Key compliance terms for UK accountants and law firms

Anti-Money Laundering refers to the laws, regulations, and procedures designed to prevent criminals from disguising illegally obtained funds as legitimate income. In the UK, the primary framework is the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), which applies to accountants, lawyers, estate agents, and certain financial businesses.

In practice: accountants encounter AML as the overarching compliance framework that requires them to verify clients, assess risk, monitor relationships, and keep records.

Know Your Customer is the process of verifying the identity of a client, understanding their business activities, and assessing the risk they present. KYC is the practical expression of Customer Due Diligence obligations — it answers the question: who is this person or business, and is it safe to act for them?

In practice: collecting a passport, confirming an address, and understanding the purpose of the engagement are all KYC steps that accountants complete at client onboarding.

Customer Due Diligence is the core legal obligation under MLR 2017 to identify clients, verify their identity using reliable independent sources, and understand the purpose and intended nature of the business relationship. Standard CDD applies to most clients. Where risk is elevated, Enhanced Due Diligence (EDD) is required instead.

In practice: a CDD file for a sole trader typically includes identity evidence (passport or driving licence), address evidence (utility bill or bank statement), and a note on the nature of services to be provided.

Enhanced Due Diligence is a more thorough level of client verification required when a relationship presents a higher risk of money laundering or terrorist financing. EDD steps typically include verifying the source of funds, establishing source of wealth, obtaining senior management approval before onboarding, and applying more frequent ongoing monitoring.

In practice: EDD is triggered by factors such as a client being a Politically Exposed Person, operating from a high-risk country, having a complex ownership structure, or involving unusually large or unexplained transactions.

Simplified Due Diligence is a reduced level of KYC that may be applied where the money laundering risk is demonstrably low — for example, for certain regulated financial institutions, listed companies, or UK public authorities. SDD does not mean no checks at all; it means the checks can be less extensive if risk justifies it.

In practice: SDD is rarely applied by accountancy practices in day-to-day client onboarding. Most firms default to Standard CDD unless risk is clearly elevated (EDD) or demonstrably minimal (SDD).

A Politically Exposed Person is an individual who holds or has held a prominent public function — such as a head of state, senior government minister, senior civil servant, judge, military officer, or senior executive of a state-owned enterprise — and their close family members and known associates. PEPs carry elevated money laundering risk due to their access to public funds or political influence. Since the Financial Services and Markets Act 2023 (s.78) and the FCA's PS24/4 guidance, UK domestic PEPs are by default treated as lower risk than foreign PEPs unless other risk factors apply.

In practice: a positive PEP match does not mean refusing to act for a client. It means applying Enhanced Due Diligence, obtaining senior management approval, and conducting more frequent monitoring. For UK domestic PEPs, the EDD bar starts lower than for foreign PEPs — but ongoing monitoring and clear documentation of the risk decision still apply.

Sanctions screening is the process of checking clients, their beneficial owners, and associated parties against official sanctions lists maintained by bodies such as the UK Office of Financial Sanctions Implementation (OFSI), the United Nations Security Council, the European Union, and the US Office of Foreign Assets Control (OFAC). Acting for a sanctioned individual or entity is a criminal offence.

In practice: sanctions screening should be run at onboarding and repeated at regular intervals or whenever circumstances change, since lists are updated regularly. A match must be escalated immediately.

A beneficial owner is the natural person who ultimately owns or controls a legal entity — such as a company or trust — or on whose behalf a transaction is being conducted. Identifying beneficial ownership is a core CDD obligation where clients are companies, partnerships, or trusts, since the legal owner and the true controlling person may be different.

In practice: for a limited company, accountants must establish who the shareholders and directors are, and whether any individual holds more than 25% of shares or voting rights. Where a trust is involved, the settlor, trustees, and beneficiaries must all be considered.

The Ultimate Beneficial Owner is the final natural person at the top of an ownership chain — the individual who ultimately owns or controls a legal entity, even if that control runs through multiple layers of holding companies or trusts. UBO identification is a CDD requirement for corporate clients and is central to preventing criminals from using complex structures to obscure ownership.

In practice: if a client company is owned by another company, which is owned by a third company, you must trace through the structure to identify the individual(s) who ultimately own or control it.

