M&A · MLR 2017 · POCA

AML for Accountancy Mergers — UK guide

The AML workstream within M&A — pre-completion due diligence, post-completion stabilisation, full remediation, supervisor notification, and the tipping-off-safe protocols that protect the deal.

By Mehmood Rajoka · Last updated 2026-06-08

TL;DR — Quick Summary

  • Accountancy and law-firm mergers are AML events as much as they are commercial events. The acquired firm's client base, its CDD evidence, its risk-rating framework, and its SAR history all become the acquiring firm's responsibility from completion day.
  • Pre-completion AML due diligence is now an expected M&A workstream — the acquiring firm needs to understand what it is inheriting, with material weakness affecting valuation, indemnity drafting, and post-completion remediation budget.
  • Post-completion integration runs in two phases: stabilisation (90 days — bring acquired CDD up to the acquiring firm's standard for active clients) and full remediation (6-12 months — extend the standard across the whole acquired book).
  • Supervisory continuity matters — the acquired firm's MLR supervision (HMRC, ICAEW, ACCA, SRA, etc.) needs formal notification of the change of control, and the unified entity's risk assessment needs to reflect the combined operating reality.
  • Tipping-off considerations apply throughout — particularly during pre-completion due diligence where the acquiring firm sees the acquired firm's SAR history and ongoing investigation context.

Answer-first summary

Why does AML matter in accountancy and law firm mergers?

Because the acquired firm's client base, CDD evidence, risk-rating framework, and SAR history all become the acquiring firm's responsibility from completion day. The acquirer inherits the regulatory exposure of the acquired firm's AML programme. Material weakness can affect deal valuation, indemnity drafting, post-completion remediation budget, and supervisory exposure for years. Pre-completion AML due diligence is now an expected M&A workstream; post-completion integration runs in two phases — stabilisation (90 days) and full remediation (6-12 months).

  • Acquired AML programme becomes acquirer's regulatory exposure
  • Pre-completion AML DD is now an expected M&A workstream
  • Two-phase integration: 90-day stabilisation + 6-12 month remediation
  • Supervisor notification within 14-30 days of completion

Pre-completion AML due diligence

Five workstreams the acquirer should run in parallel with commercial DD:

Firm-wide risk assessment review

Does the acquired firm have a current, documented MLR 2017 Reg 18 firm-wide risk assessment? When was it last reviewed? Does it reflect the acquired firm's actual client base, services, and geographies?

Client-base risk profile

Risk-rating distribution across the acquired client base. Higher-risk concentration in specific sectors or jurisdictions. PEP and sanctions exposure. Beneficial-ownership complexity. The acquirer needs a credible picture of what it's inheriting.

CDD file sampling

Random sampling of acquired CDD files to test consistency with current Reg 28 standards. Identification, verification, beneficial ownership, purpose-of-relationship. Gaps surface here — and inform the remediation budget.

SAR history and ongoing matters

Volume of SARs filed in recent years, MLRO decision-making pattern, any active NCA enquiries, any DAML matters in moratorium. Tipping-off-safe disclosure protocols apply during this review.

MLCO/MLRO transition

Who in the acquired firm currently holds these roles? Will they continue post-merger? If not, who in the unified entity will hold them, and is the handover documented? Acquired-firm MLCO/MLRO leaving without proper transition is a known integration weakness.

Stabilisation phase — first 90 days

  • Day 0 (completion) — notify the acquired firm's AML supervisor of the change of control. Confirm the unified entity's MLCO and MLRO. Document the day-0 inherited risk position.
  • Days 1-30 — bulk import acquired CDD data into the acquiring firm's AML system. Reconcile risk ratings (the acquired firm's High may be the acquirer's Medium, or vice versa). Document the reconciliation methodology.
  • Days 31-60 — refresh CDD for all acquired active clients with a current engagement. Use the standard 'periodic review' framing — clients should not infer that the merger is the cause of the refresh.
  • Days 61-90 — train acquired-firm staff on the unified entity's AML policies, MLRO escalation path, and operating procedures. Document training completion before letting acquired-firm staff onboard new clients under the unified brand.

