Navigating Customer Due Diligence Under the UK Money Laundering Regulations 2017: Legal Framework and Practical Implementation

Explore the essential CDD requirements under MLR 2017, from risk-based assessments to ongoing monitoring, and learn how upcoming 2025 reforms will streamline compliance.

The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 set out the legal framework for customer due diligence in the UK. For accountants, bookkeepers, and tax advisers, CDD is not a background compliance concern. It sits at the centre of every new client relationship.

This guide works through what the regulations actually require, how to carry out each step in practice, and what is at stake if you do not.

Who Does CDD Apply To?

The MLRs apply to “relevant persons” – a defined category of businesses and individuals operating in sectors that are considered higher risk for money laundering and terrorist financing.

For the accounting profession, this includes accountants, tax advisers, auditors, insolvency practitioners, bookkeepers, and trust and company service providers. If your work involves preparing or carrying out financial transactions on behalf of clients, handling client money, or advising on tax or business structuring, you are within scope.

This is not optional compliance. Being a relevant person under the regulations creates a legal obligation to have policies, controls, and procedures in place, and to apply them consistently.

When Does CDD Apply? (Regulation 27)

Regulation 27 sets out the four circumstances that trigger the obligation to carry out CDD. Many firms treat CDD as a new client exercise only, but the regulation is broader than that.
CDD is required when you:

  • Establish a business relationship
  • Carry out an occasional transaction of €15,000 or more (or €10,000 in cash for high-value dealers)
  • Suspect money laundering or terrorist financing, regardless of transaction value
  • Have doubts about the veracity or adequacy of documents or information you previously obtained

The third and fourth triggers are easy to overlook. Furthermore, Regulation 27(8) creates an ongoing obligation to apply CDD to existing clients at appropriate times on a risk-based approach. If something about a client’s circumstances changes and it raises a concern, the obligation to carry out CDD is live again, even for a longstanding client relationship.

What CDD Requires You to Do (Regulation 28)

Regulation 28 sets out the specific measures that must be applied once the obligation to carry out CDD is triggered. There are six distinct requirements. Each one is a separate legal duty.

Verify Your Customer's Identity

You must identify the customer and verify their identity using documents or information from a reliable, independent source. For individuals, this typically means government-issued photo ID such as a passport or driving licence, plus proof of address from a utility bill, bank statement, or council tax bill.

Identity verification must be based on sources that are independent of both the customer and the firm. A document provided by the client alone does not satisfy the requirement unless you can verify it against an independent source.

Identify Beneficial Owners

Where the customer is not an individual acting on their own behalf, you must identify any beneficial owner. Under the regulations, a beneficial owner is a person who ultimately owns or controls more than 25% of the shares or voting rights in a company, or who otherwise exercises control over the management of the entity.

For private companies, this often requires looking beyond the registered directors to the individuals who actually hold influence. For trusts, you must identify the settlor, trustees, and beneficiaries. The regulations are clear that you cannot rely solely on information from Companies House or other registries to satisfy this requirement.

Verify Anyone Acting on the Customer's Behalf

If someone is acting on behalf of your client, you must verify that they are authorised to do so, identify them, and verify their identity using independent documents or information. This applies whether the person is an employee, agent, or a representative acting under a power of attorney.

Understand the Purpose and Nature of the Business Relationship

You must assess, and where appropriate obtain information on, the purpose and intended nature of the business relationship or occasional transaction. This goes beyond knowing who the client is. You need to understand what they want from you, what they do commercially, and whether that is consistent with what you know about them.

For most clients this is straightforward. For clients with complex structures, offshore connections, or activity that falls outside their stated business purpose, this assessment carries more weight.

Ongoing Monitoring

Regulation 28(11) requires you to conduct ongoing monitoring of the business relationship. This includes scrutinising transactions to ensure they are consistent with your knowledge of the customer and their risk profile, and keeping the information you hold up to date.

Additional Steps for Corporate Clients

Where the customer is a company, Regulation 28(3) requires you to obtain and verify the company name, registration number, and registered office address. You must also take reasonable measures to determine and verify the law to which the company is subject and its constitution.
You must also take reasonable measures to identify the full names of the board of directors and the senior persons responsible for the company’s operations. Crucially, under Regulation 30A, you must also report any material discrepancies you find between your own beneficial ownership findings and the information held on public registers.