A Person with Significant Control is a UK Companies Act concept that refers to an individual who holds more than 25% of shares or voting rights in a UK company, can appoint or remove the majority of the board, or otherwise exercises significant influence or control. UK companies must maintain a PSC register and file it at Companies House.

In practice: Companies House PSC data is a useful starting point for identifying beneficial ownership when onboarding corporate clients, though it should be verified rather than relied upon in isolation.

In AML, risk assessment operates at two levels. A firm-wide risk assessment identifies the overall money laundering risks facing a practice — covering client types, services offered, geographies, delivery channels, and funding sources. A client risk assessment scores an individual client as low, medium, or high risk and determines what level of due diligence to apply.

In practice: MLR 2017 requires every in-scope business to carry out, document, and regularly review a firm-wide risk assessment. HMRC inspectors routinely ask to see it.

Source of funds refers to the origin of the specific money or assets used in a particular transaction or to fund a business relationship — for example, the proceeds of a property sale, a business loan, or salary income. Establishing source of funds is a key EDD step where a transaction is large, unusual, or involves a higher-risk client.

In practice: asking a client to explain and evidence where the money for a transaction came from is a standard EDD request. Plausible, documented evidence is required — verbal assurance alone is not sufficient.

Source of wealth refers to the origin of a client's total net worth or assets — for example, built through a business, inheritance, investments, or professional career. Source of wealth is a broader concept than source of funds and is typically assessed for PEPs and other higher-risk clients as part of Enhanced Due Diligence.

In practice: for a PEP client, documenting how they accumulated their overall wealth — and corroborating it against publicly available information — is part of the EDD process.

A Suspicious Activity Report is a formal disclosure made to the National Crime Agency (NCA) when a person in a regulated sector knows or suspects that someone is engaged in money laundering or terrorist financing. Filing a SAR provides a defence against money laundering offences. Failure to file when there is grounds to do so is itself a criminal offence.

In practice: accountants must have a clear internal escalation route so that staff can report suspicion to the nominated officer (MLRO), who then decides whether to submit a SAR to the NCA.

A Money Laundering Reporting Officer is the individual within a regulated business who is responsible for receiving internal suspicious activity reports, deciding whether to submit external SARs to the National Crime Agency, and overseeing the firm's AML compliance programme. Appointing an MLRO is a legal requirement for businesses within the scope of MLR 2017. In SRA-regulated law firms, the MLRO role sits alongside the Money Laundering Compliance Officer (MLCO) — the MLRO owns SAR reporting under POCA; the MLCO owns the firm's overall AML system under MLR 2017.

In practice: in a small accountancy practice or solicitors' firm, the MLRO is often a partner or the firm owner — and in many small law firms is the same person as the MLCO. The role must be filled formally and the holder must be sufficiently senior and competent to make judgement calls on suspicious activity.

Ongoing monitoring is the continuous obligation to scrutinise transactions and client activity throughout a business relationship and to keep CDD records up to date. It requires watching for transactions or behaviour that is inconsistent with the stated purpose of the relationship or the expected risk profile.

In practice: ongoing monitoring does not require daily scrutiny of every client. It means having a schedule for reviewing client files based on risk level, and updating records whenever circumstances change — such as changes in ownership, new services, or unusual financial activity.

Record keeping is the legal obligation under MLR 2017 to retain CDD evidence, risk assessments, screening results, transaction records, policies, training records, and suspicious activity decision logs for a minimum of five years after the client relationship ends. Records must be retrievable and suitable for inspection.

In practice: keeping records in email folders or paper files is technically compliant but difficult to retrieve under inspection pressure. Dedicated AML software that timestamps and stores evidence provides a cleaner audit trail.

A supervisory authority is the body responsible for overseeing AML compliance within a particular sector. For accountants not belonging to a professional body, the supervisory authority is HMRC. Members of recognised professional bodies (ICAEW, ACCA, CIMA, and others) are supervised by those bodies instead. For law firms in England and Wales, the supervisory authority is the Solicitors Regulation Authority (SRA), with parallel regulators in Scotland and Northern Ireland. Supervisory authorities set standards, conduct reviews, and can impose sanctions.

