CDD refresh for existing accountancy clients: What should be checked?

Accountant reviewing client files during a CDD refresh

Last updated: June 18, 2026

A CDD refresh helps an accountancy firm decide whether the client information held on file remains accurate and sufficient for AML purposes.

The Money Laundering Regulations require firms to keep CDD information up to date during a business relationship, which means reviewing the areas most likely to affect the firm’s AML understanding. Key review areas include ownership and control, business activity, services, and risk indicators.

Identity evidence may need updating in some cases, but a proper refresh should not be reduced to a new ID request. The requirement is to confirm whether the firm can still rely on its existing client file, or whether further enquiries, updates, or risk changes are needed.

Key takeaways

  • A CDD refresh is wider than checking whether ID documents are still current.
  • The review should focus on the parts of the client file most likely to affect AML risk.
  • Depending on the client, the review may need to cover beneficial ownership, the wider business profile, screening issues, and whether the records remain consistent.
  • A “no change” outcome still needs enough detail to show that a real review took place.
  • The final record should help a reviewer understand the basis for the firm’s AML view.

Overview: What should a CDD refresh cover?

The table below provides a starting point for the main areas to review. The exact checks will depend on the client, the work involved, and any changes identified after the last refresh.

What to checkWhy it mattersExample evidence or source
Client identity and core detailsBasic client information may have changedExisting CDD file, client confirmation, ID, or address evidence if needed
Beneficial ownership and controlNew owners or controllers can change the AML riskCompanies House, PSC information, partnership or trust records, client explanation
Directors, partners, trustees, or key individualsKey people may change even when ownership stays the sameCompanies House filings, engagement records, trustee or partner details, client instructions
Business activityThe firm should understand what the client now doesAccounts, tax returns, bookkeeping, payroll records, website, meeting notes
Services provided by the firmA wider or different engagement may affect the firm’s exposureEngagement letter, scope changes, new advisory or transaction work
Jurisdictions and overseas linksNew countries or overseas relationships may introduce higher-risk factorsClient explanation, invoices, contracts, accounts, transaction records
Source of funds or wealth, where relevantImportant for higher-risk or unusual mattersBank information, sale documents, accounts, client explanation
PEP, sanctions, or adverse information, where relevantNew screening issues may require further actionScreening results, public information, internal escalation note
Consistency across recordsMismatches may indicate outdated CDD or a risk issueCompanies House, accounts, tax filings, payroll, bookkeeping, existing CDD
Client risk assessmentThe review should feed into the firm’s AML view of the clientUpdated risk assessment and review note

What is a CDD refresh for an existing client?

A CDD refresh is the review and updating of due diligence information for a client already known to the firm. The refresh should test whether the existing file still supports the firm’s AML view of the client.

In some cases, the process will be straightforward because the existing client information still appears accurate and no material AML changes have occurred. In others, the review may reveal ownership changes, new activities, overseas links, unexplained funds, or inconsistencies that need follow-up.

The refresh should leave the firm clear on whether the existing file remains adequate, or if CDD updates, further enquiries, or a risk assessment change are needed.

The timing of that refresh should be handled separately through a risk-based review cycle. We discuss how often accountants should update CDD for existing clients in our separate article.

Core client details and identity checks

A sensible refresh usually starts with the information that identifies the client and anchors the rest of the AML file.

For an individual, this may include name, residential address, date of birth, and contact details. For a company, LLP, partnership, trust, or other structure, check the registered name, trading name, company number, registered office, business address, and any relevant registration details.

Updated evidence may be needed where, for example:

  • The client’s name or address has changed
  • The original evidence is incomplete or of poor quality
  • Current records do not match the CDD file
  • The client’s risk profile has increased
  • New client work changes the AML context

Expired identity evidence should be considered as part of the wider refresh, rather than treated as an automatic request for a new document. See our guide to old ID documents during a CDD refresh.

Beneficial ownership, control, and Companies House checks

For company and other non-individual clients, ownership and control are central to the refresh.

Assess whether the record of beneficial owners, directors, partners, trustees, PSCs, or other key individuals is still reliable. Since the last review, shares may have moved, trustees replaced, or beneficial ownership changed in a way that affects the AML assessment.

Look beyond formal job titles, as the person giving instructions, funding the business, or making core decisions may be relevant, even if they are not the most visible name on the file.

Companies House can be used as a comparison point for UK companies and LLPs. It can help identify changes in registered details, directors, filings, and PSC information, but it should not replace the firm’s own CDD checks.

In terms of where the legal requirement applies, material discrepancies between the firm’s CDD records and the PSC register may need to be reported under Regulation 30A of the Money Laundering Regulations.

If a mismatch is identified, record the enquiry made, the client’s response or other evidence obtained, and the decision reached.

CDD refresh scope

The wider client profile to review

A refresh should look beyond identity evidence and test whether the wider AML picture still holds.

Client details

Identity, address, contact details and core records.

Ownership & control

Beneficial owners, PSCs, directors and key people.

Business activity

What the client does and whether activity has changed.

Services provided

Whether the engagement has widened or changed.

Jurisdictions

Overseas links, higher-risk countries and cross-border activity.

Funds or wealth

Relevant funding, assets or wealth context where risk requires it.

Business activity, services, and client profile

A client can become more or less risky even when the legal entity and owners remain the same. By extension, accountancy firms should check whether the client’s business activity still matches their understanding.

The review may need to consider whether the client has moved sector, started trading overseas, changed customer profile, grown abnormally quickly, or moved from dormant to active.

Much of that picture may already be visible from routine accountancy work, rather than requiring a separate investigation.

