £49 / £149 / £349 / custom |
| MLR 2017 Reg 18 risk assessment | Manual — easy to let lapse | Included | Included | Included — guided + dated |
| CDD with biometric ID verification | Not possible | Included | Included | Included on every paid tier |
| Source-of-funds questionnaire (Reg 28(2)) | Manual document chase | Included | Add-on or higher tier | Built into the verification flow |
| OFSI + OFAC + UN + EU sanctions screening | Manual — error-prone | Included | Per-check billing | Included, real-time, automatic re-screen |
| One-click HMRC/FCA-ready PDF export | Reconstruction job | CSV — needs assembly | Available | One click, timestamped, retention applied |
| 5-year retention applied automatically | Depends on backup discipline | Included | Included | Included, with deletion lock |
| UK data residency (ICO-registered) | Depends on storage location | Varies | Varies | UK only — AWS eu-west-2 |
| Free tier to test before committing | Free forever (but painful) | No free trial | Demo only — no self-serve | 5 free verifications/month, no card |
Public prices. No sales-call gate.
Every competitor in this space hides pricing behind a sales call. Ours has been on the website since day one — for the MLRO who needs to budget without making three phone calls.
Free
£0
5 verifications/month · ID check · audit-ready PDF
Starter
£49/mo
50 verifications · PEP & Sanctions · 1 user
Professional
£149/mo
200 verifications · custom risk rules · multi-user
100+ UK practices already on Certivus
“Certivus cut our AML admin from 12 hours a month to 2. The automation is a game-changer — no more double data entry.”
Sarah Thompson
Managing Partner, Thompson & Co Accountants
“We verified 200 clients in the first month. The client-facing portal is so simple that we got 80% completion rates.”
David Patel
Compliance Officer, Patel Associates
“As a sole practitioner, I can't afford to spend days on AML. Certivus lets me verify clients in minutes.”
Emma Clarke
Sole Practitioner, Clarke Accountancy
FCA AML supervision — the practitioner's FAQ
Sixteen questions MLROs ask us most. With the regulation references, so you can cross-check against gov.uk and legislation.gov.uk.
What is the FCA AML reform and when does it take effect?
HM Treasury announced its preferred direction for UK AML supervisory reform in its March 2024 response to the June 2023 consultation "Reforming the Anti-Money Laundering and Counter-Terrorism Financing Supervisory Regime." The preferred model consolidates supervision of accountancy and legal practices under a smaller number of supervisors — moving away from the current 22-supervisor patchwork (HMRC plus 13 professional bodies for accountants, plus separate regimes for solicitors and licensed conveyancers). Specific commencement dates depend on the legislation needed to implement the chosen model, and as of mid-2026 not every step has been laid before Parliament — practices should follow gov.uk announcements as the timetable is confirmed.
Is FCA actually taking over AML supervision of accountants?
The 2024 government response set out a preferred model called the Single Professional Services Supervisor (SPSS). The exact institutional housing of the SPSS — whether it sits inside the FCA, inside a new statutory body, or via a strengthened HMRC-PBS structure — is part of the implementation work. What is clear is that supervision will become more centralised, more consistent, and more evidence-driven than the current regime. "FCA-style scrutiny" is shorthand for the operating standard rather than necessarily the institutional name on the door.
Will the FCA replace HMRC as the AML supervisor for accountancy practices?
Not overnight, and not necessarily in name. HMRC currently supervises around 30,000+ accountancy service providers that are not members of a professional body. The reform is expected to consolidate these into a smaller number of supervisors and raise the operating standard, but the transition will be staged and existing supervisor relationships will continue during any handover. The substantive change for MLROs is the standard of evidence expected, not which logo is on the inspection letter.
Will the FCA replace the Professional Body Supervisors (ICAEW, ACCA, CIMA, CIOT, AAT, IFA)?
The current direction is consolidation rather than wholesale removal. The Office for Professional Body Anti-Money Laundering Supervision (OPBAS) was set up in 2018 specifically to drive consistency between the PBS bodies. The 2024 reform builds on OPBAS's findings, which have repeatedly identified inconsistent application across the PBS network. The practical effect for member firms is that supervision will become more uniform across PBS bodies, with the floor raised to match the better-performing supervisors.
What does FCA-style AML supervision actually mean in practice?
FCA-style supervision means: (a) more frequent inspections targeted by risk and data analysis rather than random selection; (b) emphasis on documented evidence over recalled judgement; (c) thematic reviews that test specific issues across multiple firms; (d) lower tolerance for spreadsheet-based AML where the audit trail is fragile; and (e) more proactive enforcement where systemic failings are found. The Financial Crime Guide (FCG) and SYSC 6.3 set the tone for FCA-supervised firms already — the reform exports that operating standard to the wider accountancy and legal sector.
What documents will the new supervisor look at first?
Based on FCA, OPBAS, and HMRC supervisory practice, the predictable opening requests are: (1) the firm-wide risk assessment under Regulation 18 — dated, signed, and current; (2) the written AML policy and procedures under Regulation 19, naming the MLRO appointed under Regulation 21; (3) a sample of CDD files showing identification, verification, beneficial ownership, source-of-funds where applicable, and ongoing monitoring evidence; (4) the training matrix under Regulation 24; (5) the internal SAR register and the firm's submission record to the NCA; and (6) the sanctions screening audit trail. All of this should be retrievable within the inspection window — typically 14 days.
What's the difference between MLR 2017 Regulation 28 and Regulation 33?
