What should accountants record in a client AML review?
Last updated: May 14, 2026
AML reviews for existing clients need to leave a clear record of the judgement made at the time. If the client file is reviewed later, the entry should make the judgement understandable. It needs to explain why the review took place, identify the material considered, and give the basis for the conclusion.
Under the Money Laundering Regulations, accountancy firms need to keep CDD information current and apply ongoing monitoring during the client relationship. In practice, that may mean recording a periodic AML review, or recording the effect of a change in client circumstances when it brings the AML position back into focus.
In both cases, the record needs to show the route from review reason to outcome, without turning the exercise into a full re-onboarding process.
Contents
Key takeaways
- A client AML review should identify why the existing client file was reviewed and what information was considered.
- If nothing material has changed, the record should say so clearly rather than leaving the conclusion implied.
- When the AML file no longer reflects the client relationship, the review entry should explain the impact on the client’s risk outlook.
- A defensible review record explains the outcome and supports it with a clear rationale.
- The same entry should identify the evidence used and what the firm did next, including any reasoned decision to take no further action.
Why the AML review record matters
The Money Laundering Regulations require ongoing monitoring and risk-sensitive CDD. Firms also need records capable of supporting their AML decisions. For an existing client, that means the review entry needs to do more than update a date or repeat a risk label.
It helps anyone reviewing the file, whether that’s a colleague or a supervisory inspector, understand the AML judgement made at the time.
When CDD remains current, the entry needs to make that conclusion visible. And if information has changed, the entry needs to show how the change was considered and whether it affected the recorded AML view.
The regulations do not prescribe one fixed format for an AML review note. Supervisory guidance points to the same concern: weak records make it difficult to demonstrate that the firm considered the client’s current AML information properly. The note needs to set out the basis for the review decision.
The two types of AML client reviews
Before setting out what to record, it helps to separate the two situations that accountancy firms typically deal with. Both require a clear AML review record, but the reason for the review affects what the entry needs to explain.
Periodic AML review
The firm revisits the client’s AML position as part of its risk-based review cycle. A lower-risk client may be reviewed less often than a higher-risk client, but the record still needs to show what was checked and why the AML position remains current.
Change in client circumstances review
Also called a trigger-event or event-driven review.
The firm reviews the AML position because something specific has changed or come to light. For example, the review may be prompted by a change in ownership or in the services provided. It may also arise where the client’s activity has changed or new information does not match the existing file.
While both situations use the same underlying record logic, the key difference is in emphasis.
A periodic review will often need to evidence why the firm concluded that existing CDD and risk information remained current. A change-driven review will usually need to identify the change and explain how the firm checked it. The entry should then record its effect on the client file.
The AML review record sequence in seven steps
The seven steps below are the structure for the rest of the article.
| Record element | What the record needs to establish |
|---|---|
| 1. Why the review happened | Whether the review is periodic or change-driven, and why the file is being considered now. |
| 2. What was reviewed | The relevant CDD, risk, ownership/control, service-scope, and supporting information considered. |
| 3. What changed | For a periodic review, whether anything relevant has changed since the last review. For event-driven cases, the specific change that brought the file forward. |
| 4. Outcome reached | The conclusion on CDD, risk rating, and final AML risk position, including whether the review can close. |
| 5. Rationale | The reasoning that connects the outcome to the client facts and records reviewed. |
| 6. Evidence relied on or referenced | The retrievable records that support the conclusion, without reproducing the whole AML file. |
| 7. Action taken, or the reason no further action was needed | What followed from the review, including reasoned non-action where that is the conclusion. |
How to record a client AML review: Step-by-step guide
The steps below help accountancy firms complete the AML review record in a clear, practical order without making the note longer than it needs to be.
Step 1: Record why the review happened
Start the entry by making clear why the client’s AML file is being reviewed at this point.
For a periodic AML review, that may simply be that the client has reached the firm’s scheduled review point.
For a change in client circumstances review, the reason will be more specific. The CDD trigger event might be a change in ownership or business scope. It might also be client information that alters the existing record.
