“We’ll go with another accountant. Your onboarding process takes too long.”
You’ve lost another client to a competitor with faster systems. But rushing ID verification in AML to win business creates compliance risks that dwarf any lost fee.
The Money Laundering Regulations 2017 require electronic verification, sanctions screening, and documented risk assessments. Manual ID verification in AML forces you to choose between client experience and regulatory compliance.
You shouldn’t have to choose.
This guide shows how FigsFlow lets you onboard clients in minutes while exceeding HMRC’s verification standards, using automated systems that protect your firm and improve client satisfaction.
Key Points for Busy Readers
- ID verification must include electronic verification against government databases, not just visual document checks
- Three verification levels exist: Standard CDD for most clients, Simplified DD for low-risk situations, Enhanced DD for high-risk scenarios
- Acceptable ID documents: valid passport, photo card, driving licence, or national identity card with a machine-readable zone
- Address verification requires documents dated within specific timeframes (3 months for utility bills, 12 months for mortgage statements)
- Beneficial owners (25%+ ownership) must be identified and verified in addition to the client
- Records must be kept for 5 years from when the business relationship ends or the transaction completes
- Common failures: accepting online bank statements without certification, missing beneficial owner identification, not applying EDD when required
- FigsFlow automates the entire workflow: document collection, electronic verification, sanctions screening, risk assessment, and audit trails
- Complete compliance from £18/month (£8 base + £10 AML module + £2.10 per verification)
What is ID Verification in AML Compliance?
ID verification means confirming your client is who they claim to be through documentary evidence and electronic checks. It’s the foundation of Customer Due Diligence (CDD) under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017).
The goal is to prevent criminals from using your accounting services to launder money. Criminals need legitimate professionals to move illicit funds through the financial system. Without proper ID verification, your practice becomes an unwitting accomplice.
MLR 2017 requires you to obtain and verify three core elements:
- the client’s full name
- their residential address
- their date of birth
You must also see a photograph on an official identity document. This applies to individuals, beneficial owners behind companies, and anyone authorised to give you instructions.
But here’s what most firms miss: visual inspection alone doesn’t satisfy the regulations.
You need electronic verification against authoritative sources like government databases, credit reference agencies, or the electoral register. The regulations expect you to use independent, reliable sources to confirm that the information your client provides matches official records.
For companies, you must:
- verify the entity itself using Companies House records
- identify the beneficial owners (individuals with 25% or more ownership or control)
- trace ownership through several entities until you reach the ultimate human controllers
The verification standard escalates based on risk. Low-risk clients may qualify for Simplified Due Diligence with reduced checks. High-risk situations demand Enhanced Due Diligence with additional verification from multiple independent sources.
AML Regulations & ID Verification Requirements in 2025
The Money Laundering Regulations 2017 set specific standards for what documents you can accept and how you must verify them. These aren’t just suggestions. They’re real requirements that HMRC tests during supervision visits.
What Documents Are Acceptable for ID Verification?
MLR 2017 and HMRC guidance recognise three acceptable documents:
- a valid UK or foreign passport with a machine-readable area,
- a full UK or foreign driving licence with photo, or
- a national identity card with photo and a machine-readable area
The document must be current, in date, and signed by the holder. Expired passports don’t count even if the photo still looks like your client. Provisional driving licences aren’t sufficient because they lack the verification standards of full licences.
The machine-readability requirement is critical. This is the section at the bottom of passports and identity cards containing encoded data that electronic verification systems read. Documents without this feature can’t be electronically verified against government databases, which means they don’t meet the regulatory standard.
What Documents Are Acceptable for Address Verification?
Address verification confirms where your client actually lives. You need a second form of identification that shows their permanent residential address, ideally from an independent source that has already verified the person lives there.
Acceptable proof-of-address documents include:
- a full UK driving licence bearing the residential address (if not already used as your ID document),
- UK or foreign bank statements or credit card statements dated within the last three months,
- UK mortgage statements dated within the last 12 months,
- UK council tax bills for the current year, or
- utility bills less than three months old
Water bills follow different timing rules. They must relate to the current charging period, which may be longer than three months.
TV licence letters or Direct Debit schedules less than 12 months old work, but they must confirm the person’s name, address, and existence of a TV licence. Electoral register searches through credit reference agencies provide strong independent verification.
