A new client wants to work with you. They’ve sent their documents. Signed the engagement letter. Ready to start. Then someone on your team asks: “Have we done the AML check?” You pause. What exactly does that mean?
“AML check” gets thrown around in accounting practices like everyone knows exactly what it means. Most don’t.
One team member accepts a four-month-old utility bill. Another insists on three months maximum. One person Googles the client’s name for sanctions. Another skips it entirely. Different standards for every client create compliance gaps you’ll discover only when HMRC inspects.
This guide breaks down exactly what an AML check is, what it includes, when you must do it, and how to ensure consistent verification across your team.
Key Points Summarised for Busy Readers
- An AML check is the complete verification process required under Money Laundering Regulations 2017 before onboarding clients
- It includes five components: identity verification, address verification, beneficial ownership identification, sanctions/PEP screening, and risk assessment
- UK accountants, bookkeepers, and tax advisers must complete AML checks for every client receiving regulated services
- The check must happen before establishing the business relationship, not after you’ve started work
- Each component has specific requirements and acceptable documentation standards
- Proper documentation with audit trails is as important as conducting the check itself
- FigsFlow completes comprehensive AML checks in under 5 minutes with automatic documentation that proves compliance
What is an AML Check?
An AML check is the complete verification process you must complete before onboarding any client. It involves verifying identity, assessing money laundering risk, and screening against sanctions lists.
Money Laundering Regulations 2017 requires UK accountants, bookkeepers, and tax advisers to conduct Customer Due Diligence for every client receiving regulated services like tax advice, accountancy services, audit work, or trust formation. HMRC enforces this with penalties for non-compliance.
An AML check has five distinct components, each with specific documentation requirements. It’s not a one-time exercise. You have ongoing obligations to monitor clients throughout the relationship, conduct periodic reviews, and re-screen when circumstances change.
Done properly, the check protects your practice from regulatory penalties and proves you know who you’re dealing with.
Looking for Practical AML Guidance?
Explore our comprehensive guide on identity verification requirements, acceptable documents, and compliance best practices for UK accountants.
Dive deeper into AML ID checks: 2025 Anti-Money Laundering ID Check Guide for Accountants in UK – FigsFlow
When Must You Complete an AML Check?
Timing matters as much as content. Conducting checks too late creates regulatory breaches even if the checks themselves are thorough.
Here’s exactly when AML checks are required:
Before starting any work:
- Complete the check before providing regulated services, before the client pays you, before accessing confidential information
- No grace period exists. The check happens first, or the work doesn’t start
- Exception: if delaying would interrupt normal business and risk is low, you can verify during establishment but must finish before completing the transaction (rarely applies to accounting practices)
When significant changes occur:
- New directors or officers appointed
- Changes to beneficial ownership (anyone crossing the 25% threshold)
- Company restructuring or mergers
- Changes in control even without ownership changes
- Significant changes to business activities or risk profile
During periodic reviews:
- Low-risk clients: annual reviews minimum
- Medium-risk clients: quarterly or semi-annual reviews
- High-risk clients: continuous monitoring with formal reviews at least quarterly
- Re-screen against sanctions lists, confirm ownership hasn’t changed, verify contact details are current, reassess risk classification
When red flags arise:
- Unexplained wealth or unusual transactions
- Reluctance to provide updated information
- Behaviour inconsistent with known business activities
- May require Enhanced Due Diligence, source of wealth verification, or filing a Suspicious Activity Report (SAR) with the National Crime Agency
AML checks aren’t a one-time exercise. They’re required before starting work, when circumstances change, during periodic reviews, and whenever red flags appear. Missing these timing requirements creates regulatory breaches regardless of how thorough your verification process is.
Stay Updated on AML Regulatory Changes
The AML landscape evolves constantly. New rules, updated requirements, and changing enforcement priorities mean what was compliant last year might not be sufficient today.
Learn what’s changed in 2025: Accountants: The 2025 AML Rules You Can’t Afford to Ignore
The Five Components of a Complete AML Check
A proper AML check isn’t one action. It’s five distinct verification steps that work together to prove you know who you’re dealing with and understand the risks. Missing any component creates a compliance gap.
Component 1: Identity Verification
Verifying your client is who they claim to be by checking government-issued identity documents. For individuals, this means passport, UK driving licence, or national identity card. For companies, you verify the business entity through official registries and then verify the individuals controlling it.
Valid identity documents:
Expired documents, birth certificates, employee ID cards, provisional driving licences, and non-photographic documents aren’t acceptable. For companies, letterhead or invoices don’t verify the business entity.
Check expiry dates, verify security features (holograms, watermarks, microprinting), compare photographs to the person via video call or in-person meeting, and confirm details match across all information. For electronic verification, use certified systems that check against government databases.
