HMRC supervision · MLR 2017

HMRC AML Inspection — the complete UK guide

The four inspection stages, what HMRC asks for, the five recurring failings, and the five outcome tracks from no-action letter through to registration cancellation.

By Mehmood Rajoka · Last updated 2026-06-08

TL;DR — Quick Summary

  • HMRC inspects MLR-2017-supervised businesses to verify they're operating an effective AML compliance programme. For HMRC-supervised accountants, estate agents, TCSPs, high-value dealers, and money service businesses, inspection is the supervisory enforcement mechanism.
  • Inspections are scheduled (risk-rated firms see HMRC roughly every 3-5 years) or triggered (significant SAR, sector thematic review, intelligence-driven). Either way, the firm receives a notification letter with the inspection date and an information request.
  • HMRC asks for the firm-wide risk assessment first, the AML policies document second, and a sample of client CDD files third. Missing or stale documents at any of these three checkpoints flags the inspection as elevated-concern.
  • Outcomes range from no-action letter (clean), through compliance directions (remediate within 90 days), civil monetary penalties (fines), to registration cancellation (the firm cannot continue to operate in the regulated sector).
  • Preparation is continuous, not last-minute. The firms that pass inspection cleanly are the ones whose AML programme runs operationally year-round.

Answer-first summary

What is an HMRC AML inspection?

An HMRC AML inspection is the supervisory enforcement mechanism HMRC uses to verify that MLR-2017-regulated firms in its remit — unaffiliated accountants, estate agents, TCSPs, high-value dealers, money service businesses — are operating an effective AML compliance programme. The inspection covers the firm-wide risk assessment, written policies, MLCO/MLRO appointments, CDD files, training, ongoing monitoring, sanctions screening, and SAR pipeline. Outcomes range from no-action letter through to registration cancellation.

  • Routine inspections every 3-5 years for lower-risk firms
  • Pre-inspection information request covers 9 standard items
  • Five outcome tracks: no-action / advisory / compliance direction / civil penalty / cancellation
  • Continuous preparation beats last-minute scramble

The four inspection stages

From notification through findings letter — what each stage looks like and what the firm should be doing:

Notification letter

HMRC writes 4-6 weeks ahead of the inspection date. The letter sets out the scheduled date, the information request, and the names of the HMRC officers attending.

Pre-inspection information request

A standard list — firm-wide risk assessment, policies and procedures document, MLRO/MLCO appointments, training records, sample CDD files, ongoing-monitoring records, SAR register. The firm submits these in advance.

On-site / video inspection

Typically a half-day or full day. HMRC officers walk through the documents, ask the MLCO/MLRO to explain the firm's risk reasoning, sample CDD files at random, and ask about specific transactions or clients.

Findings letter

Issued typically within 6-12 weeks of the inspection. Records findings as no-action, advisory, compliance direction, civil monetary penalty, or registration cancellation. The firm has a right of reply before formal action.

What HMRC asks for

The standard pre-inspection information request — nine items, in this order of priority:

  1. Firm-wide AML risk assessment under MLR 2017 Reg 18 — most recent version + version history
  2. Written AML policies and procedures under MLR 2017 Reg 19
  3. MLCO and MLRO appointment documents under MLR 2017 Reg 21
  4. Training records for the past 12-24 months — who was trained, on what, by whom, when
  5. Sample of 10-30 client CDD files at random — including the firm's risk rating reasoning, ID/address verification evidence, beneficial ownership documentation, ongoing-monitoring records
  6. SAR register — log of internal disclosures, MLRO decisions, and external SARs submitted to the NCA
  7. Sanctions screening records — what was screened, when, results, match disposition
  8. Ongoing monitoring evidence — review cadence, transaction monitoring, change-of-circumstance updates
  9. 5-year retention proof under MLR 2017 Reg 40 for older closed relationships

The five recurring failings

These five appear in nearly every published HMRC enforcement update. Avoiding all five is the practical roadmap to a no-action letter:

Stale or missing firm-wide risk assessment

The #1 supervisory finding. The risk assessment exists but hasn't been reviewed in 18+ months, or it's a template document with no firm-specific analysis.

CDD evidence collected but not documented

The firm has the passport scan and the bank statement on file but no record of the risk reasoning, the verification source check, or who approved the file. Evidence without reasoning is incomplete.

