What happens during an HMRC AML inspection?

An HMRC AML inspection is a compliance check carried out under the UK’s Money Laundering Regulations 2017 (as amended) (MLRs) to assess whether your business is meeting its legal obligations. 

HMRC supervises estate agents, letting agents, high-value dealers, art market participants and accountancy service providers not supervised by a professional body. If your business falls into one of those categories and is registered with HMRC for AML supervision, expect that you will have (and need to be prepared for) an inspection.

The purpose of an inspection is not to catch you out. As HMRC sets out in its published guidance, officers are there to check that your controls are working, help you understand your obligations and identify any areas that need attention. 

How HMRC selects businesses for inspection

HMRC takes a risk-based approach to supervision, which means inspections are not random. Resources are allocated based on an assessment of where money laundering risk is highest across the sectors HMRC supervises. 

Your business may be selected for inspection because information suggests there is a risk of money laundering exposure, because your registration is due for review or as part of a planned programme for your sector.

HMRC also conducts unannounced visits, though the more usual route is contact by phone to arrange a convenient time, followed by a written confirmation of the date, who the officer will want to speak to and what records they will want to see. An inspection visit does not, in itself, mean HMRC thinks something is wrong.

Visit or office-based check: understanding the difference

HMRC has two main routes for compliance checks. The first is a physical visit to your business premises. The officer will normally attend your main site so they can see your systems and records in context, speak to the right people and test whether your controls work in practice.

The second route is an office-based check, conducted by phone or desk review. The purpose and scope are the same as a visit. HMRC will request the same information and documentation and will carry out equivalent checks. In many straightforward cases, an office-based check is sufficient. A visit may follow if the business is complex or if concerns arise that need further investigation.

Both formats require your MLRO / nominated officer or the person responsible for AML compliance to be available and ready to answer questions about how your policies and procedures operate in practice.

Who needs to be present

HMRC will want to speak to the owner of the business or, where the business has a management structure, the senior person responsible for AML compliance, at the start of the visit. 

After that initial conversation, you need to make sure that a responsible person is present who can answer questions and provide documents. Your MLRO / nominated officer or the senior manager responsible for AML compliance should be there for the duration of the visit.

The officer may also want to speak to other members of staff to test whether they understand your AML policies, controls and procedures and know what to do if a concern arises. A firm where the compliance knowledge sits entirely with one person, and front-line staff cannot articulate the basics, is a firm with a training gap that will be noted.

You can have a professional adviser present but they cannot answer questions on your behalf. Only you can explain how your business actually operates.

What HMRC will examine

The inspection centres on your AML framework. HMRC will always check the following:

• Your business-wide risk assessment, required under Regulation 18 of the MLRs, which must identify and document the money laundering, terrorist financing and proliferation financing risks your business faces. HMRC will assess whether it reflects your actual client base, services and geographic exposure, and whether it has been reviewed and kept current.

• Your AML policies, controls and procedures (PCPs), which must be directly linked to what your risk assessment identifies. A generic document that does not engage with your specific risks will not satisfy scrutiny. Officers will check that your PCPs are practical, that staff understand them and that they are applied consistently.

• Your client due diligence processes under Regulation 28, including how you identify and verify clients and beneficial owners, how you assess risk at client level and how you handle situations where enhanced due diligence is required under Regulation 33.

• Your training records. Regulation 24 requires relevant persons to ensure staff are aware of money laundering, terrorist financing and proliferation financing law and are regularly trained to recognise and respond to risks. HMRC will want to see evidence that training has been delivered, when it was completed and that it is refreshed on a regular basis (at least annually).

• Your internal reporting arrangements, including how suspicious activity concerns are escalated internally to your MLRO / nominated officer and how decisions about external reporting to the National Crime Agency are made and documented.

• Your sanctions screening process, including how you screen clients, beneficial owners and counterparties against the UK Consolidated List and relevant international sanctions lists, and how you handle potential matches.

HMRC officers may also review transaction records, copies of identity and verification evidence, any internal Suspicious Activity Reports and those submitted to the NCA, client risk assessments and, for high-value dealers, any cash found on the premises. 

For estate agency businesses, letting agents, art market participants, accountancy service providers and high-value dealers, HMRC will also check that the right individuals have passed HMRC approval checks as required.

What HMRC is testing

The sectors HMRC supervises tend to be made up of smaller businesses. For example, the 2025 National Risk Assessment notes that 90% of estate agents operate from a single premises. 

HMRC officers understand that proportionality matters and that a sole trader’s compliance infrastructure will not be as complex as a multi-branch firm. But whatever your size, the inspection is testing whether you have the required documentation and that your AML framework actually works, not just whether the paperwork exists.

A business that has a risk assessment, a PCPs document and training records but cannot demonstrate that they are applied consistently in practice will still attract findings. HMRC officers will look for reasoning, not just activity. 

Client risk assessments should show how the risk level was reached, not just record a rating. Enhanced due diligence files should show why enhanced measures were applied and what those measures were. 

Sanctions screening records should show the outcome of each check and, where an alert was raised, how it was reviewed and resolved.

What happens at the end of an inspection

Unless your business is large or complex, the visit will normally be completed within a day or two. At the end, the officer will review what they have covered, explain any areas of concern, agree any action you need to take and answer questions.

HMRC may send you notes of the meeting afterwards. You will have an opportunity to review and amend those notes within a deadline. After the check, HMRC will write to you to set out any required action or to warn you if a penalty may apply. In serious cases a penalty notice may be issued immediately.

Where concerns are identified but the failures are not serious, HMRC will usually give you time to put things right. Repeat failures or evidence of systemic non-compliance attract a different response. HMRC isn’t shy about pursuing penalties.

The most common areas of weakness

Recent HMRC enforcement action points to patterns that appear repeatedly:

• Business-wide risk assessments that are generic or out of date
• Client risk assessments that record a conclusion without showing the reasoning behind it
• Training records that show a one-off induction rather than regular refreshed training
• CDD files where verification is incomplete or not evidenced

Sanctions screening is also an area where gaps frequently appear, either because it is not built into the onboarding process or because ongoing monitoring is absent.

These are not obscure technical failings. They are the core requirements of the MLRs and they are the areas HMRC will go to first.

Final thoughts

An HMRC AML inspection is a structured review of whether your business is genuinely managing money laundering, terrorist financing and proliferation financing risk. The process is transparent: HMRC publishes exactly what officers will examine and what records they want to see. 

The businesses that come through inspections well are those where the risk assessment, policies, CDD and training all connect into a coherent, documented framework that staff actually understand and apply. If that description does not match where your business is today, an inspection is a reasonable prompt to address it.

AMLCC brings your business-wide risk assessment, client risk assessments, PCPs, sanctions and PEP checks, AML training and internal reporting together in one platform, with a complete audit trail. This way, when an HMRC officer asks to see how your AML framework works in practice, everything is documented, current and ready.