Component 2: Address Verification
Confirming your client’s residential or business address through independently verifiable documentation dated within the last three months. This proves they have genuine physical presence and aren’t using fictitious addresses.
Valid proof of address documents:
Mobile phone bills, documents older than three months, insurance documents, letters from non-official sources, TV licences, and gym memberships don’t count.
Special considerations: For clients in shared accommodation, get a letter from the homeowner plus their proof of address plus their ID. For recently moved clients without utility bills yet, bank statements showing the new address work. For companies, Companies House address alone may be insufficient if it’s a registered office service. So, verify the actual trading address.
Component 3: Beneficial Ownership Identification
Identifying and verifying the actual people who ultimately own or control the business. UK regulations define beneficial owners as anyone holding 25% or more ownership or control. This prevents criminals from hiding behind complex corporate structures.
You must identify every individual:
- Owning 25% or more of the company
- Exercising 25% or more voting rights
- Holding the right to appoint or remove majority of directors, or
- Exercising significant influence or control.
For trusts, identify settlors, trustees, beneficiaries with defined interests, and anyone else with control.
Check Companies House PSC (Persons with Significant Control) register for UK companies. Review company shareholding structure and articles of association. Request written ownership declarations from clients. For complex structures, trace ownership through holding companies to ultimate individuals. For non-UK companies, obtain equivalent beneficial ownership records from their jurisdiction. Verify each beneficial owner’s identity and address using the same process as the client entity.
When no one meets the 25% threshold, identify senior managing officials (directors or equivalent), verify their identities, and document why no beneficial owners were identified.
Component 4: Sanctions & PEP Screening
Checking whether your client, their beneficial owners, or directors appear on sanctions lists or are Politically Exposed Persons (PEPs). This prevents you from providing services to individuals or entities prohibited under UK and international law.
You must screen the client (individual or company name), all beneficial owners, all directors and officers, all authorised signatories, and for trusts: settlors, trustees, and beneficiaries against:
- HM Treasury sanctions list
- OFAC (US Office of Foreign Assets Control) list
- United Nations Security Council sanctions list
- European Union sanctions list
- World Bank debarment list
- Interpol wanted lists
- PEP databases covering current and former officials, family members, and close associates
Here’s what the screening results mean for you:
Screen at initial onboarding before establishing the relationship, continuously throughout the relationship as lists update daily, at each periodic review, and when you become aware of changes to individuals involved.
Component 5: Risk Assessment
Evaluating the money laundering risk the client presents based on their business sector, location, transaction patterns, and ownership structure. This determines whether standard Customer Due Diligence is sufficient or Enhanced Due Diligence is required.
You must assess each client’s risk into low, medium, or high classification based on factors like business sector (cash-intensive businesses, property development, gambling), geographic location (FATF high-risk jurisdictions, offshore centres), transaction patterns (high-value, complex, or unusual transactions), ownership structure (complex chains, offshore entities, nominee directors), and client behaviour (reluctance to provide information, frequent ownership changes, negative media). Your classification determines the level of due diligence required.
Document your risk assessment with written rationale explaining the classification, specific factors considered, date of assessment and who conducted it, and reassess when circumstances change.
Understanding KYC vs AML
Many practices confuse KYC with AML or use the terms interchangeably. Understanding the difference helps you structure proper compliance processes.
Read the complete breakdown → Difference Between KYC & AML: What You Need to Know | FigsFlow
How to Do AML Checks
Now you know what an AML check includes. Here’s the practical process for conducting one properly.
[GRAPHIC: Flowchart showing AML check process from document collection → verification → screening → risk assessment → appropriate diligence level → ongoing monitoring]
Step 1: Collect Documents – Request government-issued photo ID, proof of address dated within three months, and for companies, Companies House confirmation plus beneficial owner details. Use a standardised template so nothing gets missed.
Step 2: Verify Identity & Address – Check documents are genuine, current, and match across all records. Verify the person matches the photograph. Confirm addresses are complete and documents are within the three-month requirement.
Step 3: Identify Beneficial Ownership – Search Companies House PSC register. Identify each individual holding 25% or more ownership or control. For complex structures, trace through holding companies to reach actual people. Verify each beneficial owner’s identity and address.
Step 4: Screen Against Sanctions & PEPs – Check all individuals against HM Treasury, OFAC, UN, EU sanctions lists, PEP databases, and adverse media. This is where manual processes typically fail. Manual Google searches catch perhaps 10% of actual matches. You need access to comprehensive databases.
Step 5: Conduct Risk Assessment – Evaluate business sector, geography, transaction patterns, ownership structure, and client behaviour. Classify as low, medium, or high risk with written rationale.
