How often should accountants update CDD for existing clients?
Last updated: May 15, 2026
UK accountants do not have one fixed legal deadline for refreshing customer due diligence (CDD) on every existing client. Instead, the timing should be risk-based.
A firm’s AML procedures should set out when periodic CDD reviews take place, how those timings vary by client risk, and what events bring a review forward.
The important point is whether the firm’s timetable is deliberate, documented, followed in practice, and responsive when something material changes.
Key takeaways
- UK AML rules do not set one fixed CDD refresh interval for every client.
- Review timing should be risk-based and written into the firm’s AML procedures.
- CDD may need updating sooner if ownership, services, activity, risk, or other material circumstances change.
- Professional guidance gives example intervals, but they are not legal rules.
- A no-change review should still leave a clear record of what was checked and concluded.
Is there a legal deadline for updating CDD?
The Money Laundering Regulations require ongoing monitoring of a business relationship. Regulation 28 is the key provision: CDD is not something completed only when a client is first taken on and then forgotten.
The regulations do not, however, prescribe one refresh cycle for all accountancy clients. They do not say that every client file must be refreshed annually, or that every low-risk client can wait a fixed number of years.
The accountancy sector guidance takes the same broad approach. CCAB explains that routine periodic reviews should be used to update CDD information, and that the frequency should reflect the firm’s knowledge of the client and any changes in circumstances.
HMRC’s Economic Crime Supervision Handbook also treats review frequency as risk-based, with the timing depending on the nature of the customer relationship and the risks involved.
Accountancy firms should treat their review calendar as a control designed to keep CDD information up to date for the client’s risk.
Why CDD still needs reviewing for existing clients
CDD can become stale even when the client relationship feels familiar.
For example, an owner-managed business may change shareholders, appoint a new director, move into a different line of work, start trading internationally, or ask for a new service. Similarly, a long-standing personal tax client may become involved in a business, trust, or overseas structure that was not present when the original file was opened.
The purpose of a CDD review is to check whether the firm still understands who the client is, who controls them, what work is being done, and whether the original risk assessment still makes sense.
This does not mean every AML review needs to be a full re-onboarding exercise. Sometimes the result will be a short file note confirming that the information remains current.
In other cases, the firm may need updated identity evidence, beneficial ownership information, source of funds or source of wealth information, or a revised client risk assessment. For a more extensive breakdown of what to check, see our guide to CDD refresh for existing accountancy clients.
As a result, the review should be proportionate. A payroll-only client with no material changes will not usually need the same level of attention as a higher-risk client with complex ownership or cross-border activity.
How risk level affects CDD review frequency
AML procedures should set review timings by risk category.
Higher-risk clients should be reviewed more often because their circumstances, transactions, or ownership structures may present greater AML exposure.
Standard-risk clients, sometimes referred to as “normal-risk” clients, can usually be reviewed on a longer cycle, provided the firm has a way to spot material AML changes between reviews.
Lower-risk clients may justify a longer timetable, but they should not disappear from the firm’s AML process altogether.
The timetable should connect to the firm’s client risk assessment. If the file says a client is high risk, the review date should not look the same as a genuinely low-risk client without explanation.
Risk factors that may justify a shorter scheduled review cycle include:
- Complex or opaque ownership
- Politically exposed person (PEP) connections
- Higher-risk jurisdictions
- Unusual transactions or funding patterns
- Services involving company formation, restructuring, or asset movements
- Previous AML concerns or unexplained changes in client behaviour
Firms do not need overcomplicated models. On the contrary, a simple policy with clear categories is often easier to follow than a detailed matrix that no one maintains. What matters most to supervisory bodies is that the chosen approach is sensible, written down, and visible on client files.
CDD review intervals from professional guidance
Supervisory guidance gives useful reference points, but each firm still needs a timetable that fits its client base, services, and risk assessment process.
ACCA’s client due diligence factsheet gives one clear example model. It refers to standard-risk clients being reviewed every three years, low-risk clients every five years at a minimum, and high-risk clients more frequently, for example, at least every 12 months.
ICAEW material also supports the risk-based approach. Its smaller-practices guidance says there is no specific timeframe and that review frequency should be based on risk assessment and client circumstances. ICAEW refers to some firms reviewing standard or low-risk clients every three years and high-risk clients annually, provided robust trigger-event procedures are in place.
ICAEW has also reported a monitoring case where a firm moved to six-monthly reviews for higher-risk clients and annual reviews for standard-risk clients. This example is useful because it shows how a firm might tighten its timetable during remediation. However, it should not be read as a universal ICAEW benchmark.
The table below summarises how the different CDD timing signals fit together:
| Client category | Example timing seen in guidance or supervisory material | Important caveat |
|---|---|---|
| Legal position | No single fixed interval | The law requires ongoing monitoring and up-to-date CDD, not one universal refresh cycle |
| High-risk clients | Annual review is a common benchmark in professional guidance | Very high-risk files may need a shorter diary period |
| Standard-risk clients | ACCA’s example model uses a review around every three years | A firm may choose a different cycle if it can justify it |
| Low-risk clients | ACCA’s example model uses a review around every five years | Low risk does not mean no review |
| All clients | Review sooner if something material changes | Trigger-event updates should override the diary date |
These examples should be treated as reference points rather than legal rules. The firm’s own timetable should be supported by procedures for changes between scheduled reviews.
When should CDD be updated before the next scheduled review?
