Client Identity Data Collection for AML Compliance with FigsFlow
Need Help Structuring Your Checks?

Client Identity Data Collection

Gather essential client information, including personal and business details, to ensure accurate identity verification, mitigate risks, and comply with AML regulations before establishing any business relationships.

AML Essentials Kit Breakdown:
Try FigsFlow Now

Under UK Money Laundering Regulations, you are legally required to verify the identity of every client before you begin working with them. This requirement extends beyond the client entity itself to include anyone who owns, controls or influences that entity, such as directors, beneficial owners, partners and trustees.

How to collect client data

Understand what information is required

Before you begin collecting information, your team must be clear on exactly what data is needed. The specific requirements depend on whether you are dealing with an individual client or a legal entity. Getting this right at the outset prevents delays and ensures you can move smoothly into identity verification and risk assessment.

For individual clients, you must collect:

  • Full name
  • Date of birth
  • Proof of ID (Passport or Diving License)
  • Proof of Address (Driving license, or Utility Bills, or Tax council bills)
  • A clear explanation of the purpose and intended nature of the business relationship
  • Email address and contact number (while not strictly required under MLR 2017, HMRC strongly advises collecting this information for practical communication and ongoing monitoring)

For companies, limited liability partnerships (LLPs), and trusts, you must collect:

  • Registered name and company or registration number
  • Registered office address and principal place of business (if different)
  • Full names of all directors, senior management, beneficial owners and directors authorised person (if the point of contact is not a director)
  • Constitutional documents, such as the articles of association, partnership agreement, or trust deed
  • A clear picture of the ownership and control structure, including details of all beneficial owners who meet the relevant thresholds
  • Information on any individuals authorised to act on behalf of the entity, particularly those who will be your day-to-day contact or who have authority to give instructions

Not all methods will suit every situation. Larger firms with high volumes may favour automated digital checks, while smaller practices may rely more on document inspection and personal meetings.

Additional considerations

At this stage, you should also identify whether any individuals connected to the client are politically exposed persons (PEPs), or whether there are any links to sanctioned individuals or jurisdictions. This forms part of your initial risk assessment and will influence the level of due diligence you apply.

Where a client structure is complex, such as a multi-tiered corporate group or discretionary trust, you may need to gather additional information to understand the full control and ownership chain. Professional judgement is required to determine how far up or across a structure you need to go to satisfy the requirements of Regulation 28.

Sanctions screening

Identity verification must always include screening against financial sanctions lists. You are required to check whether the individual or organisation, or any country they relate to, is subject to UK or international sanctions.

If a client or connected person appears on a sanctions list, you must not proceed with the relationship and you must report the matter immediately to the National Crime Agency, even if all other aspects of the onboarding appear legitimate.

Politically Exposed Persons (PEPs)

As part of your identity verification process, you must determine whether a client or any connected individual is a Politically Exposed Person.

A PEP is someone who holds or has held a prominent public position that may expose them to a higher risk of corruption or bribery. This includes heads of state, senior politicians, high ranking military officers, judges, central bank officials and board members of state-owned enterprises. It also extends to their immediate family members and known close associates.

There are three categories of PEPs:

  • Domestic PEPs: individuals who hold or have held prominent roles in the UK
  • Foreign PEPs: individuals who hold or have held such roles in other countries
  • International organisation PEPs: individuals in senior positions at organisations like the UN, NATO, the EU or the World Bank

PEP status does not automatically mean a client is involved in financial crime. However, it does mean they present a higher risk and must be subject to enhanced checks.

What you must do when you identify a PEP

If a client or connected person is identified as a PEP, you are required to:

  • Obtain senior management/MLRO approval before proceeding with the relationship
  • Apply enhanced due diligence measures, including gathering additional information about the source of their wealth and the source of the funds involved in the relationship
  • Conduct more frequent and detailed ongoing monitoring of the relationship

PEP status generally continues for 12 months after the individual leaves their public role, although you should assess the ongoing risk on a case-by-case basis. Some individuals may present an elevated risk beyond this period depending on the nature of their former position and current activities.