This matters because the review reason frames the judgement being made. A scheduled review of a long-standing tax client may mainly need to confirm that the existing AML record still reflects the current relationship.
Yet, a review opened because a company has added a shareholder needs to focus on whether ownership or control has changed, and if it affects the recorded AML position.
Step 2: Record what was reviewed
Next, identify the scope of the review. This means recording the areas of the AML file and client information considered, rather than reproducing every document in the file.
The scope then follows from that reason. The entry might cover the current risk assessment and any client information relevant to the reason, such as control records or an external check.
For example, a small practice reviewing a limited company client might record that it checked the risk assessment against the client’s current ownership and service profile. Where relevant, it could also refer to the Companies House position.
This provides enough context to see that the review engaged with the client’s AML picture, rather than simply changing a review date.
Step 3: Record what changed, or whether nothing material changed
The next step is to record what actually changed, although this may depend on the review type.
Periodic reviews often only require a short statement that no relevant change has been identified against the existing client understanding. Silence is weaker than a clear no-change conclusion because it leaves a supervisor guessing whether the point was considered.
With a material change in client circumstances, the entry should be more specific. When a development has prompted the review, the record needs to identify that change clearly. A new beneficial owner or service change may be enough to explain why the review was needed.
Practical takeaway: ICAEW has reported cases where firms checked whether CDD needed updating but did not record the review. This is the risk this step is designed to avoid: the work may have been done, but the AML file provides no clear trace of it.
Step 4: Record the outcome reached
Once the relevant information has been considered, the entry needs to state the review outcome clearly.
The outcome may be simple: the existing record is current and no further AML work is needed. The outcome may instead be that the client file needs updating. Where the review identifies a concern or unresolved point, the entry can state what further work is required before completion.
That last outcome is normal, since a review does not always close in one sitting. For example, if the client is now dealing with customers in a higher-risk jurisdiction, the firm may need more information before confirming the risk position or deciding whether any CDD update is needed.
Importantly, reviews must ensure they keep the outcome separate from the reasoning.
Step 5: Record the rationale
The rationale connects the outcome to the client facts and materials considered. Bare conclusions such as “normal risk” or“no issue” do little to explain the reasoning behind the review.
If the risk rating remains unchanged, the entry should give the reason. For example, the client work may still be limited to accounts and tax, with no new risk indicators identified during the review.
Supervisory note
ACCA’s client-risk guidance says the rationale for a client’s risk rating should be clearly documented in the client file. It also refers to documenting, on a periodic basis, where the risk rating has been reviewed and has not changed.
That is why the rationale step matters.
If the existing CDD is still sufficient, the rationale should explain why. In the event of a risk rating change, the rationale should identify the fact that drove the development.
This is especially important in small accountancy firms where much of the client knowledge may sit with one partner or manager. Familiarity alone is too thin as a recorded basis for the decision.
Step 6: Record the evidence relied on or referenced
The evidence reference is what helps the review stand up if the file is inspected. Regulation 40 and HMRC record-keeping material support the need for CDD information and supporting records to be retained in a way that can evidence the firm’s AML position.
| Review situation | Evidence reference might point to |
|---|---|
| Periodic review with no material change | Current risk assessment and existing CDD records checked during the review |
| Ownership change | Client notification, updated ownership record and Companies House information reviewed |
| Service-scope change | Engagement correspondence and the updated client risk assessment, where the service affects AML risk |
| Escalated AML concern | Internal note or MLRO review record, where relevant |
Crucially, if a supervisor inspects the file, the record should point clearly to the material relied on so the firm is not left trying to reconstruct the decision afterwards.
Step 7: Record the action taken
The final step is to record what the firm did after reaching its conclusion.
That may be a practical update, such as amending the CDD record or risk assessment. The entry can also record any clarification requested or internal escalation made. If the firm kept the current assessment in place, the action entry can say so.
