Steps of an AML Check (Explained for Accountants)- Can you prove you did all
Accountants, Blog

Steps of an AML Check (Explained for Accountants) 

Most firms think they're doing AML checks. They're actually doing identity verification and hoping for the best.
24 October 2025
13 Min Read
Start using FigsFlow today
  • Professional Proposals
  • Regulatory Compliant LOEs
  • Advanced Pricing Calculator
  • Automation & Integrations
  • Built-in E-Signature
Start 30-day Free Trial

You’re reviewing new client files. 

“AML done,” says the notes. But when you ask what politically exposed person (PEP) screening returned, nobody remembers running it. When you ask about the source of funds verification, someone says “they’re a limited company, so we didn’t need to.” 

Wrong. And now you’re exposed. 

“AML check” covers seven distinct procedures. Each has specific requirements. Each needs specific evidence. This guide shows you exactly what each step involves and how to document it properly. 

Key Points Summarised for Busy Readers 

  • An AML check is a seven-step verification process, not a single document review 
  • Each step has mandatory requirements and specific documentation standards 
  • The process must be completed before establishing the business relationship 
  • Proper documentation at every step creates the audit trail HMRC expects 
  • Missing any single step constitutes a regulatory breach under MLR 2017 
  • FigsFlow automates all seven steps with complete compliance documentation in under 5 minutes 

What Exactly is an "AML Check"?

Most practices use “AML check” to mean “we verified their passport.” That’s step two of seven. 

An AML check is the complete verification and assessment process required under Money Laundering Regulations 2017. While the regulations don’t prescribe a specific number of steps, best practice involves seven key procedures: 

  • collecting client information 
  • verifying identity and address 
  • identifying beneficial owners  
  • screening against sanctions lists 
  • assessing risk 
  • classifying the client 
  • establishing ongoing monitoring 

Each step serves a different compliance purpose. Identity verification proves who they are. Risk assessment determines how closely you monitor them. Sanctions screening ensures you’re legally allowed to work with them. 

You can perfectly execute six steps and still fail compliance if you miss one. HMRC doesn’t accept partial completion. 

Need Complete Guidance on AML Compliance? 

 Understand your complete obligations under Money Laundering Regulations 2017, from customer due diligence procedures to identity verification requirements and ongoing monitoring. 

 Read the Complete Guide: 2025 Guide to AML & Identity Verification Rules for Accountants → 

The Seven Steps of an AML Check

Before diving into client work, every AML process must begin with a clear understanding of who your client is. 

Step 1: Client Information Collection

The AML process starts with collecting complete and accurate client details for both the entity and the individuals who control it. Without a full information set, verification cannot proceed effectively. 

What to Collect: 

  • For Individuals – Full legal name, date of birth, residential address, nationality and occupation. 
  • For Companies – Registered name, company number, registered and trading addresses (if different) and the nature of business. 
  • For both: Details of all beneficial owners holding 25% or more ownership or control. 

It’s essential to record the date, method (email, secure portal, in-person) and person responsible for collecting the information. 

Failing to gather everything upfront leads to repeated client follow-ups and, more seriously, potential regulatory breaches if work begins before verification. 

Step 2: Identity Verification

After collecting client details, the next step is confirming that the individual or business is genuine.  

Identity verification ensures the documents provided are valid, current, and consistent with the information collected earlier. This is what many refer to as an “AML check,” though it’s only one part of the process. 

Client Type Acceptable Documents Notes
Individuals
  • Valid UK or international passport
  • UK photocard driving licence (not provisional)
  • National ID card from EEA countries
  • UK biometric residence permit
 Verify expiry date, check holograms or watermarks, and confirm the photograph matches the person via video call or in-person meeting.
Companies
  • Companies House registration or confirmation statement
  • Identification documents for all directors and beneficial owners
 Ensure company details match the information collected and verify all controlling individuals separately.

Expired documents, birth certificates, employee ID cards, and provisional driving licences are not acceptable. For companies, letterheads, invoices, or website details do not serve as valid verification. 

