
AML compliance essentials for sole practitioners and small firms


Published: Today at 09:38 AM BST

This guidance sets out the top eight areas where sole practitioners and smaller firms should focus their attention to support compliance with the Money Laundering Regulations.

What are the key anti-money laundering (AML) compliance requirements for small firms?

To comply with the Money Laundering Regulations, firms should focus on:

  1. Firm-wide risk assessment
  2. Written AML policies and procedures
  3. Customer due diligence (CDD)
  4. Ongoing monitoring
  5. Suspicious activity reporting (SARs)
  6. AML training
  7. Regular AML compliance reviews
  8. Persons of significant control (PSC) discrepancy reporting

These areas form the foundation of an effective AML framework and will be the main focus during ICAEW monitoring reviews.

We have included links to relevant resources throughout. You can also watch our recent webinar on the same topic for more detail.

1. What is a firm-wide risk assessment and why is it required?

The firm-wide risk assessment is the foundation of anti-money laundering (AML) compliance. It requires the firm to step back and consider the key money laundering and terrorist financing risks inherent in the practice. These risks may arise from the types of client it has, the services it provides, its geographical exposure, the types of transaction it is involved with and the way in which it delivers its services.

A strong risk assessment shapes how AML procedures are designed and implemented. It also identifies whether controls remain effective and highlights new or emerging risks identified through sector updates or supervisory insights. For sole practitioners, the assessment can be narrative in format, provided it clearly explains how risks are identified and mitigated. It must be reviewed regularly and inform the firm’s AML policies and procedures.

We expect all our firms to have a firm-wide risk assessment and will always review this as part of a firm’s AML monitoring review.


2. What are the requirements around written policies and procedures?

AML policies and procedures translate the firm-wide risk assessment into practical steps that guide day-to-day work. They explain how customer due diligence is performed, how suspicions are escalated, how records are kept, and how the firm maintains compliance.

Policies should reflect the specific risks identified in the risk assessment and be proportionate to the size and nature of the firm. They should be reviewed regularly to keep pace with regulatory developments and emerging risks.


3. What are the customer due diligence requirements for small firms?

CDD helps firms understand who their client is, what they do, and the level of money laundering risks they present. It requires gathering information, assessing the AML risks that may exist within the client, and verifying identity using reliable evidence.

Firms must maintain professional scepticism, even with seemingly low-risk clients. Close relationships can cause familiarity and mask risks. Always pause to assess potential threats and base decisions on objective evidence.

Documentation is crucial. Knowing a client informally is not enough; firms must evidence their reasoning and consider red flags such as unusual ownership structures, adverse media, or inconsistent behaviour and/or transactions. Verification must always include obtaining evidence of identity, but it may be necessary to perform additional checks, such as open-source checks or asking clarifying questions, to mitigate risks.

Our monitoring reviews frequently identify gaps where firms have not fully evidenced CDD, or have relied too heavily on personal knowledge of the client.


4. What is required for ongoing monitoring of your clients?

CDD should be applied to existing client relationships throughout their duration. The timing of these reviews depends on changes affecting the client or the services provided (event-driven reviews), as well as the client's risk profile (periodic reviews). Additionally, you should monitor the client’s activities to ensure they align with your knowledge of the client, its operations, and any associated risks.

The work performed may consist only of reviewing and updating the client information on file, refreshing the risk assessment, and/or applying verification measures relevant to that updated information.

Gaps often arise when firms fail to update CDD after key changes. Monitoring should confirm that transactions make sense in the context of the client’s activities and that any unusual activity is questioned.


5. What are the suspicious activity reporting (SAR) requirements?

Firms need clear processes for identifying, assessing, documenting and reporting suspicions. The MLRO must understand tipping-off risks, when a defence against money laundering (DAML) SAR is required, and how to use the new SAR portal.

Assessing suspicious activity requires objective judgement. Decisions to submit or not submit a SAR must be documented. Firms should also reassess the client relationship following a SAR and consider whether ongoing engagement is appropriate.


6. What are your AML training obligations?

AML training ensures that staff and subcontractors understand their obligations and can recognise red flags. Training should be regular, tailored to the firm’s services, and updated for new risks and regulatory changes.

Training reinforces the firm's culture of compliance and ensures individuals know how to escalate concerns, apply policies, and recognise unusual activity.


7. When should small firms review AML compliance?

Regular reviews assess the effectiveness of AML policies, controls and procedures. They check whether CDD is being carried out properly, whether risk assessments are robust, and whether files contain sufficient evidence. Reviews should also capture emerging risks and regulatory developments. The compliance review should always include steps to reperform CDD that has been completed on a sample of clients.

While not mandatory for sole practitioners with no staff, an annual review strengthens systems and prepares the firm for an AML monitoring review.


8. What is PSC discrepancy reporting and when is it required?

Firms must identify and report discrepancies between the information gathered as part of CDD and the information held on the public Persons of Significant Control (PSC) Register. Reports must be submitted promptly to Companies House or HMRC.

Clear procedures help ensure discrepancies are identified, recorded and reported consistently. Maintaining written records demonstrates compliance and supports the integrity of the corporate register.


A strong AML framework requires clarity, consistency, and an inquiring mind. By strengthening controls across these eight areas and applying professional scepticism (even where clients seem familiar or low risk), firms enhance their ability to safeguard against money laundering.

Michelle Giddings, Head of AML and Operations, ICAEW