Also consider whether the firm’s own role has changed. Limited payroll support may not carry the same AML profile as wider advisory work, depending on what the firm actually provides.

However, if the work has expanded into areas such as restructuring or company formation, the AML assessment may need to be revisited.

Risk factors, jurisdictions, PEPs, sanctions, and adverse information

A proportionate refresh includes checking for new risk indicators.

Relevant questions may include:

  • Has the client developed overseas links?
  • Are any higher-risk countries involved?
  • Has a beneficial owner, director, or key individual become a politically exposed person (PEP)?
  • Do sanctions, PEP, or adverse-information checks need to be updated in light of the client, owners, counterparties, or jurisdictions involved?
  • Has adverse information emerged?
  • Do recent transactions or instructions fit the client’s known profile?

Lower-risk clients often require a short, sensible review using the information already available to the firm. In contrast, higher-risk, complex, or unusual clients may need more detailed checks.

Practical takeaway: Old client profiles become risky when the facts have moved on. This is why ongoing monitoring should be implemented throughout the client relationship.

Source of funds or source of wealth

Source of funds and source of wealth checks are not the same for every client. They are especially relevant if the client is higher risk, involved in significant funds or assets, or their circumstances have changed in a way that needs explanation.

Further enquiry may be appropriate if:

  • A new investor appears
  • Funds come from outside the UK, from a higher-risk jurisdiction, or from a source that does not fit the client’s known profile
  • The client’s financial position changes sharply
  • A transaction falls outside the usual pattern
  • The firm is asked to support work involving substantial assets

Sometimes the explanation will be evident from accounts, tax records, or other work already performed. In other cases, the firm may need a client explanation or supporting documents.

The review note needs to make clear why the firm was satisfied, or what further action was taken.

What to do if CDD information is inconsistent?

Inconsistencies should be followed up on, but not be treated as suspicious by default. This is because a mismatch can be administrative.

Companies House might not yet reflect a recent change, a client could have moved address without mentioning it, or a director may have resigned after the last accounts were prepared.

As such, any enquiries should be reasonable in the circumstances. Depending on the facts, the firm may need to consider:

  • Updating the CDD file
  • Asking the client for clarification
  • Obtaining additional evidence
  • Changing the client risk assessment
  • Applying enhanced due diligence
  • Escalating to the nominated officer or MLRO
  • Considering whether a SAR is warranted

The dividing line is whether the explanation is credible. If the facts remain unclear, illogical, or concerning, accountancy firms must follow their internal AML procedures.

What should be recorded after a CDD refresh?

The refresh record should show why the firm was comfortable with the outcome.

It should ideally show the sources relied on and whether the file needed updating. It should also note any unresolved issues, the risk assessment result, and follow-up actions. If the periodic review finds no material client change, the note should still link that conclusion to the checks performed.

A short record is fine, provided it explains the decision clearly enough for someone else to understand later. For further reading, see our guide on what accountants should record in a client AML review.

Conclusion

A CDD refresh should leave accountancy firms with a strong basis for continuing, updating, or escalating the client relationship from an AML perspective.

When a review identifies a material issue, the file needs to move with it. The AML record should make the firm’s response clear and ensure any unresolved points remain visible.

Handled properly, a CDD refresh gives firms more than an updated file. It leaves a defensible record of how the client was reviewed and why the AML position remains appropriate.

Kane Pepi, Founder of Evidentia Compliance
Kane Pepi Founder, Evidentia Compliance

Kane Pepi is the founder of Evidentia Compliance, with a strong academic background in accounting, finance, and financial crime, and peer-reviewed research in money laundering and terrorist financing.

His work focuses on making AML compliance more practical for small regulated firms that face rising supervisory expectations and limited compliance capacity.

AMLWATCH BY EVIDENTIA
AML compliance updates and regulatory guidance for the accountancy sector

Stay informed on AML supervision, FCA developments, enforcement trends, and common compliance weaknesses affecting UK accountancy firms. AMLWATCH by Evidentia is written for small practices that need AML insight without the regulatory jargon.

    FAQs

    What is a CDD refresh?

    A CDD refresh is an existing-client review to decide whether the AML file can still be relied on. It should confirm whether the firm’s understanding of the client remains sound or whether the file needs updating.

    Is a CDD refresh just an ID check?

    No. ID may be relevant, but the review should look at the client relationship more broadly. The main question is whether anything has changed that affects the firm’s AML view.

    Do I need to replace expired ID for every client?

    Not automatically. Expired ID should prompt a judgement about whether the file still gives enough assurance, taking account of risk, previous checks, and any changes since the evidence was obtained.

    What should be checked for a company client?

    The refresh should focus on the areas most likely to affect AML risk, including who owns or controls the company, who gives instructions, what the business now does, and whether records still line up.

    Should Companies House be checked during a refresh?

    Companies House is a useful external cross-check for UK companies and LLPs. It may highlight changes or inconsistencies, but the firm still needs to make and record its own CDD judgement.

    When should source of funds or wealth be reviewed?

    Source of funds or wealth should be reviewed when the money, assets, transaction, or client profile makes it relevant. It is usually more important when the matter is higher-risk, unusual, or not easily explained by the existing client file.

    What if CDD information does not match?

    A mismatch should be followed up on and recorded. If the explanation is clear, the file can be updated; if it remains unclear or concerning, the firm may need to escalate or reconsider the risk assessment.

    What should a CDD refresh record include?

    The record should explain the basis for the outcome. It should be clear what was reviewed, what changed or did not change, and why the firm was comfortable continuing, updating, or escalating.

    References and Source Material

    Leave a Reply

    Your email address will not be published. Required fields are marked *