Get MTD for Income Tax ready
80% off your first 6 months + a £25 voucher offer

Get a £25 voucher when you send your first quarterly update to HMRC through Xero by the 7 August 2026 deadline. Voucher offer ends 7 August. Terms apply

Guide

AML compliance for accountants: a UK practice guide

How to build a robust AML framework, meet UK regulatory requirements, and streamline compliance across your practice.

A blue circle with a padlock and a smaller circle with a woman working at a laptop

Published Thursday 11 June 2026

Table of contents

Key takeaways

  • The Money Laundering Regulations 2017 (MLR 2017) set out your core obligations, from firm-wide risk assessments to customer due diligence (CDD), and appointing a money laundering reporting officer (MLRO).
  • HMRC increased AML enforcement actions by 400% year-on-year in FY 2024/25, conducting over 2,000 interventions, so supervisory scrutiny is intensifying across the profession.
  • Technology can reduce the manual burden of AML compliance; cloud-based tools like Xero Practice Manager help you centralise records, track deadlines, and maintain audit trails.
  • A risk-based approach to training and ongoing monitoring keeps your practice proportionate and audit-ready, rather than relying on a tick-box annual cycle.

What does AML compliance mean for UK accounting practices?

UK accounting practices that provide accountancy services, tax advisory, or trust and company services are subject to anti-money laundering (AML) regulations. Your primary obligations sit under three pieces of legislation: the MLR 2017, the Proceeds of Crime Act 2002 (POCA), and the Terrorism Act 2000.

The MLR 2017 requires you to carry out risk assessments, apply CDD, maintain internal controls, and report suspicious activity. POCA creates the criminal offences of money laundering itself, while the Terrorism Act addresses terrorist financing. Together, they form the regulatory framework you're expected to operate within.

Your AML supervisory body depends on your professional membership. If you're a member of ICAEW, ACCA, or AAT, your professional body supervises your AML compliance directly. Practices without professional body supervision fall under HMRC. The Office for Professional Body Anti-Money Laundering Supervision (OPBAS), part of the Financial Conduct Authority, oversees the consistency and effectiveness of professional body supervision across the sector.

Enforcement is accelerating. HMRC increased AML enforcement actions by 400% year-on-year in FY 2024/25, conducting over 2,000 interventions. Between October 2024 and March 2025, 91 accountancy firms received £538,916 in penalties. From 1 December 2025, every civil AML penalty also carries a £2,000 sanction administration charge. The regulatory direction is clear: non-compliance carries real financial and reputational consequences.

How to build an AML framework for your practice

An effective AML framework brings together risk assessment, due diligence, reporting structures, and internal controls into a coherent system. The MLR 2017 sets out the specific requirements, but building a framework that works in practice means going beyond the minimum and designing processes your team can follow consistently.

Conducting a firm-wide risk assessment

Regulation 18 of the MLR 2017 requires you to carry out a documented risk assessment that identifies and assesses the money laundering and terrorist financing risks your practice faces. This isn't a one-off exercise; it needs to reflect your current client base, services, and delivery channels.

Your risk assessment should consider factors including:

  • Client risk: the types of clients you act for, their ownership structures, and geographic locations.
  • Service risk: the nature of the services you provide, for example trust and company services carry higher inherent risk than personal tax returns.
  • Delivery risk: whether you deal with clients face to face or remotely, and how that affects your ability to verify identity.
  • Geographic risk: whether clients or their activities involve jurisdictions with weaker AML controls.

The assessment must be proportionate to the size and nature of your practice. A sole practitioner handling personal tax returns will have a different risk profile from a mid-tier firm providing corporate advisory services. Document your methodology, findings, and any risk-mitigation measures clearly. Cloud-based tools like Xero can help you maintain organised records that support your risk assessment documentation.

Customer due diligence: CDD and EDD

Standard CDD applies to all new client relationships and involves verifying the client's identity, understanding the nature of the business relationship, and identifying beneficial owners where relevant. You need to obtain this information before establishing the relationship, or during if delay is justified and documented.

Enhanced due diligence (EDD) is required in higher-risk situations. These include clients who are politically exposed persons (PEPs), relationships involving high-risk third countries, and complex or unusually large transactions without an apparent economic purpose. EDD means applying additional verification measures, scrutinising the source of funds more closely, and conducting more frequent ongoing monitoring.

Following the January 2024 amendment to the MLR 2017, domestic PEPs now require a risk-based approach rather than automatic EDD. You should assess the actual risk a domestic PEP presents and apply proportionate measures accordingly.

Under Regulation 40, you must retain CDD evidence for five years after the business relationship ends. This includes copies of identification documents, records of transactions, and correspondence relating to your due diligence process.

Appointing an MLRO

Regulation 21 of the MLR 2017 requires practices to appoint a nominated officer, commonly known as the MLRO. This person must be a member of the board of directors, senior management, or the management body, and they're responsible for receiving internal suspicious activity reports and deciding whether to submit a suspicious activity report (SAR) to the National Crime Agency (NCA).

The MLRO should have sufficient seniority and authority to make reporting decisions independently. They also need a thorough understanding of your practice's AML policies, the regulatory environment, and the types of risk your client base presents.

Setting up internal controls

Robust internal controls underpin every other element of your AML framework. The MLR 2017 requires you to establish and maintain policies, controls, and procedures that address risk assessment, CDD, reporting, record-keeping, and employee screening.

Your internal controls should cover:

  • Employee screening: checking the background and integrity of staff in AML-relevant roles before and during employment.
  • Policies and procedures: documented, accessible, and reviewed regularly to reflect regulatory changes and evolving risks.
  • Compliance oversight: a designated compliance officer, or the MLRO in smaller practices, with responsibility for monitoring adherence.
  • Independent audit: where appropriate given the size and nature of your practice, an independent audit function to test the effectiveness of your AML systems.

