Best AML Compliance Practices for Small Accounting Firms

Small accounting firms face the same strict AML obligations as banks. This guide breaks down customer due diligence, risk assessments, and record keeping requirements into practical steps that work for practices of any size.

In November 2024, Metro Bank was fined nearly £17 million by the Financial Conduct Authority for failing to properly monitor potential money laundering activities. Just a month earlier, Starling Bank faced a £29 million penalty for similar compliance failures.   

These aren’t isolated incidents. They represent a growing trend of UK regulators taking AML compliance seriously and imposing significant financial penalties on businesses that fall short. 

You might be thinking that your small accounting practice bears little resemblance to a major banking institution. You would be right. But the Money Laundering Regulations 2017 apply to accounting firms just as strictly as they do to banks.  

This guide breaks down your actual obligations and shows you practical implementation steps that work for small firms. 

KEY TAKEAWAYS
  • Small accounting firms must conduct customer due diligence when establishing new client relationships, when existing client circumstances change significantly, and for occasional transactions exceeding £15,000 
  • A risk-based approach allows you to tailor compliance procedures to actual threats your practice faces, with different measures for standard clients versus high-risk situations like politically exposed persons or non-face-to-face relationships 
  • Every firm must appoint a nominated officer to receive internal suspicion reports and file Suspicious Activity Reports with the National Crime Agency, regardless of practice size 
  • Proper record keeping of all due diligence measures, risk assessments, and client documentation must be maintained for five years after the business relationship ends 
  • A written policy statement documenting your AML procedures, staff training requirements, and internal reporting processes is mandatory even for sole practitioners and small practices 

What is AML Compliance?

Anti-Money Laundering compliance refers to the legal framework designed to prevent criminals from disguising illegally obtained funds as legitimate income.  

What are the stages of money laundering? 

Money laundering typically occurs in three stages. During placement, criminals introduce illicit money into the financial system. The layering stage involves moving that money through various transactions to obscure its origin. Finally, integration sees the money reintroduced into the legitimate economy, appearing to come from lawful sources. 

For accounting firms, AML compliance means implementing systems and controls that prevent your services from being used in any of these three stages. This includes: 

  • verifying client identities,  
  • understanding the source of funds you handle,  
  • monitoring for suspicious transactions, and  
  • reporting concerns to the appropriate authorities  

The goal is not to turn you into a law enforcement officer. Rather, it is to ensure that professional service providers maintain vigilance and create barriers that make money laundering more difficult. 

The risk-based approach at the heart of UK AML regulations acknowledges that not every client presents the same level of risk. A long-standing client who is a residential landlord with straightforward rental income presents different risks than a new client operating a cash-intensive business with complex ownership structures and international transactions. Your compliance measures should reflect these different risk profiles while meeting minimum regulatory requirements across your entire client base. 

What Are the Main AML Regulations in the UK?

Three primary pieces of legislation govern AML compliance for UK accounting firms.

The Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 form the backbone of your obligations. This regulation, commonly referred to as MLR 2017, was amended in 2019 to incorporate the EU’s 5th Anti-Money Laundering Directive into UK law. It sets out specific requirements for customer due diligence, record keeping, internal controls, and reporting obligations.

The Proceeds of Crime Act 2002 establishes the criminal offences associated with money laundering and outlines the framework for confiscating criminal proceeds. This Act is particularly important because it creates a legal obligation to report suspicious activity. Under POCA 2002, failing to report knowledge or suspicion of money laundering when you work in the regulated sector constitutes a criminal offence. The Act also protects you from breach of confidentiality claims when you make a report in good faith.

The Financial Services and Markets Act 2000 provides the regulatory framework for financial services in the UK and establishes the Financial Conduct Authority as a supervisory body. While most small accounting practices fall under HMRC supervision rather than FCA oversight, understanding the broader regulatory landscape helps contextualise your specific obligations.

Who Regulates AML in the UK?

Multiple supervisory authorities oversee AML compliance across different sectors in the UK. 

HM Revenue and Customs serves as your primary supervisor for most small accounting practices. HMRC supervises accountancy service providers, tax advisers, and trust or company service providers.  

This supervision includes the power to conduct compliance visits, request documentation, impose penalties for breaches, and, in serious cases, pursue criminal prosecutions. 

The Financial Conduct Authority regulates firms providing financial services, including some larger accounting practices that offer regulated investment advice or other FCA-authorised activities. If your practice holds FCA authorisation for any services, you fall under dual supervision with different requirements and reporting obligations.  

