The three flavours of due diligence - simplified (SDD), standard customer due diligence (CDD), and enhanced (EDD) - are well defined in regulation but poorly applied in practice. Most UK accounting firms either over-apply CDD (collecting a passport and a utility bill for everyone, treating it as a tick-box) or under-apply EDD (failing to escalate when the risk profile clearly demands it).
This guide turns Regulations 27 to 35 of MLR 2017 into a working decision tree that an onboarding administrator can actually follow, with the judgement calls flagged for review by the MLRO.
Step 1 - Confirm the relationship triggers CDD at all
CDD obligations are triggered when establishing a business relationship, carrying out an occasional transaction above the relevant threshold, suspecting money laundering or terrorist financing, or doubting the veracity of previously obtained identification.
For most accounting and bookkeeping firms taking on recurring clients, the trigger is "establishing a business relationship" - the moment the engagement letter is signed. That triggers a baseline CDD obligation: identify the client, verify the identity, identify beneficial owners and verify their identity on a risk-sensitive basis, and obtain information on the purpose and intended nature of the relationship.
Step 2 - Apply the firm-wide risk assessment lens
Before deciding whether to step up or down from standard CDD, route the prospective client through your firm-wide risk factors: geography (do they operate in or trade with higher-risk third countries listed by the UK), sector (cash-intensive businesses, money service businesses, dealers in high-value goods), structure (complex ownership, nominee arrangements, recent restructures), and product (does the engagement give you control over client money or any signing authority).
Score each factor against your matrix. The output is a provisional risk rating - low, standard, or high - which then determines whether you continue with SDD, CDD or EDD.
Step 3 - When SDD is genuinely available
Simplified due diligence is narrower than most firms believe. Under Regulation 37, SDD is available only where the firm has determined the business relationship presents a low degree of risk, having considered the factors in Schedule 3 and any relevant guidance from the supervisor.
Typical SDD candidates: UK-listed companies, UK or EEA credit institutions, UK public authorities, certain regulated pension schemes. A small UK limited company with a single director who is a long-standing existing client of the firm is not automatically SDD-eligible - the determination must be documented, and you still need to identify and verify the client and beneficial owners. SDD reduces the intensity of measures, it does not remove them.
Step 4 - When standard CDD is sufficient
For the majority of UK accountancy clients - owner-managed limited companies, sole traders, partnerships, small charities - standard CDD is the right starting point. That means: identifying the client and verifying using documents, data or information from a reliable independent source; identifying every beneficial owner holding more than 25% (or otherwise exercising control); understanding the ownership and control structure; and obtaining information on the purpose and intended nature of the relationship.
The "reliable independent source" point matters. A client self-certifying their own ID does not meet the standard. Companies House data, government-issued ID with electronic verification, and credit-reference data are the typical sources. Accupe pulls Companies House data directly into the client profile during onboarding, which removes one of the most common CDD weaknesses - typo-laden registered addresses copied from the client's email signature.
Step 5 - When EDD becomes mandatory
EDD is not optional once any of the following apply: the client or beneficial owner is established in a high-risk third country listed under Regulation 33; the relationship involves a PEP, family member or known close associate; the client has provided false or stolen identification documents; the transaction is complex, unusually large, or has no apparent economic or legal purpose; or the firm-wide risk assessment otherwise classifies the relationship as high risk.
EDD obligations layer on top of CDD. They typically include obtaining additional information on the client and beneficial owner, additional information on the intended nature of the relationship, information on the source of funds and source of wealth, enhanced ongoing monitoring, and (for PEPs) senior management approval before establishing or continuing the relationship.
Step 6 - Document the decision, not just the outcome
The single most common supervision finding is not that firms made the wrong CDD/EDD call - it is that they cannot show why they made the call they did. Whichever path the decision tree leads to, the file must contain: the risk factors considered, the rating applied, the procedures performed, the documents obtained, the person who reviewed them, and the date.
Operationally this is much easier to enforce if the practice management system records the risk classification against each client and timestamps the review. Accupe's Compliance Radar holds this against the client profile so the audit trail is automatic rather than reconstructed from email at supervision time.
Step 7 - Re-run the tree on trigger events
The risk rating set at onboarding is not permanent. Ongoing monitoring under Regulation 28(11) requires firms to scrutinise transactions and to keep CDD documents and data up to date. Trigger events that should re-run the decision tree include: change of beneficial ownership, change of registered office, change of business activity, unusual transaction patterns, adverse media hits, sanctions list updates, and PEP status changes.
Calendar-driven refresh (every 12 months for high risk, every 24 to 36 months for standard) plus event-driven refresh is the standard model. Firms running purely on calendar refresh miss the events that matter most.
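As an added worked example (not part of the original guide and not Accupe's code), the seven steps encoded as a small Python decision tree: the Step 5 triggers override everything, SDD requires both a low Step 2 rating and one of the Step 3 categories (an assumption about how a firm applies the Regulation 37 determination), the 25% beneficial-owner test from Step 4, and the calendar-plus-event refresh from Step 7. Field names, category labels and the 24-month standard interval are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
# Categories the guide names as typical SDD candidates (Step 3); labels are constructed.
SDD_CATEGORIES = {"uk_listed_company", "uk_eea_credit_institution",
                  "uk_public_authority", "regulated_pension_scheme"}
REFRESH_MONTHS = {"EDD": 12, "CDD": 24, "SDD": 36}  # Step 7; 24 = short end of 24-36
# Events that re-run the tree regardless of the calendar (Step 7).
TRIGGER_EVENTS = {"beneficial_owner_change", "registered_office_change",
                  "business_activity_change", "unusual_transactions",
                  "adverse_media", "sanctions_update", "pep_status_change"}
@dataclass
class Client:
    name: str
    category: str = "other"              # e.g. "uk_listed_company", or "other"
    firm_wide_rating: str = "standard"   # Step 2 matrix output: low / standard / high
    high_risk_third_country: bool = False
    pep_linked: bool = False             # PEP, family member or known close associate
    false_or_stolen_id: bool = False
    complex_or_unusual_transaction: bool = False
    holdings: dict = field(default_factory=dict)   # beneficial owner -> % held
    other_controllers: set = field(default_factory=set)  # control by other means

def edd_triggers(c: Client) -> list:
    """Step 5: the mandatory EDD triggers that apply; EDD is not optional if any do."""
    checks = [("high_risk_third_country", c.high_risk_third_country),
              ("pep_or_associate", c.pep_linked),
              ("false_or_stolen_id", c.false_or_stolen_id),
              ("complex_or_unusual_transaction", c.complex_or_unusual_transaction),
              ("firm_wide_high_risk", c.firm_wide_rating == "high")]
    return [name for name, hit in checks if hit]

def classify(c: Client) -> tuple:
    """EDD triggers override everything; SDD needs a low rating AND an eligible category."""
    triggers = edd_triggers(c)
    if triggers:
        return "EDD", triggers
    if c.firm_wide_rating == "low" and c.category in SDD_CATEGORIES:
        return "SDD", ["document the low-risk determination"]
    return "CDD", []  # a long-standing small ltd with a low score is still CDD, not SDD

def owners_to_verify(c: Client) -> set:
    """Step 4: every beneficial owner above 25%, plus anyone exercising control otherwise."""
    return {n for n, pct in c.holdings.items() if pct > 25} | c.other_controllers

def needs_rerun(level: str, last_review: date, today: date, events: set) -> bool:
    """Step 7: calendar-driven OR event-driven refresh."""
    y, m0 = divmod(last_review.month - 1 + REFRESH_MONTHS[level], 12)
    due = date(last_review.year + y, m0 + 1, min(last_review.day, 28))  # day clamped
    return today >= due or bool(events & TRIGGER_EVENTS)
```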
A note on the UAE touchpoint
UK firms with clients holding UAE structures should be alert to the UAE's own AML regime under Federal Decree-Law No. 20 of 2018 and the goAML reporting platform operated by the UAE FIU. UAE freezones each have their own beneficial-ownership disclosure requirements, and the UAE was on the FATF grey list between 2022 and early 2024 - clients with UAE corporate vehicles often warrant additional source-of-funds enquiry as part of EDD.
Closing
A good decision tree is not a substitute for judgement, but it dramatically reduces the variance between team members. Train every onboarding administrator and every fee-earner to walk through the same seven steps, record the answers, and escalate to the MLRO on any EDD trigger. The volume of supervision findings drops sharply when every file looks like every other file.