Free template

AML policy template for UK accountancy practices

A free, customisable AML and counter-terrorist financing policy template covering all areas required by HMRC supervision — including CDD procedures, PEP screening, record keeping, MLRO appointment, and staff training.

Covers all MLR 2017 requirements  |  Free to use and customise

TL;DR — Quick Summary

  • All HMRC-supervised accountants are legally required to have a written AML policy under the MLR 2017
  • Your policy must cover risk assessment, CDD, PEP screening, record keeping, MLRO appointment, and training
  • A generic policy that does not match your actual procedures is a common HMRC supervision finding
  • The policy must be reviewed at least annually and updated after significant changes to your practice
  • Use this template as a starting point — customise it before treating it as compliant

Answer-first summary

What should an AML policy for accountants include?

An AML policy for UK accountants must cover six core areas required by The Money Laundering Regulations 2017: a firm-wide risk assessment documenting your client base and service risks; customer due diligence procedures including Standard, Simplified, and Enhanced CDD; PEP and sanctions screening processes; record keeping and retention procedures (minimum five years); formal MLRO appointment with documented responsibilities; and an annual staff training programme. The policy must reflect your actual procedures — not aspirational standards. HMRC supervisors ask to see the policy and will cross-check it against your client files during visits.

  • Firm-wide risk assessment — covering client types, services, geographies, and delivery channels
  • CDD procedures — Standard, Simplified, and Enhanced, with evidence requirements for each
  • PEP and sanctions screening — frequency, lists checked, and match escalation procedure
  • Record keeping — what to keep, how long (five years minimum), and how to retrieve it
  • MLRO appointment — formal designation, responsibilities, and SAR authority
  • Staff training — annual requirements, who it applies to, and how records are kept

Template contents

What this template covers

The template includes all six sections required to meet HMRC AML supervision expectations. Each section has placeholder text you must replace with your firm's actual procedures.

Firm-wide risk assessment

A framework for documenting your practice's risk appetite — covering client types, services, geographies, and delivery channels.

CDD procedures

Standard, Simplified, and Enhanced CDD steps, including what evidence to collect, how to verify it, and who is responsible.

PEP and sanctions screening

How to carry out PEP and sanctions screening, which lists to check, frequency, and what to do when a match is identified.

Record keeping

What records to keep, in what format, for how long (minimum five years), and how to store and retrieve them.

MLRO appointment

Formal appointment of your Money Laundering Reporting Officer, with documented responsibilities and escalation authority.

Staff training

Your annual AML training requirements, who training applies to, how records are kept, and the consequences of non-compliance.

Before you use this template

This template is a starting point. Your AML policy must reflect your firm's actual procedures, client base, risk appetite, and structure. A generic policy that does not match your practice is a common HMRC finding. Review with your MLRO and your professional body guidance (ICAEW, ACCA, or CIMA).

The template

AML policy template

Replace all text in [square brackets] with your firm's actual details before using this policy.

Free to use — customise before treating as compliant

[Practice Name] — AML and Counter-Terrorist Financing Policy

Version: 1.0  |  Date: [Date]  |  Review date: [Date + 12 months]  |  Approved by: [MLRO Name]

1. Introduction and scope

This policy sets out the anti-money laundering (AML) and counter-terrorist financing (CTF) procedures for [Practice Name]. It applies to all partners, directors, employees, and contractors involved in the provision of regulated accountancy services. This policy is maintained in accordance with The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (as amended).

2. Firm-wide risk assessment

[Practice Name] has completed a firm-wide risk assessment that considers: the types of clients we serve; the services we provide; the geographic markets in which our clients operate; the delivery channels through which we interact with clients. Our risk assessment is reviewed at least annually and updated following any significant changes to our practice or client base.

[Insert summary of your firm's risk level and key risk factors here.]

3. Customer due diligence (CDD)

We apply CDD to all clients before commencing a business relationship or carrying out an occasional transaction above the relevant threshold. Our standard CDD includes: verification of the client's identity using a current government-issued photo ID and proof of address dated within the last three months; for corporate clients, identification of beneficial owners with more than 25% ownership or control; an initial assessment of the client's risk level.

[Add any additional CDD steps specific to your practice here.]

4. Enhanced Due Diligence (EDD)

We apply Enhanced Due Diligence in the following circumstances: the client is a Politically Exposed Person (PEP) or is closely associated with a PEP; the client is from or operates in a high-risk jurisdiction; the transaction or business relationship is unusual, complex, or high-value with no apparent legitimate purpose; any other circumstances that suggest higher money laundering risk.

