Enhanced Due Diligence Checklist (Free Download) UK 2026


Surgeons needed a checklist. So do you.

In 2008, the WHO rolled out a simple 19-item surgical checklist. Not for junior doctors. For experienced surgeons in well-resourced hospitals. The result: deaths fell by 47%, complications by 36%. Atul Gawande, the surgeon who championed it, made the point clearly — the problem was never competence. Complexity and pressure cause even skilled professionals to skip steps they know by heart.

EDD has the same failure mode. Your firm understands the requirements. But consistent, documented, scrutiny-ready EDD does not happen through intent alone. It happens through process.

That is exactly why we built this free Enhanced Due Diligence checklist. Scroll down, download it, and start using it today.

Download the Free UK Enhanced Due Diligence Checklist 2026

The checklist is available as a formatted PDF, structured across 8 areas that cover the full EDD lifecycle from client identification through to final sign-off and Suspicious Activity Reporting (SAR) obligations. It is built specifically for UK accounting firms and compliance teams operating under MLR 2017.

What Is in the Free EDD Checklist?

The first half covers the foundational layers of any EDD review:

  • Confirming who the client actually is
  • Categorising the level of risk they represent
  • Establishing where their money comes from
  • Assessing whether their transaction behaviour is consistent with what you would expect from someone in their position

The second half moves into the areas that firms most often treat as optional but are not. That means verifying ultimate beneficial ownership through the full ownership chain rather than just the named director, setting up a monitoring process that continues after onboarding, understanding when and how to escalate to a Suspicious Activity Report, and closing the file in a way that satisfies a regulatory audit.

This checklist is designed for accountants, compliance officers, and practice managers at firms subject to MLR 2017 supervision. If your firm handles client work that touches property, high-value transactions, corporate structures, or international payments, this is the document you want in your compliance toolkit.

When Does EDD Apply in the UK?

EDD is not applied to every client. MLR 2017 defines specific circumstances where it becomes mandatory, and missing those triggers is a compliance breach regardless of whether anything goes wrong.

  • Politically Exposed Person (PEP) match

    Any client who is a PEP, or a close associate or family member of one, requires EDD. This applies even if the engagement appears low risk. The PEP status is what triggers the obligation, not the nature of the work.

  • High-risk third countries

    If a client is based in, operates from, or is sending or receiving funds through a country on the FATF grey or black list, EDD is required under Regulation 33 of MLR 2017. The list is updated periodically, which means your firm needs a live checking process rather than relying on an outdated reference.

  • Complex or opaque ownership structures

    Trusts, nominee arrangements, and multi-layered corporate structures where the ultimate beneficial owner is not immediately identifiable all require enhanced scrutiny. If you cannot clearly map ownership to a named individual holding 25% or more, EDD applies.

  • Unexplained inconsistencies in client behaviour

    If something about the engagement does not sit right, whether that is unusual instructions, payment patterns that do not match the client's stated profile, or information that raises more questions than it answers, EDD applies. The threshold is suspicion, not proof. You do not need a confirmed flag to be obligated.

If any of these apply to a client relationship and EDD has not been completed and documented, your firm has a compliance gap regardless of how long the relationship has been in place.

Got a PEP Match? Here's Exactly What to Do Next

A PEP flag during onboarding doesn’t mean decline. It means dig deeper. Learn the step-by-step process for conducting Enhanced Due Diligence on PEPs the right way, from risk assessment to senior management sign-off.

The EDD Checklist: 8 Key Areas

The checklist below mirrors the downloadable PDF. Work through each section in order. They are sequenced to follow the logical flow of an EDD review, so skipping ahead tends to create documentation gaps that are difficult to fill retrospectively.

Customer Identification and Verification

  • Full legal name confirmed for the individual or business

  • Registered address and contact details verified

  • Date of birth or incorporation date confirmed

  • Official ID obtained and checked

  • Companies House search completed for UK-registered entities

  • Certificate of incorporation reviewed where applicable

  • Certified or notarised copies obtained where the client is based outside the UK

Risk Categorisation and Assessment

  • Client type identified — individual, limited company, trust, partnership, or NGO

  • Industry checked for risk exposure, including property, cryptocurrency, cash-intensive businesses, and regulated financial services

  • Jurisdictional risk checked against the FATF grey and black lists

  • Politically Exposed Person status confirmed

  • Sanctions and watchlist screening carried out across OFAC, UN, EU, FCA, and HM Treasury lists

  • Adverse media search completed

  • Reputational risk reviewed, including any history of regulatory fines, legal proceedings, or fraud allegations

Source of Funds and Wealth Verification

  • Source of funds identified and documented

  • Source of wealth established separately

  • Both recorded as separate obligations with separate evidence on file

  • Third-party validation completed where the client's own documentation is not sufficient

  • High-value transactions reviewed against your firm's risk threshold

  • Cross-border transactions assessed for country risk at both the sending and receiving end

Transaction Monitoring and Behaviour Analysis

  • Normal transaction behaviour documented at the point of onboarding

  • Unusual payment instructions noted and followed up

  • Third-party payments identified — if someone other than the client is sending funds, that needs to be escalated

  • Significant changes in invoice frequency, transaction volume, or payment routing flagged for review

  • Repeated transactions just below a reporting threshold are investigated for structuring

Ultimate Beneficial Ownership Verification

  • PSC Register checked via Companies House for all UK-registered entities

  • UBOs identified at the 25% ownership or control threshold as required under MLR 2017

  • Full ownership chain documented, not just the named director or primary contact

  • Nominee arrangements and trust structures traced through to the natural person in ultimate control

  • UBO identity verified through company registers, notarised documents, or third-party validation

