Client Due Diligence (CDD) Checklist for UK Accountancy Firms

By Jon Cooper

Senior Product Marketing Business Partner

Client Due Diligence (CDD) is the process UK accountancy firms use to identify and verify clients, understand who owns or controls them, assess AML risk, and maintain appropriate records before and during the engagement. It is a core control under the Money Laundering Regulations 2017, not a paperwork exercise. 

In 2026, the operational picture has changed. The Economic Crime and Corporate Transparency Act 2023 introduced a separate identity verification regime for company directors and persons with significant control, now operational through Authorised Corporate Service Providers (ACSPs). This sits alongside, not within, the MLR CDD framework: both must be completed, but they can be run in parallel during onboarding. The OFSI Consolidated List has closed and the UK Sanctions List is now the sole authoritative source for sanctions screening. And HM Treasury and DSIT have, for the first time, formally recognised digital identity verification as a compliant pathway under MLR reg. 28 where the provider is DIATF-certified. 

This guide gives practice managers a repeatable, defensible CDD workflow that reflects the current regulatory position. It covers what must be done, what evidence the firm should retain, and where the most common errors occur. 

Sources: Money Laundering Regulations 2017 (as amended); Economic Crime and Corporate Transparency Act 2023; HM Treasury / DSIT joint guidance on Digital Verification Services (February 2026); HM Treasury / Home Office National Risk Assessment of Money Laundering and Terrorist Financing 2025 (NRA 2025); CCAB AML Guidance for the Accountancy Sector (January 2026); supervisory guidance from ICAEW, ACCA, and HMRC; UK Sanctions List at gov.uk. 

Why CDD Matters for Accountancy Firms 

CDD is the operational control through which the firm understands who its client is, how the engagement should be risk-rated, and whether the relationship is one the firm can and should take on. It is not a documentary exercise carried out for its own sake. The supervisory bodies — ICAEW, ACCA, AAT, HMRC and the others — assess firms on whether the underlying judgements were sound and supported, not on the volume of paper in the file. 

The accountancy sector’s exposure to money laundering risk is not theoretical. The HM Treasury and Home Office National Risk Assessment of Money Laundering and Terrorist Financing 2025 (NRA 2025) continues to rate the accountancy sector as high risk for money laundering, with company formation, trust and company services, and complex international structuring identified as areas of particular concern. The NRA is a required input to the firm’s business-wide risk assessment under regulation 18 of the MLRs; supervisors expect to see that the NRA’s findings have informed the firm’s risk methodology. 

A defensible CDD process supports five connected outcomes: accurate identity verification; understanding of beneficial ownership and control; a documented and risk-based assessment; complete and retrievable records; and ongoing monitoring that detects material changes. Where any of these is weak, the supervisory finding is typically that the firm “took an unduly mechanical approach” or “did not apply a risk-based methodology” — wording that consistently appears in the supervisory reports following thematic reviews. 

SDD vs CDD vs EDD: When Each Applies 

The Money Laundering Regulations provide for three intensities of due diligence, applied on a risk-based basis. The starting point for any new client is to determine which level applies and to document the reasoning. 

| Type | When it applies | What it means |
| --- | --- | --- |
| Simplified Due Diligence (SDD) | Lower-risk relationships where the conditions in regulation 37 are met | Reduced intensity of checks, not no checks. The firm must still identify the client and beneficial owners and monitor the relationship |
| Client Due Diligence (CDD) | Standard approach for most clients | Identify the client, verify identity, understand beneficial ownership, assess risk, screen, and document. Ongoing monitoring applies |
| Enhanced Due Diligence (EDD) | PEPs, high-risk third countries, complex structures, unusual transactions, or specific risk indicators identified by the firm | Deeper scrutiny, source of wealth and funds verification, senior management approval, and tighter ongoing monitoring |

EDD applies where any of the following are present: a PEP relationship; a connection to a high-risk third country listed by the Treasury; complex or unusually structured arrangements; transactions inconsistent with the firm’s knowledge of the client; or specific risk indicators identified through the firm’s own risk methodology. The decision to apply EDD, or to step back from EDD to standard CDD where conditions change, must be documented in each case. 

