AML Compliance for Small UK Accounting Firms (2026 Guide)
Updated April 2026
Anti-money laundering (AML) compliance is one of the most stressful parts of running a small UK accounting firm. The rules are complex, the penalties are real, and most guidance is written for large firms with dedicated compliance teams. This guide is for the rest of us — solo practitioners, bookkeepers, and small firms who need to get AML right without spending a fortune.
Do you need AML compliance?
If you are an accountant, bookkeeper, tax adviser, or auditor in the UK, the Money Laundering Regulations 2017 (MLR 2017) apply to you. There is no minimum firm size and no exemption for solo practitioners. The regulations apply if you provide accountancy services in the course of business — period.
The penalties for non-compliance are severe: unlimited fines, up to 2 years in prison for serious breaches, and being struck off your professional register. Your AML supervisor (ICAEW, ACCA, AAT, HMRC, or another body depending on your membership) will inspect your records. Inspections are increasingly frequent and detailed.
The 5 things every small firm must do
1. Register with your AML supervisor
If you are a member of a professional body (ICAEW, ACCA, AAT, CIMA, ATT, CIOT, IFA, ICAS, CIPFA), they supervise you automatically as part of your membership. You may need to confirm to them that you provide AML-regulated services.
If you are not a member of any of these bodies, you must register with HMRC. The annual fee is currently around £300. You cannot legally provide accounting services to the public without being supervised.
2. Conduct a firm-wide risk assessment
Before you assess individual clients, you need a documented assessment of the risks your firm faces. This covers your client base (do you have many cash-intensive businesses?), the services you offer (company formation is higher risk than basic bookkeeping), the geographic locations of your clients (international clients in high-risk jurisdictions), and your delivery channels (face-to-face vs remote).
The output is a written risk assessment document. Update it at least annually and whenever your firm changes significantly. Inspectors will ask to see this on day one.
3. Customer Due Diligence (CDD) for every client
Before you start work for a new client — and periodically for existing clients — you must verify who they are. The standard requirements:
- Identity verification: passport, photo driving licence, or national ID card.
- Address verification: utility bill, bank statement, mortgage statement, or council tax bill — dated within the last 3 months.
- Beneficial owners: for company clients, identify and verify anyone owning more than 25% of the company.
- Source of funds: where is their money coming from? Salary, business income, inheritance, sale of property?
- Source of wealth: how did they accumulate their overall wealth?
For higher-risk clients (politically exposed persons, complex offshore structures, cash-intensive businesses), conduct Enhanced Due Diligence (EDD): additional checks, senior management approval, and ongoing monitoring.
4. Ongoing monitoring and record keeping
AML is not a one-time check at onboarding. Throughout the engagement you must monitor for unusual activity: large unexpected transactions, requests for unusual services, payments from unrelated third parties, sudden changes in business model.
Keep all AML records — ID copies, risk assessments, CDD notes, monitoring logs, internal SAR considerations — for at least 5 years from the end of the client relationship. Records must be retrievable on demand.
5. Suspicious Activity Reports (SARs)
If at any point you know or suspect that a client is involved in money laundering or terrorist financing, you must file a Suspicious Activity Report (SAR) with the National Crime Agency (NCA). There is no minimum threshold — even small amounts can trigger a SAR if the activity looks suspicious.
You must never tell the client that you have filed a SAR. This is called "tipping off" and is a criminal offence carrying up to 5 years in prison. SARs are confidential between you and the NCA.
Common mistakes that get firms in trouble
- Storing ID documents in email. Email is not a secure document store. If your account is hacked, every client's passport copy is compromised — and your supervisor will treat this as a serious data breach on top of an AML failure.
- No documented risk assessment. Your firm-wide risk assessment is the first thing any inspector asks for. "We do it informally" is not an acceptable answer.
- Forgetting periodic reviews. CDD is not just at onboarding. High-risk clients need re-checking annually; medium-risk every 2-3 years; low-risk every 3-5 years.
- Missing beneficial owners. For company clients, you must identify everyone owning more than 25%. "The director told me there are no other shareholders" is not verification.
- No staff training. Even if you are a sole practitioner, you must document that you have trained yourself on AML. Firms with staff need annual training records for each employee.
How software helps you stay compliant
You can technically run an AML programme on paper. Most small firms do — until their first inspection, when it becomes obvious that paper-based compliance is a liability. The alternative: a practice management platform that bakes compliance into your client workflow.
