CDD refresh for existing accountancy clients: What should be checked?
Last updated: June 18, 2026
A CDD refresh helps an accountancy firm decide whether the client information held on file remains accurate and sufficient for AML purposes.
The Money Laundering Regulations require firms to keep CDD information up to date during a business relationship, which means reviewing the areas most likely to affect the firm’s AML understanding. Key review areas include ownership and control, business activity, services, and risk indicators.
Identity evidence may need updating in some cases, but a proper refresh should not be reduced to a new ID request. The requirement is to confirm whether the firm can still rely on its existing client file, or whether further enquiries, updates, or risk changes are needed.
Key takeaways
- A CDD refresh is wider than checking whether ID documents are still current.
- The review should focus on the parts of the client file most likely to affect AML risk.
- Depending on the client, the review may need to cover beneficial ownership, the wider business profile, screening issues, and whether the records remain consistent.
- A “no change” outcome still needs enough detail to show that a real review took place.
- The final record should help a reviewer understand the basis for the firm’s AML view.
Overview: What should a CDD refresh cover?
The table below provides a starting point for the main areas to review. The exact checks will depend on the client, the work involved, and any changes identified after the last refresh.
| What to check | Why it matters | Example evidence or source |
|---|---|---|
| Client identity and core details | Basic client information may have changed | Existing CDD file, client confirmation, ID, or address evidence if needed |
| Beneficial ownership and control | New owners or controllers can change the AML risk | Companies House, PSC information, partnership or trust records, client explanation |
| Directors, partners, trustees, or key individuals | Key people may change even when ownership stays the same | Companies House filings, engagement records, trustee or partner details, client instructions |
| Business activity | The firm should understand what the client now does | Accounts, tax returns, bookkeeping, payroll records, website, meeting notes |
| Services provided by the firm | A wider or different engagement may affect the firm’s exposure | Engagement letter, scope changes, new advisory or transaction work |
| Jurisdictions and overseas links | New countries or overseas relationships may introduce higher-risk factors | Client explanation, invoices, contracts, accounts, transaction records |
| Source of funds or wealth, where relevant | Important for higher-risk or unusual matters | Bank information, sale documents, accounts, client explanation |
| PEP, sanctions, or adverse information, where relevant | New screening issues may require further action | Screening results, public information, internal escalation note |
| Consistency across records | Mismatches may indicate outdated CDD or a risk issue | Companies House, accounts, tax filings, payroll, bookkeeping, existing CDD |
| Client risk assessment | The review should feed into the firm’s AML view of the client | Updated risk assessment and review note |
What is a CDD refresh for an existing client?
A CDD refresh is the review and updating of due diligence information for a client already known to the firm. The refresh should test whether the existing file still supports the firm’s AML view of the client.
In some cases, the process will be straightforward because the existing client information still appears accurate and no material AML changes have occurred. In others, the review may reveal ownership changes, new activities, overseas links, unexplained funds, or inconsistencies that need follow-up.
The refresh should leave the firm clear on whether the existing file remains adequate, or if CDD updates, further enquiries, or a risk assessment change are needed.
The timing of that refresh should be handled separately through a risk-based review cycle. We discuss how often accountants should update CDD for existing clients in our separate article.
Core client details and identity checks
A sensible refresh usually starts with the information that identifies the client and anchors the rest of the AML file.
For an individual, this may include name, residential address, date of birth, and contact details. For a company, LLP, partnership, trust, or other structure, check the registered name, trading name, company number, registered office, business address, and any relevant registration details.
Updated evidence may be needed where, for example:
- The client’s name or address has changed
- The original evidence is incomplete or of poor quality
- Current records do not match the CDD file
- The client’s risk profile has increased
- New client work changes the AML context
Expired identity evidence should be considered as part of the wider refresh, rather than treated as an automatic request for a new document. See our guide to old ID documents during a CDD refresh.
Beneficial ownership, control, and Companies House checks
For company and other non-individual clients, ownership and control are central to the refresh.
Assess whether the record of beneficial owners, directors, partners, trustees, PSCs, or other key individuals is still reliable. Since the last review, shares may have moved, trustees replaced, or beneficial ownership changed in a way that affects the AML assessment.
Look beyond formal job titles, as the person giving instructions, funding the business, or making core decisions may be relevant, even if they are not the most visible name on the file.
Companies House can be used as a comparison point for UK companies and LLPs. It can help identify changes in registered details, directors, filings, and PSC information, but it should not replace the firm’s own CDD checks.
In terms of where the legal requirement applies, material discrepancies between the firm’s CDD records and the PSC register may need to be reported under Regulation 30A of the Money Laundering Regulations.
If a mismatch is identified, record the enquiry made, the client’s response or other evidence obtained, and the decision reached.
CDD refresh scope
The wider client profile to review
A refresh should look beyond identity evidence and test whether the wider AML picture still holds.
Client details
Identity, address, contact details and core records.
Ownership & control
Beneficial owners, PSCs, directors and key people.
Business activity
What the client does and whether activity has changed.
Services provided
Whether the engagement has widened or changed.
Jurisdictions
Overseas links, higher-risk countries and cross-border activity.
Funds or wealth
Relevant funding, assets or wealth context where risk requires it.
Business activity, services, and client profile
A client can become more or less risky even when the legal entity and owners remain the same. By extension, accountancy firms should check whether the client’s business activity still matches their understanding.