Here’s what you cannot accept:
- utility bills printed from the internet,
- mobile telephone bills,
- store card statements, or
- any documents showing a care-of address or non-residential address
Online bank statements may only be accepted if they’re stamped and certified bearing the account holder’s address.
The rationale is straightforward. Documents printed from online portals can be easily manipulated. Physical documents mailed to an address provide stronger evidence the person actually receives correspondence there.
Beneficial Owner Identification Requirements
Beneficial owners are the individuals who ultimately own or control your client entity. MLR 2017 defines this as anyone holding more than 25% of shares, voting rights, or control over the company, partnership, or trust.
For UK companies, you must check the People with Significant Control (PSC) register at Companies House. This register has been mandatory since July 2016 and should list all individuals with significant control plus any registrable legal entities.
But don’t stop there.
The PSC register shows current ownership. You need to understand if control changed hands recently or if complex arrangements exist that aren’t immediately obvious from the register alone.
For non-UK companies, you need certified copies of the shareholders register, directors register, and evidence of registered address. If the beneficial ownership traces through multiple layers of companies, you must work through each entity until you reach the human beings at the top.
For each beneficial owner identified, you must complete the same ID and address verification as you would for the client themselves. If a company has four beneficial owners each holding 25% or more, you’re conducting ID verification on five parties total (the company plus four individuals).
Record Keeping: What, How Long & In What Format?
You must keep comprehensive records of all customer due diligence measures you carry out. This includes:
- actual documents you obtained,
- copies of identification documents,
- risk assessments,
- details of verification checks performed, and
- dates when everything occurred
The retention period is five years. For business relationships, that’s five years from when the relationship ends. For one-off transactions, it’s five years from when the transaction completed.
Acceptable formats include originals, photocopies, microfiche, scanned copies, or computerised records. The format doesn’t matter as long as the records are readily accessible and can be produced quickly when HMRC requests them during supervision visits.
What matters is completeness. Your records must show not just that you collected documents but what verification you performed, when you performed it, what sources you checked, and what results you obtained. A passport copy sitting in a file proves you received a passport. It doesn’t prove you verified it against any database or checked sanctions lists.
This is where manual processes fall apart. Creating and maintaining these detailed audit trails manually takes significant time and introduces risk of incomplete documentation.
When Different Levels of ID Verification Apply
Not every client requires the same verification intensity. MLR 2017 establishes a risk-based approach with three distinct levels:
- Standard Customer Due Diligence for most situations,
- Simplified Due Diligence when risks are demonstrably low, and
- Enhanced Due Diligence when high-risk factors are present.
Understanding which level applies is critical. Apply insufficient verification to a high-risk client and you breach the regulations. Apply excessive verification to every client and you waste resources while frustrating low-risk customers with unnecessary delays.
Standard Customer Due Diligence (CDD)
Standard CDD represents your baseline compliance obligation. It applies to most clients in most situations where no specific low-risk or high-risk factors are present.
Standard CDD requires you to:
- identify your customer and verify their identity using reliable, independent sources
- identify the beneficial owner and take reasonable measures to verify their identity
- obtain information on the purpose and intended nature of the business relationship
You must apply standard CDD when establishing a business relationship, when carrying out an occasional transaction worth £15,000 or more (£10,000 for high value dealers), when you suspect money laundering or terrorist financing, or when you have doubts about previously obtained customer identification information.
The timing matters.
For business relationships, you should verify identity when you establish the relationship or, where necessary to avoid interrupting normal business, within a reasonable time afterwards. You cannot establish a relationship, wait six months, and then think about verification.
Simplified Due Diligence (SDD)
Simplified Due Diligence allows you to reduce the extent, timing, or type of customer due diligence measures when a business relationship or transaction represents low risk of money laundering or terrorist financing.
Regulation 37 MLR 2017 sets out the framework. You must consider your own risk assessment, relevant information published by HMRC, and the lower risk factors specified in the regulations themselves.
Lower risk customers may include:
- UK public authorities,
- financial institutions subject to UK or equivalent overseas AML supervision,
- companies whose securities are listed on regulated markets, or
- customers based in countries with effective systems to counter money laundering and low levels of corruption
But here’s the critical point: the presence of low-risk factors doesn’t automatically mean you can apply SDD. You must assess each case individually. A listed company operating in a high-risk sector might not qualify. A UK financial institution conducting unusual transactions might not qualify.
When you do apply SDD, you’re still required to identify and verify your customer. What changes is how much you do and when you do it. You might verify identity using fewer independent sources, conduct less frequent monitoring, or obtain less detailed information about the purpose and nature of the relationship.