A compliant verification record should include copies of verified documents, the date of verification, the method used, and the name of the person who conducted it.  

Step 3: Address Confirmation

The third step is confirming that the client genuinely resides or operates at the address provided.  

This must be supported by independently verifiable documents. The required timeframe varies by document type to ensure currency while recognising different update frequencies. Address confirmation helps ensure the client has a real, traceable presence and reduces the risk of impersonation or false representation. 

Client Type Acceptable Documents Notes
Individuals
  • Bank or building society statement
  • Credit card statement
  • Utility bill (gas, electricity, water)
  • Council tax bill
  • Mortgage statement
  • HMRC tax calculation
 Documents must show the client's full name and current residential address. Timeframes vary by document type - typically bank/utility statements within 3 months, council tax bills within 12 months.
Companies
  • Companies House registration confirmation
  • Official correspondence from HMRC
  • Proof of address for all directors and beneficial owners
 Confirm that the address represents the genuine trading location, not only a registered office service.

Mobile phone bills, insurance documents, gym memberships, or documents that are excessively old relative to your firm’s risk-based policies are not valid proof of address. Most firms require bank statements and utility bills dated within 3-6 months, while accepting council tax bills and tenancy agreements within 12 months.  

For special cases, clients in shared accommodation should provide a letter from the homeowner along with their own proof of address and ID. Clients who have recently moved can use a bank statement showing their new address. 

Each verification record should include a copy of the address proof, the date it was verified, and confirmation that the document meets your firm’s acceptance criteria for that document type based on your risk assessment. 

Step 4: Beneficial Ownership Identification

Identifying the individuals who ultimately own or control the business is a key part of an AML check.  

UK regulations define a beneficial owner as anyone holding 25% or more ownership or control of a company, or someone who exercises significant influence over its management. 

Criteria for Beneficial Owner Notes
Holds 25% or more of shares or voting rights Can be direct or indirect through other entities
Holds the right to appoint or remove the majority of directors Demonstrates control over key decisions
Exercises significant influence or control Includes financial, operational, or strategic influence
Trusts Include settlors, trustees, and beneficiaries with defined interests

How to identify beneficial owners:

  • Review the company’s shareholding structure and, for complex ownership chains, trace through holding companies to the ultimate individuals. 
  • Request a written ownership declaration from the client. 
  • For non-UK entities, obtain equivalent beneficial ownership records. 

It is critical to verify the identity and address of each beneficial owner using the same standards as Steps 2 and 3. The PSC register shows who they are, but verification is still required. 

If no individual meets the 25% threshold, identify and verify senior managing officials such as directors, and document why no beneficial owners were found. 

Step 5: Sanctions & PEP Screening

Checking whether your client, their beneficial owners, or directors appear on sanctions lists or are Politically Exposed Persons. This prevents you from providing services to individuals or entities prohibited under UK and international law. 

The screen involves checking against key lists like HM Treasury sanctions list, OFAC (US) list, United Nations Security Council sanctions list, European Union Sanctions List, PEP databases and more. 

Here’s what the screening result means to accountants:

Screening Result What You Must Do
Sanctions match Legally prohibited from establishing relationship. Cannot provide services. Must report to relevant authority. No exceptions.
PEP identification Apply Enhanced Due Diligence: senior management approval, source of wealth verification, enhanced monitoring.
Adverse media match Investigate further. May trigger Enhanced Due Diligence or relationship refusal.

Screening should occur during onboarding, be updated continuously as lists change, at each periodic review, and whenever key individuals in the client entity change. 

All checks must be documented, including date, lists reviewed, results, and who conducted the screening. Manual checks alone are insufficient. 

Step 6: Risk Assessment & Classification

After completing client verification, address confirmation, beneficial ownership checks, and sanctions/PEP screening, the next step is evaluating the money laundering risk the client may pose. This helps determine how closely you need to monitor the relationship and what level of due diligence is required. 

You can consider factors like the client’s business sector (for example, cash-intensive businesses, property development, gambling, or cryptocurrency), geographic location (high-risk jurisdictions or offshore centres), transaction patterns (high-value, complex, or unusual transactions), ownership structure (complex chains, offshore entities, frequent changes), and client behaviour (reluctance to provide information or adverse media coverage).  