Training gap — staff not trained or refresher overdue

MLR 2017 Reg 24 requires every relevant employee to be trained on the firm's policies. Inspections find untrained admin staff, partners who delegated training to staff who left, and refresher cycles that lapsed.

EDD applied inconsistently

Two clients with the same risk profile but different EDD treatment. The inspection trail asks why one client got senior approval and source-of-funds evidence but a substantively similar client did not.

Ongoing monitoring is theoretical, not actual

The policy document says quarterly review for higher-risk clients. The file shows no review in 18 months. Documented policy without operating reality is its own finding.

The five outcome tracks

No-action letter

The inspection found the programme operating effectively. Issued where the firm's risk assessment, policies, files, and training are demonstrably in good order. The firm continues operating with no follow-up.

Advisory letter

Minor improvements suggested but no formal action required. Often issued when the programme is broadly sound but specific evidence or documentation could be strengthened. No formal sanction but recorded.

Compliance direction

Formal direction requiring specific remediation within a fixed period (typically 90 days). Failure to remediate escalates to formal sanction. Public record on HMRC's enforcement list.

Civil monetary penalty

Financial penalty for material breaches of MLR 2017. Scale depends on firm size, the severity of the breach, and the firm's compliance history. HMRC publishes the firm name and the penalty amount.

Registration cancellation

For the most serious breaches or repeat failures, HMRC can cancel the firm's MLR registration — meaning the firm cannot continue to operate in the regulated sector. Effective business closure for the regulated parts of the practice.

Common questions

FAQ

What is an HMRC AML inspection?

An HMRC AML inspection is the supervisory enforcement mechanism HMRC uses to verify that MLR-2017-regulated firms in its remit — unaffiliated accountants, estate agents, TCSPs, high-value dealers, money service businesses, and others — are operating an effective AML compliance programme. The inspection covers the firm-wide risk assessment, written policies and procedures, MLCO/MLRO appointments, CDD files, training records, ongoing monitoring, sanctions screening, and SAR pipeline. Outcomes range from no-action through compliance directions and civil monetary penalties to registration cancellation.

How often does HMRC inspect?

Inspections are risk-rated. Most firms in HMRC's regulated population see an inspection every 3-5 years on a routine basis. Higher-risk firms (significant SAR history, sector thematic concern, complaint-driven referral) see them more frequently. Smaller and lower-risk firms may go longer between routine inspections. A triggered inspection — driven by a specific intelligence concern, complaint, or industry thematic review — can come at any time regardless of the routine cycle.

What does HMRC ask for in an inspection?

Nine standard items. (1) The firm-wide risk assessment under Reg 18. (2) Written policies and procedures under Reg 19. (3) MLCO and MLRO appointment documents. (4) Training records for the past 12-24 months. (5) A sample of 10-30 client CDD files at random. (6) The SAR register. (7) Sanctions screening records. (8) Ongoing monitoring evidence. (9) 5-year retention proof for older closed relationships. Each item is requested in advance and discussed in detail during the inspection itself.

What are the most common HMRC inspection failings?

Five recur in nearly every published HMRC enforcement update. A stale or missing firm-wide risk assessment. CDD evidence collected but with no documented risk reasoning. Training gaps — staff untrained or refresher cycles lapsed. EDD applied inconsistently between substantively similar clients. Ongoing monitoring that exists on paper but not in practice. Avoiding all five is the practical roadmap to a no-action letter.

What happens if HMRC finds breaches?

Five possible outcomes. No-action letter (clean inspection). Advisory letter (minor improvements suggested, no formal sanction). Compliance direction (formal direction to remediate within typically 90 days). Civil monetary penalty (financial fine, with the firm name published). Registration cancellation (the firm cannot continue in the regulated sector). The firm has a right of reply before formal action and can appeal escalated sanctions through the tribunal process.

How do I prepare for an HMRC AML inspection?

Treat preparation as continuous, not last-minute. (1) Keep the firm-wide risk assessment reviewed annually with a documented review date. (2) Maintain CDD file consistency — every file should answer 'why this risk rating, what evidence, who approved, when monitored'. (3) Run a mock inspection internally every 18-24 months — pick 10 random files and stress-test them against the standard inspection checklist. (4) Diarise training refreshers so they never lapse. (5) Make sure the policies document reflects the actual operating reality, not aspirational policy. Firms that pass inspection cleanly are the ones whose AML programme runs operationally year-round.
