What ongoing monitoring means for accountants under UK AML rules
Last updated: July 1, 2026
Ongoing monitoring is the part of AML that starts after a client has been onboarded. It is also where the compliance process becomes less structured.
This is because AML is often treated as a front-loaded exercise: collect ID, understand the client, assess the risk, and open the file. But Regulation 28 of the Money Laundering Regulations makes clear that the client’s AML position cannot simply be frozen at onboarding.
In practice, ongoing monitoring means keeping that position current, explainable, and evidenced over time.
The file should show what the firm knew about the client and whether anything material has changed. It should also explain why the risk assessment still made sense and why the firm was comfortable continuing to act.
The key point is that the client file should continue to reflect reality, without forcing the firm to repeat full CDD if nothing material has changed.
Key takeaways
- Ongoing monitoring starts after onboarding and continues throughout the client relationship.
- Accountants should keep CDD and client risk information current, and ensure the file reflects changes to services, ownership, and business activity.
- While it does not require automated monitoring of the kind used in financial services, the client file should show what was reviewed, whether anything material changed, and what the firm concluded.
Ongoing AML monitoring for UK accountancy firms
Ongoing monitoring sits within customer due diligence (CDD) under Regulation 28 of the Money Laundering Regulations.
Accountants need to scrutinise transactions during the business relationship to check they are consistent with the firm’s knowledge of the client, their business, and their risk profile.
They also need to keep CDD documents, data, and information up to date. This aspect is often the biggest challenge.
A small firm will see enough information through accounts preparation, tax work, bookkeeping, payroll, or advisory conversations to know whether the client’s position has changed.
This means ongoing monitoring is not a passive exercise. It is a continuing discipline of asking: Does what we now know about this client still match the AML file?
HMRC guidance supports this interpretation by describing ongoing monitoring as both transaction scrutiny during the relationship and keeping CDD information current.
How ongoing monitoring differs from onboarding CDD
Onboarding CDD is the initial understanding of the client. It helps the firm establish who the client is, who owns or controls them, what services they need, and what level of AML risk they present.
Ongoing monitoring is the work of keeping that understanding up to date.
A client who appeared straightforward at the start of the relationship can later change in ways that affect the original risk assessment. A firm might also see transactions or records that do not fit its earlier understanding of the client’s business.
While this does not automatically reflect an AML concern, the file might still need to be reviewed to ensure compliance with the Money Laundering Regulations.
A useful distinction for accountancy firms:
- Ongoing monitoring: The legal umbrella under Regulation 28
- Periodic reviews: Planned checks used to keep the file current
- Trigger-event reviews: When a change or concern arises
- CDD refresh: The practical update made where a review shows that existing client CDD needs to be checked or updated
What accountancy firms should monitor
Ongoing monitoring should be built around the reality of the client relationship.
Firms should consider whether the client’s AML file still reflects what is known from day-to-day work. This might include checking whether there have been material changes to the client’s ownership, management, services, or business activity since the original assessment.
It may also include considering whether the client’s risk profile has changed. Relevant factors could include new jurisdictions, unusual transactions, PEP involvement, adverse information, or inconsistent records.
This does not need to become a long exercise every time. A low-complexity client with no changes may only need a short recorded review. In contrast, a higher-risk or changing client may need a more detailed update.
Firms that provide bookkeeping, payroll, or tax services should check exactly how those services are treated under the AML regime.
HMRC guidance treats professional bookkeeping as an accountancy service, while payroll depends on the substance of the work. Payroll may fall within scope where it includes accounting support or tax advice, but limited administrative processing may be treated differently.
The safer approach is to assess the real service, whether it is provided by way of business, and the firm’s supervisory position.
When monitoring should lead to a CDD refresh or AML risk review
Ongoing monitoring does not always result in new documents. Sometimes the correct conclusion is that nothing material has changed.
Where a review identifies outdated, incomplete, or inconsistent information, the firm should update the client file. This may mean refreshing identity or ownership information, or revising the client risk assessment. In other cases, the firm might need to ask further questions or record why no further action was needed.
CCAB guidance recognises both periodic and event-driven reviews as ways to keep CDD current. The law does not set one fixed timetable for every client, so firms should set risk-based review intervals in their AML procedures and be able to justify them. For a more detailed breakdown, see our guide on how often accountants should update CDD for existing clients.

Professional guidance gives example review cycles, such as annual reviews for high-risk clients and longer cycles for standard or lower-risk clients. Some firms may choose shorter cycles, such as six-monthly reviews, for higher-risk cases.
These are examples, not legal rules; the firm’s timetable should be risk-based, documented, and brought forward if something material changes for AML purposes.
Nonetheless, the timetable should be risk-based, written into the firm’s procedures, followed in practice, and evidenced in the client file.
In addition, a scheduled review should be brought forward where a material change or concern affects the firm’s understanding of the client or their risk profile. Our guide to CDD trigger events for accountants explains when client changes should prompt an earlier AML review.
What evidence should be kept in the client file?
An AML review that is not properly recorded may be difficult to evidence later.
Supervisors typically want to see that the firm’s AML process was followed, not just hear that the principal “knows the client”. As such, the AML reasoning must be clear enough for someone reviewing an accountancy client file to follow.
HMRC says inspection officers may examine transactions, CDD procedures, AML risk assessments and policies, controls, procedures, training logs, and other records showing how AML systems work.