EDD includes: additional verification of the client's identity and background; investigation of the source of funds and source of wealth; senior management approval before commencing the business relationship.

[Add practice-specific EDD triggers here.]

5. PEP and sanctions screening

All clients are screened against PEP lists and international sanctions lists at onboarding and [state your ongoing monitoring frequency]. We use [name your screening tool or describe your manual process]. Where a match is identified, we [describe your escalation procedure]. Results of all screening are recorded and retained for a minimum of five years.

6. Record keeping and retention

We retain the following records for a minimum of five years from the date on which the business relationship ends or the transaction is completed: copies of identity verification documents; copies of any other documents obtained during CDD; supporting evidence for risk decisions; screening results; any notes relating to suspicious activity.

Records are stored [describe your storage method — paper, electronic, or both] and are accessible within [state your retrieval time, e.g. 48 hours] upon request.

7. MLRO appointment and responsibilities

The Money Laundering Reporting Officer (MLRO) for [Practice Name] is [MLRO Name], [Job Title]. The MLRO is responsible for: receiving internal reports of suspicious activity; deciding whether to submit a Suspicious Activity Report (SAR) to the National Crime Agency (NCA); maintaining this AML policy and ensuring it is reviewed annually; overseeing the firm's AML training programme; acting as the primary point of contact for HMRC AML supervision. The MLRO has the authority to decline to proceed with a transaction or business relationship where money laundering concerns cannot be resolved.

8. Staff training

All partners and relevant staff receive AML training at least once every [12 months / 24 months]. Training covers: the legal requirements under the MLR 2017; how to identify suspicious activity; our CDD procedures; how to make an internal suspicious activity report; the consequences of tipping off. Training records are maintained by [name/role] and are available for inspection.

9. Reporting suspicious activity

Where a partner or staff member suspects that a client or transaction may be connected to money laundering or terrorist financing, they must report this to the MLRO immediately using [describe your internal reporting method]. The MLRO will review the report and decide whether to submit a SAR to the NCA. Under no circumstances should a client be informed that they are under suspicion (tipping off).

10. Policy review

This policy is reviewed at least annually by the MLRO and updated to reflect any changes to: relevant legislation or HMRC guidance; the practice's client base or services; findings from HMRC supervision visits or internal reviews. The current version of this policy supersedes all previous versions.

Signed: [MLRO Signature]  |  Date: [Date]

Compliance notice: This template is provided for information purposes only. It is a starting point — not a finished, compliant policy. You must customise it to reflect your firm's actual procedures, client base, and risk profile before relying on it. Certivus does not provide legal or compliance advice. If you are unsure whether your AML policy meets your obligations, seek guidance from your professional body (ICAEW, ACCA, or CIMA) or a qualified compliance professional.

Frequently asked questions

AML policy questions answered

Is this AML policy template free to use?

Yes — this template is provided free of charge for UK accountancy practices. You may use it as a starting point for your own AML policy. You must customise it to reflect your firm's actual procedures, client base, risk appetite, and structure before it can be used as a compliant AML policy. A template that has not been customised is not a compliant policy.

Do UK accountants legally need a written AML policy?

Yes. The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 require all businesses in the regulated sector — including accountants supervised by HMRC, ICAEW, ACCA, or CIMA — to have written policies, controls, and procedures in place. The policy must cover customer due diligence, record keeping, risk assessment, training, and the role of the MLRO. HMRC supervisors regularly ask to see a firm's AML policy during supervision visits and desk-based reviews.

How often must an AML policy be reviewed?

Best practice — and the standard expected by HMRC and the major professional bodies — is annual review at minimum. Your policy should also be updated whenever there is a significant change to your practice: a new service line, entry into a new market, a change in your client base, a change in your MLRO, or following a supervision visit or internal review that identifies gaps. The date of the last review and the name of the reviewer should be recorded on the policy document.

What is the difference between a firm-wide risk assessment and a client risk assessment?

A firm-wide risk assessment looks at the inherent money laundering risks in your practice as a whole — the types of clients you serve, the services you provide, the geographies you operate in, and how you deliver your services. A client risk assessment is carried out for each individual client and results in a risk rating (Low, Medium, High, or EDD). The firm-wide risk assessment informs your policies and procedures; the client risk assessment drives how much CDD you apply to a specific client.

What happens if my AML policy does not match my actual procedures?

This is one of the most common findings HMRC supervisors identify during accountancy firm visits. A policy that says you carry out a particular check — but where file reviews show that check is not being done — creates a dual compliance failure: the written policy is inaccurate, and the underlying procedure is absent or inconsistent. Both are reportable findings. Your policy must describe what you actually do, not what you intend to do in theory.