Scheduled dates should not prevent an earlier review after a relevant change.
ACCA’s factsheet refers to event-driven reviews before the periodic review date. HMRC’s guidance also gives examples of changes that should trigger a review.
The broader point is that if the client’s risk profile changes, the CDD file may need to change with it.
Trigger-event check
CDD should be reconsidered sooner if something changes, such as:
Expired identity evidence should be reviewed carefully rather than dealt with automatically.
While an expired document is no longer current, that does not automatically mean that a fresh ID must be collected immediately. The firm should consider whether updated evidence is needed, taking account of the client’s risk, the age of the existing evidence, and whether anything material has changed.
This is especially important in small firms, where relevant client knowledge may sit in the principal’s head. Therefore, the AML file should never rely on memory alone.
What firms should record when CDD is still current
A no-change review should still be visible on the client file.
Firms do not need to create unnecessary paperwork, but they should be clear that someone looked at the file and reached a reasoned conclusion. That record helps show supervisory bodies that the review cycle is being followed, rather than existing only in the AML manual.
When deciding what to record in a client AML review, ensure these points are covered:
- The date of review
- Who carried it out
- The client’s current risk rating
- What was checked
- Whether ownership, control, services, or risk factors have changed
- Whether any CDD information needs updating
- The conclusion reached
- The next scheduled review date
Where a firm decides that existing CDD remains adequate, the note should say so. Conversely, if the decision is borderline, the firm should add its rationale. For example, a firm may decide that no new ID is needed because the client is low risk, long established, and there has been no change in ownership, control, or services.
This level of AML record is particularly useful if a supervisor later asks why the firm did not refresh a file sooner. It can also help if a supervisor later inspects the client AML file, because the review note helps explain the judgement reached at the time.
Common mistakes to avoid
The most common weakness is having no defensible method for choosing, following, and evidencing the AML review timetable.
Accountancy firms should watch for these issues:
- Using one annual review date for all clients without thinking about risk: Annual reviews may suit some client files, while others may need shorter or longer cycles depending on risk.
- Copying guidance intervals without adapting them: Frequency examples from ACCA and ICAEW still need to fit the firm’s client base, services, and procedures.
- Letting low-risk files drift: A longer review cycle requires a diary date and a way to catch material changes before the next scheduled review.
- Missing trigger events: A three-year cycle is weak if a change in beneficial ownership sits unnoticed until the next scheduled review.
- Failing to record no-change decisions: If nothing has changed, say so briefly on the file. Silence can look like no review happened.
- Writing procedures that are not followed: A review timetable only helps if the firm follows it. If the AML procedures say clients are reviewed at set intervals, the files should show that those reviews happened.
Practical takeaway: Although this article is about existing AML duties, the wider supervisory picture still matters. As accountancy AML supervision moves toward the FCA, firms should expect greater emphasis on clear, consistent records. A CDD review timetable that exists in the AML manual but is not visible on client files may be difficult to defend later.
In summary
The safest approach for accountancy firms is a clear, risk-based timetable, backed by CDD trigger-event updates and short file notes that show the decision made.
Firms should avoid treating “annually for everyone” as the default legal answer. What matters is whether the chosen timing fits the client risk, is written into the firm’s AML procedures, and is followed in practice.
This leaves firms in a stronger position if a supervisor later asks why CDD was updated on that timetable, or why it was not updated sooner.
FAQs
Not for every client. UK AML rules require ongoing monitoring and up-to-date CDD, but they do not impose one annual refresh rule for all clients. Annual review may be appropriate for higher-risk clients or as a firm policy choice, but lower-risk or standard-risk clients may be reviewed on a longer cycle if that approach is justified and documented.
ACCA gives annual reviews as an example for high-risk clients. A firm may set a shorter period where the risk assessment supports it, but there is no automatic six-month or quarterly rule.
ACCA gives five years as an example for low-risk clients, yet firms should still be able to show how the timing was chosen and monitored. If the client’s circumstances change before the scheduled date, the CDD file may need updating sooner.
An early review may be needed where there is a change in ownership, control, directors, business activity, services, funding source, jurisdictional exposure, or anything else that affects the client’s risk. Concerns about the accuracy or reliability of existing CDD information should also prompt the firm to revisit the file.
Not always. Expiry is a warning sign that the file may need fresh evidence, especially for higher-risk clients. The firm should make a judgement based on the whole relationship, not the expiry date alone. If it decides not to collect a new ID straight away, the reason should be recorded.
An AML review record should normally show the review date, reviewer, current risk rating, areas checked, whether anything changed, whether further CDD was needed, the conclusion, and the next review date. It can be brief, especially where nothing has changed, but it should be clear enough to show that the review took place.
No. CDD reviews are one part of ongoing monitoring. The latter is broader because it includes staying alert to changes during the client relationship, not just checking the file on a scheduled date. Periodic reviews and trigger-event updates should work together.
References and Source Material
- ACCA, Technical factsheet: Client due diligence
- ICAEW, Anti-money laundering for smaller practices
- ICAEW, Updating customer due diligence
- ICAEW, AML report highlights need for customer due diligence
- HMRC, Economic Crime Supervision Handbook (ECSH33375 – Ongoing Monitoring)
- CCAB, Anti-Money Laundering, Counter-Terrorist and Counter-Proliferation Financing: Guidance for the Accountancy Sector
- Money Laundering Regulations 2017, Regulation 28

