CDD refresh checklist for existing accountancy clients: What should be checked?
Last updated: May 15, 2026
A CDD refresh helps an accountancy firm decide whether the client information held on file remains accurate, reliable, and sufficient for AML purposes.
The Money Laundering Regulations require firms to keep CDD information up to date during a business relationship. This means reviewing the areas most likely to affect the firm’s AML understanding, including ownership, control, business activity, services provided, risk indicators, and supporting evidence.
Identity evidence may need updating in some cases, but a proper refresh should not be reduced to a new ID request. The purpose is to confirm whether the firm can still rely on its existing client file, or whether further enquiries, updates, or risk changes are needed.
Contents
Key takeaways
- A CDD refresh is wider than checking whether ID documents are still current.
- The review should focus on the parts of the client file most likely to affect AML risk.
- Ownership, control, business activity, services, jurisdictions, screening issues, source of funds or wealth, and consistency across records may all be relevant.
- A “no change” outcome still needs enough detail to show that a real review took place.
- The final record should help a reviewer, including supervisory bodies, understand the basis for the firm’s AML view.
Overview: What should a CDD refresh cover?
The table below provides a starting point for the main areas to review. The exact checks will depend on the client, the work involved, and any changes identified since the last refresh.
| What to check | Why it matters | Example evidence or source |
|---|---|---|
| Client identity and core details | Basic client information may have changed | Existing CDD file, client confirmation, ID, or address evidence where needed |
| Beneficial ownership and control | New owners or controllers can change the AML risk | Companies House, PSC information, partnership or trust records, client explanation |
| Directors, partners, trustees, or key individuals | Key people may change even where ownership stays the same | Companies House filings, engagement records, trustee or partner details, client instructions |
| Business activity | The firm should understand what the client now does | Accounts, tax returns, bookkeeping, payroll records, website, meeting notes |
| Services provided by the firm | A wider or different engagement may affect the firm’s exposure | Engagement letter, scope changes, new advisory or transaction work |
| Jurisdictions and overseas links | New countries or overseas relationships may introduce higher-risk factors | Client explanation, invoices, contracts, accounts, transaction records |
| Source of funds or wealth, where relevant | Important for higher-risk or unusual matters | Bank information, sale documents, accounts, client explanation |
| PEP, sanctions, or adverse information, where relevant | New screening issues may require further action | Screening results, public information, internal escalation note |
| Consistency across records | Mismatches may indicate outdated CDD or a risk issue | Companies House, accounts, tax filings, payroll, bookkeeping, existing CDD |
| Client risk assessment | The review should feed into the firm’s AML view of the client | Updated risk assessment and review note |
What is a CDD refresh for an existing client?
A CDD refresh is the review and updating of due diligence information for a client already known to the firm. The refresh should test whether the existing file still supports the firm’s AML view of the client.
In some cases, the process will be straightforward because the existing client information still appears accurate and no material AML changes have occurred. In others, the review may reveal ownership changes, new activities, overseas links, unexplained funds, or inconsistencies that need follow-up.
The refresh should lead to a clear outcome, such as CDD updated, further enquiries made, risk assessment changed, escalation considered, or the existing file confirmed as adequate.
The timing of that refresh should be handled separately through a risk-based review cycle. We discuss how often accountants should update CDD for existing clients in our separate article.
Core client details and identity checks
A sensible refresh usually starts with the information that identifies the client and anchors the rest of the AML file.
For an individual, this may include name, residential address, date of birth, and contact details. For a company, LLP, partnership, trust, or other structure, check the registered name, trading name, company number, registered office, business address, and any relevant registration details.
Updated evidence may be needed where, for example:
- The client’s name or address has changed
- The original evidence is incomplete or of poor quality
- Current records do not match the CDD file
- The client’s risk profile has increased
- New client work changes the AML context
Expired identity evidence should be considered as part of the wider refresh, rather than treated as an automatic request for a new document.
Beneficial ownership, control, and Companies House checks
For company and other non-individual clients, ownership and control are central to the refresh.
Assess whether the record of beneficial owners, directors, partners, trustees, PSCs, or other key individuals is still reliable. Since the last review, shares may have moved, trustees may have been replaced, or beneficial ownership may have changed in a way that affects the AML assessment.
Look beyond formal job titles, since the person giving instructions, funding the business, or making core decisions may be relevant, even if they are not the most visible name on the file.
Companies House can be used as a comparison point for UK companies and LLPs. It can help identify changes in registered details, directors, filings, and PSC information, but it should not replace the firm’s own CDD checks.
Where the legal requirement applies, material discrepancies between the firm’s CDD records and the PSC register may need to be reported under Regulation 30A of the Money Laundering Regulations.
If a mismatch is identified, record the enquiry made, the client’s response or other evidence obtained, and the decision reached.
CDD refresh scope
The wider client profile to review
A refresh should look beyond identity evidence and test whether the wider AML picture still holds.
Client details
Identity, address, contact details and core records.
Ownership & control
Beneficial owners, PSCs, directors and key people.
Business activity
What the client does and whether activity has changed.
Services provided
Whether the engagement has widened or changed.
Jurisdictions
Overseas links, higher-risk countries and cross-border activity.
Funds or wealth
Relevant funding, assets or wealth context where risk requires it.
Business activity, services, and client profile
A client can become more or less risky even when the legal entity and owners remain the same.
Accountancy firms should check whether the client’s business activity still matches their understanding. Has the client entered a new sector, started trading overseas, changed its customer base, become cash-intensive, expanded quickly, or moved from dormant to active?