ICAEW’s recent AML supervision findings also show that updating CDD remains a live compliance weakness. It previously found that 20% of firms reviewed were non-compliant, and 11.6% had failed to update CDD throughout the duration of client relationships.
In terms of what to record in a client AML review, a good monitoring note shows the date of review, who carried it out, and the checks completed. It should also record material findings, any CDD or risk assessment updates, and the conclusion reached.
Example: A concise ongoing monitoring record
- Client: ABC Trading Ltd
- Review type: Periodic AML review
- What triggered the review: Scheduled AML review under the firm’s standard review cycle.
- What was reviewed: Companies House record, directors and PSCs, services provided, year-end bookkeeping records, jurisdiction exposure, and existing client risk assessment.
- Evidence relied on: Companies House check completed on 12 June 2026. Bookkeeping records were reviewed during year-end accounts work. Existing CDD files were reviewed.
- Conclusion: No material change identified. Client remains standard risk.
- Action taken: No CDD refresh required. Client risk assessment confirmed unchanged. Next AML review to follow the standard review cycle.
This kind of record is concise, but it still gives a supervisor a clear basis for understanding what was reviewed, what was concluded, and why no further action was taken
Common mistakes accountancy firms should avoid
Supervisory findings suggest that many firms struggle to evidence what they have done, even where the principal knows the client well. While that knowledge is valuable, if it affects AML risk, it should be reflected in the file.
This means that long-standing clients still deserve particular attention. Familiarity can make stale files easier to miss, since ownership, control, services, and business activity can all shift gradually over time.
Firms should also avoid treating monitoring as automatic annual re-verification. The right level of work depends on risk, the quality of the existing information, and whether anything material has changed.
Moreover, a written AML procedure is not enough by itself. If the procedure says clients are reviewed periodically, the files should show that those reviews actually happened.
How the FCA transition affects ongoing monitoring
The ongoing monitoring duty itself is not new, but the way firms are expected to evidence it could come under much sharper scrutiny as accountancy AML supervision moves toward the FCA.
The issue for some firms is whether the client file shows that the process actually happened. This means a supervisor should be able to see when the client was reviewed, what information was considered, whether anything material had changed, and why the firm’s conclusion still made sense.
The FCA transition should therefore be seen as another reason to tighten existing-client records now, not as something to wait for. Ongoing monitoring is already required; the difference is that weak or missing review evidence can become harder to defend under a more centralised supervisory model.
Making ongoing monitoring workable
Ongoing monitoring should be part of the firm’s normal rhythm, not a separate annual panic.
Small practices, in particular, often find that the easiest approach is to connect AML checks to work already being done. This might include annual accounts, tax returns, bookkeeping reviews, payroll changes, new engagements, or recurring client meetings.
A simple process is usually enough:
Set risk-based review intervals in the firm’s AML procedures.
Use routine client work to identify relevant changes.
Record a concise review note.
Make any necessary updates.
Follow up on unresolved issues.
While this process does not require a dedicated compliance department, it needs to be done consistently. The central question is whether the AML record supports the decision to continue acting.
In summary
Ongoing monitoring is the practical discipline of keeping an existing client’s AML position current over time.
Under Regulation 28, this includes scrutinising client activity during the relationship and keeping CDD information up to date. When accounting firms notice changes in ownership, control, services, business activity, or risk, then recording what was checked and concluded becomes important.
A short, consistent, and well-recorded review process is often the difference between informal knowledge and evidence that a supervisor can understand. After all, supervisory bodies expect accurate, risk-based, and explainable files.
Firms reviewing CDD procedures should also consider whether the 2026 AML Amendment Regulations affect their client checks or EDD triggers.
FAQs
Ongoing monitoring is continuing to check, after onboarding, that the firm’s understanding of the client still holds true. This includes looking at relevant activity during the relationship and updating client information where it has become inaccurate, incomplete, or out of date.
No. Ongoing monitoring is the wider obligation. A CDD refresh is only needed where the review shows that existing information needs updating or can no longer be relied on.
Yes, where the client relationship falls within the UK Money Laundering Regulations. The amount of monitoring should depend on the client’s risk, the work being done, and whether anything has changed.
There is no fixed legal review frequency. Firms should set a risk-based timetable, record it in their AML procedures, and review sooner if a client change or concern arises. Annual reviews for high-risk clients, longer cycles for lower-risk clients, and shorter cycles for very high-risk cases are all examples, not universal rules.
A review should be brought forward when the firm becomes aware of a material client change or concern, such as a new beneficial owner, new service, overseas activity, inconsistent records, or adverse information.
The AML record should make the decision understandable. It should state when the review happened, who completed it, what was looked at, whether anything relevant was found, what action followed, and whether the client’s risk rating changed.
Yes. A brief note is still useful where the firm has checked the position and decided that no update is needed. It helps show that the file was actively reviewed rather than ignored.
References and Source Material
- Money Laundering Regulations 2017, Regulation 28
- HMRC, Economic Crime Supervision Handbook (ECSH33375 – Ongoing Monitoring)
- HMRC, How HMRC checks on businesses registered for money laundering supervision
- HMRC, Check if you need to register for money laundering supervision if you’re an accountancy service provider
- CCAB, Anti-Money Laundering, Counter-Terrorist and Counter-Proliferation Financing: Guidance for the Accountancy Sector
- ICAEW, Examining non-compliance: AML supervision report 2024/25

