The rules around anti-money laundering for accountancy firms are shifting — and fast. Within the next 18 months, the body supervising your AML compliance will likely be a completely different organisation, digital ID checks will be standard practice, and HMRC will be handing out fines at a pace that should make every practice owner pay attention.
Here's what's actually changing, why it matters, and what you should be doing about it right now.
AML supervision is moving to the FCA
This is the big one. The government has confirmed that AML supervision for accountancy firms will transfer from the current 23 professional body supervisors — ICAEW, ACCA, CIOT, AAT and the rest — to the Financial Conduct Authority as a single, unified supervisor.
The shift started being announced in late 2025, and implementation is expected to run through 2026 and into 2027. It's a phased transition, not a cliff edge. But the direction is clear: the days of being AML-supervised by your professional body are numbered.
What does this mean practically? A few things.
Your relationship with your supervisor will change. The FCA is a different beast — it's a statutory regulator with enforcement powers that go well beyond what ICAEW or ACCA have traditionally exercised. Expect more structured inspections, more detailed reporting requirements, and less of the "light touch" approach some firms have got used to.
Fees will almost certainly change too. The FCA operates on a cost-recovery model, so you'll be paying them directly for supervision. How that compares to what you're currently paying your professional body remains to be seen, but don't assume it'll be cheaper.
The practical details of how the handover works — timelines for registration, transitional provisions, how ongoing investigations transfer — are still being finalised. But waiting for every detail to land before you start preparing would be a mistake.
ACSP registration: a new requirement for Companies House work
Separately from the FCA supervision shift, there's a new registration requirement you need to know about.
From spring 2026, if your firm files documents at Companies House on behalf of clients — company formations, confirmation statements, director appointments, that sort of thing — you'll need to register as an Authorised Corporate Service Provider (ACSP). This comes from the Economic Crime and Corporate Transparency Act, and it's designed to stop criminals from using company formation agents as a front.
Most accountancy firms that do any company secretarial work will need to register. The process involves confirming your AML supervision status, providing details of your firm's beneficial owners and directors, and demonstrating that you have adequate AML procedures in place.
If you don't register, you simply won't be able to file at Companies House on behalf of clients. That's a service a lot of firms take for granted, so don't let this one catch you out.
Digital identity checks are now accepted
Here's a change that should actually make your life easier.
In February 2026, DSIT (the Department for Science, Innovation and Technology) published updated guidance confirming that regulated firms can use DIATF-certified digital identity service providers for customer due diligence. DIATF stands for the Digital Identity and Attributes Trust Framework — essentially the government's quality mark for digital ID providers.
What this means: instead of asking a new client to post you a certified copy of their passport and a utility bill (or bring them into the office), you can now direct them to a certified digital identity provider. The client verifies their identity online, and the provider passes a confirmation back to you that meets your CDD obligations under the Money Laundering Regulations.
This is a genuine improvement. It speeds up client onboarding, reduces the admin burden, and arguably produces a more reliable result than eyeballing a photocopy of someone's driving licence. You'll still need to record what checks you carried out and retain evidence, but the process itself can be fully digital.
Your AML policy will need updating to reflect this. If you're still operating under a policy that references physical document verification as the default, that's something to sort out sooner rather than later.
HMRC enforcement is getting sharper
If the regulatory changes above feel a bit abstract, this bit should sharpen your focus.
HMRC's February 2026 enforcement report revealed that accountancy firms were the second largest group fined for AML failures. Out of all the penalties handed out, 134 went to accounting firms — totalling £513,930 in fines. That's not massive in absolute terms, but it shows a clear pattern. HMRC is actively checking, actively penalising, and the numbers are trending upward.
The most common issues? Inadequate risk assessments, insufficient client due diligence, and failure to maintain proper records. None of these are difficult to get right. They just require attention and consistency — two things that slip when a firm is busy with client work and compliance feels like a box-ticking exercise.
If you haven't had an HMRC supervision visit yet, don't assume you're flying under the radar. The question isn't whether they'll check — it's when.
AML Risk Assessment Tool
Score client risk for anti-money laundering. Try it free — no sign-up required.
Use the AML Risk ScoreChanges to the Money Laundering Regulations
Alongside the supervision changes, the government is amending the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 — the MLRs. The updates aim to clarify existing requirements and sharpen the focus on high-risk activities.
The risk-based approach remains the foundation. You still need to know your client, assess the risk each relationship presents, and apply proportionate checks. But the amendments are tightening expectations around how you document that process and where you target enhanced due diligence.
If your firm-wide risk assessment hasn't been reviewed since 2024, it's overdue. The same goes for individual client risk assessments — particularly for clients in sectors that HMRC and the National Crime Agency flag as higher risk.
What you should do now
You don't need to overhaul everything overnight. But you do need to start moving.
1. Review your AML policy. Make sure it reflects the digital identity framework — specifically, that you can accept CDD from DIATF-certified providers. If your policy still references physical-document-only verification, update it.
2. Check your ACSP position. If your firm does any Companies House filing on behalf of clients, confirm whether you need to register as an Authorised Corporate Service Provider. The spring 2026 deadline is close.
3. Refresh your firm-wide risk assessment. The MLR amendments and the shift to FCA supervision both make this a good time to revisit your practice-wide AML risk assessment. Make sure it covers the sectors you work with, the types of services you provide, and the jurisdictions your clients operate in.
4. Audit your client files. Pick a sample of client files and check that your CDD records are complete and up to date. HMRC's enforcement data shows that sloppy record-keeping is one of the most common reasons for fines. This is low-hanging fruit.
5. Keep an eye on FCA communications. As the transition progresses, the FCA will publish guidance specific to accountancy firms. Sign up for their regulatory updates so you're not relying on secondhand summaries.
6. Talk to your team. Your staff need to understand these changes too. If your last AML training session was a recorded webinar from 2023, schedule a refresher. The regulatory environment has moved on.
The firms that treat AML compliance as something they actively manage — rather than a folder gathering dust — are the ones that won't get caught out. These changes are coming regardless. Better to be ahead of them than scrambling to catch up.