In practice: your supervisory authority may conduct desk-based reviews or on-site inspections. They will ask to see your firm-wide risk assessment, client files, policies, and training records.

Terrorist financing is the provision or collection of funds with the intention or knowledge that they will be used, in whole or in part, to carry out a terrorist act. Unlike money laundering — where the underlying funds are criminal in origin — terrorist financing can involve legitimately sourced money. Both money laundering and terrorist financing are covered by MLR 2017 and the Terrorism Act 2000.

In practice: the PEP and sanctions screening process helps identify clients connected to designated terrorist organisations or individuals. Suspicion of terrorist financing must be reported to the NCA immediately.

Proliferation financing is the provision of funds or financial services to support the development, production, or acquisition of weapons of mass destruction — including nuclear, chemical, biological, and radiological weapons. Following the 2022 update to MLR 2017, regulated businesses including accountants are required to include proliferation financing risk in their firm-wide risk assessments.

In practice: most accountancy clients present no proliferation financing risk. However, firms with clients involved in defence, dual-use goods, or international trade with sanctioned states should include a specific proliferation assessment in their risk documentation.

Money laundering is the process of disguising the proceeds of crime so they appear to come from a legitimate source. Under the Proceeds of Crime Act 2002 (POCA), the principal money laundering offences are concealing criminal property (s.327), entering into arrangements that facilitate it (s.328), and acquiring, using, or possessing criminal property (s.329). All three carry maximum penalties of 14 years' imprisonment.

In practice: accountants engage with money laundering chiefly through the obligation to identify, report, and avoid facilitating it. Knowing or suspecting that a client is laundering — and continuing to act without first submitting a SAR (and a DAML where consent is needed) — exposes the firm and individual to a principal POCA offence.

Counter-Terrorist Financing — also written CFT — is the legal and regulatory framework that prevents funds, whether of legitimate or criminal origin, from being used to support terrorism. In the UK, CTF obligations sit alongside AML obligations within MLR 2017 and the Terrorism Act 2000, which makes it an offence to provide, receive, or use funds for terrorist purposes.

In practice: accountants meet CTF obligations through the same control framework as AML — CDD, screening, monitoring, and SAR reporting. Sanctions and PEP screening lists include designated terrorist organisations and individuals, so a single screening pass typically covers both AML and CTF risk.

The National Crime Agency is the UK's lead agency for tackling serious and organised crime, including money laundering and terrorist financing. The NCA's UK Financial Intelligence Unit (UKFIU) receives all Suspicious Activity Reports filed by regulated businesses and uses them to build intelligence pictures that support criminal investigations across UK law enforcement.

In practice: SARs are filed via the NCA's SAR Online portal. The NCA does not investigate every SAR — most are intelligence-only — but failure to file when grounds exist is itself a criminal offence under POCA s.330.

OFSI is part of HM Treasury and is responsible for administering and enforcing UK financial sanctions. It maintains the UK Consolidated List of asset-freeze targets, processes licence applications to deal with sanctioned parties, and investigates breaches. Civil monetary penalties for breaches can reach £1 million or 50% of the breach value, whichever is higher — with criminal prosecution also available for serious cases.

In practice: sanctions screening against the OFSI Consolidated List is mandatory at onboarding and on an ongoing basis for every client. A confirmed match triggers an immediate freezing obligation and an OFSI report — typically within the same working day. Acting for a designated person without an OFSI licence is a criminal offence.

Tipping off is the criminal offence under POCA s.333A of disclosing — to a client or any other person — that a SAR has been or is being filed, where the disclosure is likely to prejudice an investigation. It also covers disclosing the existence of a money laundering investigation. The offence carries up to 5 years' imprisonment. Limited defences exist, including disclosure within a regulated group, but they are narrow.

In practice: once a SAR is being considered or has been submitted, do not tell the client. Do not refer to it in correspondence, hint at it in declining further work, or use coded language with colleagues outside the MLRO chain. Internal escalation should run MLRO → senior partner only, with file notes kept securely.

The Nominated Officer is the individual designated under POCA s.330(3) and s.338 to receive internal disclosures of suspicion about money laundering, and to file SARs with the NCA. In businesses subject to MLR 2017, this role is typically combined with the MLRO role into a single position — but POCA and MLR 2017 are technically separate obligations, and the legal references differ.

