For UK accountancy firms supervised by HMRC for AML purposes (those not supervised by ICAEW, ACCA, CIOT, IPA, AAT or CILEx Regulation), the supervision visit is the single most consequential touchpoint with the regulator. HMRC has been steadily expanding the number of visits it conducts per year, has published its expectations clearly, and has not been shy about issuing penalties where it finds material weaknesses. Knowing what HMRC asks for is the difference between a quiet exit interview and a six-figure fine.
How visits are triggered
Visits are partly routine (selected from the supervised population on a risk-rated basis) and partly intelligence-led (triggered by SAR data, whistleblower reports, news coverage, or referrals from other agencies). The firm typically receives written notice with a date and a list of documents to prepare. In a smaller number of cases the visit is unannounced.
Routine visits cover a fixed agenda. Intelligence-led visits often start with a specific concern and broaden outward. Either way, the document list is broadly the same - and largely predictable.
Document 1 - The firm-wide risk assessment
HMRC will ask for the current firm-wide risk assessment, the previous version, evidence of review, and the link between the assessment and the firm's policies, controls and procedures. They are testing whether the document reflects the actual client base, the actual services offered, and the actual jurisdictions the firm touches.
The most common finding here is a generic firm-wide risk assessment downloaded from a supervisor template and lightly customised. HMRC examiners spot these instantly. The assessment should reference the firm's specific client mix, with quantified breakdowns where possible.
Document 2 - Policies, controls and procedures
The written AML policy. Onboarding procedures. EDD procedures. Sanctions screening procedures. Internal SAR procedures. Training policy. Record-retention policy. HMRC will pick a procedure and trace it through to actual execution on a sampled file.
A common weakness is a beautifully drafted policy that the team does not actually follow. The cure is to test the policy quarterly internally - pick a file, walk through whether the documented procedure was actually performed, and remediate gaps before HMRC finds them.
Document 3 - The client list with risk ratings
HMRC will ask for the complete client list with risk classifications attached. They use this to draw their sample for file review. Firms that cannot produce this list - because risk ratings live in scattered Excel files or in nobody's head - fail at this stage before any files are even sampled.
Holding the risk rating against each client profile in the practice management system, with a clear refresh history, is the operational fix. Accupe's Compliance Radar maintains this against the client record so exporting a current risk-rated client list is a one-click task.
Document 4 - A sample of client files
HMRC selects a sample, weighted toward higher-risk clients. For each sampled file they expect to see: the onboarding CDD pack, beneficial-ownership identification and verification, the firm-wide risk-assessment outcome applied to this client, any EDD evidence (including SoF and SoW where required), sanctions and PEP screening evidence with timestamps, ongoing monitoring evidence, and any internal reports raised.
The single most cited finding is "incomplete CDD on file" - usually because a document was collected by email and never filed against the client record, or because the verification step was performed but never written down.
Document 5 - Training records
Who has been trained, on what, when, by whom, and how the firm evidenced attendance and understanding. Expect HMRC to interview at least one fee-earner and one administrator to test whether the training has stuck. Staff who cannot describe their internal SAR escalation path will produce an adverse finding regardless of how good the training PDF looks.
Document 6 - MLRO annual report and senior management sign-off
The most recent MLRO annual report and the documented senior-management response. HMRC will read this carefully - it is the clearest single indicator of whether AML is being treated as a live programme or a paper exercise. Reports without findings, or with findings that have not been actioned year-over-year, are red flags.
The exit interview
At the end of the visit the inspector usually conducts an exit interview, walking through preliminary findings. The formal letter follows in writing, typically within a few weeks. Findings are graded by severity, with required actions and deadlines. Penalties - civil monetary penalties under Regulation 76 - apply where breaches are material.
Engage constructively. Where you disagree with a finding, respond in writing with evidence rather than verbally on the day. Where you agree, fix it before the deadline and provide evidence of remediation. The firms that fare worst are those that argue every finding without addressing any of them.
Preparing in advance
Run an internal mock visit annually. Pick a partner outside the MLRO function, hand them the HMRC document list, give them four hours, and see what they can assemble. Whatever they cannot produce inside that window is what HMRC will find when they actually visit.
Closing
HMRC supervision visits are not designed to trap firms. They are designed to verify that the regime is being run with discipline. Firms that maintain clean, accessible records - across CDD, EDD, screening, training and the MLRO report - pass them with a short letter and a few minor actions. Firms that improvise on the day do not.