The National Crime Agency receives Suspicious Activity Reports from all regulated sectors and coordinates the law enforcement response to financial crime.  

The Serious Fraud Office investigates major fraud and corruption cases, which may occasionally involve accounting firms either as victims or unwitting facilitators. 

Understanding which regulator supervises your firm helps you determine where you submit notifications, who might conduct compliance visits, and which guidance documents apply most directly to your situation.  

Who is Subject to AML Regulations in the UK?

The Money Laundering Regulations cast a wide net across professional service providers. Accounting firms fall squarely within the regulated sector, and the regulations don’t distinguish between large practices and sole practitioners. A sole practitioner offering tax advice faces the same fundamental obligations as a multinational accounting network. 

Your accounting firm is subject to AML regulations if you provide: accounts preparation, bookkeeping, tax advice, audit services, insolvency work, or act as a trust or company service provider.  

Beyond traditional accounting services, you’re also regulated if you form companies for clients, act as a director or company secretary, provide registered office services, or act as a trustee. Estate agency work, high-value dealing in goods, and operating as a money service business trigger obligations too. 

The obligations extend to everyone in your firm. You must ensure employees receive appropriate AML training, understand their responsibilities to report suspicions internally, and follow your documented procedures. The concept of a relevant person under the regulations means anyone who encounters clients or handles transactions must be included in your compliance framework. Even your receptionist taking initial client calls should understand basic red flags and know how to escalate concerns. 

Best AML Compliance Practices for Accounting Firms 

Here are the core practices that keep your firm compliant with UK AML regulations. 

Customer Due Diligence 

You must conduct Customer Due Diligence (CDD) when establishing any new client relationship, regardless of whether it’s ongoing accountancy work or a one-off transaction. CDD is also required when you suspect money laundering, when you doubt previously obtained client information, or when a client’s circumstances change significantly.  

The CDD process has three parts.  

  • First, identify your client by collecting their full name, residential address, and date of birth. For individuals, use passports, driving licenses, or government-issued photo ID. Verify addresses through utility bills, bank statements, or council tax bills. For corporate clients, check the company structure through Companies House, verify the entity exists, and identify beneficial owners controlling more than 25%. 
  • Second, verify information through independent sources. Don’t just accept documents at face value. Check against credit reference databases, the electoral register, or other authoritative sources.  
  • Third, understand why this client needs your services, where their funds come from, and what activity levels you expect from the relationship. 

Risk Assessment Framework 

The regulations adopt a risk-based approach explicitly, meaning you tailor procedures to actual threats rather than treating every client identically. When assessing customer risk, consider client type first. A long-standing UK resident with straightforward rental income presents different risks than a newly arrived individual with complex international business structures. 

Services you provide matter too. Basic bookkeeping carries different risk profiles than corporate restructuring or trust administration. Geography plays a role, as clients operating solely in the UK present lower risk than those with interests in high-risk jurisdictions.  

Document your risk assessment for each client. A simple file note explaining why you consider them standard, low, or high risk satisfies the requirement.  

Enhanced Due Diligence Requirements 

Enhanced Due Diligence (EDD) becomes mandatory in specific situations. When clients aren’t physically present during identification, you must take additional steps.  

  • Require the first payment from a bank account in the client’s name,  
  • obtain extra documentation, or  
  • use video verification technology 

Politically exposed persons require enhanced measures regardless of other factors. PEPs include individuals in prominent public positions, their immediate family, and known close associates. UK domestic PEPs need lighter-touch measures compared to non-UK PEPs, but both require senior approval for new relationships and enhanced ongoing monitoring. 

Clients from high-risk third countries identified by the EU also trigger enhanced due diligence. You must obtain source of wealth and source of funds information, apply additional verification measures, and conduct more frequent monitoring throughout the relationship. 

Record Keeping Standards 

Retain copies of all documents used in customer due diligence. This includes identification documents, verification checks, beneficial ownership information, risk assessments, and decision-making notes.  

Keep transaction records showing services provided, amounts charged, and payments received. If you file a Suspicious Activity Report, retain a copy with supporting information. 

The standard retention period is five years from the end of the business relationship or completion of an occasional transaction. Records can be kept as original paper documents, photocopies, scanned digital images, or computerised records. The requirement is accessibility and readability throughout the retention period, not specific format. 