In practice: most UK accountancy practices appoint a single individual who is both the MLRO (MLR 2017 oversight role) and the Nominated Officer (POCA reporting role). Either title is acceptable; the legal responsibilities cover both. The role must be filled, in writing, by a sufficiently senior person.

A Trust or Company Service Provider is a business that — by way of a business — forms companies, provides registered-office or business-address services, acts as or arranges for nominee shareholders or directors, or acts as or arranges for trustees of express trusts. TCSPs are within scope of MLR 2017 (Regulation 12) and must be either supervised by HMRC or a relevant professional body.

In practice: many small accountancy practices fall within the TCSP definition simply by offering registered-office services to clients. That triggers TCSP-specific supervisory registration obligations and means the firm-wide risk assessment must explicitly cover the TCSP activity.

A High-Risk Third Country is a jurisdiction listed in Schedule 3ZA of MLR 2017 — or identified by FATF as having strategic deficiencies in its AML/CTF regime — that triggers mandatory Enhanced Due Diligence. Under MLR 2017 Regulation 33(1)(b), any business relationship or transaction with a client established in or connected to a high-risk third country requires EDD as a matter of law, not discretion.

In practice: check the current Schedule 3ZA list (it diverges from the EU list since 2021) when assessing geographic risk in client onboarding. Connection includes residence, registration, operations, and significant transactions — not just nationality.

A Defence Against Money Laundering — often called a 'consent SAR' — is a request to the NCA under POCA s.335 (or s.336 for terrorism) for permission to undertake an act that would otherwise be a principal money laundering offence. Approval is implied if the NCA does not respond within 7 working days (the 'notice period'); a refusal can be extended for a further 31 days (the 'moratorium period').

In practice: a DAML is required when an accountant knows or suspects criminal property is involved in a planned transaction (such as completing a property sale, releasing client funds, or distributing partnership profits) and continuing without consent would expose the firm to a POCA offence. The DAML pauses the work; communication with the client must avoid tipping off.

Placement, layering, and integration are the three classic stages of money laundering. Placement is the initial introduction of criminal proceeds into the financial system. Layering separates the funds from their source through a series of transactions, transfers, or conversions designed to obscure the trail. Integration is the final reintroduction of the laundered funds into the legitimate economy as apparently clean assets — property, businesses, or investments.

In practice: accountants are most likely to encounter the integration stage — laundered funds re-emerging as business income, property purchases, or investments. Red flags include unexplained wealth, transaction patterns inconsistent with stated business activity, complex ownership chains, and reluctance to evidence source of funds or wealth.

A predicate offence is the underlying criminal activity that generates the proceeds laundered through a money laundering offence. Under POCA, almost any criminal offence — committed in the UK or overseas — that produces a financial benefit can be a predicate offence. Common examples include tax evasion, fraud, drug trafficking, corruption, theft, and modern slavery.

In practice: an accountant does not need to identify or prove the specific predicate offence to report a suspicion. Knowing or suspecting that funds derive from criminal conduct is enough to trigger the SAR obligation under POCA s.330 — even if the underlying offence is unclear.

Reliance is the limited ability under MLR 2017 Regulation 39 to rely on CDD measures already carried out by another regulated person — such as another UK accountancy practice, law firm, or qualifying financial institution — rather than repeating them. Reliance requires written consent from the third party, immediate access to the underlying CDD records on request, and acceptance that legal responsibility for CDD remains with the relying firm.

In practice: reliance is most useful when taking on referred clients from another regulated firm. The relying firm still has to satisfy itself that the original CDD was adequate, document the reliance arrangement in writing, and update its own records — outsourcing the work does not outsource the liability.

A business relationship under MLR 2017 Regulation 4 is a relationship between a regulated firm and a client that has, or is expected to have, an element of duration. Acceptance of a client into a business relationship triggers the full set of CDD obligations under Regulation 28, including identity verification, beneficial-ownership identification, and ongoing monitoring throughout the life of the engagement.

In practice: virtually every retained accountancy client constitutes a business relationship — annual tax returns, monthly bookkeeping, ongoing payroll. Short one-off services for non-recurring clients may instead fall under the 'occasional transaction' rules if below threshold, but most firms apply full CDD regardless.

