Back

How to Prepare for an HMRC AML Inspection

August 31, 2025

In this comprehensive guide, regulated UK businesses – including estate agents, solicitors, accountants, and independent financial advisers (IFAs) – will learn how to get ready for an HMRC anti-money laundering (AML) inspection. We explain what an HMRC AML inspection involves, why it occurs, common triggers that can lead to an inspection, what HMRC inspectors look for during a compliance check, and steps to ensure your firm is fully prepared. You’ll also discover a handy checklist for preparation, common mistakes to avoid, and how maintaining strong records and ongoing monitoring are critical. Finally, we highlight how AML Buddy helps firms stay inspection-ready with features like regulator-ready reports, automated tracking, and easy documentation retrieval.

Understanding HMRC AML Inspections

An HMRC AML inspection is a compliance audit conducted by His Majesty’s Revenue & Customs (HMRC) to ensure your business is following the UK’s anti-money laundering regulations. HMRC is the AML supervisory authority for several sectors – including estate agency businesses, accountancy service providers, trust or company service providers, high value dealers, art market participants, letting agents, and others. If your firm is registered with HMRC for AML supervision, you can be subject to an inspection. These inspections (also called compliance checks or audits) are designed to verify that you have appropriate systems and controls in place to prevent money laundering and terrorist financing.

During an AML inspection, an HMRC officer will typically review how your business implements key AML requirements. This can be done through an on-site visit at your office or sometimes through an off-site/desk-based review. The purpose is not only to check compliance but also to help ensure you understand your obligations. Inspections can occur periodically or at random, and an HMRC visit doesn’t automatically mean you’ve done something wrong – it’s often a routine part of risk-based supervision to protect against illicit finance. Nonetheless, it’s vital to be prepared at all times, because inspections may be announced on short notice or even conducted unannounced in some cases.

Common Triggers for HMRC AML Inspections

While some HMRC compliance checks are routine, there are common triggers that may lead HMRC to target a business for an AML inspection:

  • Risk Profile of the Business: Firms operating in sectors or areas that are considered higher risk for money laundering (such as property transactions, high-value trades, or dealing with high-risk customers) are more likely to be inspected. HMRC prioritizes businesses “at greatest risk,” so an estate agent handling high-value property deals or an art dealer dealing in expensive artworks might see more frequent checks.
  • Suspicious Activity or Intelligence: If HMRC receives information suggesting that your business might be exposed to or involved in money laundering, they will likely initiate an inspection. This could be triggered by anomalies or red flags – for example, if multiple suspicious activity reports (SARs) involve your firm or if another enforcement agency flags concerns. Significant discrepancies in records or any tip-offs about non-compliance can prompt a closer look.
  • Previous Non-Compliance or New Registration: If your firm has had compliance issues in the past (for instance, previous inspection findings that required follow-up, or a history of penalties), HMRC may revisit to ensure those issues are resolved. Similarly, newly registered businesses under the Money Laundering Regulations might get an early inspection to check they’ve set up proper AML processes from the start.
  • Random or Routine Checks: HMRC also conducts some inspections on a random or cyclical basis as part of their supervisory regime. Even if you have a clean record, you could be chosen simply because it’s been some time since your last audit or as part of a spot-check program. Every regulated business should assume they could be inspected at any time, and prepare accordingly.

Being aware of these triggers helps underline why continuous compliance is important. Rather than waiting for a trigger, it’s best practice to always maintain an “inspection-ready” stance.

What HMRC Inspectors Look For

When an HMRC officer inspects your business for AML compliance, they will examine all aspects of your anti-money laundering program. Key areas of focus include:

  • AML Policies, Procedures and Controls: Inspectors will review your written AML policies, controls, and procedures (often abbreviated as PCPs). They want to see that you have a robust AML policy manual tailored to your business’s risk profile – not just a generic template. The officer will check that your procedures align with current regulations and that they effectively address the risks identified in your risk assessment. They may ask you to explain how these policies and controls work in practice to gauge your understanding and implementation.
  • Risk Assessments: HMRC will expect to see a documented business-wide risk assessment for money laundering and terrorist financing. This risk assessment should identify the specific risks your firm faces (based on your clients, services, geographies, etc.) and rate them appropriately. Inspectors look for evidence that the risk assessment is up-to-date and that its findings directly inform your AML policies. If you have client risk assessments (individual customer risk profiles), they may sample those as well to ensure you’re assigning proper risk levels and applying commensurate due diligence.
  • Customer Due Diligence (CDD) Records: A core part of any AML inspection is checking your client due diligence records. The HMRC officer will likely examine a selection of customer files to verify you have collected the required identification documents and information (e.g. passports or company records, proof of address, information on beneficial owners). They will check that you performed appropriate checks at onboarding (such as ID verification, sanctions and PEP screening, understanding the nature of the client’s business and source of funds for higher-risk clients). If any simplified or enhanced due diligence was applicable, they will want to see you applied it correctly and documented the reasons. Essentially, every client file should demonstrate that you “know your customer” and have assessed their risk.
  • Ongoing Monitoring and Record-Keeping: Beyond initial CDD, HMRC inspectors will look at how you monitor your business relationships on an ongoing basis. They may ask how you keep customer information up to date, whether you conduct periodic reviews of high-risk clients, and how you monitor transactions for suspicious activity. They will expect to see records of any ongoing monitoring actions – for instance, notes of annual reviews for a high-risk client, updates to client risk ratings, or logs from automated transaction monitoring systems if applicable. Strong record-keeping is crucial; inspectors often say “if it’s not written down, it didn’t happen.” They will want to see audit trails for the AML activities you’ve undertaken.
  • Training and Awareness: HMRC will check that you have provided regular AML training to all relevant staff (including senior management, front-line employees, and anyone involved in compliance). Training records should be available, showing who was trained, on what topics, and when. Inspectors might even speak to staff or managers during a visit to gauge their knowledge. For example, they may ask employees if they know who the nominated officer (Money Laundering Reporting Officer) is, or how to report an internal suspicion. Your team should be able to demonstrate awareness of the firm’s AML procedures and their personal obligations. Lack of appropriate employee training is a commonly cited weakness in AML compliance, so be sure your training program is solid and documented.
  • Suspicious Activity Reporting: Expect the inspection to cover how you handle suspicious activity reports (SARs). The officer may review your internal SAR log or records of any external reports to the National Crime Agency. They will want to see that staff know how to escalate suspicions to the MLRO, that each suspicion is evaluated, and that decisions (whether to file a SAR or not) are properly documented. If you have filed SARs, HMRC might discuss the quality of those reports or any follow-up. Having a clear internal reporting procedure and evidence of its use is critical.
  • Compliance Governance: Inspectors will consider the overall governance of AML in your business. This includes whether you have appointed the required compliance officers – such as a Money Laundering Reporting Officer (MLRO) and possibly a compliance manager or Money Laundering Compliance Officer (MLCO) at a senior level. They may ask to see the job description or delegated responsibilities for these roles. Essentially, HMRC wants to confirm that responsibility for AML is taken seriously at the top and that those individuals have sufficient authority and knowledge to be effective.

In summary, HMRC inspectors are looking for a well-rounded AML program: one that is documented, actively followed, and up-to-date. They will examine your paperwork and your practice – from risk assessment and policy documents to actual client files and staff interviews. Knowing ahead of time what they’ll focus on allows you to prepare those areas diligently.

How to Prepare for an HMRC AML Inspection (Checklist)

Preparation is key to a successful AML inspection. Regulated firms should take a proactive approach to compliance, rather than scrambling when an audit is announced. Below is a checklist of steps and best practices to ensure you’re always inspection-ready:

  1. Maintain an Updated Risk Assessment: Regularly review and update your business’s AML risk assessment. Make sure it identifies all relevant risks (client types, services, delivery channels, geographic factors, etc.) and that you have documentation of annual (or more frequent) reviews. Be prepared to show why you rated certain risks as high or low and how you address those risks.
  2. Keep AML Policies and Procedures Current: Have a comprehensive, written AML policy document that is tailored to your operations. Review your policies and procedures at least annually (and whenever regulations change) to keep them current. Ensure they cover customer due diligence, record-keeping, reporting suspicious activity, staff training, and internal controls. It should be clear that your procedures are informed by your risk assessment. Print out or have available the latest version of your AML policies for an inspector to review.
  3. Organize Customer Due Diligence Files: Go through your client files and make sure all required CDD information is present and well-organized. Each file for an active client should have identification documents, verification steps recorded, risk assessment for that client, and any additional due diligence (like source of funds checks for high-risk cases). If some files are missing pieces, resolve it now – HMRC will likely spot gaps if they choose that file. Having a standardized checklist for each new client file can help ensure consistency. Also, ensure that old client records (within the mandatory retention period, typically five years from end of relationship) are archived but accessible if requested.
  4. Ensure Robust Ongoing Monitoring: Implement a process for ongoing monitoring of business relationships. This may include periodic client reviews (especially for higher-risk clients), transaction monitoring triggers, and regular screening of clients against sanctions or politically exposed persons (PEP) lists. Document these monitoring efforts – for example, maintain logs of when you perform monthly or quarterly checks, and note any actions taken (like updating client information or asking for additional details on a transaction). During an inspection, being able to show a history of monitoring and follow-up demonstrates that your AML compliance is active, not just a one-time event.
  5. Document Everything (Audit Trail): As a rule, keep a record of every significant AML-related action or decision. Have an internal log or file for compliance matters. Document internal discussions or decisions on borderline cases (e.g., why you considered a certain client low risk, or why a transaction was deemed suspicious or not). If you perform internal audits or compliance reviews, keep the reports and evidence of remedial actions. Remember, if you don’t have records to show an inspector, in their eyes it didn’t happen. A well-documented audit trail is your best defense in proving you’ve done the right things.
  6. Train Staff and Refresh Knowledge: Conduct AML training for all staff at least annually and keep clear records of the training sessions (date, content, attendees). Ensure new hires receive prompt training as part of onboarding. It’s also wise to do periodic refreshers or circulate updates whenever regulations change or new risks emerge. Consider short quizzes or attestations to confirm understanding. Come inspection time, not only can you show certificates or logs of training completed, but your team will be more likely to answer the inspector’s questions confidently and correctly.
  7. Perform Mock Inspections or Audits: Periodically self-audit your AML compliance or engage a third-party consultant to conduct a mock inspection. This can help identify weaknesses before HMRC does. Review your procedures against regulatory checklists, sample some client files for completeness, and interview a couple of staff members as if you were the regulator. Fix any gaps you discover – whether it’s updating a policy, retraining staff, or tightening record-keeping. Being proactive in this way can significantly improve your readiness and reduce anxiety when the real inspection occurs.
  8. Check Your HMRC Registration and Fees: This is basic but essential – ensure your business is properly registered with HMRC for AML supervision (if required for your sector) and that your registration details are up to date. Pay any annual renewal fees on time. Firms have been fined for failing to register or renew, which is an easily avoidable mistake. Also, confirm that any beneficial owners, directors, or senior managers have passed the required fit and proper test or HMRC approval if that’s mandatory for your line of work (e.g., estate agency business, money service business, etc.). HMRC will check these during an inspection.
  9. Prepare Key Documents in Advance: Before an inspection (whether you get notice or not), have a folder – physical or digital – of all crucial AML documents ready for quick access. This should include your latest risk assessment, AML policy/procedures manual, training log, list of your current high-risk clients, SARs register, and a couple of complete client files (preferably high-risk ones) that you can hand over as examples. Being able to promptly produce any requested documentation makes the inspection go smoother and shows you’re organized.
  10. Ensure Management Engagement: Finally, foster a culture of compliance from the top down. Senior management should be briefed regularly on AML matters and involved in approving the risk assessment and policies. If a director or partner is the appointed compliance officer or MLRO, they should actively oversee the program. HMRC inspectors often ask to speak with the business owner or a senior manager to assess their commitment and understanding. Make sure your leadership can confidently articulate the firm’s AML approach and doesn’t give the impression that compliance is just a box-ticking exercise.

By following this checklist, your firm will be in a strong position when an HMRC AML inspection occurs. You’ll be able to demonstrate that you not only have the required paperwork, but that you are genuinely implementing an effective anti-money laundering system.

Common AML Compliance Pitfalls to Avoid

Even well-intentioned businesses can fall foul of compliance requirements. Here are some common mistakes and areas of non-compliance that HMRC often uncovers during AML inspections:

  • Inadequate or Generic Policies: Relying on off-the-shelf AML policy templates without tailoring them to your business can be a mistake. HMRC expects your policies and procedures to reflect your specific risk profile. A one-size-fits-all policy might leave dangerous gaps. Avoid the pitfall of having a “paper program” that looks good but isn’t followed – ensure your policies are both comprehensive and actively implemented.
  • Outdated Risk Assessment: Treating the risk assessment as a one-time exercise is a common error. Some businesses either never update their initial risk assessment or fail to account for changes (like new services offered or evolving criminal techniques). An outdated risk assessment can lead to blind spots in your controls. Avoid this by reviewing it at least annually or whenever major changes occur in your business.
  • Poor Customer Due Diligence Practices: HMRC frequently finds that firms have not collected all the required CDD information or haven’t verified documents properly. Skipping steps to onboard a client faster, or not identifying the ultimate beneficial owner of a company client, are serious lapses. Another mistake is not applying enhanced due diligence for higher-risk situations (for instance, not digging deeper into a politically exposed person’s source of wealth). To stay compliant, follow the CDD requirements diligently for every client and escalate to enhanced checks when needed.
  • Lack of Ongoing Monitoring: Some businesses perform checks at client onboarding but then adopt a “set and forget” approach. This is a big risk. Without ongoing monitoring, you may miss changes in a client’s risk level or suspicious patterns that develop over time. For example, an initially low-risk client might start doing larger, more complex transactions that warrant a re-evaluation. Failing to monitor and update client information can be seen as non-compliance. Always keep the relationship under review and refresh documents or risk ratings periodically.
  • Insufficient Staff Training: A common area of non-compliance is inadequate training or lack of staff awareness. If employees don’t know what the AML rules are or how to apply them, even the best-written policy will fail. HMRC has encountered firms where front-line staff couldn’t explain how they would spot or report suspicious activity. Avoid this by ensuring everyone gets quality training and actually understands it – test their knowledge if you have to. Training is not just a checkbox; it’s crucial for creating a compliance culture.
  • Poor Record-Keeping: In the rush of daily business, documentation can fall through the cracks. But as emphasized, if you don’t have records, regulators assume it didn’t happen. Common record-keeping failures include missing copies of ID documents, lack of evidence of address verification, no logs of training, or no record of why a decision to not file a SAR was made. These omissions can lead to penalties. The solution is to implement a disciplined record-keeping system (even a simple checklist or software solution) and conduct periodic file audits to ensure nothing is missing.
  • No Internal Reporting Culture: Sometimes employees might notice red flags but fail to speak up because there’s no clear internal process or they fear repercussions. This is a compliance and business risk. Ensure you have a defined internal SAR process and that staff are encouraged to use it when needed. It should be made clear that reporting suspicions is not only safe to do but expected as part of their duty.
  • Complacency and Lack of Review: Finally, one of the biggest pitfalls is complacency – assuming “we’ve never had an issue, so we must be fine.” Regulations and criminal methodologies evolve constantly. Firms that don’t periodically review and improve their AML controls often find themselves lagging behind what’s required. Don’t wait for HMRC to point out a flaw that you could have caught yourself. Regular compliance health checks go a long way in avoiding nasty surprises.

By being aware of these common mistakes, you can take steps to avoid them. Proactively addressing these areas will not only help you pass an HMRC inspection but also strengthen your overall anti-financial crime defenses.

The Importance of Record-Keeping and Ongoing Monitoring

Throughout the points above, record-keeping and ongoing monitoring have come up repeatedly – and for good reason. These are the lifeblood of effective AML compliance and are especially scrutinized during inspections.

Record-Keeping: Good record-keeping means maintaining a detailed documentary trail of everything related to your AML compliance. This includes client identity documents, risk assessment documents, reports of suspicious activity (even those that didn’t result in an external SAR), training logs, communications with regulators, and so on. The reason this is so critical is twofold: First, it allows your business to operate more safely by having the information you need to make informed decisions (e.g., knowing a client’s risk level or that a certain transaction was cleared by compliance). Second, it provides evidence to regulators that you are doing what you claim to be doing. In an HMRC inspection, being able to quickly pull out a file and show “here’s the ID, here’s the risk rating, here’s the due diligence we did, and here are the notes from our last review” can turn a potentially contentious audit into a smooth one. It demonstrates professionalism and transparency.

Practical tips for record-keeping include using digital tools or compliance software to store and organize files, setting reminders for document updates or deletions when retention periods expire, and encrypting/storing records securely to prevent loss or tampering. Also, ensure that if key documents are updated, you maintain version control (for example, keep a dated copy of each year’s risk assessment or policy manual). That way, if an inspector wants to see historical compliance efforts, you have those records too.

Ongoing Monitoring: Money laundering risks don’t stop after you onboard a client – they evolve. Ongoing monitoring is how you catch things that initial due diligence might not cover. This could be as simple as staying alert to unusual transactions or as structured as using software to automatically flag transactions above certain thresholds or linked to high-risk countries. It also involves periodically refreshing customer due diligence – for high-risk customers, maybe once a year you request updated information or re-verify their identity and check for any new adverse media or sanctions hits. Medium or low-risk clients might be reviewed every few years. The key is that you have a schedule and process for this monitoring.

During an inspection, HMRC might ask: “How would you know if one of your clients was sanctioned or if their risk level changed?” Your answer should be that you have a process in place – whether it’s automated screening alerts, regular client outreach, or transaction review. And you should have logs to back it up (e.g., “Here we noted on X date that we reviewed Client Y’s activity and everything was consistent with their profile”). Ongoing monitoring also ties into the obligation to file SARs; if you are actively monitoring, you’re more likely to catch suspicious activity and report it promptly as required.

