Money laundering costs the UK economy billions each year. For accountancy firms, the stakes are even higher. A single compliance failure can result in unlimited fines, criminal prosecution, and irreparable reputational damage.
AML risk is no longer just a regulatory checkbox. It’s a fundamental business risk that every UK accountancy firm must understand, assess, and actively manage. Whether you’re a sole practitioner or part of a multi-office practice, the Money Laundering Regulations 2017 apply to you.
This guide explains what AML risk means for accountants, how to assess it properly, and what you need to do to stay compliant with UK regulations.
Key Takeaways
- AML risk refers to the potential for your firm to be exploited by criminals to launder money or conceal the proceeds of crime
- The Money Laundering Regulations 2017 (MLR17) require all UK accountancy firms to conduct and document firm-wide risk assessments
- You must assess five specific risk factors: client risk, service risk, geographic risk, transaction risk, and delivery channel risk
- Customer Due Diligence (CDD) is your primary defence against money laundering and must be conducted before establishing any business relationship
- High-risk services include tax planning, payroll, company formation, trustee services, and working with incomplete records
- You must file a Suspicious Activity Report (SAR) when you know or suspect money laundering activity
- Non-compliance can result in unlimited fines, criminal prosecution, and loss of your practising certificate
What is AML Risk?
AML risk is the potential for your accountancy firm to be used for money laundering activities. Criminals use your services to disguise the origins of illegally obtained money and make it appear legitimate.
Understanding how money laundering works helps you identify when you’re being exploited. The process typically occurs in three stages:
- Placement – Introducing illicit funds into the financial system through cash deposits, asset purchases, or client money accounts.
- Layering – Creating complex transactions through multiple transfers or cross-border movements to obscure the money’s criminal origin.
- Integration – Bringing laundered money back into the legitimate economy through real estate purchases, business investments, or other large legitimate transactions.
Criminals need professional enablers at each stage. Your services provide exactly what they require to successfully launder money and avoid detection.
Accountancy firms are specifically targeted because your professional status lends legitimacy to suspicious transactions. Criminals exploit accounts preparation services to overstate revenues and explain suspicious deposits. Company formation services help create complex structures with hidden ownership. Tax advisory services move money between jurisdictions or integrate criminal proceeds into apparently legal structures.
The consequences are severe. Association with money laundering can destroy client trust, result in losing your professional body membership, and lead to criminal prosecution of firm principals.
UK Regulatory Framework for AML Compliance
The Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 form the backbone of UK anti-money laundering law. These regulations implement the EU’s Fourth and Fifth Money Laundering Directives and establish comprehensive requirements for all accountancy firms.
MLR17 defines accountancy firms as relevant persons regardless of your professional body membership. Even if you’re not a member of any professional body, you’re still subject to these regulations if you provide audit, accountancy, tax, insolvency, or related services by way of business in the UK.
The regulations require you to:
- Identify and assess the risks of your firm being used for money laundering or terrorist financing
- Consider how criminals could use your specific services to conceal criminal proceeds
- Implement policies, controls, and procedures that address these risks
- Ensure senior management approves and oversees your AML framework
For sole practitioners, senior management means you. You need sufficient knowledge of money laundering risks and the authority to make decisions affecting your firm’s risk exposure.
Professional bodies act as anti-money laundering supervisors under the regulations. ICAEW supervises its member firms in practice, while ACCA, CIOT, and AAT supervise their respective members. These supervisors monitor compliance through annual returns, thematic reviews, and compliance visits.
The Consultative Committee of Accountancy Bodies publishes approved guidance that interprets MLR17 for the accountancy sector. This guidance was last updated in 2023 to include information on proliferation financing and ongoing discrepancy reporting requirements. Following this guidance provides a safe harbour for demonstrating compliance and applies to all firms providing accountancy services in the UK.
Top 5 AML Risk Factors You Must Assess
The regulations require you to consider five specific risk factors when assessing your firm’s exposure to money laundering. Each factor contributes differently to your overall risk profile and requires tailored mitigation strategies.
