Record keeping guide

AML record keeping for UK accountants: what to keep, how long, and why

UK accountants must keep AML records — including customer due diligence evidence, screening results, and risk decisions — for a minimum of five years after the end of the client relationship or transaction. This guide covers every record type, how long to keep it, and what HMRC inspectors look for when they check.

TL;DR — Quick Summary

  • The five-year minimum retention period starts from the end of the business relationship or transaction — not when the record was created
  • Records include identity documents, PEP and sanctions screening results, risk decisions, and review notes
  • HMRC inspectors specifically check AML records during supervision visits and desk-based reviews
  • Both paper and electronic formats are acceptable if records are secure and retrievable
  • Early deletion of AML records is a compliance failure that can result in civil penalties

Answer-first summary

What AML records must UK accountants keep?

UK accountants supervised for AML purposes must keep five categories of records under Regulations 40 and 41 of The Money Laundering Regulations 2017: identity and CDD evidence; PEP and sanctions screening results; risk assessment decisions and their rationale; transaction and business relationship records; and staff training and AML policy records. All CDD-related records must be kept for a minimum of five years from the end of the client relationship or the completion of the transaction. Failing to retain records — or retaining incomplete records — is a compliance breach that HMRC inspectors frequently identify during supervision visits.

  • Identity and CDD evidence — for every client in a regulated relationship
  • Screening records — PEP and sanctions screens, with date, result, and action taken
  • Risk decisions — the assigned rating and the documented rationale behind it
  • Business relationship records — nature of services provided and relevant correspondence
  • Training and policy records — staff training completion and historical policy versions
What to keep

The five record categories

The MLR 2017 requires UK accountants to maintain records across five categories. Each must be kept for a minimum of five years from the end of the relevant relationship or transaction.

Identity and CDD evidence

Copies of all documents used to verify a client's identity — government-issued photo ID, proof of address, and for corporate clients, beneficial ownership documentation. These must be kept for every client in every relationship, regardless of risk rating.

Screening records (PEP and sanctions)

A record of every PEP and sanctions screen carried out — including the date of the screen, the lists checked, the result, and any action taken. If you use software, the screen report constitutes the record. If you screen manually, your notes must be detailed enough to demonstrate the check was carried out.

Risk assessment decisions

The risk rating assigned to each client (Low, Medium, High, or EDD) and the documented rationale for that rating. A risk rating without reasoning is a compliance gap. HMRC inspectors frequently ask to see the basis on which a risk decision was made — particularly where a high-risk client was rated Low.

Transaction and business relationship records

Records of the business relationship itself — the nature of the services provided, correspondence relevant to AML decisions, and any notes documenting changes to the client's circumstances that affected their risk profile. The purpose is to reconstruct what occurred if ever challenged.

Training and policy records

Evidence that all relevant staff have completed AML training — including the date, content covered, and method of delivery. Also retain previous versions of your AML policy so you can demonstrate what your procedures were at any given point in time.

How long to keep records

Retention periods at a glance

The table below summarises the minimum retention period for each record type and when the clock starts. The five-year period is a minimum — many practices retain records longer, particularly for complex or high-risk relationships.

Record typeRetention periodWhen the clock starts
CDD evidence (identity documents, beneficial ownership)5 years minimumEnd of business relationship
PEP and sanctions screening results5 years minimumEnd of business relationship
Risk decisions and rationale5 years minimumEnd of business relationship
Transaction records5 years minimumTransaction completion
Staff training records3 years recommendedDate of training
AML policy versionsKeep current + 3 previous versions
Storage format

What format is acceptable

The MLR 2017 does not mandate a specific format. What matters is that records are secure, complete, and can be retrieved promptly for inspection.

Paper records

Paper is acceptable under the MLR 2017 provided records are stored securely, protected from unauthorised access, and can be retrieved promptly. HMRC recommends a retrieval time of 48 hours or less. Fire and flood risk should be considered in your storage arrangements.

Electronic records (preferred)

Electronic records are generally preferred because they are easier to organise, retrieve, and export for inspection. If you use AML software such as Certivus, the system generates a timestamped audit trail automatically. Electronic records must be stored securely with appropriate access controls and backed up regularly.

Hybrid approach

Many practices keep original identity documents as paper copies and record CDD decisions and screening results electronically. Both formats are acceptable. What matters is that all records are complete, clearly linked to the relevant client, and retrievable within a reasonable time.