Appointing a Nominated Officer 

Every accounting firm must appoint a nominated officer who receives internal suspicious activity reports and decides whether to file SARs with the National Crime Agency. In small practices, this is typically the principal or owner. Larger firms might designate a senior manager. 

The position requires sound judgment, understanding of money laundering risks, and sufficient seniority to make independent decisions without fee-earning pressures influencing reports. If your firm is FCA-regulated, you must also appoint a Money Laundering Reporting Officer with broader compliance management responsibilities. In small firms, one person often serves both roles. 

Ongoing Monitoring Procedures 

Compliance doesn’t end after initial onboarding. You must maintain awareness of client affairs throughout the relationship through appropriate vigilance during normal interactions. When preparing annual accounts, consider whether the financial position changed dramatically or unexpectedly.  

  • Have new directors been appointed? 
  • Has ownership structure changed?  
  • Are transactions inconsistent with the stated business model? 

Your annual engagement letter renewal provides a natural checkpoint to review client information and refresh risk assessments. If circumstances change in ways that increase risk, apply additional due diligence measures proportionate to the new risk level.  

Written Policy Statement 

Every accounting firm must maintain a written AML policy statement, even sole practitioners.  

Your policy must name your nominated officer and define their responsibilities. It should explain how you conduct customer due diligence, including:

  • how you identify and verify clients,
  • how you assess risk levels, and
  • what enhanced measures you apply in higher-risk situations.

Additionally, it should explain your ongoing monitoring approach, internal reporting procedures, staff training requirements, and how you ensure everyone stays aware of their AML obligations.

Staff Training Requirements

Everyone in your firm needs training appropriate to their role.  

  • Client-facing staff must understand how to conduct due diligence, recognise red flags, and report concerns internally.  
  • Support staff need enough knowledge to identify unusual situations and escalate them appropriately. 

Training doesn’t need to be elaborate or expensive. Annual sessions work for most small practices.  

These sessions should cover basic money laundering awareness, your firm’s specific procedures, and examples of suspicious activity. Keep records of all training delivered, including dates, attendees, and topics covered. HMRC will request these records during supervision visits to verify you’re meeting training obligations. 

Conclusion 

AML compliance for small accounting firms doesn’t need to be overwhelming. The risk-based approach allows you to implement proportionate measures focused on knowing your clients, understanding their money sources, keeping proper records, and reporting genuine suspicions. 

Start with the essentials: appoint a nominated officer, create a written policy, develop systematic customer due diligence procedures, and build record-keeping into your existing file management. Small practices have natural advantages. You know your clients well, can spot unusual behaviour easily, and can implement changes quickly without bureaucratic hurdles. 

Frequently Asked Questions (FAQs)

What are the 4 pillars of AML?

The four pillars are: Risk Assessment (identifying money laundering risks in your business), Customer Due Diligence (verifying client identities and understanding their activities), Transaction Monitoring (detecting unusual or suspicious activity), and Compliance Programs (implementing policies, procedures, and staff training). 

What is the AML risk framework?

An AML risk framework is the structured system of policies and procedures that businesses use to prevent money laundering and terrorist financing. It includes customer verification (KYC), ongoing transaction monitoring, sanctions screening against regulatory watchlists, and risk-based controls tailored to your business activities. 

What is the FCA's role in AML?

The Financial Conduct Authority (FCA) regulates and supervises firms’ compliance with anti-money laundering requirements. It ensures businesses have effective systems to prevent money laundering, terrorist financing, bribery, corruption, and sanctions breaches, conducting reviews and taking enforcement action when firms fail to meet standards.

What is the current anti-money laundering legislation in the UK?

The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) is the primary legislation, as amended by the 2019 and 2022 regulations. These implement EU directives and set out requirements for customer due diligence, record-keeping, and suspicious activity reporting.

Who regulates AML in the UK?

Multiple supervisory bodies oversee AML compliance depending on your sector. The Financial Conduct Authority supervises financial services firms, while professional bodies like HMRC, the Solicitors Regulation Authority, and professional accounting bodies supervise their respective sectors under a shared regulatory framework.

What are the new AML regulations for letting agents in 2025?

From May 2025, all letting agents must conduct financial sanctions checks on every tenancy agreement, regardless of rental value. Previously, checks were only required for tenancies exceeding £10,000 monthly rent. The new rules remove this threshold, requiring sanctions screening for all landlords and tenants without exception.