Client Risk
Client risk varies significantly based on who you serve. Different client types present different levels of money laundering risk that you must identify and assess.
| Client Type | Key Considerations |
|---|---|
| Politically Exposed Persons (PEPs) | Individuals in prominent public functions are vulnerable to corruption, including family members and known close associates |
| Non-resident clients | Complex international structures, harder to verify the source of wealth or funds |
| High-risk jurisdictions | Clients from FATF-listed countries with weak AML regimes require enhanced due diligence |
| High net worth individuals | Must verify sources of wealth, whether inherited, business-generated, or from property/investments |
| Complex corporate structures | Multiple holding companies, offshore entities, or nominee arrangements warrant enhanced scrutiny. However, legitimate commercial reasons sometimes justify complexity |
| Cash-intensive businesses | Restaurants, car washes, and nail bars lack clear audit trails, making it easier to introduce illegitimate funds |
| Agricultural and farming clients | Specific modern slavery and human trafficking risks related to labour sourcing practices |
Understanding your client’s risk profile is the foundation of effective AML compliance.
Service Risk
Not all accountancy services carry equal money laundering risk. Some services can be easily exploited by criminals to conceal illicit funds or facilitate money laundering arrangements.
| Service Type | Key Risks |
|---|---|
| Tax planning services | Can be used to layer and integrate criminal proceeds through structures that move money between entities or jurisdictions. You must understand the genuine commercial rationale |
| Company formation and registered office | Allows criminals to create entities with hidden beneficial ownership. Should never be offered as standalone services without other accountancy work for the same client |
| Payroll services | Risk of fictitious employees extracting funds or paying exploited workers below minimum wage. Verify employees actually exist and review whether staff costs appear reasonable |
| Work with incomplete records | Criminals may deliberately provide incomplete documentation to prevent identification of suspicious patterns |
| Trustee services | Control over assets can be exploited to conceal beneficial ownership or receive criminal proceeds. Requires enhanced due diligence and ongoing monitoring |
Your procedures should establish what supporting evidence exists and document reasonable explanations for any gaps or inconsistencies.
Geographic Risk
Where your clients operate significantly affects your money laundering risk. Geographic risk encompasses not just where clients are based but where they trade, source funding, and maintain business relationships.
| Geographic Factor | What You Need to Know |
|---|---|
| FATF high-risk jurisdictions | Countries with strategic AML deficiencies or under increased monitoring. FATF regularly updates its lists |
| Highly corrupt jurisdictions | Check Transparency International's Corruption Perceptions Index. Scrutinise payment practices and supply chains |
| Sanctioned countries/entities | Check OFSI and FCDO lists. You cannot provide services to sanctioned individuals or entities, even when they're not your direct client |
| Unfamiliar jurisdictions | Lack of experience increases risk as you're less able to identify unusual patterns or arrangements |
| Your firm's expertise | Considerable experience with specific countries allows better risk assessment compared to unfamiliar jurisdictions |
You must regularly check current FATF designations and sanctions lists, as these change frequently.
Transaction Risk
Transaction risk focuses on the actual movement of money and assets. This is often where money laundering activity becomes most visible if you know what to look for.
| Transaction Type | What to Watch For |
|---|---|
| Client money accounts | Know the expected source of all deposits, monitor for unusual patterns, maintain compliance with Client Money Regulations |
| Large cash transactions | Register as a High Value Dealer with HMRC if accepting cash payments exceeding €10,000 |
| Transactions inconsistent with business profile | International transfers to local retail businesses, payments from unexpected sources or unusual trading partners |
| Rapid fund movements | Money arriving and departing quickly without clear business purpose suggests layering |
| Off-market asset valuations | Assets purchased or sold at values significantly different from market rates may indicate value transfer or trade-based money laundering |
Client money accounts present the highest transaction risk for accountants and require robust controls.
Delivery Channel Risk
How you interact with clients affects your ability to verify their identity and detect suspicious activity. Remote relationships increase risk because you have fewer opportunities to assess clients directly.
| Delivery Channel | Considerations |
|---|---|
| Face-to-face meetings | Allows observation of behaviour, natural follow-up questions, and verification of original documents |
| Video calls | Better than phone-only, but still limits ability to verify original documents |
| Intermediary relationships | Reduced visibility when communicating primarily through referrers. You cannot rely solely on an intermediary's due diligence |
| Reliance on third-party CDD | MLR17 allows this for certain third parties, but you remain responsible. Must satisfy yourself they conducted adequate due diligence |
| Online-only relationships | Prevents verification of original documents, making stolen or fake identities easier to use. Requires enhanced due diligence from multiple independent sources |
| Complete avoidance of contact | Clients refusing to meet in person or via video warrant enhanced scrutiny |
While remote working has become more common, complete avoidance of personal contact warrants enhanced scrutiny and additional verification measures.
How to Conduct Your Firm-Wide Risk Assessment
MLR17 legally requires you to conduct and document a firm-wide risk assessment. This isn’t merely a compliance exercise but a practical tool for focusing resources on your highest-risk areas.
