Client Identity Verification
Everything your firm needs to know about client identity verification, from legal requirements to common mistakes.
AML Essentials Kit Breakdown:
Client Identity Verification is a legal requirement under MLR 2017. You must establish, using credible and independent evidence, that the person or organisation you are dealing with is who they claim to be. Getting it wrong leaves your firm open to enforcement action and to the risk of facilitating financial crime.
The obligation goes further than most firms expect. It covers not just the client, but the directors, beneficial owners, trustees and partners behind them.
This page covers what the law requires, who you need to verify, when it must happen, and how FigsFlow handles it.
What the Law Requires
Under Regulation 27 and Regulation 28 of MLR 2017, you must apply customer due diligence measures before or during the establishment of a business relationship, or when carrying out an occasional transaction. Identity verification is a core part of that. The evidence you use must come from a source that is independent of the client and reliable enough to satisfy a reasonable standard of scrutiny.
The regulations do not prescribe a single method. What they require is that the approach you take is proportionate to the risk presented by the client and the nature of the work. A higher-risk client warrants more rigorous checks. A lower-risk client may require less, but verification still must happen.
Who You Must Verify
Your client identity verification obligations extend beyond the client entity. You are required to verify:
- The client, whether an individual or an organisation
- Any individual who beneficially owns or controls the client, including shareholders holding more than 25% of the ownership or voting rights
- Directors and partners
- Trustees and settlors of trusts
- Anyone purporting to act on behalf of the client
This is not a one-time exercise. If the ownership or control structure changes, for example a new director is appointed or shares are transferred, you must update your verification records accordingly.
When Client Identity Verification must Take Place
As a general rule, you must complete client identity verification before the business relationship is established or the transaction is carried out. This applies whether you are taking on an ongoing client or carrying out a one-off piece of work such as a company incorporation.
There is a narrow exception. Where it would interrupt the normal conduct of business and the risk of money laundering or terrorist financing is low, verification can be completed during the establishment of the relationship, provided it is done as soon as practicable. This exception is not a general licence to verify later. It applies in specific, limited circumstances and should not be treated as routine.
The same obligation applies to one-off engagements. If you are carrying out a transaction or a piece of advisory work that does not lead to an ongoing relationship, such as a company incorporation, verification must still take place before you proceed.
Acceptable Methods of Client Identity Verification
There are two broad approaches, and you can use either or a combination of both.
Document-Based Verification
This involves inspecting original identity documents in person or reviewing certified copies. Acceptable photo identification includes a current passport, a photocard driving licence or a biometric residence permit. For proof of address, you would typically use a recent utility bill, bank statement or council tax correspondence, issued within the last three months.
Electronic Verification
This uses technology to cross-reference a person’s details against independent data sources, such as credit reference records, the electoral register, Companies House or global watchlists. Electronic methods can cover more ground more quickly, and for many firms handling volume onboarding, they are more practical than document-based checks alone.
How FigsFlow Handles Client Identity Verification
FigsFlow gives you two ways to run an ID check, depending on how your onboarding works.
Whichever method you use, every check covers the same ground. FigsFlow screens the authenticity of the identity document submitted, runs the individual against sanctions databases and global watchlists, carries out an Amberhill check, verifies the address provided and performs a liveness check to confirm that the person presenting the document is genuinely present. Where required, it also covers Companies House identity verification for directors and persons with significant control.
The result is a single, consolidated report for each check, with every outcome recorded and ready to review.
What Your Audit Trail Must Show
Your regulator or supervisor can ask to see evidence of your verification at any point. The audit trail needs to show who was verified, when the check was carried out, what the outcome was, and whether any sanctions or PEP flags were reviewed and resolved.
FigsFlow logs all of this automatically. Every check is recorded by date, result, PEP outcome, sanctions outcome and review status. Records are retained indefinitely, so you are not scrambling to reconstruct a compliance history when an inspection comes around.
Common Client Identity Verification Mistakes to Avoid
These are the errors that come up most often, and the ones supervisors look for.
- Taking documents at face value without verifying their authenticity or checking that they have not expired
- Skipping verification for familiar clients, on the assumption that you know them well enough. MLR 2017 makes no such allowance
- Assuming any electronic tool is automatically compliant without checking what data sources it uses and how it produces its results
- Relying on checks carried out by another firm without reviewing the underlying evidence yourself. You remain responsible
- Failing to re-verify when there is a change in ownership, control or the structure of a client
Your compliance checklist
Use this as a quick reference before you begin any new engagement.
- Complete all identity verification before commencing work
- Verify the client entity and every individual who owns or controls it
- Use evidence that is independent of the client and current
- Screen every individual against sanctions lists and watchlists
- Apply enhanced scrutiny where the risk level warrants it
- Keep a clear audit trail for every check, including how any flags were reviewed and resolved
- Update records if the client’s ownership or control structure changes
- Remember that you are responsible for the adequacy of verification, even where a third party has assisted
Conclusion
Client identity verification is not a box to tick once at onboarding and forget. It is an ongoing obligation that follows the client relationship.
The standard MLR 2017 sets is straightforward: independent evidence, the right scope, proportionate to risk. Where ownership changes, the obligation refreshes. Where something looks off, you act.
FigsFlow keeps the process fast without cutting corners. Every check produces a complete, auditable record so your firm stays compliant and stays protected.
Run Your Next ID Check in FigsFlow
Frequently Asked Questions (FAQs)
Before the business relationship is established or the transaction takes place. Regulation 30(3) of MLR 2017 does allow for completion during establishment in limited circumstances, where risk is low and normal business would otherwise be interrupted, but this is an exception rather than a default. If in doubt, verify first.
Because the company is a legal structure. The people who own and control it are where the actual risk sits. MLR 2017 is explicit on this: you must verify beneficial owners, directors and others with significant control, not just the entity name on the letterhead. Checking the company and stopping there is not sufficient.
Not necessarily on a fixed schedule, but you are required to keep verification records current. If something changes, a new director joins, ownership transfers, the nature of the work changes, or you notice something that does not add up, you must update your checks. Longstanding relationships are not exempt from client identity verification. MLR 2017 requires ongoing monitoring of business relationships, which includes keeping the underlying verification up to date.
In limited circumstances, yes. MLR 2017 allows you to rely on checks carried out by certain third parties, but you remain fully responsible for the adequacy of the verification. You must obtain the underlying evidence from them immediately on request, and they must agree to retain it for the required period. If that arrangement is not in place, you cannot rely on their checks.
Commonly accepted documents include a recent utility bill, bank statement, mortgage statement or council tax correspondence. They should be in the client’s name, show their current address, and be issued within the last three months. A driving licence can serve as proof of address if it was not already used as the primary photo ID document.
Amberhill is a database maintained by law enforcement that flags individuals with known links to organised crime. It is part of a thorough AML check alongside sanctions screening and PEP checks. Not all verification tools include it. FigsFlow runs an Amberhill check as part of every ID verification, at no extra cost.
AML Essentials Kit Breakdown:
Don’t forget to share this post!