Regulation 28 sets the standard customer due diligence requirement that applies to every relationship: identify the customer, verify identity from a reliable source, identify and take reasonable measures to verify beneficial owners (25%+ threshold), understand the purpose of the relationship, and apply ongoing monitoring. Regulation 33 is the enhanced due diligence overlay — it lists the situations where the standard CDD is not enough: high-risk third countries, PEPs and their associates, complex or unusually large transactions, transactions without apparent economic purpose, and any case the firm assesses as higher-risk. Regulation 35 then adds PEP-specific steps on top of Reg 33.
Does Regulation 28(2) require source of funds for every client?
No — Regulation 28(2) requires the firm to take "reasonable measures" to understand the source of the customer's funds where the relationship is higher-risk or where Regulation 33 enhanced due diligence applies. For routine, low-risk relationships, source of funds is not formally mandated, but most well-run practices ask for it whenever a transaction is unusual relative to the client's profile. For PEPs, source of funds AND source of wealth are required under Regulation 35.
What is the OFSI consolidated list and how does it apply to accountants?
The OFSI consolidated list is the UK's official list of persons, entities, and ships subject to financial sanctions. It is maintained by the Office of Financial Sanctions Implementation, part of HM Treasury. Every regulated business, including accountancy practices, must screen new clients against the list and re-screen existing clients when the list is updated. A confirmed match triggers an immediate freezing obligation on any funds or economic resources held, plus a reporting obligation to OFSI — usually within the same business day for funds held. Sanctions obligations sit alongside MLR 2017 obligations, not inside them.
How long must AML records be retained?
Regulation 40 of the MLR 2017 sets a five-year retention period. The clock runs from the end of the business relationship for ongoing relationships, or from the date of the transaction for one-off transactions. The retained records must include the CDD identification documents, the verification evidence, the risk rating decision, the screening results, the ongoing monitoring history, and the relevant correspondence. The five-year period is a minimum — some firms retain longer where there is an ongoing investigation or where their professional body recommends it.
Is a sole practitioner subject to the same AML rules as a large firm?
Yes. The MLR 2017 applies to every business carrying on a relevant activity, regardless of size. A sole-practitioner accountancy practice has the same firm-wide risk assessment obligation under Regulation 18, the same CDD obligation under Regulation 28, the same SAR obligation under POCA 2002 sections 330–332, and the same record retention obligation under Regulation 40. The proportionality lies in how much process is appropriate — a sole practitioner with 30 clients runs lighter procedures than a 25-partner practice, but the obligations are not waived.
Are spreadsheets still acceptable for AML compliance?
Spreadsheets are not banned, but they are increasingly hard to defend under FCA-style scrutiny. Three problems: (1) they do not produce a tamper-evident audit trail; (2) they depend on the MLRO who maintains them — when that person leaves, the institutional memory leaves with them; (3) they do not auto-screen against updated sanctions or PEP lists, so the firm misses changes between manual re-screens. Most firms that fail an inspection on evidence quality were running on spreadsheets. The pragmatic move is to digitise before the supervisor visit, not after.
What about solicitors and licensed conveyancers — are they affected?
Solicitors regulated by the SRA, CLC, Law Society of Scotland, or Law Society of Northern Ireland sit under their respective AML supervisory regimes, separate from HMRC and the accountancy PBS bodies. The reform direction affects them too — the SRA has been issuing thematic reviews on source-of-funds, particularly in conveyancing, that explicitly raise the evidence bar. Even where the institutional supervisor is unchanged, the operating standard is converging towards FCA-style expectations.
How does Certivus help with FCA-readiness specifically?
Certivus is built around the MLR 2017 obligations that an FCA-style supervisor will test against. The firm-wide risk assessment module addresses Regulation 18. The configurable AML policy templates address Regulation 19. The client onboarding flow addresses Regulations 28 and 28(2). The EDD workflow addresses Regulations 33 and 35. The OFSI-integrated sanctions screening addresses the SAMLA 2018 obligation. The audit-ready PDF export addresses Regulation 40 retention. Every workflow produces the dated, signed, evidence-backed output that an inspector expects to see. We are not a compliance advisor — your MLRO owns the judgement calls — but we make sure the evidence trail is there when the inspection arrives.
Will adopting Certivus prevent enforcement action?
No software prevents enforcement on its own. Enforcement decisions are made by the supervisor based on the firm's overall conduct — including the MLRO's judgement, the practice's culture of compliance, and the substance of the AML work done. What software changes is the speed of evidence retrieval and the consistency of the audit trail. A firm using Certivus that has done the work properly will spend the inspection showing the inspector the evidence rather than reconstructing it. A firm using Certivus that has cut corners is still a firm that has cut corners — the software does not paper over substance.
How long does it take to migrate from spreadsheets to Certivus?
For most practices, a working setup is in place within an hour. CSV upload imports the existing client list. The first verification runs in three minutes. The first audit-ready PDF exports with one click. For larger practices migrating evidence from existing tools, the typical cycle is one to two weeks — most of which is the firm reviewing and tidying client data, not Certivus implementation. The free tier (5 verifications per month, no credit card) is the right way to test the fit before deciding on a paid plan.
Not legal advice. This page explains the regulation in general terms. It is not legal or compliance advice for any specific firm. Your MLRO or a qualified solicitor must decide how the obligations apply to your circumstances. Last updated 22 May 2026. Regulation references are to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, as amended.