AML Supervision for Accountancy Firms in the UK and Ireland

AML Supervision for Accountancy Firms in the UK and Ireland

Every accountancy firm in the UK and Ireland must be supervised for anti-money laundering compliance by a designated supervisory authority. In the UK, that is currently a professional body supervisor such as ICAEW, ACCA, AAT or CIOT — or HMRC if no professional body covers the firm — with the whole system overseen by OPBAS and, following the government's 2025 reform decision, gradually transitioning towards a single supervisor: the Financial Conduct Authority. In Ireland, the designated accountancy bodies (including Chartered Accountants Ireland) supervise their members, with the Anti-Money Laundering Compliance Unit of the Department of Justice covering accountants and tax advisers who belong to no body.

Who is my AML supervisor in the UK?

Under the Money Laundering Regulations 2017, supervision for the accountancy sector is currently shared between:

• Professional body supervisors (PBSs): the accountancy and tax bodies listed in the regulations — including ICAEW, ACCA, AAT, CIOT, ATT, ICAS, Chartered Accountants Ireland (for its UK members) and others — each supervising firms where the relevant principals are members.
• HMRC: the default supervisor for accountancy service providers, bookkeepers and tax advisers not supervised by a professional body. If you provide accountancy services by way of business and no PBS supervises you, you must register with HMRC — operating unsupervised is an offence.
• OPBAS: the Office for Professional Body Anti-Money Laundering Supervision, housed within the FCA, which does not supervise firms directly but oversees the consistency and effectiveness of the PBSs themselves.

A firm cannot choose to have no supervisor, and firms with principals in multiple bodies should confirm which body actually holds supervisory responsibility — an administrative point that catches out merged practices.

How is UK AML supervision changing?

This is the live issue for 2026. In 2025 the government announced that the FCA will become the single AML/CTF supervisor for the legal, accountancy and trust and company service provider sectors, replacing the more than 20 professional body supervisors and relevant parts of HMRC's role. HM Treasury consulted on the FCA's powers in late 2025, and the change requires primary legislation, so the transfer will take years to complete — commentary anticipates a phased transition running through the late 2020s, with full FCA supervision not expected until the regime, funding and registration processes are built.

What this means operationally for firms right now:

• Nothing changes today. Your current PBS or HMRC remains your supervisor, with full inspection and enforcement powers, until the transfer happens. Letting compliance drift "because the FCA is coming" is the single worst response.
• Expect a more data-driven, assertive supervisory style over time. The FCA's approach in financial services — regulatory returns, thematic reviews, significant fines — is widely expected to carry across.
• Get your house in order early: firms with a current firm-wide risk assessment, clean CDD files and documented training will find any future registration or fit-and-proper process far easier.
• Watch for the enabling legislation and your professional body's transition guidance — the bodies will continue regulating professional standards even after AML supervision moves.

Who supervises accountancy firms in Ireland?

Ireland's framework sits in the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010, as amended. Accountants, auditors and tax advisers are "designated persons", and competent authorities for supervision are:

• The designated accountancy bodies — including Chartered Accountants Ireland, ACCA and CPA Ireland — which supervise their own members and member firms for AML compliance, typically through risk-based monitoring visits alongside practice reviews.
• The Anti-Money Laundering Compliance Unit (AMLCU) of the Department of Justice, which supervises external accountants, bookkeepers and tax advisers who are not members of a designated body, as well as trust or company service providers, which also require authorisation.
• The Law Society and Central Bank cover solicitors and financial institutions respectively — relevant where your firm sits in a group or referral network.

Irish supervision is risk-based: Chartered Accountants Ireland, for example, reviews higher-risk firms on a much shorter cycle than low-risk firms, and substantial findings trigger follow-up monitoring. Ireland is also implementing the EU's new AML package, which over the coming years introduces a single EU rulebook and the EU-level supervisor AMLA — primarily aimed at financial institutions, but with knock-on effects for national supervision of professionals worth monitoring.

What does an AML supervisory inspection actually cover?

Whether ICAEW, ACCA, HMRC, Chartered Accountants Ireland or the AMLCU, monitoring visits converge on the same evidence requests:

• Firm-wide / business risk assessment: current, tailored to the firm, covering clients, geography, services, transactions and delivery channels, with a conclusion.
• Policies, controls and procedures: a live document that matches what staff actually do, reviewed and approved at senior level.
• Governance: a properly appointed MLRO/nominated officer and compliance officer; in the UK, approved BOOMs with criminality checks.
• Client files: sample testing of CDD, beneficial ownership, client risk ratings, EDD for PEPs and high-risk countries, and ongoing monitoring evidence.
• Suspicious activity reporting: the internal reporting route, the SAR/STR log, and the documented reasoning behind decisions.
• Training: records showing all relevant staff receive AML training appropriate to their role, refreshed regularly — one of the most frequently cited gaps, and the easiest to fix through ongoing CPD.
• Record-keeping: retention of CDD and transaction records, generally for five years.

How do you prepare for a supervisory visit?

Most supervisors give notice of a monitoring review and send an information request in advance. A sensible preparation sequence:

• Re-read your own documents first. The most damaging inspection moments come when the firm's answers contradict its own written procedures. If the procedures say files are reviewed annually and they are not, fix either the practice or the wording before the visit.
• Run a pre-visit file sample. Pull ten client files across risk ratings and check them against your CDD checklist: identity, beneficial ownership, purpose of relationship, risk rating with rationale, screening evidence, review dates. Remediate gaps and document the remediation — supervisors respond far better to "we found this and fixed it" than to discovery.
• Reconcile your client list. Be ready to explain how many clients you have, how they break down by risk rating, and how many are PEPs or have high-risk-country connections. Not knowing your own numbers is itself a finding.
• Assemble the evidence pack: firm-wide risk assessment with version history, policies and procedures, MLRO appointment and board approval records, BOOM approvals, training logs, the internal report and SAR registers (with content appropriately protected), and screening records.
• Brief the people who will be interviewed. Reviewers commonly speak to junior staff as well as the MLRO, specifically to test whether training has landed. Staff who can describe how they would escalate a suspicion are worth more than any policy document.

After the visit, treat the findings letter as a project plan: assign owners and dates to each action, evidence completion, and report closure to the partners. Repeat findings at a follow-up visit are treated far more seriously than first-time ones.

What are the consequences of supervisory findings?

Outcomes range from action plans and follow-up reviews through fines, publication of enforcement outcomes, conditions on practising certificates, and removal from the register — which, because supervision is mandatory, can end a firm's ability to trade. HMRC publishes lists of businesses penalised for AML failures, and professional bodies publicise disciplinary outcomes. The pattern across published enforcement is consistent: firms are rarely sanctioned for sophisticated criminality, and routinely sanctioned for missing basics — no firm-wide risk assessment, no CDD evidence on file, no training records. For partners, the message is that supervisory risk is overwhelmingly a documentation and discipline problem, and one that a structured annual compliance cycle largely eliminates.

Study with Learnsignal

Whichever supervisor you answer to — and whoever it becomes over the next few years — evidenced, role-appropriate training is the requirement that never changes. Learnsignal provides CPD-accredited AML and compliance training online, so partners, MLROs and staff across UK and Irish firms can stay inspection-ready on a flexible schedule. Find the right course at Learnsignal CPD.