What do AML reviewers look for in an accountancy client file?
Last updated: May 15, 2026
An accountancy client AML file is tested when someone outside the practice has to understand it. If the reasoning is thin or trapped in memory, good work can still look weak under supervisory review.
This article explains how AML supervisors may read an accountancy client file during a review, monitoring visit, or inspection, and what can make the firm’s reasoning easier to follow.
Contents
Key takeaways
- A client AML record needs to explain the substance of the engagement through the forms and identity evidence held.
- The service being provided should fit what is known about the client.
- Ownership and control information matters where it helps explain who stands behind the client or how the engagement is understood.
- The strongest records make the rationale clear from the file itself.
The AML supervisor’s core question
When an AML supervisor reviews an accountancy client file, the central issue is whether the record supports the judgement made on that client. The review is concerned with whether the file shows a clear understanding of the business and a due diligence response that follows from the recorded risk reasoning.
File material is valuable where it supports that rationale. A clear record gives enough context for the AML response to be assessed before any detailed judgement on risk assessment or verification work.
What the AML file communicates about the client relationship
The client entry should contain substantive information rather than relying only on basic file material.
For a low-complexity engagement, a brief explanation may be enough if it makes clear why the service fits the client’s activity and purpose.
When ownership or control is relevant, the record also needs to identify who stands behind the client. For companies and other structures, beneficial ownership changes, PSC details, or other control indicators may support that position.
These points need careful treatment because ownership evidence matters only where it affects the engagement or the risks being considered.
The purpose and intended nature of the engagement also need to be apparent. The record should make clear why the client approached the practice and how the work fits their circumstances. This foundation gives the risk rating weight and makes the due diligence easier to assess.
Practical takeaway: A clear file gives enough context to support the AML work that follows.
AML risk assessment as the bridge between facts and judgement
Once the relevant facts have been captured, the client risk assessment gives them regulatory meaning. This is where the practice explains why particular features of the work point towards a lower, standard, or higher money laundering risk.
A risk rating carries weight when the reasoning can be traced back to the facts already identified. The conclusion should reflect the work being carried out and any client-specific features that affect risk.
Moreover, the explanation should be concise, where appropriate, and should show why the chosen rating fairly reflects the information available
The firm-wide risk assessment may also have a practical influence.
Where it identifies a relevant area of higher exposure, that thinking will usually be expected to appear at the client level.
The client-level conclusion should reflect the relevant risks identified in the wider assessment and remain consistent with the practice’s overall risk profile.
Generic ratings are usually the hardest to defend. A low-risk conclusion may be entirely appropriate for a simple client profile, provided the rationale explains why.
The difficulty arises where the same rating appears repeatedly, and the file gives limited case-specific reasoning to support it. This can make the rating look administrative, with limited evidence of a considered AML conclusion.
This connection gives the later CDD work context and helps explain why the response was suitable.
ICAEW AML supervision findings 2024/25
12.6% of firms reviewed had ineffective risk assessment documentation.
ICAEW also reported ineffective client identification procedures in 11.9% of firms, ineffective verification procedures in 10.2%, and failure to update CDD throughout the client relationship in 11.6%.
CDD and verification as a proportionate response
Regulation 28 of the Money Laundering Regulations includes identifying and verifying the client and understanding the purpose and intended nature of the business relationship as part of CDD. These measures must be applied in a way that is proportionate to the AML risk.
HMRC’s supervision manual also frames CDD testing around whether those measures are appropriate to the risks identified. That judgement is assessed against the reasoning behind the rating.
Verification is more persuasive when it responds to the actual features that informed the rating. A straightforward client with limited risk indicators may justify a simpler approach. Yet, a higher-risk or more complex relationship is likely to require stronger evidence and a clearer explanation of the steps taken.
Compliance depends on relevance to the concern being tested. Additional papers are useful when they address the weakness identified. Equally, a concise due diligence approach may be reasonable where the risk assessment explains why the client and work present limited exposure.
The CDD response should remain connected to the recorded risk conclusion, especially where the firm later carries out a CDD refresh for an existing client.
Practical takeaway: The route from risk to response needs to be visible in a small accountancy practice, with CDD work matching the level recorded.
Coherence across the AML client file
Supervisory pushback often arises where the AML record points in different directions. A client may be marked as low risk while another part of the file suggests a more complex picture. Verification evidence may be present even though the identified concern remains unanswered.
Notes may also suggest that relevant information was held informally and absent from the recorded assessment. Across the file, the client material needs to support a consistent explanation.
Common client-file weaknesses and reviewer concerns
AML supervisory inspections often point to the same underlying problem. The client file may contain material, but the reasoning is difficult to follow.
The examples below show common client-file weaknesses and why they can raise questions during review.
| Client-file weakness | Why it may concern a reviewer | Caution |
|---|---|---|
| CDD evidence is missing or disconnected from the assessment | Checks may appear to have been completed as a separate exercise disconnected from the AML rationale. | Treat this as a warning sign. Further context is needed before drawing a compliance conclusion. |
| Repeated low-risk conclusions with little explanation | This may indicate that the assessment has become formulaic. | A low-risk conclusion may be appropriate where the file supports it. |
| AML forms are completed with generic answers | Generic answers can make the rationale harder to follow because they give little client-specific explanation. | Standard forms can be useful when they are completed with care. |
| The material gives a limited picture of the client’s business activity or structure | A narrow picture may suggest that the practice captured limited information to support its conclusion. | The depth required will depend on the nature and risk of the work. |
| Verification work does not answer the concern identified elsewhere | A gap may exist between the issue recognised and the checks performed. | The key test is whether the evidence is relevant to the concern. |
| Later notes appear inconsistent with the earlier AML conclusion | An unexplained change could weaken the support for the earlier AML conclusion. | A later development may be acceptable where the reasoning remains clear. |
In summary
A client file withstands scrutiny when the AML decision is understandable to someone outside the engagement.
When the record links the client background, risk conclusion, and due diligence work, the firm is better placed to answer supervisory questions. If that link is missing, even genuine work can look unsupported.
These regulatory requirements may matter even more as the FCA takes over AML supervision for accountancy firms. With policy moving toward more consistent oversight, weak or unclear client-file reasoning will become more difficult to defend.
FAQs
A supervisor will usually look for enough detail to understand the engagement and the AML judgement reached. The material should show why the work fits the client’s circumstances and why the AML position is reasonable.
The explanation can be concise where the engagement is straightforward. It should still show why the chosen rating fits the facts known about the client.
Yes. A low-risk rating may be appropriate, but it should be supported by client-specific reasoning. Repeated low-risk outcomes with little explanation can make the assessment look formulaic.
Ownership and control information helps explain who stands behind the client where that matters to the engagement. It is especially relevant when it affects how the practice understands the risk.
It may raise questions about whether the checks respond to the issues identified. Documentation is usually more persuasive when the evidence relates directly to the concern being assessed.
A practical approach is to make the route from client background to compliance conclusion easy to follow. The supporting material should point in the same direction so the judgement does not depend on memory.
References and Source Material
- Money Laundering Regulations 2017 (Regulation 18, 27, 28, 30A, 33, 40)
- HMRC, Economic Crime Supervision Handbook (ECSH33320, ECSH33325, ECSH52650)
- CCAB, Anti-Money Laundering Guidance for the Accountancy Sector
- ICAEW, What do we find on proactive AML monitoring reviews
- ICAEW, AML Supervision Report 2024/25
- ACCA, UK and Ireland anti-money laundering (AML) supervision report