Following this, you can then classify the clients, which determines your approach.  

Risk Level Requirements
Low risk Standard Customer Due Diligence, annual reviews, routine monitoring
Medium risk Additional verification, quarterly or semi-annual reviews, closer monitoring
High risk Enhanced Due Diligence, senior approval, source of wealth verification, continuous monitoring, minimum quarterly reviews

It’s important to document the assessment properly. Keep a record of the completed risk assessment, the classification decision with a brief written rationale, the date of assessment, who conducted it, and the appropriate sign-off. This ensures transparency, supports future reviews, and forms an integral part of the steps of an AML check for accountants.  

Step 7: Ongoing Monitoring & Periodic Reviews

Continuous verification ensures client information remains accurate and that the business relationship operates as expected.  

It includes tracking transactions for unusual patterns, keeping client records up to date, re-screening against daily-updated sanctions lists, reviewing changes in ownership or control, and flagging any suspicious activity for investigation. 

You must also conduct periodic reviews of clients based on their risk level. Low-risk clients should be reviewed at least once a year, medium-risk clients every three to six months, and high-risk clients require continuous monitoring with formal reviews at least quarterly.  

In some circumstances, accountants may need to conduct an immediate re-assessment if specific triggers arise. These include:

  • Appointment of new directors or beneficial owners
  • Changes in business activities 
  • Unexplained wealth or unusual transactions 
  • Adverse media coverage 
  • Client reluctance to provide updated information 

When suspicious activity is identified, accountants may need to carry out Enhanced Due Diligence or file a Suspicious Activity Report (SAR) with the National Crime Agency. 

Always ensure that documentation is maintained for each review, including the date of completion, findings, updates to client information or risk classification, next review due date, and the name of the reviewer. 

Need the Complete List of AML Requirements? 

See every regulatory obligation accountants must meet under Money Laundering Regulations 2017, from registration requirements to record-keeping standards. 

Read the Complete List: 2025 AML Rules for Accountants in the UK → 

Documentation: The Eighth "Hidden" Step

You can execute all seven steps perfectly and still fail compliance if you can’t prove it. Documentation transforms verification actions into compliance evidence. 

Here’s what HMRC expects: 

  • Timestamped records of every action at each step 
  • Clear audit trail showing who did what when 
  • Documented rationale for decisions, especially risk classification 
  • Retention of all source documents 
  • Immediate accessibility during inspections 

During HMRC inspections, you must produce evidence on demand. “We definitely did it” without documentation is identical to not doing it at all. The documentation is the compliance. 

Common Mistakes at Each Step of AML Check

Even practices with good intentions create compliance gaps through common mistakes. Here’s what goes wrong at each stage and how to fix it. 

Step Common Mistake How to Fix It
1. Client Information Collection Starting work before collecting all required information Use standardised intake forms that block progression until complete
2. Identity Verification Accepting expired documents or not verifying photo matches individual Check expiry dates systematically and require video call or in-person meeting
3. Address Confirmation Accepting documents beyond acceptable timeframes for their type or not verifying company trading addresses Date-check every document and verify where business actually operates
4. Beneficial Ownership Identification Accepting PSC register without verifying individuals or missing beneficial owners in complex structures Verify each beneficial owner's identity and address. Trace through holding companies
5. Sanctions and PEP Screening Manual Google-only searches or screening client but not beneficial owners Use comprehensive databases and screen every individual identified
6. Risk Assessment Inconsistent classification between clients or no documented rationale Use standardised assessment templates and document specific factors considered
7. Ongoing Monitoring No scheduled reviews or not re-screening when sanctions lists update Calendar periodic reviews and implement continuous re-screening

Most mistakes aren’t intentional. They’re gaps in processes or understanding. Systematic approaches eliminate them. 

How FigsFlow Handles All Seven Steps of AML Check

Here’s the workflow in FigsFlow: 

Steps of an AML Check (Explained for Accountants)

FigsFlow unifies every stage of AML compliance into a single, intuitive workflow that mirrors how accounting practices operate. 

