AML compliance guide

What is AML compliance for UK accountants?

AML compliance is the legal requirement for UK accountants and law firms to take active steps to prevent their services being used to launder criminal proceeds. It is not a one-off ID check — it is an ongoing, risk-based operating system that runs through every client relationship.

TL;DR — Quick Summary

  • AML compliance is a legal requirement under the Money Laundering Regulations 2017 for UK accountants providing relevant services
  • The four core obligations are: customer due diligence, firm-wide risk assessment, ongoing monitoring, and five-year record keeping
  • Most accountants are supervised by HMRC or their professional body (ICAEW, ACCA, CIMA)
  • Failures can result in unlimited financial penalties, prosecution, and loss of practising certificate
  • Certivus helps accountancy practices run AML workflows — client intake, risk scoring, evidence vault, and audit export — in one place

Answer-first summary

What does AML compliance mean for accountants?

AML compliance for accountants means having a documented, risk-based programme to prevent your practice from being used to launder money or finance terrorism. The Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (MLR 2017) require you to know your clients, assess their risk, verify their identity, monitor the relationship, report suspicion, and keep records — not just once at onboarding, but throughout the life of each client relationship.

  • Verify client identity before providing services — not after
  • Assess whether each client is low, medium, or high risk and document why
  • Apply enhanced checks for higher-risk clients, including PEP and sanctions screening
  • Keep evidence for five years after the relationship ends
  • Report suspicious activity to the National Crime Agency via your nominated MLRO

Legal obligations

What does AML law require?

The Money Laundering Regulations 2017 set out four core obligations that every accountancy practice within scope must meet. Each one is operational — it requires decisions, evidence, and records.

Customer due diligence

Identify and verify every client before acting for them. Collect identity evidence, confirm address, understand the purpose of the relationship, and — where relevant — establish who the beneficial owner is.

Risk assessment

Assess the risk each client poses and maintain a firm-wide written risk assessment covering your client types, services, geographies, delivery channels, and funding sources. Revisit it regularly.

Ongoing monitoring

Keep watching. When a client's circumstances change — new ownership, new country of operation, unusual transactions — review the file and update the risk rating. Don't treat verification as a one-time task.

Record keeping

Keep evidence for at least five years after the client relationship ends. This includes identity documents, risk assessments, screening results, decision notes, and training records.

Supervisory bodies

Who supervises UK accountants for AML?

Every UK accountancy practice within scope of MLR 2017 must be supervised by an approved body. Your supervisor sets the AML standards you must meet, monitors compliance, and can impose sanctions — including financial penalties — if you fall short. Knowing who supervises you and what they expect is the starting point for any AML programme.

HMRC

HMRC supervises most accountants, bookkeepers, and tax advisers who are not members of a recognised professional body. If you are HMRC-supervised, expect periodic reviews and the possibility of unannounced inspection visits.

ICAEW, ACCA, CIMA and others

Members of recognised professional bodies are supervised by their own body rather than HMRC. Supervision means your body sets AML standards, reviews your compliance, and can impose sanctions for failures.

FCA

The Financial Conduct Authority supervises accountants and advisers that carry out certain financial services activities. If you provide investment advice or financial services alongside accountancy, check whether FCA supervision applies.

Risk and penalties

What happens if you fail AML checks?

AML failures are not treated as minor administrative issues. Supervisors and prosecutors treat them as serious failures of professional obligation — and the consequences range from financial penalty through to criminal prosecution. The reputational damage often outlasts any fine.

Potential consequences of AML non-compliance

  • Civil financial penalties from your supervisory authority — potentially unlimited in serious cases
  • Criminal prosecution for knowingly facilitating money laundering
  • Suspension or withdrawal of your practising certificate by your professional body
  • Reputational damage that is difficult to reverse once it reaches the press
  • Loss of professional indemnity insurance cover
  • Mandatory reporting of failures by your supervisor to other regulators

For HMRC's own guidance on penalties, see HMRC's responsibilities and record keeping guidance. This page is general information, not legal advice.

How Certivus helps

Certivus turns AML obligations into a repeatable workflow

Certivus is AML compliance software built for UK accountants. It organises the evidence, decisions, and records your practice needs — without replacing your MLRO, your policies, or your professional judgement.

Client intake and KYC requests

Send clients a branded digital request for identity and address evidence. They upload securely from any device. No email attachments, no chasing.

AML checklist and risk scoring

Score every client as Low, Medium, or High risk using a structured checklist aligned to HMRC guidance. Override scores with a decision note when professional judgement requires it.

Evidence vault and audit export

Keep all CDD evidence, risk decisions, screening results, and timestamps in one exportable record. Print or download an audit-ready PDF before any HMRC or professional body review.

Frequently asked questions

AML compliance questions answered

What is AML compliance?

AML compliance — Anti-Money Laundering compliance — is the set of legal obligations that require certain businesses, including UK accountants and law firms, to take steps to prevent their services from being used to launder the proceeds of crime or to fund terrorism. For accountants, this means maintaining a risk-based programme covering client due diligence, risk assessment, ongoing monitoring, suspicious activity reporting, and record keeping.

Who needs AML compliance in the UK?

Any business that falls within the scope of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) must comply. For accountants, this covers those providing audit, accountancy, tax advisory, insolvency, or certain other services. It also applies to law firms providing relevant legal services, estate agents, and certain financial businesses.

What is CDD in AML?

CDD stands for Customer Due Diligence. It is the core process of identifying who a client is, verifying that identity against reliable independent sources, and understanding the purpose and intended nature of the business relationship. Standard CDD applies to most clients. Enhanced Due Diligence (EDD) is required where the risk is higher — for example, for clients with political exposure or from high-risk countries.

What is EDD in AML?

EDD stands for Enhanced Due Diligence. It applies when a client or transaction presents a higher level of money laundering risk. EDD requires additional verification steps beyond standard CDD — for example, verifying the source of funds or wealth, obtaining senior management approval before onboarding, or conducting more frequent ongoing monitoring. Common triggers include Politically Exposed Persons (PEPs), clients in high-risk countries, or complex ownership structures.

What are PEP checks in AML?

A PEP check screens a client against databases of Politically Exposed Persons — individuals who hold or have held prominent public functions, such as government ministers, senior civil servants, senior military officials, and their close associates and family members. PEPs carry a higher money laundering risk because of their access to public funds or decision-making power. A positive PEP match does not mean refusing the client, but it does require Enhanced Due Diligence.

How long do you need to keep AML records?

Under MLR 2017, you must keep AML records for at least five years from the end of the business relationship or, for transaction records, from the date the transaction was completed. Records to retain include CDD evidence, identity documents, risk assessments, screening results, decision notes, training records, and policies. Some firms keep records for longer as a matter of practice, but five years is the minimum legal requirement.

For more definitions, see the AML and KYC glossary.

Get started

Start your AML compliance workflow today

Join accountancy practices using Certivus to run structured client intake, risk scoring, and audit-ready records — without the manual admin.

  • Free plan available
  • No credit card required
  • HMRC-ready evidence