Full remediation — months 3-12

  • Months 3-6 — extend CDD refresh to the higher-risk segment of the acquired inactive-client population. Apply the standard KYC remediation methodology (see /guides/kyc-remediation).
  • Months 6-9 — continue to medium-risk inactive clients. Document any cohorts where the firm decides not to refresh (e.g. dormant client relationships likely to be terminated rather than continued).
  • Months 9-12 — complete the lower-risk inactive cohort and document project closure. The remediation project report becomes an inspection artefact for the next supervisory visit.
  • Beyond month 12 — the firm-wide risk assessment is refreshed to reflect the combined operating reality. The unified entity now operates one programme, not two.

Five recurring merger AML risks

Acquired firm's SAR history surfaces post-completion

Pre-completion AML due diligence may not have surfaced every SAR or pending NCA matter. Post-completion discovery creates exposure for the acquiring firm, which may need to file new SARs or extend existing DAML matters. Indemnity drafting should address this.

Inconsistent risk ratings between firms

Acquired firm rated a client Medium; acquiring firm's methodology would rate the same client High. Reconciliation happens during stabilisation — but inconsistent treatment in the weeks immediately after completion creates exposure.

Acquired-firm staff continuing old habits

Without proper training and policy adoption, acquired-firm staff continue to operate the old firm's CDD habits — different verification standards, different escalation paths, different tipping-off-safe communication templates. The unified entity's programme becomes inconsistent at office level.

Supervisory notification missed or delayed

Each AML supervisor (HMRC, ICAEW, ACCA, SRA, etc.) typically requires formal notification of change of control within a defined window. Missing the notification creates a regulatory finding in its own right.

Tipping-off during pre-completion AML DD

The acquiring firm sees acquired-firm SAR history and possibly the identities of clients subject to ongoing investigation. Pre-completion communication protocols must be tipping-off-safe — privileged-process protections and confidentiality agreements alone do not displace POCA s.333A obligations.

Common questions

Why does AML matter in accountancy mergers?

Because the acquired firm's client base, CDD evidence, risk-rating framework, and SAR history all become the acquiring firm's responsibility from completion day. The acquirer inherits the regulatory exposure of the acquired firm's AML programme. Material weakness in the acquired firm's compliance can affect deal valuation, indemnity drafting, post-completion remediation budget, and ongoing supervisory exposure for years after completion.

What is pre-completion AML due diligence?

A structured workstream within the wider M&A process to understand the acquired firm's AML position. Typical scope: firm-wide risk assessment review, client-base risk profile analysis, CDD file sampling, SAR history and ongoing matters review, MLCO/MLRO transition planning. Findings inform deal valuation, indemnity drafting, and the post-completion remediation budget. Tipping-off-safe protocols apply throughout — particularly during SAR history review.

What does post-merger AML integration look like?

Two phases. Stabilisation (90 days): supervisor notification on day 0, bulk data import days 1-30, refresh CDD for active clients days 31-60, staff training days 61-90. Full remediation (months 3-12): extend the unified standard across the whole acquired book starting with higher-risk clients. Beyond month 12, the firm-wide risk assessment is refreshed to reflect the combined operating reality. The remediation project report becomes a key inspection artefact for the next supervisory visit.

Does the AML supervisor need to be notified?

Yes. Each AML supervisor (HMRC, ICAEW, ACCA, SRA, etc.) typically requires formal notification of change of control within a defined window — usually 14-30 days depending on supervisor. The notification confirms the unified entity's MLCO and MLRO, the registered office, and any material change in services or client base. Missing the notification creates a regulatory finding in its own right and complicates future supervisory dealings.

Can we tip off about SARs during merger discussions?

Tipping-off-safe protocols apply throughout pre-completion AML due diligence. Privileged-process protections (between merging firms' counsel) and confidentiality agreements do not displace POCA s.333A obligations. Where the acquired firm has filed SARs or has ongoing NCA matters, the disclosure to the acquiring firm needs structured handling — typically via the MLROs of both firms with documented decision rationale. Generic 'we've checked everything' representations to the broader deal team can drift into tipping-off territory if not carefully framed.

How does Certivus support merger integration?

Certivus is designed for the consolidation use case — bulk data import from legacy systems, reconciliation of risk ratings between methodologies, structured remediation workflows by client cohort, and an integration project report that doubles as inspection documentation. Mid-market firms undertaking mergers typically deploy Certivus as the unified post-merger AML system of record, with the acquired firm's data migrated into the acquirer's existing Certivus instance during stabilisation.
