KYC Remediation — the UK back-book guide

Bringing an existing client base up to current MLR 2017 Reg 28 standards — when to remediate, the six-phase project structure, client communication, and the challenges that always surface.

By Mehmood Rajoka · Last updated 2026-06-08

TL;DR — Quick Summary

  • KYC remediation is the structured process of bringing an existing client base up to current Customer Due Diligence standards — refreshing identity verification, beneficial-ownership records, risk ratings, and ongoing monitoring evidence for clients onboarded under older or weaker frameworks.
  • Triggers include adverse supervisory findings (HMRC, SRA, FCA), regulatory changes (the 2019 5MLD update, the 2022 proliferation-financing update, the domestic-PEP differentiation introduced by the 2023 MLR amendment in force from January 2024 and FCA PS24/4 in 2024), firm mergers/acquisitions, or internal recognition that legacy CDD doesn't meet current MLR 2017 Reg 28 standards.
  • A typical remediation runs 3-12 months depending on client-base size and complexity. Phased approach: risk-rate the existing portfolio, prioritise higher-risk clients, refresh in cohorts, document the project end to end.
  • Communication with clients matters — too aggressive risks the client switching firm; too cautious risks the deadline slipping. The standard framing: 'periodic review', 'updating our records', 'regulatory refresh'.
  • The remediation project itself becomes a document for future inspection — proving the firm took proactive action to close the gap rather than waiting for a finding to force it.

Answer-first summary

What is KYC remediation?

KYC remediation is the structured process of bringing an existing client base up to current Customer Due Diligence standards — refreshing identity verification, beneficial-ownership records, risk ratings, and ongoing monitoring evidence for clients onboarded under older or weaker frameworks. Typical triggers include adverse supervisory findings, material regulatory changes, firm mergers, or internal recognition that legacy CDD predates current Reg 28 standards. The remediation project itself becomes a future-inspection artefact showing the firm took proactive action.

  • Typically 3-12 months depending on portfolio size
  • Six-phase structure: scope, plan, communicate, collect, re-rate, document
  • Standard 'periodic review' framing for client communication
  • The project report becomes an inspection artefact

Four triggers for remediation

When the firm should consider a structured remediation project rather than ad-hoc refresh:

Supervisory finding or pre-emptive concern

HMRC, SRA, FCA, or professional-body inspection has flagged inadequate CDD on the existing portfolio. Or the firm anticipates a finding and acts pre-emptively.

Regulatory change

The 2019 5MLD scope extension, the 2022 proliferation-financing dimension, the domestic-PEP differentiation (MLR amendment made in 2023 and in force from January 2024, followed by FCA PS24/4 in 2024), and the 2023 Companies House reform. Each material change creates a remediation rationale for the portion of the client base affected.

Firm merger or acquisition

Two CDD regimes need to be reconciled to a single standard. Without remediation, the firm carries forward inconsistent risk treatment across the merged book.

Internal recognition

The firm itself recognises that legacy CDD — particularly for clients onboarded before 2017 or under earlier softer regimes — doesn't meet current Reg 28 standards. Proactive remediation closes the gap before inspection.

The six-phase project structure

A standard remediation timeline. Phasing by risk priority means highest-impact remediation completes first:

Phase 1 — Scope and risk-rate

Run the entire client portfolio through the current firm-wide risk assessment framework. Categorise clients as High / Medium / Low risk and identify the priority cohort (typically higher-risk + older-onboarding intersection).

Phase 2 — Plan and resource

Set a realistic timeline based on cohort size and team capacity. Typical phasing after the month-1 scoping exercise: high-risk cohort in months 2-4, medium-risk in months 5-9, low-risk in months 10-12. Resource allocation: a dedicated remediation team, or work distributed across client-facing partners with a central tracker so nothing falls between them.

Phase 3 — Client communication

Standard 'periodic review' framing — sent to clients in batches with a target response window. Communication explicitly avoids implying suspicion exists; it's positioned as regulatory hygiene. Templates for each client type (individual, company, trust).

Phase 4 — Collect and verify

Refresh identity, address, beneficial ownership, and source of funds where required. Update Companies House (PSC), TRS and ROE checks. Run sanctions and PEP screening, applying the domestic-PEP treatment in force since January 2024. Document each refresh in the file: what was checked, against which source, by whom, and on what date.

Phase 5 — Risk re-rate

Apply the current firm-wide risk assessment to each refreshed client. The new risk rating drives ongoing-monitoring cadence and CDD tier (Standard / EDD / SDD). Some clients move tier between old and new ratings — that's expected and documents the value of remediation.

Phase 6 — Document and close

Project report — what was reviewed, when, what was found, what was refreshed, what triggered any tier movement. This becomes a future-inspection artefact showing the firm took proactive action.
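Phases 1, 2 and 5 above are a triage over structured client data, so here is an added Python example (not Certivus code and not from this page) that risk-rates a constructed portfolio, orders it into refresh cohorts with the high-risk, pre-MLR-2017 intersection first, and records tier movement for the Phase 6 report. The risk factors, weights, score thresholds and the Low-to-SDD mapping are assumptions standing in for a firm's own Reg 18 risk-assessment framework; the five client records are constructed.

```python
"""Cohort planning and tier-movement tracking for a back-book remediation.

Constructed example. The factors, weights, thresholds and tier mapping below
are assumptions for illustration, not a firm's actual Reg 18 framework.
"""
from dataclasses import dataclass
from datetime import date

# Assumed risk factors and weights (hypothetical, not from MLR 2017).
FACTOR_WEIGHTS = {
    "pep": 3,                      # politically exposed person
    "high_risk_jurisdiction": 3,   # connection to a high-risk third country
    "complex_ownership": 2,        # layered or opaque beneficial-ownership chain
    "cash_intensive": 1,
    "non_face_to_face": 1,
}
# Files onboarded before MLR 2017 came into force (26 June 2017) are "legacy".
LEGACY_CUTOFF = date(2017, 6, 26)
RATING_ORDER = {"High": 0, "Medium": 1, "Low": 2}        # refresh order
PHASE_MONTHS = {"High": "months 2-4", "Medium": "months 5-9", "Low": "months 10-12"}
# Assumption: Low maps to SDD only where the firm has made a low-risk determination.
TIER_BY_RATING = {"High": "EDD", "Medium": "Standard", "Low": "SDD"}
TIER_RANK = {"SDD": 0, "Standard": 1, "EDD": 2}


@dataclass
class Client:
    client_id: str
    onboarded: date
    legacy_rating: str            # rating recorded at original onboarding
    factors: frozenset = frozenset()


def risk_rate(client: Client) -> str:
    """Phase 1: score the client against the firm-wide framework.
    Assumed thresholds: score >= 5 -> High, >= 2 -> Medium, else Low."""
    score = sum(FACTOR_WEIGHTS.get(f, 0) for f in client.factors)
    if score >= 5:
        return "High"
    if score >= 2:
        return "Medium"
    return "Low"


def cdd_tier(rating: str) -> str:
    """Phase 5: the new rating drives the CDD tier."""
    return TIER_BY_RATING[rating]


def tier_movement(legacy_rating: str, new_rating: str) -> str:
    """Compare the tier implied by the legacy rating with the refreshed one."""
    delta = TIER_RANK[cdd_tier(new_rating)] - TIER_RANK[cdd_tier(legacy_rating)]
    return "up" if delta > 0 else "down" if delta < 0 else "none"


def plan_remediation(clients) -> list:
    """Phases 1-2: one row per client, ordered priority cohort first
    (High risk AND legacy onboarding), then by rating, then oldest file first."""
    rows = []
    for c in clients:
        rating = risk_rate(c)
        rows.append({
            "client_id": c.client_id,
            "onboarded": c.onboarded.isoformat(),
            "legacy_rating": c.legacy_rating,
            "new_rating": rating,
            "new_tier": cdd_tier(rating),
            "tier_movement": tier_movement(c.legacy_rating, rating),
            "priority": rating == "High" and c.onboarded < LEGACY_CUTOFF,
            "phase": PHASE_MONTHS[rating],
        })
    rows.sort(key=lambda r: (not r["priority"], RATING_ORDER[r["new_rating"]], r["onboarded"]))
    return rows


def close_report(rows) -> dict:
    """Phase 6: headline figures for the project report."""
    return {
        "reviewed": len(rows),
        "priority_cohort": sum(r["priority"] for r in rows),
        "by_rating": {k: sum(r["new_rating"] == k for r in rows) for k in RATING_ORDER},
        "moved_up": sum(r["tier_movement"] == "up" for r in rows),
        "moved_down": sum(r["tier_movement"] == "down" for r in rows),
    }


# Constructed sample portfolio (not real clients).
SAMPLE_CLIENTS = [
    Client("C001", date(2012, 3, 1), "Low", frozenset({"pep", "complex_ownership"})),
    Client("C002", date(2019, 7, 15), "High", frozenset({"non_face_to_face"})),
    Client("C003", date(2015, 11, 2), "Medium", frozenset({"cash_intensive", "high_risk_jurisdiction"})),
    Client("C004", date(2010, 1, 20), "High", frozenset({"high_risk_jurisdiction", "complex_ownership"})),
    Client("C005", date(2021, 2, 10), "Low"),
]

if __name__ == "__main__":
    plan = plan_remediation(SAMPLE_CLIENTS)
    for r in plan:
        print(r["client_id"], r["new_rating"], r["new_tier"], r["tier_movement"], r["phase"])
    print(close_report(plan))
```

The sort key puts the priority cohort first, then remaining clients in High, Medium, Low order with the oldest file first within each band, which is the intersection logic Phase 1 describes. C001 (rated Low at onboarding, now High on a PEP plus an opaque ownership chain) moves up two tiers and C002 moves down, which is the kind of tier movement the Phase 6 report should record as evidence that the refresh changed something.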

Five challenge areas to plan for

Client refusal to provide updated information

Some clients refuse to provide refreshed CDD evidence. Treat refusal as a higher-risk indicator that warrants EDD under Reg 33. If refusal is sustained so that the firm cannot complete CDD, Reg 31 applies: the firm must not carry out further transactions for the client, must terminate the relationship (subject to the Reg 31(2) carve-out for legal professionals ascertaining a client's legal position or defending proceedings), and must consider whether a SAR is required. Document the refusal, each follow-up attempt, and the decision chain.

Historical files with gaps

Some legacy files have no record of who verified, when, or against what. Treat an undocumented verification as no verification: refresh the file from scratch even if the client says they provided ID at onboarding, because an inspector cannot credit evidence the file does not hold.

Source of funds for older relationships

EDD-tier clients onboarded years ago may not have source-of-funds evidence. Refresh requires plausible documentation — not always easy for legacy private-wealth or trust structures with no contemporaneous record.

Beneficial ownership chain changes

Beneficial ownership picture today differs from the original onboarding. Trace the changes — share transfers, director appointments, trust amendments — and reconstruct the current chain. PSC, TRS, and ROE register data are the starting points.

Tipping-off considerations

Where remediation surfaces suspicion that wasn't visible at original onboarding, the firm crosses into SAR-relevant territory, and the tipping-off offence (POCA 2002 s.333A) bites once a disclosure has been made or an investigation is contemplated. The 'periodic review' communication framing should continue while the MLRO decision chain operates: client-facing staff must not tell the client that a report is being considered or has been made, and should route any further information requests for that client through the MLRO.

Common questions

When does my firm need to remediate?

Four trigger categories. First, supervisory finding or pre-emptive concern: HMRC, SRA, FCA, or professional-body inspection flags inadequate CDD on the existing portfolio. Second, material regulatory change: the 2019 5MLD scope extension, the 2022 proliferation-financing dimension, the domestic-PEP differentiation introduced by the 2023 MLR amendment (in force from January 2024) and FCA PS24/4. Third, firm merger or acquisition. Fourth, internal recognition that legacy CDD predates current standards. Proactive remediation closes the gap before inspection forces it.

How long does KYC remediation take?

3-12 months depending on client-base size and complexity. Typical phasing: scope-and-risk-rate (month 1), high-risk cohort refresh (months 2-4), medium-risk cohort (months 5-9), low-risk cohort (months 10-12), document-and-close (month 12). Smaller firms with simpler portfolios complete faster; larger firms with complex international clients can run 12-18 months. Phasing by risk priority ensures the highest-impact remediation completes first regardless of total project duration.

How do I communicate remediation to clients?

Standard framing: 'periodic review', 'updating our records', 'regulatory refresh'. Templates for each client type (individual, company, trust). The communication explicitly avoids implying suspicion exists — it's positioned as regulatory hygiene applicable to all clients, not targeted concern about this client. Most clients accept periodic-review framing without question. Where they push back, the standard response is to reference MLR 2017 and supervisory expectations rather than suggest the client specifically is the concern.

What if a client refuses to provide updated CDD?

Refusal to provide reasonable CDD evidence is itself a higher-risk indicator: escalate to EDD under Reg 33 and document the refusal. If refusal is sustained despite reasonable follow-up and CDD cannot be completed, Reg 31 applies: the firm must terminate the relationship (subject to the Reg 31(2) legal-professional carve-out) and must consider whether a SAR is required. Document the refusal, the follow-up attempts, the MLRO decision, and any resulting action. Treating refusal as a routine commercial setback rather than a regulatory red flag is a known weakness in supervisory inspections.

Does the remediation project itself need to be documented?

Yes — emphatically. The remediation project report (scope, timeline, methodology, client cohorts, refresh outcomes, tier movements, exceptional cases including refusals and SARs) becomes a key inspection artefact for the next supervisory visit. It proves the firm took proactive action to close the gap rather than waiting for a finding to force it. Inspectors look favourably on documented remediation; treating remediation as informal cleanup defeats half the point.

Structure a clean remediation project

Certivus structures back-book remediation by client cohort, with bulk-refresh workflows, tier-movement tracking, and a project report that doubles as inspection documentation.