When Must Verification Be Completed? (Regulation 30)

The default position under Regulation 30 is clear: verification must be completed before the business relationship is established or the transaction is carried out. You should not start work until you have verified your client.
There are two limited exceptions. First, verification can be completed during the establishment of the relationship if doing so is necessary to avoid interrupting normal business conduct and there is little risk of money laundering or terrorist financing. Crucially, in these cases, verification must still be completed as soon as practicable after contact is first established.

Second, credit and financial institutions can open an account before verification is complete, provided no transactions are permitted until verification is done.
For most accounting firms, the practical implication is simple. Do not take on client work, issue an engagement letter, or begin any chargeable activity until identity verification is complete. The exceptions are narrow and do not cover standard onboarding delays.

How to Apply a Risk-Based Approach

The regulations do not require the same level of scrutiny for every client. They require a risk-based approach, meaning the depth of CDD must reflect the money laundering and terrorist financing risk each client presents. There are three levels.

Standard CDD

Standard CDD is the default. It applies to the majority of clients and involves the full set of measures under Regulation 28 without enhancement or reduction. Most individuals and straightforward corporate clients fall here.

Simplified Due Diligence

Regulation 37 allows simplified due diligence (SDD) where a business relationship or transaction presents a low degree of risk, based on your firm’s risk assessment and the risk factors set out in the regulations. SDD does not mean no due diligence. It means you can adjust the extent, timing, or type of the measures you carry out.

However, you must still comply with Regulation 30A regarding the reporting of material discrepancies found on beneficial ownership registers.

Clients that may qualify include public authorities, regulated financial institutions subject to equivalent AML standards, and certain low-risk financial products. You must still carry out ongoing monitoring sufficient to detect unusual or suspicious transactions. SDD cannot be applied on a blanket basis; each determination must be grounded in your firm’s risk assessment and documented.

Enhanced Due Diligence

Regulation 33 sets out when enhanced due diligence (EDD) is mandatory. You must apply EDD and enhanced ongoing monitoring in any case you identify as high risk, including:

  • Business relationships or transactions involving persons or entities from a high-risk third country
  • Clients identified as Politically Exposed Persons (PEPs), or their family members and known close associates (Regulation 35)
  • Transactions that are complex, unusually large, or follow an unusual pattern with no apparent economic or legal purpose
  • Cases where the client has provided false or stolen identification and you propose to continue the relationship
  • Any other situation that by its nature presents a higher risk

EDD requires you to examine the background and purpose of the transaction more thoroughly, seek additional independent sources to verify information, and increase the frequency and intensity of monitoring. For PEPs and high-risk third-country relationships, senior management approval is required before onboarding.

Risk Level | CDD Type                 | Key Trigger
-----------|--------------------------|------------------------------------------------------------------
Low        | Simplified Due Diligence | Low-risk clients, public bodies, regulated institutions
Default    | Standard CDD             | The majority of individual and corporate clients
High       | Enhanced Due Diligence   | PEPs, high-risk countries, complex structures, suspicious activity

Ongoing Monitoring: What It Means in Practice (Regulation 28(11))

CDD does not end once a client is onboarded. Regulation 28(11) requires ongoing monitoring throughout the business relationship. This has two components.

The first is transaction scrutiny. You must review transactions to ensure they are consistent with your knowledge of the client, their business, and their risk profile. Under Regulation 28(11)(a), this scrutiny must include, where necessary, an assessment of the source of funds. If a client’s transactions look inconsistent with what you know about their income, activity, or stated purpose, that is a flag that requires attention.

The second is keeping records current. Documents and information obtained for CDD purposes must be reviewed and updated. Crucially, under Regulation 30A(2A), you must also continue to collect register excerpts and report any material discrepancies you find between your findings and the information held on beneficial ownership registers. A client whose circumstances change, who engages in new business activity, changes address, adds new beneficial owners, or moves to a higher-risk jurisdiction may need to be re-verified.

In practice, while many firms use annual reviews as a baseline, Regulation 28(12) mandates that the frequency and intensity of monitoring must be determined by the client’s risk profile. Ongoing monitoring also means having a process to detect anomalies in transaction data and act on them when they arise.

Record Keeping: What to Keep & For How Long (Regulation 40)

Regulation 40 imposes a separate and distinct obligation on record-keeping. Many firms apply CDD correctly but fall short on documentation.

You must keep copies of all documents and information obtained to satisfy your CDD requirements. This includes identity documents, evidence of beneficial ownership, risk assessments, EDD reports, and records relating to any material discrepancies found and reported on beneficial ownership registers (Regulation 30A).

You must also retain sufficient supporting records for each transaction subject to CDD or ongoing monitoring to enable reconstruction of that transaction.