An occasional transaction under MLR 2017 Regulation 27 is a single transaction (or a series of linked transactions that appear to be a single operation) carried out outside an established business relationship. CDD is triggered when an occasional transaction reaches €15,000 — or any lower threshold the firm sets in its own risk-based policies.

In practice: a one-off engagement for a non-recurring client should be assessed against the occasional-transaction threshold. Many firms apply full CDD regardless of value, on the basis that the marginal cost is low and the risk of inadvertently splitting linked transactions to stay below threshold is real.

The Register of Overseas Entities at Companies House records the beneficial ownership of overseas entities that own UK land. Introduced by the Economic Crime (Transparency and Enforcement) Act 2022, registration on the ROE — including beneficial owner details verified by a UK-supervised agent — is required for any overseas entity that owns, buys, or sells UK property. Failure to register makes the entity unable to register the property or carry out future transactions on it.

In practice: any client who is an overseas entity owning UK land must be on the ROE. When acting for such a client, the ROE filing is now part of routine compliance alongside HMRC filings — and ROE-recorded beneficial owners should be cross-checked against the firm's independent beneficial-ownership findings.

The Solicitors Regulation Authority is the independent regulator of solicitors and law firms in England and Wales. It is the supervisory authority under MLR 2017 for SRA-regulated firms — issuing AML guidance, conducting thematic and on-site reviews, and imposing fines, conditions, or strike-offs for failures. SRA fines for individual AML breaches can reach £25,000; firm-level fines can exceed £250m for traditional firms (lower caps apply to alternative business structures).

In practice: SRA-regulated firms are inspected on a risk-based cycle, with conveyancing-heavy and TCSP-active practices receiving more attention. The SRA expects every firm to have a current firm-wide risk assessment, a written AML programme, named MLCO and MLRO, and CDD records open for inspection.

The Legal Sector Affinity Group is the umbrella of UK legal sector AML supervisors — including the SRA, Bar Standards Board, CILEx Regulation, the Law Society of Scotland, the Law Society of Northern Ireland, and the Council for Licensed Conveyancers. LSAG publishes the consolidated AML guidance for the legal sector, which is the practical reference SRA inspectors use to benchmark firm practice.

In practice: when the SRA assesses a firm's AML controls, the LSAG guidance is what they measure against. Reading the latest LSAG guidance — updated as MLR 2017 and case law evolve — is mandatory for the MLCO and recommended for everyone in the AML chain.

The Money Laundering Compliance Officer is a senior individual responsible under MLR 2017 Regulation 21 for overseeing a firm's overall AML compliance programme — including the firm-wide risk assessment, policies, training, and the relationship with the supervisor. In SRA-regulated firms, the MLCO is a distinct role from the MLRO: the MLCO owns the AML *system*; the MLRO owns SAR reporting under POCA.

In practice: many smaller law firms combine the MLCO and MLRO into one role held by the same person, but the appointment must be formal and recorded. The MLCO must be sufficiently senior — typically a partner or director — to enforce changes across the firm.

Legal Professional Privilege is the common-law right of a client to refuse to disclose, or have disclosed, confidential communications with a lawyer made for the purpose of giving or receiving legal advice (advice privilege) or in connection with actual or contemplated litigation (litigation privilege). LPP is not a defence to dishonesty — it is overridden by the 'iniquity exception' where the communication is made to further a crime.

In practice: LPP is the reason solicitors have a different SAR landscape from accountants. POCA s.330(6) excludes a 'professional legal adviser' from the SAR duty where the information would attract LPP — but only where the lawyer is acting in privileged circumstances and not facilitating the crime. Misapplying LPP to dodge a SAR is itself a risk.

Privileged Circumstances is the statutory exemption in POCA s.330(6) (and s.342 for tipping off) that relieves a 'professional legal adviser' of the duty to file a SAR where the information came to them in privileged circumstances — broadly, when seeking legal advice or in connection with legal proceedings. The exemption does not apply where the information is communicated with the intention of furthering a criminal purpose (the 'crime/fraud exception').

