What is KYC and why does it matter for UK accountants?

Every UK accountancy firm has to perform Know Your Client (KYC) checks. Most do, but few do it in a way that would survive a close look from a regulator.

This isn’t because firms are wilfully cutting corners; it is because the process usually lives across email, spreadsheets and good intentions.

This article covers what good KYC actually requires under UK law, why getting it right matters more than ever, and what a well-run KYC process looks like in a small or mid-sized practice.

What KYC means for an accountancy firm

KYC is the information a firm gathers and the set of checks it carries out to verify who its clients are and assess the risk of taking them on. For UK accountants, KYC isn’t a best practice or a nice-to-have. It’s a legal obligation under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, usually shortened to the Money Laundering Regulations 2017 or MLR 2017.

The regulations apply to almost every accountancy firm in the UK, including sole practitioners. Your supervisory body, typically ICAEW, ACCA, AAT, or CIOT, checks that you’re meeting them.

What you’re legally required to collect

Under MLR 2017, before you start work for a new client, you need to:

  • Identify the client. For an individual, that means verifying their full name, date of birth, and current address from a reliable, independent source — typically a passport or driving licence plus a recent utility bill or bank statement.
  • Identify the beneficial owners of any company, trust, or partnership. For a limited company, that means anyone holding more than 25% of the shares or voting rights, or who otherwise exercises control.
  • Understand the purpose and intended nature of the business relationship. What work are you doing for them, and why?
  • Carry out a risk assessment at the client level. Is this a low-, medium-, or high-risk client, and on what basis?
  • Screen against sanctions and politically exposed persons (PEP) lists before taking the client on.
  • Keep records of everything above, securely, for at least five years after the relationship ends.

For higher-risk clients — those in higher-risk jurisdictions, those holding PEP status, or those whose business model raises flags — you need to carry out enhanced due diligence (EDD), which means going further on source of funds and source of wealth.

Why it matters more than firms often realise

There are three reasons KYC has moved up the priority list for UK accountancy firms in recent years.

  1. Supervisory bodies are looking more closely. ICAEW, ACCA, and others have all increased the frequency and depth of their AML inspections. Inspectors don’t just ask whether you did the check; they ask to see it. Firms that did the work but can’t produce the record fail in the same way as firms that didn’t do it.
  2. The penalties are real. Failures range from formal warnings and required remediation through to substantial fines and, in serious cases, loss of supervisory body membership. The reputational cost of a public sanction often outweighs the fine itself.
  3. Clients have changed. Stringent ID verification is now standard for opening a current account. When a new client’s onboarding journey with your firm feels less rigorous than opening their business bank account, it raises questions — both about your professionalism and about whether their accountant is taking compliance seriously.

Why manual KYC creates risk

Most small firms run KYC manually: a checklist, a folder of scanned documents, a spreadsheet for the AML log. It works, until it doesn’t.

The common failure points are predictable. An ID check is done but the verification record is missing. A risk assessment is in the partner’s head but not in the file. A sanctions screen was run six months ago and was never refreshed. The engagement letter is signed but the date doesn’t quite line up with when the work started.

None of these are major breaches on their own. Stacked together, they look like a process that wasn’t built to be fully compliant and inspected.

How software changes the picture

Cloud-based client onboarding software handles the parts of KYC that don’t need a human judgement call. ID verification runs against an authoritative source. Sanctions and PEP screening happens automatically. Risk assessment is captured in a structured form, not a free-text note. The whole record sits in one place, time-stamped, ready to produce.

What’s left for the firm is the work that genuinely needs a person, such as judging context, classifying risk on a borderline case, and deciding whether to take a client on.

That’s the right division of labour.

See how Onboarder handles KYC for UK accountancy firms.