The Client Due Diligence Checklist 

The following eight steps form the operational CDD workflow. Each step generates documentation that should be retained in the client file for five years from the end of the business relationship, per regulation 40 of the MLRs. 

Step 1: Identify the Client and the Engagement Purpose 

Confirm who the client is in legal terms: the named individual, the legal entity, or the trust or partnership. Confirm the service being provided, the expected nature and frequency of work, and any unusual features of the engagement — such as introductions through intermediaries, requests for unusually rapid setup, or instructions that do not align with the client’s apparent profile. 

Capture, at a minimum: 

  • Legal entity or individual name 
  • Trading names, where different 
  • Nature and scope of the engagement 
  • Expected activity and volume 
  • How the firm came to be instructed 
  • Any intermediaries involved 
  • Any unusual instructions or features 

Step 2: Carry Out and Record a Risk Assessment 

Every client should be assigned a risk rating based on the firm’s AML risk methodology. The methodology itself must be documented in the firm’s business-wide risk assessment under regulation 18, informed by the NRA 2025 sector findings and by the firm’s own client portfolio characteristics. 

The risk factors that should feed the client-level rating include: 

  • Client type: individual, corporate, trust, partnership, charity
  • Geography: country of residence, country of operation, jurisdictional connections 
  • Service risk: the inherent risk of the service being provided (e.g. company formation versus annual accounts) 
  • Delivery channel: face-to-face vs remote; whether identity verification can be conducted in person 
  • Ownership complexity: simple individual ownership vs layered corporate structures or trust arrangements 
  • Adverse media or sanctions concerns: any negative information identified through screening or open-source research 

The risk rating drives the level of due diligence applied. It is not a one-time assessment: it must be reviewed when circumstances change and, in any event, periodically in line with the firm’s risk-based review cycle. 

Step 3: Verify Identity 

Identity verification under regulation 28 of the MLRs requires the firm to verify the client’s identity from a reliable and independent source. The form of verification depends on the client type and the engagement risk. 

For individuals, acceptable evidence typically includes: 

  • A government-issued photo identity document such as a passport or driving licence 
  • Evidence of the client’s current address, such as a recent utility bill or bank statement 
  • Electronic verification through a reliable provider, where the firm’s risk assessment supports this 

For entities, acceptable evidence typically includes: 

  • Companies House records confirming registration, registered office, and current officers
  • Constitutional documents (memorandum and articles of association) 
  • Evidence of the registered office or principal place of business 
  • Confirmation of the legal existence and current good standing of the entity 

Step 3a: Digital Verification Services under the DIATF (February 2026) 

In February 2026, HM Treasury and the Department for Science, Innovation and Technology (DSIT) published joint guidance confirming that Digital Verification Services (DVS) certified under the UK Digital Identity and Attributes Trust Framework (DIATF) can satisfy the identity verification requirements of regulation 28 of the MLRs. This is the first formal government recognition of digital identity as a compliant pathway under the Money Laundering Regulations. 

For accountancy firms, this means that a DIATF-certified DVS provider can be used as the primary route for verifying individual client identity in place of, or in addition to, manual document collection. The practical implications: 

  • Provider certification: the firm must satisfy itself that the chosen DVS provider holds current DIATF certification at the appropriate level of confidence for the firm’s use case. The DIATF certified providers list is published and updated by DSIT. 
  • Audit-trail preservation: the firm must retain the DVS verification record (or a verifiable reference to it) in the client file. The output of the DVS verification — not just the fact that one was performed — is the evidence the supervisor will look for. 
  • Risk-based override: the firm retains responsibility for the overall identity verification decision. Where the firm’s risk assessment indicates a need for additional checks beyond what the DVS provides, those checks must still be performed. 
  • Not a substitute for beneficial ownership verification: DIATF-certified DVS verifies an individual’s identity. It does not, on its own, satisfy the obligation to identify and verify beneficial owners of entities (Step 4 below). 

Why this matters for onboarding workflow

Until February 2026, the position on whether and how digital identity verification could satisfy MLR reg. 28 was inferred from supervisory guidance rather than confirmed by formal government recognition. The HM Treasury / DSIT joint guidance changes that. For firms onboarding remote clients — individuals operating wholly online, clients without local document evidence, or clients in locations where face-to-face meetings are impractical — DIATF-certified DVS now provides a clean, compliant verification route with explicit government endorsement. Firms whose onboarding workflows still require physical document collection by default may be applying a higher friction threshold than the regulations now require. 

