Free Download

HMRC AML Audit Checklist

Prepare the AML evidence HMRC is likely to ask for during a supervision review, from risk assessment and CDD files to policies, training, monitoring, and record keeping.

What's included

PDF checklist • 2 pages

  • Pre-visit documentation checklist
  • Required policies and procedures
  • Client file requirements
  • Staff training records
  • Risk assessment documentation
  • Common HMRC questions and answers

Answer-first summary

What should accountants prepare for an HMRC AML inspection?

Accountants should prepare their firm-wide risk assessment, client CDD files, beneficial ownership evidence, PEP and sanctions screening records, AML policies and controls, staff training records, suspicious activity escalation process, and evidence of ongoing monitoring. The goal is to show what decisions were made, when, by whom, and why.

  • Keep records organised by client, risk level, and review date
  • Make risk decisions easy to explain, not just easy to store
  • Use this checklist as practical guidance, not legal advice

TL;DR — Quick Summary

  • HMRC expects a risk-based approach with records showing what your practice did and why
  • CDD evidence should include identity checks, risk assessment, beneficial ownership where relevant, and ongoing monitoring
  • Certivus helps organise screening, risk decisions, timestamps, and exportable audit records
INSPECTION PREPARATION

HMRC AML inspection evidence checklist

Business and firm-wide risk assessment

  • Current firm-wide AML risk assessment and review date
  • Customer, geography, service, transaction, delivery-channel, and funding risk factors
  • Evidence that controls were designed around the risks identified

Customer due diligence files

  • Client identity evidence and verification source
  • Beneficial ownership and authority-to-act records where relevant
  • Purpose and intended nature of the client relationship

Screening and ongoing monitoring

  • PEP and sanctions screening results and review decisions
  • Ongoing monitoring notes for changed circumstances or unusual activity
  • Enhanced due diligence evidence for higher-risk clients

Policies, controls, and training

  • AML policy, controls, and procedures with owner and review date
  • Staff training records and nominated officer escalation process
  • Suspicious activity reporting procedure and decision records

How to use the checklist

Start with the firm-wide risk assessment, then sample client files from different risk levels. For each file, confirm that the client identity evidence, risk rating, screening result, review decision, and any enhanced due diligence are easy to find and explain.

HMRC guidance says supervised businesses should use a risk-based approach, assess customer and business risk, design controls around those risks, and keep records of what was done and why. Link those records together so an inspector can follow the decision trail.

Keep primary guidance close by: HMRC risk assessment guidance and HMRC responsibilities and record keeping guidance.

This page is general information for UK practices and is not legal advice. For regulatory interpretations, speak to your supervisor, compliance adviser, or legal adviser.

Related reading

AML compliance for accountants

Everything UK accountants need to know about their AML obligations.

HMRC audit readiness software

How Certivus helps you build audit-ready evidence before HMRC visits.

What is KYC?

Identity verification — the core evidence HMRC inspectors expect to see.

AML software for MLROs

Certivus gives MLROs the oversight and evidence trail they need for supervision visits.