Useful sources may already be available through routine accountancy work, including accounts, tax returns, VAT records, payroll data, bookkeeping records, invoices, websites, and meeting notes.
Also consider whether the firm’s role has changed. Limited payroll support may carry a different AML profile from broader advisory work, depending on what the firm actually provides.
Routine accounts preparation is different from helping with a sale, acquisition, restructuring, overseas transaction, or company formation. Therefore, the client profile should be connected with the actual engagement. If the work has widened or changed direction, the AML assessment may need updating too.
Risk factors, jurisdictions, PEPs, sanctions, and adverse information
A proportionate refresh includes checking for new risk indicators.
Relevant questions may include:
- Has the client developed overseas links?
- Are any higher-risk countries involved?
- Has a beneficial owner, director, or key individual become a politically exposed person (PEP)?
- Do sanctions, PEP, or adverse-information checks need to be updated in light of the client, owners, counterparties, or jurisdictions involved?
- Has adverse information emerged?
- Do recent transactions or instructions fit the client’s known profile?
Lower-risk clients often require a short, sensible review using the information already available to the firm. In contrast, higher-risk, complex, or unusual clients may need more detailed checks.
Practical takeaway: Old client profiles become risky when the facts have moved on. This is why ongoing monitoring for accountancy firms matters throughout the client relationship.
Source of funds or source of wealth
Source of funds and source of wealth checks are not the same for every client. They are especially relevant where the client is higher risk, involved in significant funds or assets, or their circumstances have changed in a way that needs explanation.
Further enquiry may be appropriate if:
- A new investor appears
- Funds come from outside the UK, from a higher-risk jurisdiction, or from a source that does not fit the client’s known profile
- The client’s financial position changes sharply
- A transaction falls outside the usual pattern
- The firm is asked to support work involving substantial assets
Sometimes the explanation will be clear from accounts, tax records, or other work already performed. In other cases, the firm may need a client explanation or supporting documents.
The review note needs to make clear why the firm was satisfied, or what further action was taken.
What to do if CDD information is inconsistent?
Inconsistencies should be followed up on, but not be treated as suspicious by default. This is because a mismatch can be administrative.
Companies House might not yet reflect a recent change, a client could have moved address without mentioning it, or a director may have resigned after the last accounts were prepared.
As such, any enquiries should be reasonable in the circumstances. Depending on the facts, the firm may need to consider:
- Updating the CDD file
- Asking the client for clarification
- Obtaining additional evidence
- Changing the client risk assessment
- Applying enhanced due diligence
- Escalating to the nominated officer or MLRO
- Considering whether a SAR is warranted
The dividing line is whether the explanation is credible. If the facts remain unclear, illogical, or concerning, accountancy firms must follow their internal AML procedures.
What should be recorded after a CDD refresh?
The refresh record should show why the firm was comfortable with the outcome.
It should ideally identify the main sources checked, any updates made, unresolved issues, the risk assessment outcome, and follow-up action. Where no update is needed, the note should link that conclusion to the checks performed.
A short record is fine, provided it explains the decision clearly enough for someone else to understand later. For further reading, see our guide on what accountants should record in a client AML review.
Conclusion
A CDD refresh should leave accountancy firms with a clear basis for continuing, updating, or escalating the client relationship from an AML perspective.
The review should confirm whether the information on file still supports the firm’s understanding of the client. Where it identifies a change, gap, inconsistency, or new risk factor, firms must update the relevant record, reconsider the client risk assessment, and document any follow-up action.
Handled properly, a CDD refresh provides more than an updated file. It gives a defensible record of how the client was reviewed and why the firm’s AML position remained appropriate.
FAQs
A CDD refresh is an existing-client review to decide whether the AML file can still be relied on. It should confirm whether the firm’s understanding of the client remains sound or whether the file needs updating.
No. ID may be relevant, but the review should look at the client relationship more broadly. The main question is whether anything has changed that affects the firm’s AML view.
Not automatically. Expired ID should prompt a judgement about whether the file still gives enough assurance, taking account of risk, previous checks, and any changes since the evidence was obtained.
The refresh should focus on the areas most likely to affect AML risk, including who owns or controls the company, who gives instructions, what the business now does, and whether records still line up.
Companies House is a useful external cross-check for UK companies and LLPs. It may highlight changes or inconsistencies, but the firm still needs to make and record its own CDD judgement.
Source of funds or wealth should be reviewed where the money, assets, transaction, or client profile makes it relevant. It is usually more important where the matter is higher risk, unusual, or not easily explained by the existing client file.
A mismatch should be followed up on and recorded. If the explanation is clear, the file can be updated; if it remains unclear or concerning, the firm may need to escalate or reconsider the risk assessment.
The record should explain the basis for the outcome. It should be clear what was reviewed, what changed or did not change, and why the firm was comfortable continuing, updating, or escalating.
References and Source Material
- Money Laundering Regulations 2017, Regulation 28
- HMRC, Economic Crime Supervision Handbook (ECSH33375 – Ongoing Monitoring)
- CCAB, Anti-Money Laundering, Counter-Terrorist and Counter-Proliferation Financing: Guidance for the Accountancy Sector
- ACCA, Technical factsheet: Client due diligence
- Companies House, Report a discrepancy about a PSC or a registrable beneficial owner
- ICAEW, Updating customer due diligence
- ATT, Client Due Diligence (CDD) Requirements
