Electronic signatures, KYC, and AML come up in every accounting practice. They’re related enough to feel like parts of the same thing, but different enough that most practitioners aren’t entirely sure where one ends and the other begins. Is an electronic signature required for AML? What actually counts as KYC? Does AML happen at the same time, or after? What’s the right order?
There’s a lot of confusion here, and honestly, that’s common. Even our own senior analyst gets it mixed up more often than you’d think.
This post is your one-stop answer to all of it. What each one is, what it covers, and exactly how they connect.
What Is an Electronic Signature?
An electronic signature is admissible in evidence in any legal proceedings in relation to the authenticity or integrity of the communication it is attached to. This is the foundation of electronic signature validity in the UK.
- Electronic Communications Act 2000, Section 7
The UK-retained eIDAS Regulation (Article 3(10)) defines an electronic signature as “data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign.”
In plain terms, an electronic signature includes typing your name at the bottom of a document, drawing your signature on a touchscreen, clicking a checkbox that confirms agreement, and uploading a scanned image of your handwritten signature.
There are three tiers of electronic signature recognised under UK law:
Simple Electronic Signature (SES)
It is the most basic tier, covering typed names, checkboxes, and scanned signature images. It lacks built-in identity verification, so the evidential weight depends entirely on the surrounding audit trail.
Advanced Electronic Signature (AES)
It is a higher tier and requires four conditions to be met under Article 26 of Regulation (EU) No 910/2014 (the UK-retained eIDAS Regulation). These are:
- It must be uniquely linked to the signatory
- It must be capable of identifying the signatory
- It must be created using data that the signatory can use under their sole control
- It must be linked to the signed document in such a way that any subsequent change is detectable
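As an added illustration of how the four Article 26 conditions map onto a digital signature, not code from the original post or from any signing product: a Go program in which a hypothetical SignatureRecord stores the signatory's name, their public key and the hash of the document as signed, so that a document altered after signing fails verification. SignDocument, Verify, the record fields and the sample engagement letter are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// SignatureRecord is the audit-trail entry a signing platform would keep next
// to the signed engagement letter (hypothetical structure, not a real product's).
type SignatureRecord struct {
	Signatory string            // identifies the signatory (Article 26(b))
	PublicKey ed25519.PublicKey // verification key unique to the signatory (26(a))
	DocHash   [32]byte          // SHA-256 of the document exactly as signed
	Signature []byte            // made with the private key under the signatory's sole control (26(c))
	SignedAt  time.Time
}

// SignDocument hashes the document and signs the hash with the signatory's
// private key; only the public key is written to the record.
func SignDocument(signatory string, priv ed25519.PrivateKey, doc []byte) SignatureRecord {
	h := sha256.Sum256(doc)
	return SignatureRecord{
		Signatory: signatory,
		PublicKey: priv.Public().(ed25519.PublicKey),
		DocHash:   h,
		Signature: ed25519.Sign(priv, h[:]),
		SignedAt:  time.Now().UTC(),
	}
}

// Verify re-hashes the document presented later and checks the stored signature
// against it, so any change made after signing is detectable (Article 26(d)).
func Verify(rec SignatureRecord, doc []byte) bool {
	h := sha256.Sum256(doc)
	return h == rec.DocHash && ed25519.Verify(rec.PublicKey, h[:], rec.Signature)
}

func main() {
	// Constructed sample engagement letter and signatory; not real client data.
	letter := []byte("Engagement letter: Example Ltd engages the firm for annual accounts.")
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	rec := SignDocument("Jane Doe, director of Example Ltd", priv, letter)
	fmt.Println("unaltered letter verifies:", Verify(rec, letter))
	// One character added after signing is enough to invalidate the signature.
	altered := append(append([]byte{}, letter...), '.')
	fmt.Println("altered letter verifies:  ", Verify(rec, altered))
}
```

A simple electronic signature (typed name, checkbox) has none of these properties on its own, which is why the post notes that its evidential weight rests on the surrounding audit trail.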
Qualified Electronic Signature (QES)
It is the highest tier, requiring a qualified certificate issued by a qualified trust service provider and a qualified signature creation device. Under Article 25(2) of the UK eIDAS Regulation, a QES carries the same legal effect as a handwritten signature.
We’ve covered the differences between all three tiers in detail, including when each one applies in practice. Read it here: Simple vs Advanced vs Qualified Electronic Signature Explained
What Is KYC?
Know Your Customer (KYC) is the process of verifying a client’s identity before or at the point of establishing a business relationship.
KYC is the industry term that accountants and bookkeepers use in practice; the legal framework calls the same process Customer Due Diligence (CDD). The two terms are used interchangeably and refer to the same process.
The CCAB Anti-Money Laundering, Counter-Terrorist and Counter-Proliferation Financing Guidance for the Accountancy Sector (June 2023) describes its purpose clearly: criminals often seek to mask their true identity using complex and opaque ownership structures. The purpose of CDD is to know and understand a client’s identity and business activities so that any money laundering, terrorist financing, and proliferation financing risks can be properly managed.
Under Regulation 28 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), CDD requires you to:
- Identify the client and verify their identity using documents or information obtained from a reliable source that is independent of the person being verified
- Where the client is a company, obtain and verify the registered name, company number, registered office, and principal place of business
- Identify the beneficial owners and take reasonable measures to verify their identity, so that you are satisfied you know who they are
- Take reasonable measures to understand the ownership and control structure of any legal person, trust, company, foundation, or similar arrangement
- Assess, and where appropriate obtain information on, the purpose and intended nature of the business relationship
CDD is not a one-time exercise. Regulation 28(11) requires ongoing monitoring throughout the business relationship, including scrutiny of transactions to ensure they are consistent with your knowledge of the client, their business, and their risk profile, as well as regular review of existing records to keep them up to date.
Worth Knowing: Beneficial Ownership Verification
Regulation 28(9) of the MLR 2017 is explicit: you cannot satisfy your beneficial ownership requirements by relying solely on information delivered to public registers such as Companies House. Independent verification is still required.
Under Regulation 28(4), you must identify the beneficial owner, take reasonable measures to verify their identity from a reliable source independent of both you and the client, and satisfy yourself that you know who the beneficial owner actually is.
What Is AML?
Anti-money laundering (AML) is the set of checks and controls designed to ensure that the funds or assets involved in a client relationship are not the proceeds of crime, and that your firm is not being used to launder money or finance terrorism.
Where KYC, or CDD, establishes who a client is, AML assesses the risk they represent. Accountants, bookkeepers, and tax advisers fall within the scope of the MLR 2017 under Regulation 8(2), which brings them within the same compliance framework as financial institutions.
For this category of professionals, the regulations impose several distinct AML obligations.
Politically Exposed Person screening (Regulation 35).
A PEP is someone entrusted with a prominent public function. If your client is a PEP, or if their beneficial owner, immediate family member, or known close associate is one, a standard CDD approach isn’t enough. Enhanced Due Diligence applies automatically.
High-risk third countries (Regulation 33(1)(b) and 33(3A)(e)).
Where a client or a party to a transaction is connected to a country on the FATF High-Risk Jurisdictions or Increased Monitoring lists, the risk profile of that relationship changes. Enhanced Due Diligence is required, regardless of how routine the transaction might otherwise appear.
Standard CDD versus Enhanced Due Diligence (Regulation 33).
Most clients go through standard CDD. EDD kicks in when the risk assessment points to something that warrants a closer look. That includes:
- PEP status,
- high-risk country connections,
- unusually large or complex transactions, and
- anything your own risk assessment flags.
Where EDD applies, you’ll need to go further and understand where the client’s money comes from, get sign-off from senior management, and keep a closer eye on the relationship as it continues.
The tipping-off prohibition (Section 333A of POCA 2002 and Regulation 28(14) and (15) of MLR 2017).
Once a Suspicious Activity Report has been filed or is being considered, the rules around what you can and can’t do with the client change. Continuing to apply CDD in a way that signals to the client they’re under suspicion is itself an offence. At that point, you’re not required to continue, and doing so carelessly carries its own legal risk.
There’s a lot more to AML than this section can cover. We’ve written a full guide for accountants here: 2025 Anti-Money Laundering ID Check Guide for Accountants in UK – FigsFlow
How Electronic Signatures, KYC & AML Connect in Practice
Take a simple example: your accounting practice is onboarding a new client. Everyday work. Here’s how the three things come together.
First, your client signs the engagement letter. Then you conduct KYC, or CDD, to verify who you’re working with. Then you run AML checks, which determine whether you proceed with the relationship, carry out Enhanced Due Diligence first, or step away entirely.
Let’s go through each one in detail.
Step 1: Your Client Signs the Engagement Letter
The engagement letter comes first, and an electronic signature is how your client signs it. Under Section 7 of the Electronic Communications Act 2000, an electronically signed document is legally valid and admissible as evidence of authenticity, provided it’s captured with an appropriate audit trail.
This matters beyond just getting a signature on paper. Regulation 4 of the MLR 2017 defines a business relationship as one expected to have an element of duration, and the signed engagement letter is the clearest documented evidence that the threshold has been met. The electronic signature is what makes that document legally binding, and the compliance workflow that follows it legitimate.
Step 2: You Conduct KYC
Once the engagement letter is signed, KYC begins. This is the document collection and identity verification stage. You’re confirming that the person or entity in front of you is who they say they are, and that the ownership structure is transparent.
For individual clients, this means verified photo identification and proof of address from a reliable, independent source. For corporate clients, it means verifying the company, identifying all beneficial owners above the 25% threshold, and understanding the ownership and control structure. Regulation 28(19) confirms that electronic verification methods, including digital identity checks, can satisfy the verification requirement, provided the process is secure from fraud and capable of providing the necessary assurance.
Step 3: You Run AML Checks
AML checks run in parallel with or immediately after KYC. The identity you’ve verified now gets screened against PEP databases, sanctions lists, and adverse media sources to confirm the client doesn’t represent a financial crime risk.
The outcome, combined with your client risk assessment under Regulation 18, determines what happens next. Standard CDD is sufficient for most clients. If Enhanced Due Diligence (EDD) is triggered, the additional documentation and approvals must be completed before the relationship proceeds. If a Suspicious Activity Report is required at any point, the tipping-off prohibition applies immediately and the rules around what you can do with the client change.
Counter Proliferation Financing: The Obligation Most Firms Are Missing
AML checks establish whether the source of funds is legitimate and whether the client is who they say they are. That covers the standard risk: money laundering, terrorist financing, PEP status, high-risk jurisdictions.
But here’s what most firms miss. The MLR 2017 also requires you to identify, assess, and manage proliferation financing risk as a standalone obligation, separate from everything above, and with its own regulations.
Proliferation financing, which counter proliferation financing (CPF) controls are designed to detect and prevent, is the act of providing funds or financial services for use, in whole or in part, in the manufacture, acquisition, development, export, or transfer of chemical, biological, radiological or nuclear weapons, in contravention of a relevant financial sanctions obligation.
- Regulation 16A (9), MLR 2017
In practice, this means your compliance framework must:
- Assess proliferation financing risk across your client base, covering the countries or geographic areas you operate in, the nature of your services, and the transactions you handle
- Identify and scrutinise any transaction that is complex, unusually large, or has no apparent economic or legal purpose, with a specific eye on whether it could be related to proliferation financing
- Flag and apply additional measures to any product or transaction that might favour anonymity
- Keep a written record of your risk assessment and your policies, controls and procedures, approved by senior management, and available to your supervisory authority on request
Most accounting practices treat their sanctions screening as an AML exercise and stop there. Regulations 18A and 19A require something more deliberate: a separate proliferation financing risk assessment, documented policies built around it, and controls that are reviewed and updated as your client base and services change.
For the full picture on CPF, including obligations, dual-use goods, and red flags, we’ve covered it here: Counter Proliferation Financing (UK Accountants Guide)
Conclusion
An electronic signature is the mechanism your client uses to make the engagement legally binding. KYC, officially termed Customer Due Diligence, is the process of confirming who you’re dealing with. AML is the broader set of checks that assess the risk they carry. And CPF sits alongside all of it, asking a question your standard AML controls weren’t designed to answer.
These aren’t three separate processes. They’re three parts of one client onboarding journey. Your client signs the engagement letter, making the relationship legally documented. That triggers your CDD obligations. Which feeds into your AML checks, determining whether you proceed, dig deeper, or step away.
You’re required to do it all. And managing each stage correctly, across every client, adds up. That’s where a purpose-built platform helps. If you want to see what that looks like in practice, our roundup of the 10 best e-signature software for accountants covers everything: 10 E-Signature Software for Accountants | FigsFlow
Frequently Asked Questions (FAQs)
What is anti-money laundering (AML)?
Anti-money laundering (AML) refers to the set of laws, regulations, and controls that prevent criminal funds from entering the financial system. In the UK, the primary framework is the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, which applies to accountants, bookkeepers, tax advisers, and other regulated professionals.
What is the UK’s AML legislation?
The core legislation is the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017). These require regulated businesses to carry out customer due diligence, monitor client relationships, report suspicious activity, and maintain records. The Proceeds of Crime Act 2002 and the Terrorism Act 2000 sit alongside them.
Who supervises AML compliance in the UK?
AML supervision in the UK is split across multiple bodies depending on the sector. For accountants, bookkeepers, and tax advisers, supervision falls to professional bodies such as ICAEW and ACCA, or to HMRC, as listed in Schedule 1 of the MLR 2017. The Financial Conduct Authority supervises financial institutions.
What is KYC?
KYC, or Know Your Customer, is the industry term for Customer Due Diligence (CDD). It’s the process of verifying a client’s identity before or at the point of establishing a business relationship. Under the MLR 2017, this means identifying the client, verifying their identity from independent sources, and understanding the ownership structure.
Is KYC a legal requirement?
Yes. Know Your Customer is a legal requirement under the MLR 2017 for all regulated professionals, including accountants, bookkeepers, and tax advisers. It must be carried out before establishing a business relationship and at appropriate points throughout it. Failure to comply can result in civil penalties or criminal prosecution.
Are electronic signatures legally valid in the UK?
Yes. Under Section 7 of the Electronic Communications Act 2000, an electronic signature is admissible in legal proceedings as evidence of authenticity. The UK-retained eIDAS Regulation recognises three tiers: simple, advanced, and qualified. For most engagement letters in an accounting context, a simple or advanced electronic signature is sufficient.