What to look for in software for AML:
- Encrypted document storage: ID copies, address proofs, and beneficial owner records stored with AES-256 encryption, never in email.
- Per-client compliance notes: a dedicated area on each client's file for risk assessment, CDD evidence, and ongoing monitoring notes.
- Full audit trail: every document upload, view, edit, and download timestamped with the user who did it.
- Secure client portal: clients upload ID documents directly to you instead of emailing them, eliminating insecure email transfers.
- Review reminders: automated reminders to re-do CDD on schedule (annually for high-risk, every 3 years for low-risk).
- 5-year data retention: documents and audit logs preserved for the required retention period — even after a client leaves.
FirmFlow handles all of this in one place — the encrypted document storage, the per-client compliance area, the audit trail, the secure client portal. Starting at €29/month flat for up to 5 team members. Setup takes 10 minutes.
What a real inspection looks like
Your AML supervisor (ICAEW, ACCA, HMRC, etc.) will visit your office or do a remote inspection. They typically ask for:
- Your firm-wide written risk assessment (current and historical versions).
- Your written AML policies and procedures document.
- A list of all clients with risk ratings (low / medium / high).
- For a sample of clients (typically 5-10): all CDD evidence, risk assessment notes, and ongoing monitoring records.
- Your training records for yourself and any staff.
- Evidence that you have considered and (if required) filed SARs.
Firms that pass inspections share one thing: their evidence is organised and instantly retrievable. Firms that fail share another: scrambling for paper files, half-remembered conversations, and ID copies scattered across email folders.
Quick AML compliance checklist
- ☐ Registered with appropriate AML supervisor
- ☐ Written firm-wide risk assessment, dated within last 12 months
- ☐ Written AML policies and procedures document
- ☐ Each client has documented risk rating
- ☐ Each client has verified ID + address evidence on file
- ☐ Each company client has beneficial owners identified and verified
- ☐ Source of funds and source of wealth documented for each client
- ☐ Ongoing monitoring notes for each engagement
- ☐ All AML records stored securely (encrypted, not email)
- ☐ AML training completed and documented annually
- ☐ SAR procedures documented and known by all staff
Frequently asked questions
Do small UK accounting firms really need AML compliance?
Yes. The Money Laundering Regulations 2017 (MLR 2017) apply to every accountant, bookkeeper, tax adviser, and auditor in the UK regardless of firm size — even sole practitioners. Penalties for non-compliance include unlimited fines and up to 2 years in prison. Your supervising body (ICAEW, ACCA, AAT, CIMA, or HMRC) will also conduct inspections.
Who supervises my firm for AML compliance?
It depends on your professional membership. ICAEW, ACCA, AAT, CIMA, ATT, CIOT, IFA, ICAS, and CIPFA each supervise their own members. If you are not a member of a professional body, HMRC supervises you (you must register with HMRC and pay an annual fee — currently around £300).
What client information do I need for AML compliance?
For each client you must verify identity (passport, driving licence, or national ID), verify address (utility bill, bank statement, council tax bill — dated within 3 months), identify beneficial owners for company clients (anyone owning more than 25%), and assess risk level (low, medium, high). Higher-risk clients require enhanced due diligence.
How long must I keep AML records?
Five years from the end of the business relationship with each client, or five years from the date of the transaction (whichever is later). Records must be retrievable on request from your supervising body or law enforcement.
What is a SAR and when must I file one?
A Suspicious Activity Report (SAR) is filed with the National Crime Agency (NCA) when you know or suspect a client is involved in money laundering or terrorist financing. There is no minimum threshold — even small amounts can trigger a SAR. Tipping off the client that you have filed a SAR is a criminal offence.
Can practice management software help with AML compliance?
Yes. The right software stores client ID documents securely (with encryption and audit trails), tracks risk assessments per client, sets review reminders, and provides a complete document trail when your supervisor inspects. FirmFlow handles all of this — secure document storage, per-client compliance notes, audit logs, and a dedicated AML evidence area in every client file.
Make AML compliance the easy part of your firm
Encrypted document storage, per-client compliance areas, full audit trails. €29/month flat for up to 5 team members.
This article provides general guidance on UK AML compliance for accounting firms. It is not a substitute for professional advice. For specific compliance questions, consult your supervising body or a qualified compliance specialist.