The Three-Step Process: Identify, Assess, Mitigate
The risk assessment methodology follows three fundamental steps that together create a comprehensive view of your firm’s money laundering exposure.
Step 1 – Identify all money laundering risks your firm faces. Consider how criminals could use each service you offer, review your complete client base and industries served, and examine the jurisdictions you have exposure to.
Step 2 – Assess each risk by considering likelihood (from “rare” to “almost certain”) and impact (from “minor” to “critical”). For example, it’s almost certain that criminals would want to use a chartered accountant to legitimise proceeds, but rare that a local client you meet regularly will lie about their identity.
Step 3 – Mitigate risks through customer due diligence procedures, enhanced due diligence for higher-risk situations, MLRO approvals for high-risk clients, second-partner reviews, and more frequent monitoring of high-risk areas.
Documenting & Reviewing Your Assessment
Documentation is not optional. The regulations explicitly require you to document your firm-wide risk assessment. Without proper documentation, you cannot demonstrate compliance.
Your documented assessment should clearly show:
- The methodology you used
- All risks identified across the five risk factors
- How you assessed the likelihood and impact of each risk
- What mitigating actions you implement or plan to implement
- Who is responsible for each mitigating action and by what date
Include specific examples rather than generic statements. Instead of “we serve limited companies,” specify “we serve approximately 30 limited companies, primarily in manufacturing and trades, with two clients in the agricultural sector. All clients operate within the UK with no international connections.”
Regular reviews are mandatory. Regulation 19 of MLR17 requires annual reviews as a minimum. However, you must review your assessment whenever there are material changes, such as taking on a new service line, expanding into a new geographic market, or winning a major new client type.
Senior Management Responsibilities
Senior management bears ultimate responsibility for your AML compliance. Under MLR17, senior management must approve the policies, controls, and procedures that address and mitigate identified risks.
Senior management means an officer or employee with sufficient knowledge of money laundering risks and sufficient authority to make decisions affecting risk exposure. In a sole practice, this is you. In partnerships, it’s typically the managing partner or compliance partner.
This responsibility cannot be delegated. While you can appoint a Money Laundering Reporting Officer to manage day-to-day compliance, senior management remains accountable. Your signature on the risk assessment demonstrates that you’ve personally reviewed and approved it.
Customer Due Diligence (CDD) Requirements
Customer due diligence represents your most important defence against money laundering. CDD helps you know who your clients are, understand their businesses, and detect when something doesn’t make sense.
When & How to Conduct CDD
You must conduct customer due diligence before establishing a business relationship with any client. This means before you agree to provide any accountancy, tax, audit, or related services. Once you’ve begun work, withdrawing becomes much more difficult if CDD reveals concerns.
CDD is also required for occasional transactions of €15,000 or more, whether as a single transaction or a series of linked transactions. This most commonly affects insolvency practitioners selling assets.
Existing relationships require renewed CDD at appropriate times:
- When you have doubts about previously obtained identification information
- Material changes to a client’s business, such as expanding into new markets
- Significant changes in beneficial ownership
- Unusual transactions that don’t fit the client’s known profile
- The passage of time since your last CDD update
The CDD process has four core elements: identify and verify your client’s identity using reliable sources, identify and verify beneficial owners who own or control 25% or more of a corporate client, understand the purpose and intended nature of the business relationship, and conduct ongoing monitoring throughout the relationship.
Standard vs Enhanced Due Diligence
Standard due diligence suffices for clients who present normal money laundering risks. This includes verifying identity through a passport or driving licence plus proof of address, understanding the client’s business activities and industry, establishing the purpose of the professional relationship, and identifying beneficial owners of corporate entities.
Enhanced due diligence becomes mandatory for:
- Politically exposed persons and their family members or associates
- Clients from high-risk jurisdictions
- Non-resident clients
- Unusual or complex beneficial ownership structures without a clear commercial rationale
Enhanced due diligence goes beyond basic identity verification. You might conduct adverse media checks to identify any negative press associated with the client or beneficial owners. Source-of-wealth verification requires understanding how they accumulated their assets over time. Source-of-funds verification for specific transactions requires understanding where particular money came from.
More frequent monitoring is essential for high-risk clients. While you might update a low-risk client’s due diligence every three years, a high-risk client might require annual or even more frequent reviews.
Simplified due diligence applies only in limited situations where risks are demonstrably lower, such as certain public authorities or companies listed on regulated markets. However, simplified CDD still requires verifying identity and understanding the relationship’s nature.
