KYC and Customer Due Diligence for Accountancy Practices
A practical guide to KYC and customer due diligence for accountancy firms: when CDD is required, what to collect, EDD triggers and common failings.
Customer due diligence (CDD) is the process by which an accountancy firm identifies its client, verifies that identity using reliable independent sources, identifies any beneficial owners, and understands the purpose and intended nature of the business relationship. In the UK it is required by the Money Laundering Regulations 2017 (MLR 2017); in Ireland by the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 as amended. KYC — know your customer — is the broader discipline that turns those legal requirements into a working onboarding and monitoring process.
When must an accountancy firm carry out CDD?
CDD is required at defined trigger points, not just at onboarding:
- Before establishing a business relationship — i.e. before you start acting for a new client.
- For occasional transactions above the thresholds set in the regulations.
- Where money laundering or terrorist financing is suspected, regardless of any threshold.
- Where there are doubts about previously obtained information — for example, documents that no longer add up.
- At appropriate intervals for existing clients, on a risk-sensitive basis and when relevant circumstances change (new ownership, new services, a change in risk profile).
Note for UK firms: HM Treasury laid draft amending regulations before Parliament in 2026 that, among other changes, convert the euro-denominated thresholds in MLR 2017 to sterling and refine when enhanced due diligence is mandatory. Check your supervisor's current guidance for the figures in force at the time you read this rather than relying on older training materials.
What does standard CDD actually involve?
Individuals
- Verify name, date of birth and residential address from reliable, independent sources — typically a passport or driving licence plus proof of address, or an electronic identity verification (eIDV) check.
- If using eIDV, understand what the tool actually checks and record the result; an electronic check is evidence, not a substitute for judgement.
Companies and other entities
- Confirm the entity exists: name, registered number, registered office and principal place of business.
- Obtain and verify the identity of beneficial owners — generally individuals ultimately owning or controlling more than 25% of shares or voting rights, or otherwise exercising control.
- Do not treat the Companies House register (UK) or the RBO (Ireland) as verification on its own. Both regimes expect firms to check registers against their own findings, and UK firms have a duty to report material discrepancies in the people-with-significant-control information they find.
- Understand the ownership and control structure — and document it, ideally with a structure chart for anything beyond a simple single-shareholder company.
Purpose and nature of the relationship
This is the part firms most often skim. You should be able to answer, from the file: what does this client do, where does their money come from, what services will the firm provide, and does the engagement make commercial sense? An engagement that makes no sense for the client is itself a risk indicator.
When is enhanced due diligence required?
Enhanced due diligence (EDD) means deeper verification, senior approval and closer monitoring. Triggers include:
- Politically exposed persons (PEPs), their family members and known close associates — requiring senior management approval, source of wealth and source of funds checks, and enhanced ongoing monitoring.
- Clients or transactions connected to high-risk third countries. Under the UK's 2026 amendments, automatic EDD is focused on the FATF "call for action" jurisdictions, with a risk-based approach to other listed countries — again, verify the current list before relying on it.
- Unusually complex or unusually large transactions, unusual patterns, or transactions with no apparent economic or legal purpose. Both UK and Irish law require firms to examine the background and purpose of such transactions.
- Any situation your own risk assessment rates as high risk — for example cash-intensive businesses, opaque offshore structures, or clients who resist providing information.
Simplified due diligence remains available where your risk assessment supports it, but it is a reduction in the extent of measures, never an exemption from CDD altogether.
What does ongoing monitoring look like in practice?
CDD is not a one-off onboarding task. Firms must scrutinise transactions through the relationship to ensure they are consistent with what the firm knows about the client, and keep CDD information up to date. Operationally this means:
- Assigning every client a risk rating at onboarding and reviewing it on a defined cycle (commonly annually for high risk, with longer cycles for lower-risk clients).
- Building review triggers into workflow: change of ownership, new high-risk services, adverse media, sanctions list changes.
- Recording each periodic review, even when the conclusion is "no change".
How should you risk-rate clients?
The client risk assessment is the hinge between your firm-wide risk assessment and the level of due diligence applied to each file. A workable model for an accountancy practice:
- Define the factors: client type and sector, geography of the client and its owners, services provided, transaction profile, and how the client was introduced. These mirror the categories in your firm-wide assessment, which is deliberate — the two documents should speak the same language.
- Define the ratings: low, standard and high is enough for most firms. Crucially, define what each rating means in consequence: what verification level, what approval, what review frequency.
- Record the rationale: a rating with no reasoning is a recurring inspection finding. Two sentences explaining why a client is low risk will satisfy most reviewers; an unexplained tick-box will not.
- Make high risk mean something: high-risk ratings should trigger EDD measures, partner-level approval and an annual review — and someone should check those actions actually happened.
Source of funds versus source of wealth
These are distinct concepts that files frequently blur. Source of funds is where the money in a specific transaction comes from — the sale proceeds, the loan, the trading income. Source of wealth is how the client built their overall asset base. Standard CDD rarely demands either in depth, but PEP relationships and other EDD situations require both, and "client confirmed funds are from savings" without corroboration is the kind of note supervisors quote in their published findings. Bank statements, completion statements, sale contracts and audited accounts are the corroborating evidence to look for.
Reliance and outsourcing
Firms in networks, or taking over clients from another practice, often want to lean on due diligence performed elsewhere. The regulations permit reliance on certain other regulated persons, but only with the right arrangements in place, and the relying firm remains liable for any failure. Outsourcing CDD processing to a provider is different again: the provider does the legwork, but the regulatory responsibility never moves. In both cases, get the underlying documents onto your own file — "the previous accountant had it" has never satisfied an inspector.
What are the most common supervisor findings on CDD?
Inspection reports from UK and Irish supervisory bodies repeatedly highlight the same gaps:
- Identity verified, but no evidence of beneficial ownership checks for corporate clients.
- No record of the purpose and intended nature of the relationship.
- No client risk assessment, or a rating with no rationale behind it.
- EDD triggers (PEPs, high-risk countries) not identified because no screening was performed.
- CDD never refreshed for long-standing clients — "we've known them for years" is not due diligence.
- Reliance on another firm's CDD without the required agreements, or treating outsourced checks as transferring responsibility (it never does).
What records must you keep?
Keep copies of, or references to, the documents and information obtained to satisfy CDD, plus supporting records of transactions, generally for five years after the end of the business relationship or the completion of the transaction. Build the file so that a reviewer who has never met the client could reconstruct who they are, who owns them, why you act for them and why you rated the risk as you did. Structured training helps embed this discipline across the practice — a topic Learnsignal covers in its CPD-accredited compliance courses.
Study with Learnsignal
Strong CDD depends on every fee-earner, not just the MLRO, knowing what good looks like. Learnsignal's CPD-accredited AML and compliance training gives your whole team practical, up-to-date knowledge through flexible online courses. Browse the catalogue at Learnsignal CPD.
Learnsignal Education Team
Expert Tutor at Learnsignal