If your accountancy practice provides audit, insolvency, tax advisory, trust or company services, or handles client money in any form, you are subject to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017, as amended in 2019 and 2022). This is not optional. Failure to comply is a criminal offence, and the penalties are severe enough to close a practice permanently.
Accountancy is one of the sectors most heavily targeted by money launderers. The profession's access to company formation, tax structuring, trust administration, and client account management makes it a natural conduit for disguising the origins of criminal funds. HM Treasury's National Risk Assessment has consistently rated the accountancy sector as high-risk for money laundering, and supervision has tightened accordingly.
Your AML supervisor depends on whether you belong to a professional body that has been approved by HM Treasury as an AML supervisor. The major professional body supervisors are ICAEW, ACCA, CIOT, ICAS, AAT, and CIPFA. If your firm is a member of one of these bodies, that body is your AML supervisor. If your firm is not a member of any approved professional body, HMRC is your supervisor by default.
This distinction matters. Professional body supervision typically involves more detailed, sector-specific guidance and a deeper understanding of the services accountancy firms provide. HMRC supervision, while competent, takes a more standardised approach. Whichever body supervises you, the underlying legal requirements are identical: MLR 2017 applies equally.
The Office for Professional Body Anti-Money Laundering Supervision (OPBAS) oversees the professional bodies themselves. OPBAS publishes regular reports on the quality of supervision provided by each body, and these reports have consistently identified weaknesses. Your supervisor being a professional body does not guarantee that supervision will be light touch.
Every firm must produce a written risk assessment that identifies and assesses the money laundering and terrorist financing risks relevant to its business. The risk assessment must consider client risk factors (who you act for), service risk factors (what you do for them), geographic risk factors (where the client or their funds originate), and delivery channel risk factors (how you interact with the client).
A firm providing bookkeeping for local sole traders has a very different risk profile from a firm handling offshore trust administration for non-resident clients. The risk assessment must reflect that reality. It cannot be a template downloaded from your professional body's website and left unedited. HMRC and professional body inspectors have seen every generic template in circulation and will identify one immediately.
The risk assessment must be reviewed at least annually, and whenever there is a material change to the firm's services, client base, or operating environment. It must be approved by the firm's management and available for inspection.
Before establishing a business relationship with any client, you must verify their identity. For individuals: photographic identification and proof of address. For companies: confirmation of the legal entity's existence (Companies House check), identification of the beneficial owners (anyone holding more than 25% of the shares or voting rights), and verification of the identity of at least one director or equivalent.
You must also understand the purpose and intended nature of the business relationship. This means documenting why the client is instructing you and what services you will provide.
Simplified due diligence may be applied where the risk of money laundering is assessed as low. This allows reduced verification measures, but it does not mean no verification at all. The firm must still identify the client and must document its rationale for applying simplified CDD. If at any point the risk profile changes, standard or enhanced measures must be applied retrospectively.
Enhanced due diligence is mandatory in specific circumstances: where the client is a politically exposed person (PEP) or a family member or close associate of a PEP; where the client or transaction involves a high-risk third country identified by HM Treasury or the FATF; where the relationship or transaction is unusually complex or large without an obvious lawful purpose; and any other situation where the firm's own risk assessment identifies elevated risk.
EDD requires additional measures: establishing the source of funds and source of wealth, obtaining senior management approval for the relationship, and conducting enhanced ongoing monitoring. For PEPs, these obligations continue for at least 12 months after the person ceases to hold a prominent public function.
The Trust Registration Service (TRS) expanded significantly under the Fifth Money Laundering Directive, transposed into UK law in 2022. All UK express trusts must now be registered, not just those with a tax liability. As the professionals most likely to administer trusts, accountancy firms bear a direct obligation to ensure their clients' trusts are registered and that the beneficial ownership information is accurate and up to date.
Failure to register a trust, or providing inaccurate beneficial ownership information, is a separate offence under the MLR 2017 amendments. Firms acting as trust service providers have an enhanced duty to verify the identities of all parties to the trust: the settlor, the trustees, the beneficiaries (or class of beneficiaries), and any person exercising effective control.
If you know or suspect, or have reasonable grounds for knowing or suspecting, that a person is engaged in money laundering or terrorist financing, you must submit a Suspicious Activity Report (SAR) to the National Crime Agency (NCA). The obligation to report exists regardless of whether the transaction proceeds. Failing to report is a criminal offence carrying up to five years' imprisonment.
Tipping off is equally serious. If you disclose to your client or to any other person that a SAR has been or is about to be filed, you commit a criminal offence. This creates a practical tension for accountancy firms: you may need to delay a transaction while awaiting NCA consent, without being able to explain why. Your internal procedures must cover this scenario, including template language for communications that does not alert the client to the existence of a SAR.
CDD records and transaction records must be retained for five years from the date the business relationship ends (not from the date of the transaction). Records include copies of identification documents, the results of any verification or screening, and any supporting documentation for the firm's risk assessment of the client. Transaction records must be sufficient to permit reconstruction of individual transactions.
For accountancy firms with long-standing client relationships, this means records can accumulate for decades. When a client who has been with the firm for fifteen years finally leaves, the five-year clock starts from that departure date. The identification documents taken at onboarding in 2010 must still be retrievable in 2030.
All relevant employees must receive AML training at the point they join the firm and at regular intervals thereafter. "Regular" is not defined in the legislation, but supervisory bodies generally expect at least annual refresher training. Training must cover the legal obligations, the firm's internal policies and procedures, how to recognise suspicious activity, and the process for internal reporting.
The firm must appoint a nominated officer (also called the Money Laundering Reporting Officer, or MLRO) responsible for receiving internal disclosures of suspicious activity and, where appropriate, making SARs to the NCA. In a sole practitioner firm, this will be the practitioner themselves. In a larger firm, it must be someone with sufficient seniority and independence to act effectively.
OPBAS publishes themed reviews of professional body supervision. The recurring findings in accountancy firm supervision include:
The pattern is consistent. Firms understand that they have AML obligations. They have policies on paper. What they lack is the operational discipline to maintain those policies over time: updating the risk assessment, refreshing CDD when a client's circumstances change, documenting training, and filing records in a retrievable format.
That operational discipline is where most firms fall short, and it is exactly the kind of structured, repeatable documentation that technology handles better than people. Slatewick builds compliance tools for regulated industries. If your firm is spending hours maintaining CDD files, tracking training dates, and rewriting risk assessments, there is a more reliable way to manage it.
Slatewick helps regulated businesses manage the documentation that supervisors actually check: risk assessments, training records, client files, and audit trails.