Consequences

What happens if records are missing

Incomplete or missing AML records can result in:

  • HMRC civil penalties under Regulation 86 of the MLR 2017
  • Professional body sanctions, including referral for disciplinary action
  • Potential loss of supervised status — meaning you cannot legally provide regulated services
  • Reputational damage if findings are published in HMRC's supervision transparency reports
How Certivus helps

How Certivus supports AML record keeping

Certivus automates the record-keeping obligations that HMRC inspectors check most often — so you are always inspection-ready without the manual overhead.

1

Evidence vault

Store identity documents, CDD evidence, and screening results against each client record. Every upload is timestamped and linked to the client. Export a full audit-ready PDF for any client in one click.

Learn more
2

AML checklist

Track outstanding CDD and record-keeping tasks across your client base. Each completed item is timestamped, creating a built-in audit trail of when each obligation was fulfilled.

Learn more
3

HMRC audit checklist

Run through the standard HMRC AML supervision checklist at any time to identify record-keeping gaps before an inspector does. Prepare a compliant evidence pack in minutes, not days.

Learn more

Compliance notice: This guide reflects the record-keeping obligations set out in The Money Laundering Regulations 2017. Certivus supports AML record keeping but does not provide legal or compliance advice. If you are unsure whether your record-keeping procedures meet your regulatory obligations, consult your professional body (ICAEW, ACCA, or CIMA) or a qualified compliance professional.

Frequently asked questions

AML record keeping questions answered

What AML records must UK accountants keep?

UK accountants supervised by HMRC must keep five categories of AML records: identity and CDD evidence for each client; PEP and sanctions screening results; risk assessment decisions and their rationale; transaction and business relationship records; and staff training and AML policy records. All records must be kept for a minimum of five years from the end of the relevant business relationship or the completion of the transaction. The MLR 2017 (Regulations 40–41) set out these obligations.

When does the five-year clock start for AML record retention?

For records relating to a business relationship — such as CDD evidence and risk decisions — the five-year clock starts on the date the relationship ends, not on the date the record was created. For occasional transactions, it starts on the transaction completion date. This means that for a long-standing client relationship of ten years, you must retain all CDD records for at least fifteen years in total (ten years of relationship plus five years of mandatory retention).

What happens if AML records are deleted too early?

Deleting AML records before the mandatory five-year retention period expires is a compliance failure under Regulation 41 of the MLR 2017. HMRC can impose civil penalties under Regulation 86, which include financial penalties and public censure. Your professional body may also take disciplinary action. In serious cases, premature deletion could be treated as evidence of deliberate concealment. HMRC supervision teams specifically check retention compliance during desk-based reviews and on-site visits.

Does the five-year rule apply to staff training records?

The MLR 2017 does not specify a retention period for staff training records in the same way it does for CDD evidence. However, three years is the widely accepted minimum recommended by HMRC and the professional bodies. In practice, keeping training records for at least five years is prudent — it allows you to demonstrate during a supervision visit that staff training was carried out consistently over time, and aligns with the broader retention framework in your practice.

Can I store AML records electronically?

Yes. Electronic storage is acceptable and generally preferred. The key requirements are that records are stored securely with appropriate access controls, are protected against loss or corruption through regular backups, and can be retrieved promptly — typically within 48 hours. If you use AML compliance software such as Certivus, timestamped electronic records with a full audit trail satisfy the record-keeping obligations under Regulation 41. Paper records are also acceptable but must meet the same retrieval and security standards.

What do HMRC inspectors look for when checking AML records?

HMRC AML supervision teams check several things during a records review: whether CDD has been completed for all clients in regulated relationships; whether the identity documents obtained are current and the right type; whether risk ratings are documented with a rationale (not just assigned); whether PEP and sanctions screens have been carried out and the results recorded; whether records for former clients are being retained for the full five-year period; and whether staff training records exist. A common finding is that records exist but are incomplete — for example, a risk rating with no documented reasoning.

Related reading

Free AML policy template

A customisable policy template covering all six HMRC supervision requirements.

Evidence vault

Store, organise, and export client CDD evidence with a full timestamped audit trail.

Enhanced Due Diligence explained

When EDD applies, what it involves, and how to evidence it for HMRC.

HMRC audit checklist

Prepare for an HMRC AML supervision visit with a step-by-step inspection checklist.

Get started

Keep every AML record inspection-ready

Certivus stores CDD evidence, screening results, and risk decisions with a timestamped audit trail — and exports a full client evidence pack in one click when HMRC comes calling.

Free plan availableNo credit card requiredHMRC-ready evidence