Step 3b: ECCTA / ACSP Identity Verification — a separate parallel obligation 

The Economic Crime and Corporate Transparency Act 2023 introduced a separate identity verification regime for company directors, persons with significant control (PSCs), and other individuals filing with Companies House. This regime is operationally distinct from MLR CDD: both must be completed for relevant clients, but they can be performed in parallel during onboarding rather than as sequential gates. 

The ECCTA identity verification regime is delivered either directly through Companies House or through an Authorised Corporate Service Provider (ACSP). Accountancy firms that are ACSP-registered can deliver this verification on behalf of clients as part of their onboarding workflow. Accountancy firms that are not ACSP-registered should ensure that their clients’ directors and PSCs are verified through Companies House or another ACSP before the relevant Companies House filings are accepted. 

The two obligations differ in scope: 

| | MLR CDD (reg. 28) | ECCTA identity verification |
| --- | --- | --- |
| Legal basis | Money Laundering Regulations 2017 | Economic Crime and Corporate Transparency Act 2023 |
| What it covers | The client, beneficial owners, and connected parties relevant to the firm’s engagement | Company directors, persons with significant control, and others required to verify under the ECCTA regime |
| Who must do it | The accountancy firm providing the service | Companies House or an ACSP, with the individual being verified |
| Purpose | To enable the firm to assess and manage ML risk for its engagement | To enable accurate, verified information on the public Companies House register |
| When | Before the engagement begins; refreshed on a risk-based basis | Before certain Companies House filings; ongoing where roles change |

In an onboarding workflow that includes a corporate client, the two streams — MLR CDD and ECCTA IDV — should be initiated in parallel. They produce different evidence, retained in different parts of the client file, but they share underlying data (the identities of directors and PSCs are relevant to both). A workflow that treats them as a single check, or that defers one until after the other, creates either compliance gaps or onboarding delays. 

Step 4: Identify Beneficial Owners and Controllers 

Accountancy firms must look beyond the named client to identify the natural persons who ultimately own or control the client. The starting point is the beneficial ownership threshold set by regulation 5 of the MLRs. For a body corporate, a beneficial owner is, among other things, an individual who: 

  • Owns more than 25% of the shares or voting rights in the entity 
  • Otherwise controls the entity through other means 
  • Exercises significant influence or control where the entity does not have a beneficial owner within the meaning of the ownership-based tests 

The “more than 25%” threshold is exact. A 25.0% holding is not a beneficial owner; a 25.1% holding is. Firms whose onboarding processes use “25%” as the threshold, or “25% or more”, are misstating the test under regulation 5 and may either miss valid beneficial owners or include holdings that do not meet the statutory definition. 

Ownership is not the only test. The “control through other means” and “significant influence or control” tests capture individuals who exercise effective control through arrangements that do not show up on a share register: family or trust relationships, voting agreements, contractual rights, or unusual governance arrangements. For partnerships, trusts, and unincorporated associations, the Regulations provide separate tests appropriate to each structure. For layered structures, the firm must look through holding entities to the ultimate natural person, not stop at the first corporate layer. 

Verification of beneficial owners should be proportionate to risk. For straightforward UK companies with simple ownership, Companies House PSC information is a useful starting point but is not, on its own, sufficient verification. PSC data is self-reported by the company and is not independently verified by Companies House (though the ECCTA regime is changing this in stages). The firm must satisfy itself that the beneficial owner identification it relies on is accurate. 

Step 5: Screen for PEPs, Sanctions, and Adverse Media 

Screening is a standard part of a risk-based CDD process. It serves three distinct purposes: identifying political exposure that may trigger enhanced due diligence; identifying sanctions designations that may prevent the firm from acting; and identifying adverse media that may affect the risk assessment. 

