Anti-money laundering supervision is a statutory obligation for UK accountancy firms, set out in the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, as amended. For most firms, that obligation is discharged through supervision by one of the professional body supervisors (PBS) - ACCA, ICAEW, CIOT, AAT, ICAS, and the others listed in Schedule 1. Firms that fall outside a professional body register through HMRC as their default supervisor.
This handbook is written for compliance officers and managing partners in UK accountancy practices. It walks through the supervisor relationship, the documented risk assessments the regulations require, the practical mechanics of customer due diligence, and the most common findings in PBS inspection reports.
It does not replace the published guidance from the Anti-Money Laundering Supervisors Forum (AMLSF) or the Accountancy AML Supervisors Group (AASG), nor does it stand in for your firm's legal advice. It is meant as an operational reference that complements those texts.
Choosing and registering with a supervisor
A firm providing services within the scope of MLR 2017 must be supervised. For accountancy firms, the practical choice is between one of the professional body supervisors (where the principals hold an accountancy qualification within the membership) and HMRC (for firms outside the PBS regime, including many bookkeeping practices).
A firm cannot operate in scope while unsupervised. New firms must register with their supervisor before commencing work, and changes in control, ownership, or principal officers must be notified within the supervisor's timeframe. PBS supervision fees are typically tiered by firm size; HMRC supervision attracts a per-premises annual fee.
The four written documents you must hold
Inspections start with documentation. A firm that cannot produce its core AML policy set within a reasonable window of a supervisor inquiry will struggle on every other dimension. The four documents you should have, current and accessible, are:
- A practice-wide risk assessment that addresses the risks arising from your customer base, geographies, products and services, and delivery channels
- AML policies, controls, and procedures that are proportionate to the size and nature of the firm
- Customer risk assessment templates that are applied at onboarding and updated periodically
- A nominated officer (MLRO) appointment letter and a board-level statement of responsibility for AML matters
The MLRO role in practice
Every regulated firm must appoint a nominated officer - commonly referred to as the Money Laundering Reporting Officer (MLRO) - to receive internal disclosures and to make suspicious activity reports to the National Crime Agency. In small firms this is often the senior principal. In mid-sized firms it should be someone with sufficient seniority and independence to challenge engagement decisions.
The MLRO's practical workload includes maintaining the firm's policy framework, signing off high-risk client onboarding, receiving internal suspicion reports, drafting and filing SARs where appropriate, and presenting to the principals on AML performance. Most firms find quarterly MLRO reports to the leadership team a useful cadence.
Customer due diligence by risk tier
CDD is not a single check. The regulations prescribe a sliding scale from simplified due diligence at the lower-risk end, through standard CDD as the default, to enhanced due diligence for high-risk relationships and politically exposed persons. The tier is set by the client risk assessment, not by the client's preference.
Standard CDD covers identifying the customer and verifying the identity from a reliable independent source; identifying the beneficial owners (any individual with more than 25% control or who otherwise exercises control); understanding the nature and purpose of the business relationship; and conducting ongoing monitoring throughout the relationship. Enhanced due diligence adds source of funds enquiries, additional independent corroboration, and senior officer approval for the relationship.
PEPs, sanctions, and adverse media
Politically exposed persons are subject to enhanced due diligence as a matter of regulation. The definition covers individuals entrusted with prominent public functions, plus their close family members and known close associates. PEP status alone is not a reason to decline an engagement, but it does require senior officer sign-off and source of wealth enquiries.
Sanctions screening is a separate regime under OFSI rules and is mandatory regardless of MLR risk assessment. Firms should screen against the consolidated UK sanctions list at onboarding and on a periodic basis through the relationship. Adverse media screening is a sensible additional check for medium and high-risk clients, capturing investigative reporting that may not yet have produced formal sanctions or criminal action.
Source of funds and source of wealth
These are often conflated but are distinct enquiries. Source of funds asks where the money for a specific transaction came from. Source of wealth asks how the client accumulated their overall financial position. For higher-risk relationships, particularly those involving PEPs or large unexplained balances, both questions need to be answered with documentary support.
Documentary support can include audited accounts, recent payslips and employment contracts, contracts of sale for asset disposals, inheritance documentation, or settlement agreements. The standard is that an independent third party reviewing the file should be able to understand how the funds in question arose.
Suspicious activity reporting
A SAR is filed when the firm forms a knowledge or suspicion that property is the proceeds of crime, or that money laundering or terrorist financing is involved. The threshold is suspicion, not proof - but the suspicion must be objectively justifiable from the facts available.
A defence against money laundering (DAML) SAR is a separate device used when the firm needs consent from the NCA to proceed with a transaction it suspects may be tainted. DAMLs have a seven working day notice period and a 31 day moratorium period - practical implications for engagement timing that the MLRO and engagement partner should both understand.
Training requirements
All relevant employees must receive AML training that is appropriate to their role, with documented records of attendance and content. The regulations do not prescribe a frequency, but supervisor guidance generally expects refresher training at least every two years, and immediately upon any material change in the firm's risk profile or applicable law.
Effective training is more than a slide deck. It should cover the firm's own policies and red flags specific to the firm's client base. New joiners should receive AML training before they make their first onboarding decision.
Inspection readiness
PBS inspections vary in form but share a common shape: a desk-based review of the policy documents, followed by a sample file review, followed by an exit interview with the MLRO and a principal. HMRC inspections follow a similar pattern. Common findings include incomplete beneficial ownership records, missing ongoing monitoring evidence, weak source of funds documentation on higher-risk clients, and stale risk assessments that have not been refreshed despite firm growth.
The practical answer to inspection readiness is to operate as though an inspection might begin tomorrow. If your sample of files would not pass a supervisor review, no amount of weekend preparation will fix that - the work must be in the day-to-day workflow.
How Accupe supports AML compliance
Accupe brings AML into the everyday operating layer of your firm. OpenSanctions-powered screening checks new and existing clients against sanctions and PEP lists in real time. Compliance Radar provides a per-client risk score that updates as documentation and activity change. KYC document collection runs through the encrypted client portal, AI document analysis reads identity documents with source citation, and Companies House integration verifies beneficial ownership data automatically. Audit-ready reports can be generated for supervisor inspection with a few clicks, and the practice-wide risk assessment lives alongside the client list so it stays current as the firm grows.