In practice: a solicitor who learns of suspicious activity from a client during privileged advice on a contemplated matter may be exempt from the SAR duty. The solicitor must still consider whether the information falls within the exception — and whether continuing to act exposes the firm to a substantive POCA offence regardless of the reporting carve-out.

A client account is a separately designated bank account, regulated under the SRA Accounts Rules 2019, in which a law firm holds money received from or for a client. Client account funds must be kept distinct from the firm's office funds, must be paid out only for the purpose for which they were received, and must be reconciled at least every five weeks. Misuse of client account funds is an SRA disciplinary offence and a frequent vector for money laundering through legal practice.

In practice: AML risk in the client account comes from receiving funds without a clearly identified underlying legal service, holding funds for unusually long periods, or routing funds through the firm to a third party. The SRA expects firms to refuse client-account use as a 'banking service' and to question any payment instruction that doesn't fit the matter.

Mixed funds arise when client money and office money are held together in a single bank account in breach of the SRA Accounts Rules 2019. Mixed funds are an AML concern because they can mask the source of payments leaving the firm and create reconciliation gaps — both of which can support a money laundering case if proceeds of crime are involved.

In practice: detection often starts with a five-weekly client account reconciliation. A firm with persistent mixed-funds incidents will trigger SRA scrutiny on both accounts compliance and AML controls — the two regulators expect each other's standards to be met.

Conveyancing Risk Factors are the recognised red flags that elevate AML risk in residential or commercial property transactions. They include unexplained third-party funding of the purchase, gifts from non-disclosed donors, large cash elements, rapid resale or sub-sale patterns, no-search indemnity policies in place of standard searches, suspiciously high or low purchase prices vs valuation, and clients reluctant to evidence source of funds or attend in person.

In practice: every conveyancing matter should be risk-rated at instruction. A combination of factors — gift + unverified donor + no in-person meeting, for example — should trigger EDD and a partner-level review before the file proceeds.

Mortgage fraud is the criminal offence of obtaining a mortgage advance by deception — typically by misrepresenting income, employment, the purchase price, the identity of the borrower, or the nature of the transaction. Mortgage fraud is a predicate offence for money laundering and is one of the most common AML scenarios faced by conveyancing solicitors.

In practice: solicitors acting for both lender and borrower owe duties to both. Identifying a discrepancy — between the price stated to the lender and the price actually paid (a 'value uplift'), or between the buyer named and the person funding — must be reported to the lender or the buyer relationship must be terminated, depending on the duty owed.

Probate Risk refers to the AML risks specific to law firms acting in the administration of estates. The key risk vectors are: high-value estates passing through the firm's client account; assets in jurisdictions with weak AML regimes; multiple beneficiaries unknown to the firm; beneficiaries who are PEPs or sanctioned individuals; estates including cash, cryptocurrency, or assets of unclear provenance; and contested estates where suspicion of source-of-wealth manipulation may arise.

In practice: standard CDD on the executor or administrator is required at instruction. Where the estate includes overseas assets, high-value items, or where any beneficiary triggers EDD (PEP, sanctions match, high-risk third country), the firm must extend due diligence accordingly — not assume that probate work is automatically lower risk than conveyancing.

The Trust Registration Service is HMRC's central register of UK express trusts, mandated under MLR 2017 Regulation 45ZA. Almost all UK express trusts must be registered on the TRS, regardless of whether they generate a tax liability, with named trustees, settlors, and beneficiaries (or class of beneficiaries) disclosed. Failure to register attracts HMRC penalties.

In practice: solicitors involved in trust formation, administration, or amendment should treat TRS registration as part of routine compliance — and as a CDD source. The TRS record can be cross-checked against the firm's independent beneficial-ownership findings on the trust; mismatches should be investigated before acting.

An express trust is a trust deliberately created by a settlor — by deed, will, or written declaration — naming trustees and identifying beneficiaries or a class of beneficiaries. Express trusts are distinguished from implied or constructive trusts (which arise by operation of law). Almost all UK express trusts must be registered on the HMRC Trust Registration Service under MLR 2017.

In practice: when acting on the formation or administration of an express trust, the firm has TRS-registration responsibilities and full CDD obligations on the settlor, trustees, and beneficiaries. The settlor's source of funds and the rationale for the trust structure should be documented to demonstrate the absence of evasion risk.