In summary, thorough record-keeping and continuous monitoring are what keep your AML program alive and effective. They ensure that compliance is not just a one-time checklist but an ongoing process. Businesses that excel in these areas find inspections far less daunting because every answer the inspector needs is readily available in the records.

Staying Inspection-Ready with AML Buddy

While achieving all of the above may sound daunting, leveraging the right tools can make AML compliance much more manageable. AML Buddy is an example of a smart compliance solution that helps UK businesses stay inspection-ready effortlessly. Here’s how AML Buddy can support your firm in meeting HMRC’s expectations:

  • Regulator-Ready Reports: AML Buddy can generate comprehensive reports that compile your AML data in a format regulators expect. With a few clicks, you can produce up-to-date reports on your risk assessments, customer due diligence status, training logs, and more. These regulator-ready reports save time when preparing for an HMRC visit – instead of scrambling to gather information from various files, you’ll have a consolidated report ready to present. The reports are designed to highlight key compliance information, making it easier to demonstrate your controls to inspectors.
  • Automated Tracking and Reminders: One of the challenges in AML compliance is keeping track of all the moving parts – client review dates, training deadlines, policy updates, etc. AML Buddy includes automated tracking features that monitor these tasks for you. It will send reminders or alerts when a client’s due diligence review is due, or when it’s time for the annual risk assessment update, for example. This automated tracking ensures nothing slips through the cracks, so you’re less likely to inadvertently fall out of compliance. By continuously tracking compliance obligations in the background, AML Buddy helps your team stay on top of AML duties year-round, not just right before an inspection.
  • Easy Documentation Retrieval: When HMRC asks for a specific document or record, speed and organization are crucial. AML Buddy provides a centralized repository for all your AML documentation – from scanned IDs and verification documents to policy manuals and training certificates. Everything is stored securely in one platform with robust search functionality. This means during an audit you can quickly retrieve exactly what the inspector requests. Need to show the training record for a particular employee or the risk rating for Client X? With AML Buddy’s documentation management, it’s at your fingertips. This easy retrieval of documentation not only saves time but also impresses regulators with your firm’s organization.
  • Centralized Audit Trail: The platform logs compliance actions taken, creating an automatic audit trail. Every time a staff member completes a task (like performing a sanction check, updating a risk score, or adding a new policy document), AML Buddy records it. This central audit log means you can evidence your ongoing compliance activities without having to manually compile logs. It complements your record-keeping by ensuring nothing is overlooked.
  • Peace of Mind and Efficiency: By using a solution like AML Buddy, firms can drastically reduce the manual burden of AML compliance. This frees up your team’s time to focus on serving clients and growing the business, rather than constantly worrying about missing a compliance step. More importantly, it gives you peace of mind that if HMRC knocks on the door, you have a systematically maintained compliance program. The confidence of being prepared is invaluable, and AML Buddy helps instill that by keeping you inspection-ready at all times.

Incorporating technology like AML Buddy into your compliance processes turns what could be an overwhelming checklist into a streamlined workflow. It’s like having a digital assistant that continuously monitors your AML compliance status, so there are no unpleasant surprises when an inspection happens.

Conclusion

Preparing for an HMRC AML inspection might seem challenging, but with the right approach it becomes part of your business’s regular compliance routine. By understanding why inspections happen and what HMRC inspectors expect to see, you can align your policies and practices to meet those standards every day – not just when an audit is imminent. Key takeaways include keeping thorough documentation, performing regular risk assessments and reviews, training your staff, and being proactive about fixing any weaknesses in your AML controls.

For UK businesses like estate agents, solicitors, accountants, and IFAs, the stakes are high – non-compliance can lead to hefty fines or even criminal penalties, not to mention reputational damage. On the flip side, a well-managed AML program not only helps you pass inspections but also protects your business from being misused by criminals.

By following the preparation checklist and avoiding common pitfalls outlined above, you’ll put your company in the best possible position for any future HMRC AML inspection. And by leveraging helpful tools such as AML Buddy to organize and automate your compliance efforts, you can stay one step ahead. In the ever-evolving landscape of financial crime regulation, a proactive and organized stance is your best defense – and it will make that call or visit from HMRC just another routine checkpoint that your business is ready to ace.

Table of Contents

Example H2
Example H3
Example H4
Example H5
Example H6

Popular post

What Are PEPs, Sanctions, and Adverse Media?

Learn the definitions of PEPs, sanctions, and adverse media, why they matter under UK anti-money laundering laws, and how to manage these high-risk factors with enhanced due diligence and automated screening tools like AML Buddy.

Understanding Customer Due Diligence (CDD)

Learn what Customer Due Diligence (CDD) means under UK AML rules — standard vs enhanced checks, best practices, and how AML Buddy automates compliance.