What ongoing monitoring means for accountants under UK AML rules
Last updated: May 14, 2026
Ongoing monitoring is the part of AML compliance that starts after a client has been onboarded.
This is where many firms run into trouble. AML is often treated as a front-loaded exercise: collect ID, understand the client, assess the risk, and open the file. But Regulation 28 of the Money Laundering Regulations makes clear that the client’s AML position cannot simply be frozen at onboarding.
In practice, ongoing monitoring means keeping that position current, explainable, and evidenced over time. The file should show what the firm knew about the client, what changed or did not change, whether the risk assessment still made sense, and why the firm was comfortable continuing to act.
The key point is that the client file should continue to reflect reality, without forcing the firm to repeat full CDD where nothing material has changed.
Contents
Key takeaways
- Ongoing monitoring starts after onboarding and continues throughout the client relationship.
- For accountants, it means keeping CDD, client risk, services, ownership, activity, and other relevant information current.
- While it does not require bank-style automated transaction monitoring, the client file should show what was checked, what changed and what did not, and what the firm concluded.
Ongoing AML monitoring for UK accountancy firms
Ongoing monitoring sits within customer due diligence (CDD) under Regulation 28 of the Money Laundering Regulations.
Accountants need to scrutinise transactions during the business relationship to check they are consistent with the firm’s knowledge of the client, their business, and their risk profile.
They also need to keep CDD documents, data, and information up to date. This aspect is often the biggest challenge.
A small firm may not have a bank-style monitoring system, and in most cases would not need one. But it may still see enough information through accounts preparation, tax work, bookkeeping, payroll, or advisory conversations to know whether the client’s position has changed.
This means ongoing monitoring is not a passive exercise. It is a continuing discipline of asking: Does what we now know about this client still match the AML file?
HMRC guidance supports this interpretation by describing ongoing monitoring as both transaction scrutiny during the relationship and keeping CDD information current.
How ongoing monitoring differs from onboarding CDD
Onboarding CDD is the initial understanding of the client. It helps the firm establish who the client is, who owns or controls them, what services they need, and what level of AML risk they present.
Ongoing monitoring is the work of keeping that understanding up to date.
A client who appeared straightforward at the start of the relationship may later change in ways that affect the original risk assessment. A firm may also see transactions or records that do not fit its earlier understanding of the client’s business.
While this does not automatically reflect an AML concern, the file may still need to be reviewed to ensure compliance with the Money Laundering Regulations.
A useful distinction for accountancy firms:
- Ongoing monitoring: The legal umbrella under Regulation 28
- Periodic reviews: Planned checks used to keep the file current
- Trigger-event reviews: When a change or concern arises
- CDD refresh: The practical update made where a review shows that existing client CDD needs to be checked or updated
What accountancy firms should monitor
Ongoing monitoring should be built around the reality of the client relationship.
Firms should consider whether the client’s AML file still reflects what is known from day-to-day work. This might include checking whether changes have occurred with ownership, control, directors, or key office holders, whether the services provided have expanded, or if the client’s business activity looks different from the original understanding.
It may also include considering whether new jurisdictions, unusual transactions, PEP involvement, adverse information, or inconsistent records change the client’s risk profile.
This does not need to become a long exercise every time. A low-complexity client with no changes may only need a short recorded review. In contrast, a higher-risk or changing client may need a more detailed update.
Where firms provide bookkeeping, payroll, or tax work, they should not assume the AML regime is irrelevant.
HMRC guidance treats professional bookkeeping as an accountancy service. Payroll also needs a closer look: it may be covered where the work includes accounting support or tax advice, while more limited administrative services may fall outside the rules depending on what is actually provided.
The safer approach is to assess the real service, whether it is provided by way of business, and the firm’s supervisory position.
When monitoring should lead to a CDD refresh or AML risk review
Ongoing monitoring does not always result in new documents. Sometimes the correct conclusion is that nothing material has changed.
Where a review identifies outdated, incomplete, or inconsistent information, the firm should update the client file. This may mean refreshing identity or ownership information, revising the client risk assessment, asking further questions, or recording why no further action was needed.
CCAB guidance recognises both periodic and event-driven reviews as ways to keep CDD current. The law does not set one fixed timetable for every client, so firms should set risk-based review intervals in their AML procedures and be able to justify them. For a more detailed breakdown, see our guide on how often accountants should update CDD for existing clients.
Professional guidance gives example review cycles, such as annual reviews for high-risk clients and longer cycles for standard or lower-risk clients. Some firms may choose shorter cycles, such as six-monthly reviews, for higher-risk cases.
These are examples, not legal rules; the firm’s timetable should be risk-based, documented, and brought forward if something material changes for AML purposes.
Nonetheless, the timetable should be risk-based, written into the firm’s procedures, followed in practice, and evidenced in the client file.
In addition, a scheduled review should be brought forward where a material change or concern affects the firm’s understanding of the client or their risk profile. Our guide to CDD trigger events for accountants explains when client changes should prompt an earlier AML review.
What evidence should be kept in the client file?
An AML review that is not properly recorded may be difficult to evidence later.
Supervisors typically want to see that the firm’s AML process was followed, not just hear that the principal “knows the client”. As such, the AML reasoning must be clear enough for someone reviewing an accountancy client file to follow.
HMRC says inspection officers may examine transactions, CDD procedures, risk assessments, policies, controls, procedures, training logs, and other records showing how AML systems work.