Ongoing Monitoring Obligations
CDD doesn’t end once you verify a client’s identity at onboarding. Regulation 28 requires ongoing monitoring throughout the business relationship. This means scrutinising transactions and activities to ensure they remain consistent with what you know about the client.
You should monitor for transactions inconsistent with the client’s normal business pattern. For instance, if a client’s accounts typically show revenues of £200,000 annually, then bank statements revealing £500,000 in deposits require explanation.
Changes in beneficial ownership trigger additional CDD requirements. When shareholders or partners change, you must verify the identity of new beneficial owners who cross the 25% threshold.
Red flags requiring immediate attention include:
- Reluctance to provide routine information
- Implausible explanations for transactions or business activities
- Sudden requests for services outside your normal scope
- Defensive or evasive behaviour when asked reasonable questions
Document your ongoing monitoring activities. Your files should show what monitoring you conducted, when you conducted it, and the results. If you identified issues requiring further investigation, document the investigation and its conclusions.
High-Risk Services & Red Flags
Certain accountancy services inherently carry higher money laundering risks. Understanding these risks and the red flags that indicate potential problems helps you protect your firm.
Accountancy Services That Pose Higher Risks
Tax planning services can be exploited to layer criminal proceeds through structures that move assets between entities and jurisdictions. Ensure genuine commercial rationale exists for any structures you recommend.
Payroll services present modern slavery risks. Verify that employees actually exist and review whether staff costs appear reasonable for the business size and industry.
Company formation services allow criminals to create entities with obscured beneficial ownership. Never offer these as standalone services. Provide them only to clients for whom you also perform other substantive accountancy work.
Trustee services can conceal beneficial ownership. The trust, its settlor, and beneficiaries all require thorough due diligence, including verification of asset sources.
Working with incomplete records makes it harder to identify suspicious patterns. Document what evidence exists and note reasonable explanations for gaps.
Common Red Flags & Warning Signs
Combinations of these red flags significantly elevate suspicion:
- Client Reluctance – Evasive answers, implausible explanations, or defensive behaviour about reasonable requests
- Complex Structures – Multiple offshore layers without a clear commercial rationale for small businesses
- Inconsistent Transactions – Bank deposits that don’t match stated revenues or business activities
- Frequent Bank Account Changes – May indicate fraud or attempts to redirect payments
- High-Risk Jurisdictions – Payments from countries with weak AML controls without a clear business purpose
- Cash Anomalies – Unusually high deposits or revenues disproportionate to business size
- Urgency or Secrecy – Artificial time pressure or requests to keep arrangements confidential
Industry-Specific Concerns
Certain industries pose elevated money laundering risks based on their characteristics and how criminals have historically exploited them.
| Industry | Key Risks | Warning Signs |
|---|---|---|
| Agricultural and farming | Modern slavery and human trafficking | Low staff costs, high turnover, poor worker conditions |
| Property development | Cash purchases, value manipulation | All-cash deals, off-market values, frequent transactions |
| Professional services | Sham firms, false invoices | No real offices, unqualified staff, no track record |
| Construction | Inflated contracts, subcontracting chains | Inflated invoices, unusual suppliers, suspicious costs |
| Healthcare and care homes | Fraud, resident exploitation | Patient numbers misaligned with staffing and capacity |
Understanding these industry-specific risks helps you assess client risk and identify suspicious patterns early.
Reporting Suspicious Activity
When you know or suspect money laundering, the law requires you to report it. Failure to report is itself a criminal offence carrying up to five years’ imprisonment.
When to File a SAR & the DAML Process
You must make a Suspicious Activity Report when you know or suspect that a person is engaged in money laundering or terrorist financing.
The suspicion threshold is lower than proof. If your suspicion is more than fanciful and based on reasonable grounds, you must report. The requirement extends to any criminal conduct whose proceeds enter the financial system, including tax evasion, fraud, theft, drug trafficking, and corruption.
Defence Against Money Laundering requests are a special type of SAR you submit when you need consent to proceed with a transaction involving suspected criminal property. The National Crime Agency has seven working days to grant or refuse consent. If you hear nothing within seven days, consent is deemed granted. If refused, you cannot proceed for a further 31 days unless they give earlier consent.
Avoiding the Tipping Off Offence
Tipping off occurs when you disclose that a SAR has been made or is being considered, and that disclosure is likely to prejudice an investigation. The offence carries up to two years’ imprisonment.
You must never tell your client that you’ve submitted a SAR about them. This restriction continues indefinitely, not just during the investigation. The prohibition extends to disclosures to third parties who might relay the information to the subject of the SAR.