  • Supporting evidence retained on file at each step of the ownership chain

Continuous Monitoring and Periodic Review

  • Annual review scheduled for high-risk clients

  • Review cycle of two to three years applied for standard-risk clients in line with your firm's AML policy

  • Event-triggered reviews built into the process, covering ownership changes, new jurisdictions, adverse media, and material changes to the engagement

  • Document expiry tracked for passports, driving licences, and proof of address

  • Sanctions and PEP re-screening carried out at each review and at key trigger events

  • Monitoring outcomes documented and kept in the client file

Suspicious Activity Reporting

  • Suspicious transactions identified, whether flagged by your system or spotted manually

  • Internal SAR completed and submitted to your firm's MLRO without delay

  • MLRO review completed and decision recorded

  • External SAR submitted to the National Crime Agency via SAR Online where required

  • Tipping off restrictions observed — the client must not be made aware of the SAR at any point

  • SAR patterns are reviewed periodically across the client base

Final Review and Sign-Off

  • All checklist sections completed with supporting documents on file

  • Risk decision documented with a clear written rationale — not just what was decided, but why

  • MLRO sign-off obtained for high-risk cases

  • EDD file stored securely and available for regulatory audit

  • Retention period confirmed — MLR 2017 Regulation 40 requires a minimum of five years from the end of the business relationship

  • Any outstanding actions noted with a follow-up date assigned

Where Did the Money Come From? SOF and SOW Explained for Accountants

Source of Funds and Source of Wealth sound similar but they are not the same thing. Confusing the two is one of the most common EDD mistakes firms make. Find out exactly what each one requires and how to evidence both correctly.

Common EDD Mistakes UK Accounting Firms Make

Most EDD failures are not dramatic. They are process gaps that go unnoticed until a supervisor asks a question that the file cannot answer.

Here is where firms consistently get it wrong.

  • Treating EDD as a one-time exercise

    EDD completed at onboarding does not stay valid indefinitely. MLR 2017 requires ongoing monitoring as a continuing obligation. A client who passed EDD in 2022 may present a materially different risk profile today if their ownership structure has changed, they have expanded into a higher-risk jurisdiction, or adverse media has emerged since the last review.

  • Conflating Source of Funds with Source of Wealth

    These are separate obligations requiring separate evidence. Source of funds answers where the specific money in a transaction has come from. Source of wealth answers how the client accumulated their assets overall. Submitting a bank statement in response to both does not satisfy either, and supervisors know the difference.

  • Incomplete UBO mapping

    Many firms identify the named director and treat that as sufficient. MLR 2017 requires tracing ownership through every layer of a structure until you reach the natural person who ultimately holds 25% or more. In a multi-tiered corporate structure, that can require several steps, and every step needs to be evidenced.

  • Completing the checklist without recording the reasoning

    Regulators do not only want to see that you ran through the process. They want to understand why you reached the conclusions you did. If you classified a client as lower risk despite an indirect PEP connection, the rationale for that decision needs to be on file. Without it, a completed checklist still leaves your firm exposed.

A pattern runs through all four of these. The work was done, but the documentation does not demonstrate it. That is the gap this checklist is designed to close.

Helpful Resources

  • CDD and EDD for Bookkeepers – Not sure where standard checks end and enhanced diligence begins? This breaks it down specifically for bookkeepers.

  • Enhanced Due Diligence Explained – A clear walkthrough of what EDD actually involves, when it applies, and what firms are expected to do.

  • EDD vs CDD vs SDD – Three levels, one framework. Understand how each tier differs and when your firm needs to move beyond standard checks.

  • How FigsFlow Simplifies EDD for Accountants – See how FigsFlow takes the manual work out of enhanced due diligence so your firm stays compliant without the admin burden.

Conclusion

The firms that get EDD right are not the ones with the most complex processes. They are the ones with consistent, documented procedures that hold up when a supervisor asks to see them.

That is a lower bar than most firms think. But it still requires structure.

The checklist above covers every stage of the EDD lifecycle, reflects the specific obligations under MLR 2017, and is built for practical use rather than theoretical completeness. Not something to file away. Something to open on the next high-risk client review.

One more thing worth noting. The checklist itself needs reviewing, not just the clients on it. FATF grey list updates, shifting FCA supervisory expectations, and increasing scrutiny of the accounting sector mean your EDD process needs to move with the regulatory environment. An annual review of the checklist is a reasonable minimum.

Frequently Asked Questions (FAQs)

What are the steps of EDD?

Five steps: identifying high-risk clients, gathering verified documentation, assessing the overall risk picture, recording the rationale behind decisions, and maintaining ongoing monitoring throughout the relationship. EDD is a continuous obligation, not a one-time exercise completed at onboarding.

What are the 4 pillars of customer due diligence?

Customer identification, beneficial ownership verification, risk assessment, and ongoing monitoring. These four pillars ensure firms know who they are dealing with, understand the nature of the relationship, and can detect meaningful changes in behaviour or risk profile over time.

What is a CDD checklist?

A structured tool that guides firms through verifying client identities, confirming beneficial ownership, and assessing risk. It creates a consistent, repeatable process and provides an audit trail that demonstrates regulatory compliance during a supervisory review.

What is an EDD checklist?

A detailed checklist applied to high-risk clients that goes beyond standard CDD. It covers the source of funds, ownership structures, transaction patterns, and ongoing monitoring obligations under MLR 2017 for elevated risk relationships.

What documents are required for enhanced due diligence?

Government-issued photo ID, proof of address, bank statements, tax returns, and source of wealth evidence such as inheritance records or business sale proceeds. For corporate clients, also incorporation certificates, PSC register extracts, and UBO verification documents depending on ownership complexity.
