If you are an accountant, bookkeeper, or tax adviser in the UK, verifying client identity is not optional. The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, commonly referred to as MLR 2017, require you to confirm who your clients are before you work with them, and in some cases, throughout the relationship.
The process is not complicated, but it does require consistency. A missed check, an incomplete record, or a poorly evidenced decision can leave your practice exposed during a supervisory visit.
This guide explains when the obligation applies, what you need to collect, and how to complete the client identity verification step by step, so you can onboard clients with confidence and stay on the right side of your regulator.
Key Points Summarised for Busy Readers
- Accountants, bookkeepers, and tax advisers are “relevant persons” under MLR 2017 and must apply Customer Due Diligence (CDD) to all clients before work begins.
- CDD is triggered when establishing a new business relationship, on occasional transactions of €15,000 or more, on suspicion of money laundering, or when doubts arise about previously verified identity.
- Verification must use reliable, independent sources. Documents issued by official bodies qualify; a document simply handed over by the client does not automatically meet this standard.
- For corporate clients, you must identify and verify the beneficial owners (individuals who own or control more than 25% of shares or voting rights, or who exercise ultimate control).
- If CDD cannot be completed, you must not act, and you must consider whether a Suspicious Activity Report is required. Records must be retained for at least five years.
What is AML Client Identity Verification?
AML client identity verification, formally called Customer Due Diligence, is the process by which accountants and other regulated professionals confirm that their clients are who they say they are and assess whether the business relationship presents an acceptable level of risk.
Under MLR 2017, accountants are classified as “relevant persons,” which means the full CDD regime applies to your practice. You are legally required to identify your clients, verify that identity using reliable and independent sources, and understand the nature and intended purpose of the relationship. The obligation sits with your firm, not your client, and it applies before work begins.
When Are You Required to Verify a Client's Identity?
You are required to verify client identity before establishing a business relationship, but that is not the only trigger. Regulation 27 of MLR 2017 sets out the specific circumstances in which CDD must be applied.
The Four Legal Triggers Under MLR 2017
| Trigger | What It Means in Practice |
|---|---|
| Establishing a business relationship | Every new client engagement where ongoing services are expected |
| Occasional transaction of €15,000 or more | One-off work without an ongoing relationship, at or above this threshold |
| Suspicion of money laundering or terrorist financing | Applies regardless of any exemptions, thresholds, or client type |
| Doubts about previously verified identity | Where earlier records are incomplete, inconsistent, or potentially based on false documents |
The first trigger is the most common one for accountancy practices. A “business relationship” under MLR 2017 is one that arises from your business and is expected to have an element of duration. Most standard client engagements meet this definition.
When Must Client Identity Verification Be Completed?
Verification must be completed before the business relationship is established or before the transaction is carried out. That is the default position under Regulation 30.
There is a narrow exception. If completing verification beforehand would interrupt the normal conduct of business, and there is little risk of money laundering or terrorist financing, verification can be completed during establishment, provided it is finished as soon as practicable after first contact. This exception is not a general deferral. It cannot be used simply because chasing documents is inconvenient.
What Information Do You Need to Collect?
The information required depends on whether your client is an individual or a corporate entity. Regulation 28 sets out what you must obtain and verify in each case.
Individual Clients
For individual clients, you must identify and verify their full name, date of birth, and residential address. Verification must be based on documents or information from a source that is reliable and independent of the client. Documents issued or made available by an official body qualify as independent, even if the client hands them to you directly.
Acceptable photo identification
- Current valid passport (any nationality)
- Current UK, Isle of Man, or Channel Islands photocard driving licence (full or provisional)
- Current biometric residence permit (UK)
Acceptable proof of address
- Bank statement, paper copy, issued within three months
- Original utility bill, paper copy, issued within three months
- HMRC correspondence dated within the current tax year
- Council Tax bill for the current year, paper copy
- Mortgage statement, UK only, issued within three months
- Government benefit statement, UK and Channel Islands, issued within three months
Documents must be current, legible, and unaltered. Expired documents, mobile phone bills, and credit card statements are not acceptable.
Corporate Clients and Beneficial Owners
For companies and other legal entities, you must obtain and verify the name of the entity, its company registration number, and its registered office address. If the principal place of business differs from the registered address, that must be obtained too.
You must also take reasonable measures to determine and verify the law to which the body corporate is subject, its constitution, and the full names of its board of directors or equivalent management body.
Critically, you must identify the beneficial owners. Under MLR 2017, a beneficial owner is any individual who owns or controls more than 25% of the shares or voting rights in the entity, or who otherwise exercises ultimate control over its management. Complex corporate structures may require you to look through multiple layers of ownership to reach the natural persons who ultimately control the entity. Where beneficiaries are designated as a class rather than named individuals, you must verify their identity before any payment is made to them.
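Looking through layered ownership to the natural persons behind a corporate client is the one step in this section that benefits from a worked calculation. The following Python example is added here and is not the article's or FigsFlow's code. It takes a small constructed ownership register (the entity and person names are hypothetical), multiplies holdings along every chain, sums a person's direct and indirect shares, and reports anyone above the article's 25% threshold. Pro-rata multiplication is an assumption of the example: the article does not specify a calculation method, and the statutory tests for indirect holdings and "ultimate control" must still be applied to the result. The register check at the end flags entities whose recorded holdings do not add up to 100%, which is the usual sign that a layer of the structure is missing from the file.

```python
from fractions import Fraction
from typing import Dict, List, Tuple

# Threshold stated in the article: more than 25% of shares or voting rights.
THRESHOLD = Fraction(25, 100)

# Constructed sample register (hypothetical names): entity -> [(holder, percent held)].
# A holder that never appears as a key is treated as a natural person, i.e. the end of a chain.
REGISTER: Dict[str, List[Tuple[str, int]]] = {
    "Target Ltd": [("HoldCo A", 60), ("Alice", 40)],
    "HoldCo A": [("Bob", 50), ("Carol", 30), ("MidCo", 20)],
    "MidCo": [("Alice", 100)],
}


def effective_ownership(register, entity, _path=()) -> Dict[str, Fraction]:
    """Each natural person's effective share of `entity`.

    Pro-rata look-through (assumption of this example, not the article's method):
    percentages are multiplied along each chain and summed across chains, so a
    person holding directly and through an intermediary gets one combined figure.
    Exact fractions avoid rounding errors at the 25% boundary.
    """
    totals: Dict[str, Fraction] = {}
    if entity in _path:
        return totals  # cross-holding loop: stop this chain instead of recursing forever
    for holder, pct in register.get(entity, []):
        share = Fraction(pct, 100)
        if holder not in register:
            totals[holder] = totals.get(holder, Fraction(0)) + share
            continue
        below = effective_ownership(register, holder, _path + (entity,))
        for person, indirect in below.items():
            totals[person] = totals.get(person, Fraction(0)) + share * indirect
    return totals


def beneficial_owners(register, entity, threshold=THRESHOLD):
    """Natural persons whose effective share exceeds the threshold, largest first."""
    shares = effective_ownership(register, entity)
    above = [(person, share) for person, share in shares.items() if share > threshold]
    return sorted(above, key=lambda item: (-item[1], item[0]))


def incomplete_entities(register) -> Dict[str, int]:
    """Entities whose recorded holdings do not sum to 100%: the ownership record is incomplete."""
    result = {}
    for entity, rows in register.items():
        total = sum(pct for _, pct in rows)
        if total != 100:
            result[entity] = total
    return result


if __name__ == "__main__":
    for person, share in effective_ownership(REGISTER, "Target Ltd").items():
        print(f"{person}: {float(share) * 100:.1f}% effective")
    print("beneficial owners:", [p for p, _ in beneficial_owners(REGISTER, "Target Ltd")])
    print("incomplete records:", incomplete_entities(REGISTER))
```

In the sample, Alice holds 40% directly plus 12% through HoldCo A and MidCo, giving 52%; Bob reaches 30% through HoldCo A alone; Carol's 18% falls below the threshold, so only Alice and Bob would need identification and verification as beneficial owners on this model.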
Step-by-Step Guide to Verifying Client Identity Under AML
The following steps reflect the standard CDD process for a new client engagement. For higher-risk clients, Enhanced Due Diligence applies in addition to these steps, covered in the section below.
Step 1: Assess the Client's Risk Level
Before collecting documents, form a preliminary view of the risk the client presents. Your firm’s own risk assessment, required under Regulation 18, should inform this, alongside the client-specific factors you observe at the point of enquiry.
Consider the client type: individual, company, trust, or partnership. Consider the sector in which they operate, since some industries carry higher inherent risk. Consider any geographical connections to high-risk third countries. Think about the nature of the services being requested, and where relevant, the likely source of funds.
This step determines whether Simplified, Standard, or Enhanced Due Diligence (EDD) applies. Getting the risk rating right at this stage prevents both under-compliance and unnecessary friction with straightforward low-risk clients.
Step 2: Collect Client Information
Request the personal and business details needed to establish the client’s identity. For individuals, this is their full name, date of birth, and residential address. For corporate clients, it covers the entity name, registration number, registered address, beneficial owner details, and directorship information.
Use a structured and consistent process for collecting this information. Sending a secure digital onboarding link means information arrives in a usable format, reduces the risk of missing fields, and creates a clear record of what was requested and when.
Step 3: Verify Identity Documents
Verify the identity of the client and any beneficial owners against acceptable documents from reliable, independent sources. For individual clients, this means at minimum one piece of photo ID and two proofs of address.
Where possible, use electronic verification to supplement manual document checks. Electronic tools can cross-reference submitted documents against official databases and surface inconsistencies automatically. For higher-risk clients or where document quality is uncertain, NFC chip verification adds a further layer of assurance. Keep copies of all documents reviewed as part of the client file.
Step 4: Run PEP and Sanctions Checks
PEP screening and sanctions checks are part of standard CDD. They apply to every new client, not just those who appear high risk at first sight.
Every new client must be screened against relevant sanctions lists, including OFSI (UK), UN, and EU lists, and against PEP databases covering individuals who hold or have held prominent public functions, together with their immediate family members and known close associates.
If a client is identified as a PEP, Enhanced Due Diligence applies automatically under Regulation 35. You must obtain senior management approval before establishing the relationship, take reasonable steps to establish the source of the client’s wealth and funds, and apply enhanced ongoing monitoring throughout the relationship.
Step 5: Assign a Customer Risk Rating
Once information has been collected, documents verified, and screening completed, assign the client a formal Customer Risk Rating. This classifies the relationship as low, standard, or high risk, and determines the CDD tier that applies going forward.
| Risk Rating | CDD Level | What It Means |
|---|---|---|
| Low risk | Simplified CDD | Adjusted measures, with sufficient ongoing monitoring |
| Standard risk | Standard CDD | Full identification, verification, and standard monitoring |
| High risk | Enhanced CDD | Additional scrutiny, senior approval, and EDD questionnaire |
The rating must be documented and periodically reviewed. A change in the client’s business activity, a new beneficial owner, or an unusual transaction may all be grounds for reassessment.
Step 6: Apply Enhanced Due Diligence If Required
If the client is rated high risk, Enhanced Due Diligence must be applied under Regulation 33. EDD is additional to standard CDD, not a replacement for it.
EDD is mandatory when the client or a beneficial owner is a PEP, when the client is connected to a high-risk third country, when a transaction is unusually large or complex or has no apparent economic or legal purpose, and wherever your own risk assessment identifies elevated risk.
In practice, EDD requires you to examine the background and purpose of the relationship more thoroughly, seek additional independent sources to verify information, satisfy yourself as to the client’s source of wealth and funds, and increase the frequency and depth of ongoing monitoring. This is substantive additional work, and it must be clearly documented in the client file.
Step 7: Record and Retain
Document every step of the verification process and retain the records. Under Regulation 40, CDD records must be kept for at least five years from the date the business relationship ends. Records relating to transactions that occur within that relationship must be kept for at least five years from the end of the relationship, and for no more than ten years. For occasional transactions, the five-year period runs from the date the transaction is complete.
Records must include copies of the identification and verification documents obtained, the results of PEP and sanctions screening, the risk rating assigned and the basis for it, any EDD conducted, and a log of ongoing monitoring activity. These records must be available to your supervisory authority on request.
Simplified, Standard, and Enhanced CDD: Which Applies?
Not every client requires the same level of scrutiny. MLR 2017 establishes three tiers of CDD, each calibrated to the risk the relationship presents. Understanding which tier applies, and being able to justify that decision, is as important as the verification itself.
Simplified CDD under Regulation 37 applies where you have determined that the relationship presents a low degree of risk. You can adjust the extent, timing, and type of measures taken, but you cannot eliminate them entirely. Ongoing monitoring must still be sufficient to detect unusual or suspicious transactions, and the decision to apply simplified measures must be supported by your risk assessment.
Standard CDD is the default. It applies to most client relationships and requires full identification and verification, PEP and sanctions screening, and an understanding of the nature and purpose of the relationship.
Enhanced CDD under Regulation 33 applies in addition to standard measures wherever the risk is elevated. It is mandatory in specific circumstances and must also be applied wherever your firm’s risk assessment points to higher risk. The decision to apply, or not apply, EDD must be documented and defensible.
What Happens If You Cannot Verify a Client?
If CDD cannot be completed, you cannot act. That is what Regulation 31 says, and the consequences of proceeding anyway are serious.
Where you are unable to verify a client’s identity, you must not establish the business relationship or carry out any transaction. If a relationship is already in place and CDD cannot be completed retrospectively, you must terminate it. You must also consider whether a Suspicious Activity Report to the National Crime Agency is required before you disengage.
Failing to apply CDD measures and continuing to act is a criminal offence under MLR 2017. Supervisory bodies including HMRC, ICAEW, ACCA, and CIOT can impose civil penalties, publish details of non-compliance, and refer matters for criminal prosecution. Beyond the regulatory exposure, onboarding a client whose identity cannot be verified creates reputational risk and potential liability if that client is later connected to financial crime.
How FigsFlow Helps You Verify Client Identity
FigsFlow handles the full AML client identity verification process within your onboarding workflow, from collecting client information through to the audit-ready compliance record.
You send a secure digital onboarding link to the client, or upload documents directly on their behalf. FigsFlow validates the identity document using MRZ and NFC chip verification, runs a liveness check, and screens automatically against global PEP and sanctions databases.
The resulting AML report covers identity, document validity, liveness, PEP outcome, and sanctions status in a single reviewable record. Risk ratings are assigned and stored, with EDD workflows triggered automatically for high-risk clients. Every check is logged and retained for supervisory inspection.
AML sits inside FigsFlow’s onboarding workflow alongside proposals, engagement letters, and payment collection. One platform, nothing missed.
Additional Resources
- Ways to Help Clients Prepare for Companies House Identity Verification Requirements: How to Help Clients Prepare for Companies House Identity Verification – FigsFlow
- Step-by-Step Guide to Verify Identity through ACSP: Identity Verification Through ACSP Is Now a Business Essential
- Directors’ Identity Verification Engagement Letter Templates: Identity Verification Engagement Letter Templates – Accountants
- ACSP: How Can Accountants Prove & Verify Clients’ Identity: Understand How to Prove Identities Under ACSP | FigsFlow
- Everything You Need to Know About ACSP: What Do Accountants Need to Know About ACSP Registration | FigsFlow
Conclusion
Verifying client identity under AML is a legal obligation for all accountants, bookkeepers, and tax advisers in the UK. The requirement applies when establishing a new business relationship and in three other specific circumstances under Regulation 27 of MLR 2017.
The process covers collecting and verifying the client’s identity using reliable, independent sources; running PEP and sanctions checks; assigning a risk rating; applying Enhanced Due Diligence where the relationship warrants it; and keeping records for at least five years. Where CDD cannot be completed, you must not proceed, and you must consider whether a Suspicious Activity Report is required.
Getting this right every time means having a process that is consistent, well-documented, and practical to follow. The steps above give you the framework to do exactly that.
Further Reading: Client Identity Verification – AML Essentials Kit | FigsFlow
Frequently Asked Questions (FAQs)
MLR 2017 requires CDD for all new business relationships. For existing clients onboarded before the regulations came into force, you are required to apply CDD on a risk-sensitive basis; typically, when the relationship is reviewed, when the client’s circumstances change materially, or when doubts arise about the accuracy of existing records.
A current valid passport of any nationality, a UK photocard driving licence (full or provisional), or a current biometric residence permit. The document must be in date, legible, and unaltered. Student cards and blue badges are not acceptable forms of photo ID for AML purposes.
You cannot establish the business relationship or carry out the transaction. You should also consider whether the refusal is itself suspicious and whether a Suspicious Activity Report is required before you disengage from the client.
Not routinely, but you must apply ongoing monitoring and reassess the risk rating when circumstances change. A material change in the client’s business, ownership structure, or financial activity may require you to refresh your verification records.
At least five years from the end of the business relationship, or from the date of an occasional transaction. Records relating to transactions within a business relationship must be kept for at least five years from the end of that relationship, and for no more than ten years in total.