You cannot apply SDD where factors indicate higher risk. If your client is a PEP, established in a high-risk third country, or involved in complex transactions, SDD is not appropriate regardless of other low-risk characteristics.
Enhanced Due Diligence (EDD)
Enhanced Due Diligence represents the highest verification standard required when specific high-risk factors are present. EDD is mandatory, not discretionary, when these triggers apply.
Seven situations require EDD:
- customers established in high-risk third countries on the FATF list,
- politically exposed persons and their family members or known close associates,
- high-risk factors identified in your own business risk assessment,
- high-risk factors identified in HMRC guidance for your sector,
- situations involving false or stolen documentation,
- complex or unusual transactions, or
- any other case that by its nature presents higher money laundering risk
The phrase “established in” for high-risk countries means resident (for individuals) or incorporated/principal place of business (for companies). A client born in a high-risk country but resident in the UK for 20 years doesn’t trigger the high-risk third country requirements.
For high-risk third countries, you must:
- obtain additional information about the customer and beneficial owners,
- understand the intended nature of the relationship in greater depth,
- obtain information proving source of funds and source of wealth,
- establish the transaction purpose,
- get senior management approval to establish or continue the relationship, and
- conduct enhanced ongoing monitoring.
For politically exposed persons, you need senior management approval, adequate measures to establish source of wealth and source of funds, and enhanced ongoing monitoring for business relationships.
You cannot outsource EDD to third parties under reliance arrangements. This is a critical difference from standard CDD. When EDD applies, your firm must conduct the additional measures directly.
7 Common ID Verification Mistakes That Trigger HMRC Penalties
HMRC supervision visits reveal patterns of failure across accounting firms. Understanding these common ID verification mistakes helps you avoid them in your own practice.
Mistake 1: Accepting Documents Without Electronic Verification
Many firms visually inspect passports and driving licences but never verify them electronically against government databases or credit reference agencies. The regulations require independent verification from reliable sources. Looking at a document and deciding it appears genuine doesn’t satisfy this requirement.
The 2025 ICAS thematic review found 55% of firms had misjudged their money laundering risks. A significant portion of these failures involved inadequate verification procedures.
Mistake 2: Using Online Bank Statements Without Certification
Firms routinely accept bank statements printed from online portals as address verification. MLR 2017 specifically excludes these unless they’re stamped and certified bearing the account holder’s address. Statements that can be printed and modified at home don’t provide reliable independent verification.
The same principle applies to utility bills. Physical documents mailed to an address provide stronger evidence than anything printed from a website.
Mistake 3: Missing Beneficial Owner Identification
Some firms verify the company itself but fail to identify and verify the beneficial owners behind it. Others check the PSC register but don’t verify those individuals’ identities. Both approaches breach the regulations.
Every individual with 25% or more ownership or control must be identified and verified using the same standards as the company itself. For complex structures, this might mean verifying ten or more individuals across multiple jurisdictions.
Mistake 4: Not Recognising EDD Triggers
An accountancy firm provided services to a customer with beneficial owners in a high-risk third country but conducted no EDD. When questioned, they explained they thought “high-risk countries” meant conflict zones. They hadn’t reviewed HMRC guidance since registering five years earlier.
Another common failure involves not recognising PEP status. Firms rely entirely on client self-declaration without conducting independent PEP screening. When the client doesn’t understand what a PEP is or chooses not to disclose, the firm misses the trigger entirely.
Mistake 5: Having Procedures But Not Following Them
An art market participant had written EDD procedures requiring nominated officer approval for third-party payments. During inspection, HMRC found a third-party payment where only standard CDD was conducted. None of the documented EDD procedures were followed.
This represents a double breach: failing to apply EDD and failing to follow documented procedures. Both violations indicate systemic control failures rather than isolated errors.
Mistake 6: Superficial Checks That Don’t Mitigate Risk
A high-value dealer requested bank statements to verify source of funds for large cash payments. However, staff routinely accepted statements showing large credits from third parties without investigating where that money originated. The check was performed but didn’t actually reduce the risk.
Going through the motions without substance doesn’t satisfy compliance obligations. Your verification must actually address the risks you’ve identified.
Mistake 7: Inadequate Record Keeping
Firms keep passport copies but maintain no records of when verification occurred, what sources were checked, who performed the checks, or what results were obtained. When HMRC asks for evidence of compliance, the firm can prove they received documents but cannot prove they verified them.