When the existing CDD and verification remain adequate, the entry can record that the review was closed on that basis. For example, after a periodic review with no relevant change, the firm may record that the existing CDD and risk position were confirmed and the review was closed.
The review then has a clear closing point, with the basis for closing it visible on the AML record.
If the AML review cannot be closed yet
Some AML reviews cannot initially be completed in full. The firm may need client input or an internal decision before finalising the AML conclusion.
The problem arises when the open point is left in someone’s inbox or memory and the AML file gives the impression that the review has either closed or stalled without explanation.
A clear interim entry shows that the firm recognised the issue and understood what was still missing. The review should not appear complete before the conclusion is ready.
For example, a small firm may be told that a new individual has taken a significant shareholding in a company client, but the client has not yet confirmed whether that person has a controlling role. The review entry can remain open while that point is clarified.
An open review record should explain why the review remains open and identify the unresolved point. It also needs to state what is required before closure and who is responsible for progressing it.
If client work will continue while the AML matter remains outstanding, the record should make the interim position clear enough to withstand supervisory review.
Weak AML review records to avoid
Weaknesses often arise when the review is treated as an admin update rather than a recorded AML decision. The table below shows where that can create avoidable doubt.
| Weak record pattern | Why it causes concern | Better record approach |
|---|---|---|
| Review date updated with no explanation | The file may not show why the review happened or what prompted it. | State the review reason clearly, such as a scheduled review or a specific client development. |
| Risk rating confirmed with no rationale | A “low risk” or “normal risk” label may look unsupported. | Record why the rating was confirmed or revised. |
| CDD marked as current without context | A supervisor may not see what was checked before that conclusion was reached. | Briefly identify the records or client information considered. |
| Evidence described only as “client information” | The source may be difficult to trace during supervisory review. | Identify the specific record, correspondence, filing or note that supports the decision. |
| Open point left only in emails | The review may look complete even though a decision is still unfinished. | Record the unresolved matter in the AML review entry and explain what remains outstanding. |
It should record the point considered without implying that every client change requires a comprehensive CDD refresh or escalation.
In summary
A client AML review entry needs to be understandable when revisited, with enough detail to support the decision. If the review remains open, the outstanding issue should be visible, and the interim position must make sense.
Ultimately, a completed review should have a clear recorded basis. This gives the firm a record capable of supporting the decision later.
FAQs
A defensible AML review note explains why the client file was reviewed and what information was checked. It then records the conclusion and links it to the client facts. The note needs enough detail to support the decision during a supervisory inspection.
Yes. A short entry is usually enough, provided it shows that the firm considered the relevant client information and found nothing significant has changed. Leaving the point unstated can make the review look unfinished or unsupported.
No. A review may confirm that the existing CDD still fits the client relationship. Fresh checks are more likely to be needed when the information held no longer matches the client’s circumstances or risk profile.
The record should identify the specific change that prompted the review. For example, a new owner may require the firm to consider whether the ownership record still reflects the client. The entry should then explain the outcome and record any follow-up separately.
An open review needs to say what point remains outstanding and what is needed before it can be closed. It is also useful to name who is dealing with the next step. The wording should avoid giving the impression that the AML decision has already been finalised.
A defensible note is specific enough to show the basis for the decision. It points to the records checked and explains the conclusion in practical terms. The ideal output is a record that still makes sense when reviewed by the firm or a supervisor.
References and Source Material
- Money Laundering Regulations 2017, Regulation 18
- Money Laundering Regulations 2017, Regulation 19
- Money Laundering Regulations 2017, Regulation 28
- Money Laundering Regulations 2017, Regulation 40
- HMRC, Your responsibilities under money laundering supervision
- CCAB, Anti-Money Laundering, Counter-Terrorist and Counter-Proliferation Financing: Guidance for the Accountancy Sector
- HMRC, Economic Crime Supervision Handbook (ECSH33520 – Record keeping)
- Companies House, Report a discrepancy about a PSC or a registrable beneficial owner
- ICAS, AML Supervision Report 2024/25
- ACCA UK and Ireland AML supervision annual report 2024/25
