What to expect during an AML review

If you’re regulated for anti-money laundering (AML) in the UK, you should expect a compliance review at any time. Whether it’s carried out by HMRC or your professional body, the purpose is the same: to assess whether your firm is meeting its legal obligations under the Money Laundering Regulations 2017.
That might sound daunting but it doesn’t need to be. Knowing what reviewers look for, and having the right evidence ready, makes the process far smoother.
Who carries out AML reviews
Every regulated business in the UK is supervised by one of the 23 designated bodies under the MLRs. These include:
- Professional body supervisors (PBSs)
- HMRC, which supervises estate and letting agents, trust and company service providers, HVDs and accountants not supervised by a PBS
Each supervisor conducts periodic reviews or inspections to ensure compliance. These can be routine (scheduled in advance) or triggered by risk factors such as a complaint, suspicious activity or missing filings.
How the review process works
You’ll likely be asked to provide a list of documents and may be invited to grant read-only access to your AML system (for AMLCC users, this takes seconds). Depending on your supervisor, the review may be:
- Remote, where evidence is reviewed digitally and discussed over calls
- On-site, where the reviewer visits your office to interview staff and examine files
They’ll typically:
- Request your key AML documents, including your current and historic Business Risk Assessments, AML Policies, Controls and Procedures (PCPs), training logs and sample client files.
- Interview key people, usually your Money Laundering Reporting Officer (MLRO) or Money Laundering Compliance Officer (MLCO), and sometimes front-line staff.
- Test compliance in practice, to check whether what’s written in your policies is actually followed day-to-day.
- Provide feedback or an action plan, setting out areas for improvement or follow-up.
What reviewers will look for
A review focuses on two broad areas, your framework and your evidence.
1. Your business framework: policies, risk assessments and controls
Reviewers will assess whether your AML documentation meets the requirements of the MLRs, particularly Regulations 18–21. They’ll look for:
- A business-wide risk assessment that’s current, detailed and tailored to your services, clients and jurisdictions
- Policies, controls and procedures (PCPs) aligned to that risk assessment
- Regularly updated and approved PCPs and business-wide risk assessments showing annual reviews or updates following regulatory change
- Defined roles and responsibilities for AML oversight
Generic or outdated documents are a red flag. As the article “The 6 signs your AML PCPs are out of date” notes, many inspection failures come from “copied templates” that bear no relation to the firm’s actual risks.
2. Your evidence: people, records and real-world activity
Beyond the paperwork, reviewers need to see proof that your AML framework is embedded in practice. They’ll check:
- AML Training – Has every employee completed regular AML training, passed their tests and acknowledged policy updates?
- Client due diligence (CDD) – Can you evidence ongoing CDD? How are clients’ identities, beneficial ownership and source of funds verified?
- Risk assessments – Are client risk assessments completed in full and updated when circumstances change or according to the timeframe detailed in your PCPs?
- Record keeping – Can you retrieve files, internal SAR logs and decision-making records quickly?
If you use AMLCC, this is all visible on your dashboard.
Common findings across all regulated sectors
Supervisors across the UK and across sectors report the same weaknesses again and again. Whether the review is for an accountancy firm, law practice, dedicated TCSP, HVD or property business, the main failings fall into five themes.
1. Out-of-date or generic AML documentation
Many businesses still rely on templates that haven’t been adapted and customised to reflect their actual business or risk profile.
- The IFA’s 2023/24 report found that 78% of non-compliant businesses failed to have an up-to-date business-wide risk assessment or used generic templates inappropriately.
- The SRA’s 2024 AML report also warned that non-customised “off-the-shelf AML policies” put firms and clients at risk because they fail to show how AML controls actually work in practice.
2. Weak client due diligence (CDD) and risk assessments
Supervisors consistently find incomplete or poorly evidenced CDD.
- ICAEW data shows over a third (34%) of reviewed firms failed to gather enough verification evidence, and 27% failed to properly identify beneficial owners.
- HMRC penalties against property agents often stem from poor CDD, such as missing source-of-funds checks or failing to verify buyers using third-party payments.
3. Missing or incomplete training records
While most businesses deliver AML training, many can’t evidence it. Supervisors expect to see who was trained, when, and on what topics.
- The SRA found several firms “could not provide sufficient evidence that all relevant staff had completed AML training”.
- The IFA and OPBAS highlight training and culture as weak spots — especially in smaller practices without dedicated compliance leads.
4. Poor record-keeping and audit trails
Supervisors often note that businesses have carried out checks but can’t prove it. Missing records of identity verification, file reviews, or policy updates are common findings.
- The SRA explicitly lists “lack of evidence of ongoing monitoring” as one of its top compliance failings.
- ICAEW found that 36.7% of non-compliant firms failed to maintain effective ongoing CDD records.
5. Inadequate ongoing monitoring
AML isn’t a one-off task at onboarding. Yet reviews repeatedly show that businesses stop after initial checks.
- ICAEW reports that ongoing monitoring was the single most common failure across accountancy practices.
- HMRC inspections of estate and letting agents show the same issue: CDD is rarely refreshed when clients’ circumstances change.
In short, the same weaknesses appear across every review, regardless of sector: outdated documents, incomplete client risk assessments, missing training evidence, weak record-keeping and poor ongoing monitoring. Supervisors expect all five areas to be demonstrably active, reviewed, evidenced and current.
How to prepare for your next review
Preparation is about visibility. You need to know where everything sits, how up to date it is and who’s responsible. Here’s how to get review-ready:
- Centralise your AML evidence: Store all policies, training logs, CDD and risk assessments in one place.
- Check your BWRA date: Reviews older than 12 months are non-compliant under Regulation 18.
- Review your PCPs: Update them in line with any changes to your services or the latest National Risk Assessment.
- Audit your training: Make sure every staff member’s completion is logged and up to date.
- Spot-check client files: Ensure CDD records, risk assessments and decision notes are complete and accessible.
- Document updates and approvals: Keep evidence of who reviewed and signed off each policy change.
Many businesses run a mini internal audit before an expected review. This helps identify any gaps early and creates a culture of continual readiness rather than last-minute panic.
What happens after the review
After your supervisor has completed their review, they’ll send a written report summarising findings. This will confirm where you’re compliant, highlight any weaknesses or breaches, and set out required improvements and timescales.
If issues are found, take them seriously. Non-compliance can lead to financial penalties and regulatory action. But if you respond promptly, document your remedial steps and demonstrate improvement, your supervisor will usually view that positively.
Final thoughts
An AML review isn’t something to fear. It’s a chance to show that your business takes compliance seriously. With the right preparation, evidence and systems in place, you can make the process quick, smooth and even beneficial.
Compliance isn’t about ticking boxes. It’s about proving that your AML framework works in practice, protecting your business, your clients and the integrity of your profession.