Step 6: Apply Appropriate Diligence – Low-risk clients proceed with standard verification and annual reviews. Medium-risk clients may need additional verification and quarterly reviews. High-risk clients require Enhanced Due Diligence: senior approval, source of wealth verification, and continuous monitoring.
Step 7: Ongoing Monitoring – Conduct periodic reviews based on risk level. When circumstances change (new directors, ownership changes, unusual transactions), reassess risk classification and adjust diligence accordingly. Document everything and retain for five years after the relationship ends.
Manual vs Automated AML Checks
All of these can be done manually or via automated tools like FigsFlow.
When done manually, it takes 30 to 45 minutes per client. Manual Google searches catch only 10% of sanctions matches, and comprehensive database access requires expensive subscriptions.
But you don't have to. Tools like FigsFlow complete comprehensive checks in under 5 minutes with automatic sanctions screening, continuous re-screening, and complete audit trails.
How FigsFlow Can Help
FigsFlow automates the entire AML check process, completing comprehensive verification in under 5 minutes with automatic documentation that proves compliance. Here’s how FigsFlow transforms AML compliance for UK accounting practices.
- Automated Document Collection & Verification – Clients receive a branded secure portal to upload documents via mobile. FigsFlow automatically extracts information, verifies authenticity against government databases, and completes identity verification in 30 seconds.
- Companies House Integration – Enter the company number and the system automatically pulls company details, identifies all Persons with Significant Control, maps ownership structure, and alerts you when records update.
- Comprehensive Sanctions & PEP Screening – Screens clients, beneficial owners, and directors against major national and international sanctions lists and PEP databases. Continuously re-screens your entire client base whenever lists update daily.
- Guided Risk Assessment – Pre-built templates guide you through evaluating business factors and automatically score risk with written rationale.
- Complete Audit Trail & Ongoing Monitoring – Every action generates timestamped records. Export compliance reports with one click. The system schedules periodic reviews, re-screens automatically, and sends document expiry alerts.
Besides AML compliance, FigsFlow also handles proposal management, engagement letters, and pricing solutions in a single integrated platform, making it the only software that manages your entire client onboarding and compliance workflow from first contact through ongoing relationship management.
All of this comes at a price you won't believe.
Just £8/month for proposals and engagement letters + £10/month for AML module + £2.10 per check. Compare that to standalone AML tools charging £60 to £80 per check or £200+ monthly subscriptions, and you'll see why FigsFlow is the most affordable yet reliable AML software for UK accounting practices.
Don't believe us yet? Try FigsFlow free for 30 days and see for yourself.
Additional Resources
- Money Laundering Regulations 2017 – Money Laundering Regulations 2017: consultation – GOV.UK
- HMRC Customer Due Diligence Guidance – ECSH33335 – Enhanced due diligence – HMRC internal manual – GOV.UK
- Complete Guide to AML Software for Accountants – Complete Guide to AML Software for Accountants, Bookkeepers & Tax Advisors | FigsFlow
- Why Accountants Should Prioritise AML – AML & KYC Compliance: Accountants Must Prioritise | FigsFlow
Conclusion
An AML check is the complete verification process required before onboarding any client under Money Laundering Regulations 2017. It’s five distinct components with specific requirements and documentation standards, not a single passport copy.
HMRC expects complete checks before work begins. Partial checks or poor documentation create compliance gaps. You can spend 30 to 45 minutes per client manually or use purpose-built software like FigsFlow that completes comprehensive checks in under 5 minutes with automatic audit trails.
Ready to simplify AML compliance?
See how FigsFlow completes proper AML checks in under 5 minutes. Book a demo → See FigsFlow in action
Frequently Asked Questions
KYC (Know Your Customer) refers specifically to the identity and address verification components of an AML check. An AML check is broader, including KYC verification plus beneficial ownership identification, sanctions and PEP screening, and risk assessment.
Manual AML checks typically take 30 to 45 minutes per client when done properly. With purpose-built AML software like FigsFlow, comprehensive checks complete in 3 to 5 minutes with better accuracy and automatic documentation.
No. Money Laundering Regulations 2017 explicitly require completing Customer Due Diligence before establishing the business relationship. Starting work before verification creates a regulatory breach regardless of whether you complete the check later.
You need government-issued photo ID (passport, photocard driving licence, or national identity card), proof of address dated within three months (utility bill, bank statement, or council tax bill), and for companies, Companies House confirmation plus beneficial owner details with ID and address for each.
You must conduct ongoing monitoring and periodic reviews. Low-risk clients require annual reviews minimum, medium-risk clients need quarterly or semi-annual reviews, and high-risk clients require continuous monitoring with formal reviews at least quarterly.
English (UK) 
English