The principal screening sources for UK accountancy firms are: 

  • The UK Sanctions List: the sole authoritative UK source for financial sanctions designations, published by OFSI on gov.uk. The OFSI Consolidated List closed on 28 January 2026; firms whose screening configuration or vendor feed still references the Consolidated List should migrate to the UK Sanctions List immediately. 
  • PEP databases: commercial or vendor-supplied databases identifying domestic, foreign, and international organisation PEPs, plus their family members and known close associates. 
  • UN Security Council sanctions lists: where relevant to the firm’s client base. 
  • Adverse media: open-source media coverage that may identify concerns about the client’s integrity, regulatory history, or connections. 

OFAC and other foreign sanctions lists are not UK legal requirements but should be screened against where the firm or its client has a relevant US or other foreign nexus. 

All screening results must be reviewed and the decisions documented. A clean screening result should be recorded with the date and source. An alert must be assessed: confirmed false positives recorded with the basis for the dismissal; confirmed or probable matches escalated to the MLRO with the supporting evidence. 

Step 6: Consider Source of Funds and Source of Wealth 

Source of funds and source of wealth are related but distinct concepts: 

  • Source of funds is where the money for a specific transaction or engagement comes from — the bank account, the third party paying, or the asset being realised 
  • Source of wealth is how the client has accumulated their assets overall — the historic earnings, inheritance, business proceeds, or investment returns that have generated the client’s wealth profile 

Both are risk-based checks. Neither is a universal requirement for every client. The trigger for proportionate enquiry is where: the engagement is higher-risk; the structure is complex; the funds involved are unusually large; the source is not obviously consistent with the firm’s knowledge of the client; or the client’s profile does not align with the service being requested. 

Where source of funds or wealth enquiry is undertaken, the firm should obtain documentary evidence proportionate to the risk — self-certification alone is generally not adequate for a higher-risk relationship — and document the conclusion reached. EDD-level engagements typically require both source-of-funds and source-of-wealth verification with supporting documentation. 

Step 7: Reliance on Another Regulated Person (Regulation 39) 

Regulation 39 of the MLRs permits a firm to rely on customer due diligence conducted by another regulated person, in defined circumstances. This is a common scenario in accountancy practice: a new client comes in from another regulated firm; a corporate client has been verified by its bank; or one regulated professional has carried out the CDD on a joint engagement. 

Reliance under regulation 39 is permitted, but it is not a shortcut. Three conditions must be satisfied: 

  • Written agreement: there must be a written agreement between the firms confirming the basis of the reliance. The agreement should identify the client, the scope of the CDD relied upon, and the parties’ obligations. 
  • Information available on request: the firm relied upon must agree to provide, on request, copies of the underlying CDD information within two working days. The relying firm must be in a position to obtain that evidence quickly if challenged by a supervisor or required to take regulatory action. 
  • Liability remains with the relying firm: regulation 39(5) is explicit. The firm that relies on another’s CDD remains liable for any failure to comply with the CDD obligations. Reliance shifts the operational task but does not shift the legal responsibility. 

Practically, the relying firm should test reliance arrangements: request a sample of the underlying CDD evidence to confirm that the two-working-day commitment is operationally real, review the scope of what the original firm verified, and assess whether anything material has changed since the original CDD was performed. A reliance arrangement that has not been exercised since it was entered into is not necessarily reliable; supervisors will expect to see that the relying firm has satisfied itself the underlying CDD is genuinely accessible. 

Step 8: Record Decisions and Set Review Triggers 

CDD is not a one-time onboarding task. The Regulations require ongoing monitoring of the business relationship, which depends on the quality of the records created at onboarding. The firm should document, in a single client file or system record: 

  • The risk rating assigned to the client and the reasoning behind it 
  • The verification evidence obtained, including the source, the date, and the verifier 
  • The beneficial ownership analysis including the structure mapping and the identification of natural persons 
  • The screening results for PEPs, sanctions, and adverse media, with the date and source 
  • Any escalation to the MLRO and the decision reached 
  • The next review date and the trigger events that should prompt an earlier review 

Ongoing monitoring should be triggered by: 

  • Changes in ownership or control 
  • Changes in business activity or geographic footprint 
  • Adverse media identified through monitoring or client interaction 
  • Updated sanctions or PEP database results 
  • Changes in the nature or volume of instructions 
  • Periodic review dates set in the file 

CDD records must be retained for five years from the end of the business relationship, in line with regulation 40 of the MLRs. The record must be sufficient to demonstrate to the supervisor what was done, by whom, when, and on what basis. 

