Onboarding new clients: a UK KYC checklist for accountants and law firms

A few years back I asked a partner at a mid-tier firm when she last opened her KYC procedures document. She laughed. "Not since the trainee printed it." That's the polite version of the answer most regulated firms would give. The checklist below is what the new version should look like.

Most regulated UK firms have a KYC pack somewhere. The problem is that half of them have not been updated since 2019. Here is a 2026-ready checklist you can lift wholesale.

Stage 1: Initial information capture

• Legal entity name and company number
• Registered office and trading address
• Nature of business and intended services from your firm
• Expected transaction volumes and values
• Source of funds (high level) and source of wealth (where required)

Stage 2: Entity verification

• Companies House snapshot saved to the file
• Status: Active
• Confirmation statement and accounts up to date
• Director list captured
• PSC register captured
• Outstanding charges noted

Stage 3: People verification

• ID verification on all directors and PSCs (electronic IDV or certified copies)
• Address verification on all directors and PSCs
• Sanctions and PEP screening on every individual (see our sanctions and PEP primer)
• Adverse media screening on every individual

Stage 4: Risk rating

Apply your firm-wide risk assessment to this client. Standard, high, or unacceptable. Document why.

Stage 5: Enhanced Due Diligence (if triggered)

• Documented source of funds and source of wealth
• Senior-management approval to onboard
• Reduced review cycle (e.g. 6 months instead of annual)
• Additional sanctions screening on counterparties

Stage 6: Documentation and sign-off

• Engagement letter signed
• AML risk assessment completed and signed (our AML compliance guide covers what supervisors expect)
• All evidence stored against the client file with timestamps
• Diary entry for next periodic review

Stage 7: Ongoing monitoring

Onboarding is a moment in time. Schedule periodic reviews based on risk, run automated daily sanctions and Companies House change monitoring (see why continuous monitoring matters), and react to alerts — otherwise the whole exercise was for nothing.

One file, every client, no gaps

You can run all of stages 2, 3 and the sanctions side of 4 above through CompanyCheckr and attach the dated PDF straight to the client file. Try a check or sign up to roll it out across your team.