The process starts with client verification, collecting and confirming identity and address documents via email or a secure portal. Once verified, the details are added to the client record, creating a clear foundation for compliance. 

Clients are then screened against global sanctions lists, adverse media, and government databases to ensure regulatory requirements are met. The system generates clear compliance reports, making review straightforward and reducing manual effort. 

Risk assessments are tailored to each client type, allowing junior staff to gather information while senior staff assign the final rating. Based on this rating, the appropriate level of due diligence (CDD and EDD) is performed, whether simplified, standard or enhanced. Additional documentation can be requested as needed, ensuring the process remains consistent and policy-driven. 

Additionally, FigsFlow also provides proposal management, engagement letters, and pricing solutions in a single integrated platform. You can manage your entire client onboarding and compliance workflow from first contact through ongoing relationship management. 

All this comes at a price of: 

£8/month for proposals and engagement letters + £10/month for AML module + £2.10 per check. Compare that to standalone AML tools charging £60 to £80 per check or £200+ monthly subscriptions. 

Want to see how FigsFlow handles all seven steps with complete audit trails? 

Try FigsFlow free for 30 days and see for yourself how it completes AML checks in minutes with automatic documentation that proves compliance. 

Start Your Free Trial → 

Additional Resources 

Money Laundering Regulations 2017 – Money Laundering Regulations 2017: consultation 

HMRC Customer Due Diligence Guidance – ECSH33335 – Enhanced due diligence 

What is an AML Check? – What is an AML Check| FigsFlow

Complete Guide to AML Software for Accountants – Everything you need to know about AML software

Explore Top AML Software for Accountants – Top 6 AML Software for Accountants in 2025 | FigsFlow

Conclusion

Most firms think they’re doing AML checks. Most firms are actually doing identity verification plus a few other bits when they remember. 

The gap between “I’ve done the AML check” and actually completing all seven steps with proper documentation creates the compliance failures HMRC finds during inspections. 

Close the gap by understanding what each step requires, documenting every action, and using systems that ensure nothing gets missed. Manual processes work when they’re thorough. Automated processes work because they’re thorough by design. 

Want to see how FigsFlow handles all seven steps with complete audit trails? 

 Book a demo and we’ll show you exactly how it works for your practice.  

Book a Demo → 

Frequently Asked Questions

What are the steps of AML check?

The steps of an AML check are client information collection, identity verification, address confirmation, beneficial ownership identification, sanctions and PEP screening, risk assessment and classification, and ongoing monitoring. All seven steps must be completed before establishing a business relationship with any client. 

How long does an AML check take?

Manual AML checks typically take 30 to 45 minutes per client when done properly. With purpose-built AML software like FigsFlow, comprehensive checks complete in 3 to 5 minutes with better accuracy and automatic documentation. 

What documents are needed for AML checks?

You need government-issued photo ID (passport, photocard driving licence, or national identity card), proof of address (utility bill or bank statement dated within 3 months, or council tax bill dated within 12 months), and for companies, Companies House confirmation plus beneficial owner details with ID and address for each. All documents must be current, with expired documents being unacceptable for compliance purposes. 

What is the difference between KYC and AML?

KYC (Know Your Customer) refers specifically to the identity and address verification components of an AML check. An AML check is broader, including KYC verification plus beneficial ownership identification, sanctions and PEP screening, risk assessment, and ongoing monitoring. KYC is steps 2 and 3 of the complete seven-step AML process. 

Who needs to do AML checks in the UK?

UK accountants, bookkeepers, tax advisers, auditors, and trust or company service providers must conduct AML checks for every client receiving regulated services. Money Laundering Regulations 2017 requires these professionals to complete Customer Due Diligence before onboarding clients. HMRC enforces compliance with penalties for firms that fail to conduct proper checks. 

Don’t forget to share this post!

The Future of Proposals, Pricing & Engagement is Here!
Sign Up
Book a Demo
figsflow demo & trial

Related Articles

Log In
Book a Demo
Start 30-day free trial