The cascade effect compounds these failures. Missing EDD typically also means you failed to identify the risk properly, establish appropriate procedures, or train staff adequately. One visible breach usually signals deeper problems across your entire AML framework.
How FigsFlow Handles ID Verification: Complete Workflow
FigsFlow automates the entire ID verification process from initial client contact through compliance certification. The workflow eliminates manual document handling, ensures consistent application of risk-based measures, and creates comprehensive audit trails automatically.
Step 1: Automated Client Onboarding (HubSpot to FigsFlow)
Won deals in HubSpot automatically import to your FigsFlow dashboard. No manual data entry required. Client information flows seamlessly from your CRM into your compliance workflow.
You send professional proposals, engagement letters, and service pricing with just nine clicks. The entire process takes 30 seconds or less. The client accepts with a binding e-signature through FigsFlow, which triggers the AML compliance workflow automatically.
This integration eliminates the compliance gap that exists when client acceptance happens in one system and AML checks happen separately weeks later. The moment a client becomes yours, verification begins.
Step 2: Secure Document Collection Portal
You onboard clients through two methods.
- Email onboarding uses predefined templates that guide clients through document submission.
- Trust ID onboarding provides a secure link specifically designed for AML document collection.
Clients upload their identification documents, proof of address, and any additional documents required for their risk profile directly to a secure portal. No more documents arriving via unsecured email attachments. No more chasing clients for missing information.
The portal guides clients through exactly what’s needed based on their situation. Individual clients see requests for passport and address verification. Company clients see additional requests for incorporation documents and beneficial owner information.
Documents upload in real-time. You see immediately when clients submit information and can review it without delay.
Step 3: Automated ID Verification & Sanctions Screening
Once documents arrive, you can conduct electronic verification against government databases and sanctions screening against PEP lists, watchlists, and adverse media. This takes approximately 30 seconds.
The system returns an AML status for the client and generates an AML check certificate with:
- full details of what was verified,
- which databases were checked, and
- what results were obtained.
Every check is timestamped automatically.
This is electronic verification as MLR 2017 requires it. You’re not visually inspecting documents and making subjective judgments. You’re verifying against authoritative independent sources and documenting the results.
The sanctions screening covers:
- politically exposed persons (domestic, foreign, and international organisation PEPs),
- individuals and entities on financial sanctions lists, and
- adverse media mentions indicating potential money laundering or terrorist financing risks.
When the system identifies a potential match, it alerts you for manual review. You assess whether the match is genuine or a false positive based on additional information. Your decision and reasoning get recorded in the audit trail.
Step 4: Risk Assessment with Pre-Built Templates
FigsFlow provides risk assessment templates customised to specific client types:
- property portfolios
- trust and estate work
- trading businesses
- high-net-worth individuals
- cross-border clients
These templates follow HMRC guidance for the accountancy sector. They address the specific risk factors HMRC expects you to consider, formatted in a way that makes sense for how accountants actually work.
You complete the risk assessment using information you already gathered during onboarding and verification. The template asks relevant questions about the client’s business, transaction patterns, beneficial ownership, and geographic factors.
The system calculates an overall risk rating based on your responses.
You can use the templates repeatedly at no extra cost. When client circumstances change, you complete a fresh risk assessment to determine if your due diligence level remains appropriate.
Step 5: Senior Management Approval Workflow
When verification results or risk assessments indicate high-risk factors requiring senior management approval, FigsFlow routes the case automatically to designated senior managers.
The senior manager sees the complete picture:
- verification results,
- risk assessment,
- documents submitted, and
- any flags or concerns identified.
They approve or reject based on whether the firm can manage the risks to an acceptable level.
Every approval is timestamped and recorded with the senior manager’s identity. You can prove not just that approval occurred but who approved it, when they approved it, and what information they reviewed when making the decision.
Step 6: Enhanced Due Diligence When Required
When high-risk factors trigger EDD requirements, FigsFlow provides the framework to document the additional measures needed.
For high-risk third countries, you can record additional customer information, source of wealth and funds documentation, transaction purpose, and enhanced monitoring frequency within the client record.
For PEPs, you can document senior management approval, source of wealth and funds, and schedule enhanced monitoring for business relationships.
All additional measures stay connected to the client record rather than scattered across different systems or paper files.