How to identify and report suspicious activity

Recognising suspicious activity is as much about professional judgement as it is about following checklists. Your team needs to understand what constitutes a red flag and know exactly how to escalate concerns internally.

Common red flags to watch for include:

  • Large cash deposits or transactions that don't match the client's known profile or business activity.
  • Unusually complex ownership structures with no clear commercial rationale.
  • Reluctance to provide identification documents or evasiveness about the source of funds.
  • Third-party funding of transactions where the relationship between parties is unclear.
  • Frequent changes to company structures, directors, or beneficial owners without obvious business reasons.

When a member of your team suspects money laundering or terrorist financing, they should report it internally to the MLRO. The MLRO then assesses whether to file a SAR with the NCA. SARs can be submitted through the NCA's online reporting portal.

Be aware of the tipping-off offence under POCA. Once you know or suspect a SAR has been or will be filed, disclosing that fact to the client, or anyone else who might prejudice an investigation, is a criminal offence. Train your team to handle these situations carefully and to seek guidance from the MLRO before discussing concerns with clients.

How to use technology to streamline AML compliance

AML compliance generates significant administrative overhead: identity verification, record retention, ongoing monitoring, and audit documentation all demand time. The right technology can reduce that burden and improve the consistency of your processes.

Digital identity verification is becoming more standardised. The UK government published the Digital Verification Services (DVS) trust framework in February 2026, setting standards for digital identity verification services. This gives you confidence that certified digital identity providers meet a consistent benchmark, making electronic verification a more reliable alternative to manual document checks.

Companies House reforms are also changing the compliance landscape. The Authorised Corporate Service Provider (ACSP) registration, voluntary from March 2025 and mandatory from spring 2026, requires accountants and other professional agents to register with Companies House before filing on behalf of clients. This introduces another layer of identity verification at the registration stage.

Cloud-based practice management software helps you centralise AML records alongside your broader client management. Xero Practice Manager lets you track client engagements, manage workflows, and set compliance deadlines in one place. For Companies House filings, CAS 360 integrates directly, helping you manage company secretarial tasks and maintain accurate corporate records.

Centralised digital records also strengthen your audit trail. When your supervisory body reviews your AML compliance, having well-organised, searchable records demonstrates that your policies aren't just documented but actively followed.

AML training and ongoing monitoring

Training is a regulatory requirement, but it's most effective when it's tailored to the actual risks your practice faces rather than delivered as a generic annual exercise. The MLR 2017 requires you to ensure relevant employees receive appropriate AML training, but it doesn't prescribe a fixed annual cycle.

A risk-based approach to training frequency works better. Consider more frequent training when your practice takes on new service lines, enters new markets, or experiences significant changes to its client base. New joiners should receive AML training as part of their induction, and refresher training should be triggered by regulatory updates or emerging risk trends rather than a calendar date alone.

Ongoing monitoring means reviewing existing client relationships, not just new ones. CDD refresh should be triggered by specific events: a material change in the client's business, a transaction that doesn't fit the established pattern, or a change in beneficial ownership. Documenting when and why you refresh CDD demonstrates a proportionate, risk-based approach to your supervisor.

Quality assurance ties everything together. Periodically review a sample of client files to check that CDD was completed correctly, that risk assessments are up to date, and that any red flags were properly escalated. Tools like Xero HQ can help you maintain oversight of your client portfolio while you manage compliance workflows. Keep records of your quality assurance reviews as evidence of your compliance culture.

Simplify AML compliance with Xero

Building a strong AML framework doesn't have to mean more complexity. With the right tools and a structured approach, you can turn compliance into an efficient, integrated part of your practice operations. Join the partner programme to access practice management tools, support, and resources that help you stay organised and audit-ready.

FAQs on AML compliance for accountants

Here are some frequently asked questions about AML compliance for accounting practices in the UK.

What are the AML obligations for accountants in the UK?

UK accountants providing regulated services must comply with the MLR 2017, which requires firm-wide risk assessments, customer due diligence, appointment of an MLRO, and suspicious activity reporting. Failure to meet these obligations can result in civil penalties, criminal prosecution, and reputational damage.

What is the difference between CDD and EDD?

CDD involves verifying a client's identity, understanding the business relationship, and identifying beneficial owners. EDD applies in higher-risk situations, such as dealing with PEPs or clients in high-risk jurisdictions, and requires additional verification measures and closer scrutiny of the source of funds.

Who supervises accountants for AML in the UK?

It depends on your professional body membership. If you hold membership with a recognised body, that body acts as your supervisor. Otherwise, HMRC supervises your practice directly. Check your supervisor's website for their specific AML guidance, as requirements and inspection approaches vary between bodies.

What are the penalties for AML non-compliance?

Penalties range from financial sanctions to criminal prosecution. HMRC regularly publishes lists of fined businesses, and the amounts can be significant for practices of any size. Since December 2025, every civil penalty also carries an additional administration charge, increasing the overall cost of non-compliance.

Do sole practitioners need to appoint an MLRO?

Yes. Regulation 21 of the MLR 2017 requires all practices to appoint a nominated officer responsible for receiving internal reports and deciding whether to file SARs with the NCA. For sole practitioners, this typically means appointing yourself as MLRO and documenting that decision formally.

Become a Xero partner

Join the Xero community of accountants and bookkeepers. Collaborate with your peers, support your clients and boost your practice.

Disclaimer

Xero does not provide accounting, tax, business or legal advice. This guide has been provided for information purposes only. You should consult your own professional advisors for advice directly relating to your business or before taking action in relation to any of the content provided.