Your working papers should never contain copies of SARs you’ve submitted. Be extremely careful with reports to creditors or regulators to ensure they don’t reveal that SARs were submitted.
Limited exceptions exist. You can disclose SAR submissions to your professional body supervisor during monitoring activities and discuss potential SARs with your MLRO or compliance team before submission.
Working with Your MLRO
Your Money Laundering Reporting Officer acts as your firm’s focal point for AML compliance. In sole practices, you fulfil this role yourself. Larger firms appoint a dedicated person.
The MLRO receives internal reports of suspicious activity from staff and determines whether they meet the threshold for external SARs to the NCA. Staff should report suspicions as soon as they arise using internal reporting templates.
The MLRO needs sufficient seniority and authority to challenge partners or directors about compliance concerns. An MLRO who lacks authority or fears career consequences for raising issues cannot function effectively. Senior management must demonstrate that they value and support the MLRO’s work.
Practical Risk Mitigation Strategies
Understanding risks accomplishes nothing unless you implement effective controls. The following strategies form the foundation of practical AML risk management.
- Written Policies & Procedures – Document your AML policy with clear senior management commitment, detailed client take-on procedures specifying acceptable identification and approval processes, risk assessment guidance with relevant red flags, and record-keeping requirements that comply with MLR17’s five-year retention period. Regular annual reviews ensure procedures remain current as risks evolve and regulations change.
- Staff Training – All staff require basic AML awareness training covering what money laundering is and their legal obligations, with annual refreshers. Client-facing staff need detailed role-specific training on customer due diligence procedures, risk indicators for their services, and handling suspicious situations. Use practical case studies relevant to your firm’s work to help staff connect concepts to real situations they might encounter.
- Screening & Monitoring Controls – Implement systematic beneficial ownership verification to identify individuals who own or control 25% or more of corporate clients. Conduct PEP and sanctions screening at client take-on and periodically thereafter, remembering that PEP status extends to family members. Perform ongoing monitoring at risk-based frequencies, from quarterly reviews for high-risk clients to every three years for low-risk clients, checking for business changes, ownership changes, and transaction consistency.
Effective implementation of these strategies creates a robust defence against money laundering while demonstrating your firm’s commitment to compliance.
One smart way to stay compliant is to use RegTech. Find out what RegTech is and how it can benefit you: AI and RegTech: Transforming AML Compliance in 2026 | FigsFlow
Additional Resources
- Financial Action Task Force (FATF): High-risk and other monitored jurisdictions
- Money Laundering Regulations 2017: The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017
- ICAEW AML Webinars: On-demand anti-money laundering webinars | ICAEW
- AML & ID Verification Guide for Accountants: 2025 Anti-Money Laundering ID Check Guide for Accountants in the UK – FigsFlow
Conclusion
AML risk management is not optional. It’s a legal requirement that protects your firm, your clients, and the integrity of the UK financial system.
The framework is clear. Assess your risks across all five factors, document your findings, implement proportionate mitigations, and review regularly. Customer due diligence forms your primary defence, but training, monitoring, and a culture of compliance all play essential roles.
Start today if you haven’t already. Review your current risk assessment against the methodology outlined here. Update your CDD procedures. Train your staff. The investment pays dividends through regulatory compliance, reduced exposure to criminals, and the confidence that you’re protecting your practice properly.
Frequently Asked Questions
AML risk is the potential for your firm to be exploited for money laundering. AML compliance is the policies, procedures, and controls you implement to mitigate those risks. Compliance is your response to risk.
MLR17 requires regular reviews but doesn’t specify the exact frequency. Most firms conduct annual reviews, which regulators consider acceptable. You must also review whenever material changes occur, such as adding new service lines or taking on significantly different client types.
ICAEW can issue civil penalties ranging from warnings to fines exceeding £100,000. Your practising certificate may be suspended or withdrawn. Serious failures can result in criminal prosecution with potential imprisonment. Compliance failures also damage your reputation and typically result in lost clients.
Yes, MLR17 applies to all firms regardless of size. However, you can take size into account when designing procedures. A sole practitioner’s risk assessment can be more succinct than a multi-office firm’s, but you must still properly identify and mitigate your specific risks.
Submit a Suspicious Activity Report to the National Crime Agency as soon as practicable. If you need to deal with suspected criminal property, submit a DAML request and wait for consent before proceeding. Never tell the client or anyone else that you’ve made a SAR, as this constitutes tipping off.