Customer due diligence under the Money Laundering Regulations 2017 is not a tick-box exercise. A proper client file evidences who the client is, who owns and controls them, where their funds come from, and that the firm has applied the right level of scrutiny based on a documented risk assessment.
This listicle sets out the eight documents that should be present in every standard-risk client file at a UK accountancy or professional service firm. The list is not exhaustive - enhanced due diligence engagements will add more, and simplified due diligence engagements may require less - but it is a practical baseline that aligns with AMLSF and AASG guidance.
1. Photographic identity verification
A current passport, photocard driving licence, or national identity card for each individual you need to identify - typically the directors and beneficial owners of a company client, plus the client themselves where they are a sole trader.
Verification is not just about having a copy. The standard is to satisfy yourself that the document is genuine and that the photograph matches the person you are dealing with. In 2026, electronic ID verification using biometric matching is widely accepted as part of a CDD process, provided the vendor and the methodology are documented in the firm's policies.
2. Proof of residential address
A second document, dated within the last three months in most firms' policies, that confirms the individual's current residential address. Acceptable documents typically include:
- A utility bill (not mobile phone)
- A bank or credit card statement on the institution's letterhead
- A council tax bill or HMRC tax document
- A current tenancy agreement
- A solicitor's letter confirming a recent property transaction
3. Companies House certificate of incorporation
For limited company clients, the certificate of incorporation evidences legal existence. Pair it with a current Companies House extract showing the registered office, directors, and persons with significant control. A document dated more than 30 days before the onboarding date should be refreshed.
Verifying against Companies House directly is a near-zero-cost step that catches a meaningful number of inconsistencies - directors who have resigned, registered offices that have moved, ownership changes that have not been disclosed by the client. Many practice management platforms now offer a live Companies House lookup at the point of onboarding.
4. Articles of association and any shareholder agreement
The current articles, together with any unanimous shareholder agreement, govern the company's decision-making and the rights of different share classes. Without them, you cannot reliably establish who exercises control.
Pay particular attention to weighted voting rights, veto rights held by minority shareholders, and any provisions that allow a third party to direct the company's actions. These elements determine beneficial ownership in substance, not just on the share register.
5. Beneficial ownership register and PSC statement
A documented register of persons with significant control - anyone with more than 25% of the shares or voting rights, or who otherwise exercises significant control over the company. The PSC information held by Companies House should be cross-referenced with the company's internal register and any group structure documentation.
For complex group structures, request an organisation chart that traces ownership up to the ultimate beneficial owner. Where ownership passes through non-UK entities, additional verification of foreign incorporation documents and registers will usually be needed.
6. Source of funds confirmation
For most standard-risk clients, a written statement from the client describing the source of funds for the business is sufficient at onboarding. For higher-risk clients, documentary evidence is needed - recent payslips, audited accounts, contracts of sale, inheritance documentation, or settlement agreements that corroborate the explanation given.
The bar to clear is that an independent reader of the file should be able to follow how the funds in question arose. Vague statements like "private wealth" or "family money" are not adequate on their own, regardless of risk tier.
7. Sanctions and PEP screening output
Every client, beneficial owner, and director should be screened against the UK consolidated sanctions list and against politically exposed persons lists at onboarding and on a periodic basis through the engagement. The screening output - including the search terms used, the date and time of the search, and the result - should be saved in the client file.
A negative screening result is not the end of the work. PEP status, sanctions hits, and adverse media flags trigger enhanced due diligence and senior officer approval. Be sure your workflow distinguishes between a clear pass and a result that needs partner review.
8. Signed client risk assessment
The final document is the firm's own. A written risk assessment, signed by the engagement partner or MLRO, that records the conclusion of the CDD work and the basis for assigning the client to a particular risk tier. It should reference the documents collected, the screening results, the sector and geography of the client, and any specific factors that drove the assessment up or down.
A clean risk assessment is the document that an inspector will ask for first. If it is missing, every other document in the file is harder to defend; if it is present and properly reasoned, the rest of the file falls into place around it.
Storage, retention, and refresh
KYC documents must be retained for at least five years from the end of the client relationship under MLR 2017. They should be stored securely, with access controlled and audit-logged. Documents should be refreshed periodically - annually for higher-risk clients, biennially for standard risk, and on any material change in the client's circumstances.
A common failing in supervisor inspections is the absence of a refresh trail. Even where documents are present, if they are all dated from the original onboarding and the firm cannot show that ongoing monitoring has been applied, the file falls short.
How Accupe handles KYC collection
Accupe collects, verifies, and stores KYC documents within a single secure workflow. The encrypted client portal handles document upload; Companies House integration pulls company data automatically; OpenSanctions screening returns sanctions and PEP results in seconds; AI document analysis reads identity documents and extracts the relevant fields with source citation; and Compliance Radar tracks expiry dates so refresh cycles never lapse. The complete CDD pack is available as an inspection-ready export at any time.