The review may need to consider whether the client has moved sector, started trading overseas, changed customer profile, grown abnormally quickly, or moved from dormant to active.
Much of that picture may already be visible from routine accountancy work, rather than requiring a separate investigation.
Also consider whether the firm’s own role has changed. Limited payroll support may not carry the same AML profile as wider advisory work, depending on what the firm actually provides.
However, if the work has expanded into areas such as restructuring or company formation, the AML assessment may need to be revisited.
Risk factors, jurisdictions, PEPs, sanctions, and adverse information
A proportionate refresh includes checking for new risk indicators.
Relevant questions may include:
- Has the client developed overseas links?
- Are any higher-risk countries involved?
- Has a beneficial owner, director, or key individual become a politically exposed person (PEP)?
- Do sanctions, PEP, or adverse-information checks need to be updated in light of the client, owners, counterparties, or jurisdictions involved?
- Has adverse information emerged?
- Do recent transactions or instructions fit the client’s known profile?
Lower-risk clients often require a short, sensible review using the information already available to the firm. In contrast, higher-risk, complex, or unusual clients may need more detailed checks.
Practical takeaway: Old client profiles become risky when the facts have moved on. This is why ongoing monitoring should be implemented throughout the client relationship.
Source of funds or source of wealth
Source of funds and source of wealth checks are not the same for every client. They are especially relevant if the client is higher risk, involved in significant funds or assets, or their circumstances have changed in a way that needs explanation.
Further enquiry may be appropriate if:
- A new investor appears
- Funds come from outside the UK, from a higher-risk jurisdiction, or from a source that does not fit the client’s known profile
- The client’s financial position changes sharply
- A transaction falls outside the usual pattern
- The firm is asked to support work involving substantial assets
Sometimes the explanation will be evident from accounts, tax records, or other work already performed. In other cases, the firm may need a client explanation or supporting documents.
The review note needs to make clear why the firm was satisfied, or what further action was taken.
What to do if CDD information is inconsistent?
Inconsistencies should be followed up on, but not be treated as suspicious by default. This is because a mismatch can be administrative.
Companies House might not yet reflect a recent change, a client could have moved address without mentioning it, or a director may have resigned after the last accounts were prepared.
As such, any enquiries should be reasonable in the circumstances. Depending on the facts, the firm may need to consider:
- Updating the CDD file
- Asking the client for clarification
- Obtaining additional evidence
- Changing the client risk assessment
- Applying enhanced due diligence
- Escalating to the nominated officer or MLRO
- Considering whether a SAR is warranted
The dividing line is whether the explanation is credible. If the facts remain unclear, illogical, or concerning, accountancy firms must follow their internal AML procedures.
What should be recorded after a CDD refresh?
The refresh record should show why the firm was comfortable with the outcome.
It should ideally show the sources relied on and whether the file needed updating. It should also note any unresolved issues, the risk assessment result, and follow-up actions. If the periodic review finds no material client change, the note should still link that conclusion to the checks performed.
A short record is fine, provided it explains the decision clearly enough for someone else to understand later. For further reading, see our guide on what accountants should record in a client AML review.
Conclusion
A CDD refresh should leave accountancy firms with a strong basis for continuing, updating, or escalating the client relationship from an AML perspective.
When a review identifies a material issue, the file needs to move with it. The AML record should make the firm’s response clear and ensure any unresolved points remain visible.
Handled properly, a CDD refresh gives firms more than an updated file. It leaves a defensible record of how the client was reviewed and why the AML position remains appropriate.
FAQs
A CDD refresh is an existing-client review to decide whether the AML file can still be relied on. It should confirm whether the firm’s understanding of the client remains sound or whether the file needs updating.
No. ID may be relevant, but the review should look at the client relationship more broadly. The main question is whether anything has changed that affects the firm’s AML view.
Not automatically. Expired ID should prompt a judgement about whether the file still gives enough assurance, taking account of risk, previous checks, and any changes since the evidence was obtained.
The refresh should focus on the areas most likely to affect AML risk, including who owns or controls the company, who gives instructions, what the business now does, and whether records still line up.
Companies House is a useful external cross-check for UK companies and LLPs. It may highlight changes or inconsistencies, but the firm still needs to make and record its own CDD judgement.
Source of funds or wealth should be reviewed when the money, assets, transaction, or client profile makes it relevant. It is usually more important when the matter is higher-risk, unusual, or not easily explained by the existing client file.
A mismatch should be followed up on and recorded. If the explanation is clear, the file can be updated; if it remains unclear or concerning, the firm may need to escalate or reconsider the risk assessment.
The record should explain the basis for the outcome. It should be clear what was reviewed, what changed or did not change, and why the firm was comfortable continuing, updating, or escalating.
References and Source Material
- Money Laundering Regulations 2017, Regulation 28
- HMRC, Economic Crime Supervision Handbook (ECSH33375 – Ongoing Monitoring)
- CCAB, Anti-Money Laundering, Counter-Terrorist and Counter-Proliferation Financing: Guidance for the Accountancy Sector
- ACCA, Technical factsheet: Client due diligence
- Companies House, Report a discrepancy about a PSC or a registrable beneficial owner
- ICAEW, Updating customer due diligence
- ATT, Client Due Diligence (CDD) Requirements