ICAEW’s recent AML supervision findings also show that updating CDD remains a live compliance weakness. It previously found that 20% of firms reviewed were non-compliant, and 11.6% had failed to update CDD throughout the duration of client relationships.
In terms of what to record in a client AML review, a good monitoring note shows the date of review, who carried it out, the checks completed, any material findings, any CDD or risk assessment update, and the conclusion reached.
Example: A concise ongoing monitoring record
- Client: ABC Trading Ltd
- Review type: Periodic AML review
- What triggered the review: Scheduled AML review under the firm’s standard review cycle.
- What was reviewed: Companies House record, directors and PSCs, services provided, year-end bookkeeping records, jurisdiction exposure, and existing client risk assessment.
- Evidence relied on: Companies House check completed on 12 June 2026. Bookkeeping records were reviewed during year-end accounts work. Existing CDD files were reviewed.
- Conclusion: No material change identified. Client remains standard risk.
- Action taken: No CDD refresh required. Client risk assessment confirmed unchanged. Next AML review to follow the standard review cycle.
This kind of record is concise, but it still gives a supervisor a clear basis for understanding what was reviewed, what was concluded, and why no further action was taken
Common mistakes accountancy firms should avoid
Supervisory findings suggest that many firms struggle to evidence what they have done, even where the principal knows the client well. While that knowledge is valuable, if it affects AML risk, it should be reflected in the file.
This means that long-standing clients may deserve particular attention. Familiarity can make stale files easier to miss, since ownership, control, services, and business activity can all shift gradually over time.
Firms should also avoid treating monitoring as automatic annual re-verification. The right level of work depends on risk, the quality of the existing information, and whether anything material has changed.
Moreover, a written AML procedure is not enough by itself. If the procedure says clients are reviewed periodically, the files should show that those reviews actually happened.
How the FCA transition affects ongoing monitoring
The ongoing monitoring duty itself is not new, but the way firms are expected to evidence it may come under much sharper scrutiny as accountancy AML supervision moves toward the FCA.
The issue for some firms is whether the client file shows that the process actually happened. This means a supervisor should be able to see when the client was reviewed, what information was considered, whether anything material had changed, and why the firm’s conclusion still made sense.
The FCA transition should therefore be seen as another reason to tighten existing-client records now, not as something to wait for. Ongoing monitoring is already required; the difference is that weak or missing review evidence may become harder to defend under a more centralised supervisory model.
Making ongoing monitoring workable
Ongoing monitoring should be part of the firm’s normal rhythm, not a separate annual panic.
Small practices, in particular, may find that the easiest approach is to connect AML checks to work already being done, such as annual accounts, tax returns, bookkeeping reviews, payroll changes, new engagements, and recurring client meetings.
A simple process is usually enough:
Set risk-based review intervals in the firm’s AML procedures.
Use routine client work to identify relevant changes.
Record a concise review note.
Make any necessary updates.
Follow up on unresolved issues.
While this process does not require a dedicated compliance department, it needs to be done consistently. The central question is whether the AML record supports the decision to continue acting.
In summary
Ongoing monitoring is the practical discipline of keeping an existing client’s AML position current over time.
Under Regulation 28, this includes scrutinising client activity during the relationship and keeping CDD information up to date. When accounting firms notice changes in ownership, control, services, business activity, or risk, then recording what was checked and concluded becomes important.
A short, consistent, and well-recorded review process is often the difference between informal knowledge and evidence that a supervisor can understand. After all, supervisory bodies expect accurate, risk-based, and explainable files.
For updates on AML supervision, ongoing monitoring, and small-firm compliance issues, subscribe to the Evidentia newsletter.
FAQs
Ongoing monitoring is continuing to check, after onboarding, that the firm’s understanding of the client still holds true. This includes looking at relevant activity during the relationship and updating client information where it has become inaccurate, incomplete, or out of date.
No. Ongoing monitoring is the wider obligation. A CDD refresh is only needed where the review shows that existing information needs updating or can no longer be relied on.
Yes, where the client relationship falls within the UK Money Laundering Regulations. The amount of monitoring should depend on the client’s risk, the work being done, and whether anything has changed.
There is no fixed legal review frequency. Firms should set a risk-based timetable, record it in their AML procedures, and review sooner if a client change or concern arises. Annual reviews for high-risk clients, longer cycles for lower-risk clients, and shorter cycles for very high-risk cases are all examples, not universal rules.
A review should be brought forward when the firm becomes aware of a material client change or concern, such as a new beneficial owner, new service, overseas activity, inconsistent records, or adverse information.
The AML record should make the decision understandable. It should state when the review happened, who completed it, what was looked at, whether anything relevant was found, what action followed, and whether the client’s risk rating changed.
Yes. A brief note is still useful where the firm has checked the position and decided that no update is needed. It helps show that the file was actively reviewed rather than ignored.
References and Source Material
- Money Laundering Regulations 2017, Regulation 28
- HMRC, Economic Crime Supervision Handbook (ECSH33375 – Ongoing Monitoring)
- HMRC, How HMRC checks on businesses registered for money laundering supervision
- HMRC, Check if you need to register for money laundering supervision if you’re an accountancy service provider
- CCAB, Anti-Money Laundering, Counter-Terrorist and Counter-Proliferation Financing: Guidance for the Accountancy Sector
- ICAEW, Examining non-compliance: AML supervision report 2024/25
