AML compliance for UK SMEs: what you actually need to do

25 June 2026 · 2 min read

HMRC fined UK businesses over £3.2m for AML breaches in its last published year. Almost none of those firms thought they were doing anything wrong. They had a policy. They just couldn't show, on demand, that it was being followed.

That gap — between having a policy and operating one — is what this guide is about.

If you are an accountant, solicitor, estate agent, letting agent, trust company, crypto firm or art dealer in the UK, AML is not optional. The Money Laundering Regulations 2017 (as amended) apply whether you are a sole trader or a 200-person partnership.

Here is what a UK SME actually needs in place — without the consultancy fluff.

1. A written firm-wide risk assessment

Document the risks your firm faces: client types, services, geographies, delivery channels. It does not need to be 40 pages — it does need to be specific to you, dated, and reviewed at least annually.

2. Policies, controls and procedures (PCPs)

Write down how your firm meets each AML obligation. Include onboarding, ongoing monitoring, sanctions screening, SAR reporting, training and record keeping.

3. Customer Due Diligence (CDD)

For every business relationship you need to:

  • Identify the customer and verify their identity from a reliable source
  • Identify the beneficial owner(s) and take reasonable steps to verify
  • Understand the purpose and intended nature of the relationship
  • Conduct ongoing monitoring of the relationship

For UK corporate clients, that means a Companies House check, PSC identification and ID verification on the people who control the business. Our UK due diligence guide walks through the full process, and the KYC checklist for accountants and law firms is a copy-and-use version for client files.

4. Enhanced Due Diligence (EDD)

EDD is triggered by higher-risk situations: PEPs, high-risk third countries, complex ownership, unusual transactions. EDD typically adds source-of-funds and source-of-wealth evidence, senior-management sign-off and more frequent reviews.

5. Sanctions screening

Sanctions screening is a strict-liability obligation under the UK’s sanctions regime. Screen at onboarding and on an ongoing basis — lists change frequently. See our sanctions and PEP screening primer for practical detail.

6. SAR reporting

Suspicious Activity Reports go to the National Crime Agency. Your nominated officer (MLRO) makes the call. Train staff to escalate — not to investigate themselves and not to tip off the client.

7. Training and record keeping

All relevant staff need AML training appropriate to their role, refreshed regularly. Keep CDD records for at least 5 years after the relationship ends.

What “good” looks like to a supervisor

HMRC, the FCA, the SRA and the professional bodies all run thematic reviews. The firms that pass cleanly tend to have:

  • A risk assessment that genuinely reflects their client base
  • Tooling that automates Companies House, PSC and sanctions checks
  • A clear audit trail for every client file
  • Evidence of ongoing monitoring — not just an onboarding snapshot

Make the audit trail boring

The firms that sail through a supervisor visit have the same dull thing in common: every client file looks identical, dated, and signed off. CompanyCheckr gives you the Companies House, PSC, sanctions and adverse-media layer of that file in one PDF. Try a check or create an account to standardise onboarding across your team.