Step 7: Complete Audit Trail & Timestamped Records
Every action in FigsFlow creates a timestamped audit trail entry. You can see exactly who did what, when they did it, and what information they reviewed.
Document uploads are timestamped. Verification checks are timestamped. Risk assessments are timestamped. Approvals are timestamped. Every single compliance action is recorded automatically as it occurs.
This satisfies record-keeping requirements under MLR 2017.
The audit trail proves not just that you have documents but that you verified them, assessed risks, applied appropriate due diligence levels, obtained required approvals, and monitored the relationship. It’s comprehensive evidence of compliance rather than just a collection of files.
Why Choose FigsFlow
FigsFlow isn’t just AML software. It’s a complete client onboarding platform built by accountants who got tired of stitching together five different systems just to onboard one client.
Everything in One Place
Proposals, engagement letters, document collection, ID verification, sanctions screening, risk assessments, and audit trails. One workflow. One client record. No switching between platforms or logging clients into multiple portals.
Surprisingly Affordable
Most firms spend £95-320 monthly across separate tools for proposals, engagement letters, document management, and AML software. FigsFlow does it all from £18 per month. That’s not a typo.
Built by People Who Actually Do This Work
Generic compliance software tries to fit everyone. FigsFlow was built specifically for UK accounting practices by accountants who faced the same frustrations you do. The workflows make sense because they’re designed by people who use them daily.
Action Plan: What Firms Should Do Now
Understanding ID verification requirements is one thing. Actually implementing them is what protects your firm.
Audit Your Current Process
Compare what you’re doing against the requirements in this guide. Do you conduct electronic verification or just visual inspection? Do you verify beneficial owners or just the company? Do you maintain audit trails or just keep document copies?
Fix the Gaps
Review recent client intake for missing verifications. Update your high-risk country lists. Train client-facing staff on what documents are acceptable and when different due diligence levels apply.
Stop Relying on Manual Processes
Electronic verification, automated sanctions screening, comprehensive audit trails, and approval workflows are difficult to manage consistently through spreadsheets and email.
We know we’ve just thrown thousands of things at you, and we can feel how overwhelming it must seem. So today, just take a first step.
Register for a FigsFlow demo, invest 30 minutes of your time, and see what it does. Believe us, you’ll discover a gem.
Additional Resources
- Money Laundering Regulation 2017: The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017
- Economic Crime Supervision Handbook: Economic Crime Supervision Handbook – HMRC internal manual – GOV.UK
- FATF High-Risk Jurisdictions Lists: High-risk and other monitored jurisdictions
- Guide to AML Software: Complete Guide to AML Software for Accountants, Bookkeepers & Tax Advisors | FigsFlow
- How to Write an AML Policy for Your Firm: Writing an AML Policy: Full Guide 2025 | FigsFlow
- AML Simplified: AML Meaning: Explanation for Accountants | FigsFlow
Conclusion
Compliant ID verification comes down to three things: verify electronically, screen thoroughly, document everything.
Getting it right protects your firm from penalties, your clients from fraud, and your reputation from damage. Getting it wrong exposes you to regulatory action and reputational risk that takes years to rebuild.
Manual verification can’t scale. Paper trails don’t satisfy auditors. Scattered systems create the gaps that supervisors find.
Stop managing compliance. Start automating it.
See ID Verification Done Right
Watch FigsFlow verify clients electronically, screen sanctions automatically, and build audit trails in real time. All in under three minutes per client.
Frequently Asked Questions
Yes, but only if certified by a qualified lawyer, accountant, notary public, or bank official with specific wording confirming it’s a true copy. However, you still need electronic verification against government databases. The physical document alone doesn’t satisfy MLR 2017 requirements.
Non-face-to-face relationships trigger Enhanced Due Diligence under Regulation 33. You must obtain additional independent verification and ensure the first payment comes from an account in the customer’s name at a regulated institution. FigsFlow’s electronic verification satisfies these requirements without physical meetings.
Source of funds is the origin of money in this specific transaction. Source of wealth is the origin of total accumulated assets over time. EDD for high-risk countries and PEPs requires you to establish both.
Yes. The PSC register identifies beneficial owners but doesn’t verify their identity. You must conduct the same ID and address verification for each beneficial owner as you would for any individual client.
It depends on risk level. Low-risk clients need updates when circumstances change. Medium-risk clients warrant annual reviews. High-risk clients require frequent monitoring. FigsFlow schedules reviews automatically based on risk ratings.