The retention period is five years, beginning from the date the transaction is complete (for occasional transactions) or the date the business relationship ends. Under Regulation 40(4), there is a maximum retention period of ten years for transaction records within an ongoing relationship.

Once these periods have expired, Regulation 40(5) requires you to delete any personal data obtained for the purposes of the regulations unless you have a specific legal basis to retain it, such as for court proceedings or with the customer’s explicit consent. Data protection obligations run alongside these requirements to ensure personal data is handled appropriately.

What Happens If You Do Not Comply (Regulation 76)

Part 9 of the MLRs sets out the enforcement framework. The consequences of non-compliance are not theoretical. The FCA and HMRC both have the power to act.

Under Regulation 76, a designated supervisory authority, either the FCA or HMRC, can impose a civil penalty of whatever amount it considers appropriate on any person who has contravened a relevant requirement. There is no statutory cap on the fine.

In addition to financial penalties, the supervisory authority can publish a public statement censuring the firm or individual. Where an officer of a business was knowingly involved in the contravention, a penalty may be imposed directly on that individual, not just on the firm.

Regulation 77 goes further. If a firm fails to comply with a relevant requirement or repeatedly fails to provide required information on funds transfers, the FCA can suspend or cancel its permissions and registrations altogether.

Two things are worth noting. First, the penalty can be avoided only where the firm can show it took all reasonable steps and exercised all due diligence to ensure compliance. Good intentions are not a defence; clear documentation of your policies and the actions you took is. Second, Regulation 76(6) requires supervisory authorities to consider whether the firm followed relevant guidance issued by the FCA or approved by the Treasury when determining whether a contravention occurred.

Tools to Help You Stay Compliant

Managing CDD manually is time-consuming and leaves room for error. Across a growing client base, keeping identity documents current, running sanctions checks, and maintaining audit-ready records becomes a significant administrative burden.

FigsFlow is built specifically for accountants, bookkeepers, and tax advisers in the UK. Its AML module covers the full CDD workflow in one place.

Client identity documents are verified in under a minute. Checks run automatically against sanctions lists, PEP databases, watchlists, and the Amberhill database. Companies House verification for company directors is built in. The platform covers Customer Risk Rating, Enhanced Due Diligence, and Firm-Wide Risk Assessment, with a complete audit trail and AML report generated at the end of each check.

What FigsFlow Covers          | Detail
------------------------------|-----------------------------------------------------------------------
Identity verification         | Passport, driving licence, biometric residence permit, proof of address
Liveness check                | Live selfie matched against identity document in real time
PEP and sanctions screening   | Automatic, surfaced in a single reviewable report
Companies House verification  | Director and beneficial owner checks
Customer Risk Rating          | Simplified, Standard, or Enhanced classification
Enhanced Due Diligence        | Multi-section EDD questionnaire for high-risk clients
Firm-Wide Risk Assessment     | Practice-level risk assessment tool
Audit trail                   | Every check logged, retained, and exportable

AML checks start from £3 per ID check on a pay-as-you-go basis, or £2.10 per check with the £8 per month plan that includes risk assessment tools. There are no hidden per-check fees. PEP screening, sanctions, liveness, and Companies House verification are all included in a single price.

Start a free 30-day trial or book a demo at figsflow.com.

Conclusion

CDD under the MLRs 2017 is not a one-time exercise. It is an ongoing obligation that covers who you take on, what you know about them, how you monitor them, and how long you keep the evidence.

The regulations are specific. The penalties for getting it wrong are real. And the good news is that the process, when handled properly, does not need to take over your day.

Know your triggers. Apply the right level of scrutiny. Keep your records. And review your clients regularly. That is what navigating CDD in practice actually looks like.

Frequently Asked Questions

What are the four customer due diligence requirements?

The four key Customer Due Diligence (CDD) requirements are:

  1. Verify the customer’s identity.
  2. Identify the beneficial owner(s).
  3. Understand the purpose of the business relationship.
  4. Continuously monitor the relationship and transactions.

What does customer due diligence mean?

Customer Due Diligence (CDD) refers to the process of verifying the identity of clients and assessing potential risks to prevent financial crimes like money laundering and terrorism financing.

What is an example of CDD?

Customer Due Diligence (CDD) involves verifying a customer’s identity and understanding their business relationship. For example, a bank verifies a client’s identity with a passport and utility bill before opening an account.

What is CDD vs KYC?

CDD (Customer Due Diligence) is a process within KYC (Know Your Customer). KYC refers to the overall procedure of verifying a customer’s identity, while CDD focuses on assessing risk and monitoring ongoing transactions.