Common CDD Mistakes 

The following failures appear regularly in supervisory file picks and AML thematic reviews. Each is identifiable, recurring, and preventable with structured controls. 

  • Collecting documents without assessing risk: a file full of passports and utility bills is not CDD. CDD is the risk assessment that the documents support. A file that records the documents but not the assessment is structurally incomplete.
  • Misstating the beneficial ownership threshold: applying “25%” or “25% or more” rather than the statutory “more than 25%” test under regulation 5. The error is small in description but consistent across many firms. 
  • Failing to identify beneficial owners properly: stopping at the first corporate layer rather than identifying the ultimate natural person, or relying on Companies House PSC data without verification. 
  • Relying too heavily on verbal assurances: source of wealth or source of funds enquiries closed out on the basis of what the client said in a meeting, with no documentary support recorded. 
  • Not recording the rationale for decisions: particularly for risk ratings and for any departure from the firm’s standard process. Supervisors look for reasoning, not just outputs. 
  • Failing to refresh records: onboarding CDD that is several years old, with no refresh triggered by changes in the relationship. 
  • Treating CDD as a one-off process rather than an ongoing control: the same failure mode in a different form. Ongoing monitoring is not optional. 
  • Referencing the closed OFSI Consolidated List: the Consolidated List closed on 28 January 2026. Any policy, vendor configuration, or staff training material still referring to it must be updated. 
  • Treating ECCTA / ACSP IDV as part of MLR CDD: the two are separate obligations. Both must be completed. Treating one as a substitute for the other creates gaps in both regimes. 

The 2026 Compliance Landscape 

Three developments in 2026 have changed the operational reality of CDD for UK accountancy firms. 

First, the National Risk Assessment of Money Laundering and Terrorist Financing 2025 (NRA 2025) continues to rate the accountancy sector as high risk for money laundering. The NRA is a required input to the firm’s business-wide risk assessment under regulation 18 of the MLRs. Firms whose risk methodology pre-dates the NRA 2025 should review whether the new findings warrant changes to their risk model, particularly for company formation, trust and company services, and complex international structuring engagements. 

Second, the Economic Crime and Corporate Transparency Act 2023 identity verification regime is now operational. ACSP-registered firms can deliver mandatory IDV for directors and PSCs as part of their onboarding workflow. For accountancy firms registered as ACSPs, this is both a compliance obligation for affected clients and a potential service offering. For firms not registered as ACSPs, it is an obligation to ensure that clients’ directors and PSCs are verified through Companies House or another ACSP route before Companies House filings are made. 

Third, the OFSI Consolidated List closed on 28 January 2026. The UK Sanctions List, published by OFSI on gov.uk, is now the sole authoritative source for UK financial sanctions screening. Firms whose vendor configuration, policy documentation, or staff training still references the Consolidated List by name should update immediately. The HM Treasury / DSIT joint guidance of February 2026 confirming DIATF-certified Digital Verification Services as a compliant route under MLR reg. 28 is a parallel development that affects the practical execution of identity verification across the same workflow. 

From Compliance Cost to Revenue Opportunity: How IRIS Elements Supports CDD 

Manual CDD is operationally expensive. A practice processing 50 new clients per year through a spreadsheet-and-shared-drive process is absorbing material partner and administrator time on inconsistent onboarding: chasing documents, version-controlling spreadsheets, building risk assessments from memory, and producing audit trails after the fact rather than in real time. The non-billable admin time is the visible cost; the invisible costs — delays to engagement commencement, gaps in audit trails, and the supervisory exposure they create — are typically larger. 

In 2026, the commercial picture is no longer just about reducing the cost of compliance. The Economic Crime and Corporate Transparency Act regime has created a new chargeable onboarding service. Accountancy firms that register as Authorised Corporate Service Providers can deliver mandatory ECCTA identity verification for directors and PSCs as a fee-bearing service. For practice managers, the question is no longer only “how do we reduce the burden of CDD?” but “how do we turn the onboarding workflow into a revenue line?” 