How to screen for PEPs

You can identify PEPs through direct questioning during onboarding, by reviewing publicly available information, or by using specialist screening databases. Many electronic verification tools include PEP screening as part of their service.

Failing to identify a PEP or treating them as a standard client without applying enhanced measures, is a serious compliance breach and exposes your firm to regulatory action.

Key responsibilities

  1. Your firm remains responsible for the quality and sufficiency of all identity checks, regardless of whether you carry them out yourself or rely on third party tools or service providers.
  2. You should never assume that checks carried out by another firm are adequate. If you are relying on verification completed elsewhere, you must review the underlying evidence and satisfy yourself that it meets the required standard.
  3. When there is a change in ownership, control or structure of a client entity, you must repeat the verification process for any new individuals who fall within scope.

Avoiding common mistakes

Many firms fall into avoidable errors when carrying out identity verification. The most frequent mistakes include:

  • Accepting documents without checking whether they are genuine or current
  • Failing to verify clients who are considered familiar or low risk
  • If any digital tool automatically meets regulatory requirements
  • Relying on another firm’s checks without independently reviewing the evidence or documentation
  • Not updating verification when client circumstances change, such as new directors or beneficial owners
  • Failing to screen for PEPs or treating them as standard clients without enhanced measures

Not obtaining senior management/MLRO approval before onboarding a PEP

Summary

Client data collection is the foundation of your entire AML process. Without accurate and complete information at the outset, you cannot properly verify identity, assess risk, or maintain effective ongoing monitoring.

When approached systematically, client data collection delivers tangible benefits. It makes your onboarding process more efficient by reducing the need for follow up requests. It enables you to apply the correct level of due diligence from the start, whether that is simplified, standard, or enhanced. And it gives you the context needed to spot inconsistencies or unusual activity as the relationship develops.

The key is to make your data collection process structured, thorough, and proportionate to the level of risk presented by each client. A well-designed approach at this stage strengthens your compliance framework as a whole and ensures that the decisions you make later on are based on solid, reliable information.

Frequently Asked Questions

What documents do I need to provide as an individual client?

You will need to provide proof of identity and proof of address. For identity, we accept a valid passport or driving licence. For address verification, we can accept a driving licence, a recent utility bill, or a council tax bill. We also need your full name, date of birth, email address and contact number so we can communicate with you effectively.

I run a limited company. What information do you need from my business?

For a company, we need the registered name, company number, registered office address and principal place of business if it is different. We also require the full names of all directors and details of anyone who owns or controls more than 25% of the company. You will need to provide constitutional documents such as your articles of association, and we may ask for information about anyone authorised to act on behalf of the company.

What is a beneficial owner and why does it matter?

A beneficial owner is anyone who ultimately owns or controls your business. This includes individuals who hold more than 25% of the shares or voting rights, or who otherwise exercise control over the company’s affairs. We are required to identify and verify all beneficial owners as part of our legal obligations. This helps ensure transparency and prevents the misuse of corporate structures for illegal purposes.

Is my information kept secure?

Yes. We are required to handle your personal information in accordance with data protection laws. The information you provide is used solely for the purpose of complying with our legal obligations and managing our professional relationship with you. We store your data securely and only share it where required by law or with your explicit consent.

What happens if I am identified as a Politically Exposed Person?

If you hold or have recently held a prominent public position, such as a senior politician, judge or central bank official, you are classified as a Politically Exposed Person or PEP. This does not mean you have done anything wrong. It simply means we must apply additional checks before we can work with you. We will need approval from senior management, gather more detailed information about your finances, and monitor the relationship more closely. PEP status usually applies for 12 months after you leave the public role, although we assess each case individually.

AML Essentials Kit Breakdown:

Don’t forget to share this post!

Unlock the Future of AML Compliance
Sign Up
Book a Demo
figsflow demo & trial
Log In
Book a Demo
Start 30-day free trial