IRIS Elements supports this shift in three ways: 

  • Workflow-driven onboarding: MLR CDD and ECCTA identity verification can be configured as parallel workstreams within a single client onboarding case, removing the need to manage the two regimes in separate systems. 
  • Standardised process, billable as a service: the same workflow that satisfies the firm’s own MLR obligations supports the delivery of ECCTA IDV as an ACSP service to the firm’s clients. Standardisation makes the service repeatable; repeatability makes it billable at a predictable cost. 
  • Auditable evidence in a single record: every check, every decision, every escalation and every approval is captured against the client record with a timestamp and a named user. The supervisory file pick that used to take three days to prepare becomes an export from a single system. 

IRIS Elements supports the workflow; it does not make the compliance judgements. The risk rating, the EDD decision, the acceptance or refusal of the engagement, and the application of regulation 39 reliance all remain the firm’s responsibility. What well-configured workflow software does is convert what was a fragmented manual process into a standardised, evidenced, and — in the ECCTA context — chargeable service. 

CDD for UK Accountants: Frequently Asked Questions 

How long must I keep client due diligence records? 

Regulation 40 of the Money Laundering Regulations 2017 requires firms to keep CDD records for five years from the end of the business relationship with the client, or from the date of the last occasional transaction. The records must be sufficient to demonstrate compliance with the firm’s CDD obligations. This includes copies of identity documents, verification evidence, risk assessments, screening results, beneficial ownership analysis, and any correspondence relevant to the CDD decisions. Records may be retained electronically provided the format is reliable and accessible for the full retention period. 

What is the difference between CDD and KYC? 

Customer Due Diligence (CDD) is the term used in the UK Money Laundering Regulations 2017 and is the specific compliance obligation that UK regulated firms are required to meet. Know Your Customer (KYC) is a broader, more loosely defined term used internationally to describe the general practice of understanding who a client is and what they do. 

In UK accountancy practice, the term that matters is CDD: that is what supervisors assess against, what the Regulations require, and what the firm’s policy documentation should reference. KYC is sometimes used informally to describe the same activity, but the technical and supervisory reference point is CDD. 

Can I rely on the CDD completed by a previous accountant? 

Yes, subject to the conditions of regulation 39. The firm must have a written agreement with the previous accountant covering the reliance; the previous accountant must agree to provide the underlying CDD information within two working days on request; and liability for any CDD failure remains with the firm relying on the previous accountant’s work. See Step 7 in the main checklist above for the full conditions and practical implementation guidance. 

Does ECCTA identity verification replace MLR CDD? 

No. The ECCTA identity verification regime, delivered through Companies House or an Authorised Corporate Service Provider, is a separate obligation from MLR CDD. Both must be completed for relevant clients, but they can be performed in parallel during onboarding. ECCTA IDV verifies the identity of directors, persons with significant control, and others required to verify under the ECCTA regime for the purpose of accurate Companies House records. MLR CDD is the accountancy firm’s own risk-based assessment of the client and beneficial owners for the purpose of managing money laundering risk in the engagement. 

Can I use digital identity verification to meet the MLR requirements? 

Yes. In February 2026, HM Treasury and the Department for Science, Innovation and Technology published joint guidance confirming that Digital Verification Services certified under the UK Digital Identity and Attributes Trust Framework can satisfy the identity verification requirements of regulation 28 of the MLRs. This is the first formal government recognition of digital identity as a compliant pathway under the Regulations. The firm must satisfy itself that the chosen DVS provider holds current DIATF certification at the appropriate level for the firm’s use case, must retain the verification evidence as part of the CDD record, and remains responsible for the overall identity verification decision.

Jon Cooper is Senior Product Marketing Partner at IRIS, where he works across the organisation’s accountancy portfolio, connecting software and services to the real-world needs of accountancy firms.

With 15 years’ experience in the accountancy profession, including 10 years in practice leading teams of accountants and bookkeepers, Jon brings a rare depth of first-hand industry knowledge to his role. This Practice Manager background gives him a distinctive understanding of the pressures firms face and the solutions that make a meaningful difference.

Jon is passionate about helping accountancy firms work smarter through better technology and resources, and is committed to ensuring IRIS’ solutions are positioned to meet the evolving demands of modern practice.