AML and GDPR changes: what small accountants and bookkeepers need to know
For many small accountancy and bookkeeping firms, compliance can feel like the uninvited guest at the party: always turning up, rarely bringing snacks, and somehow staying longer than expected.
But recent changes around anti-money laundering rules and data protection are worth paying attention to, because they affect the everyday stuff: onboarding clients, checking ID, keeping records, handling payroll data, and responding when someone asks, “What information do you hold about me?”
First up: AML is getting sharper
The UK’s anti-money laundering regime has recently been updated, with the Money Laundering and Terrorist Financing Amendment Regulations 2026 coming into effect on 30 June 2026. ICAEW says the package includes a number of targeted changes designed to strengthen the regime while reducing unnecessary compliance burdens.
As always, everything is about your assessment of risk. That means making sure your client onboarding process looks at every client individually and you have resisted the urge to operate a one-size-fits-all process. A local sole trader with straightforward books is not the same risk as a complex company structure with overseas ownership or unusual transactions.
HMRC’s AML supervision guidance for accountancy service providers was also updated in January 2026, and HMRC continues to publish guidance on registration, risk assessments, responsibilities, compliance checks, penalties and sanctions.
In plain English, this means small firms should be able to show:
- who the client is;
- who owns or controls the business;
- why the client is low, medium or high risk;
- what checks were carried out;
- when the file was last reviewed;
- what staff training has taken place;
- and what would happen if something suspicious cropped up.
The golden rule is simple: are you able to demonstrate the AML risk decisions that you have made.
Companies House changes matter too
The Companies House reforms under the Economic Crime and Corporate Transparency Act are also changing the landscape. Identity verification for company directors and people with significant control is a major part of those reforms, and ICAEW has warned that accountants acting in this space need to understand both the opportunity and the money laundering risks.
If you help clients with Companies House filings, company formations or confirmation statements, this is especially relevant. Some firms may register as Authorised Corporate Service Providers, while others may decide that is not a service they want to offer.
Either way, small practices should be clear with clients about what they do and do not handle. Do not let “Can you just sort Companies House for me?” turn into a vague, undocumented obligation.
Now GDPR: still here, slightly updated
GDPR has not disappeared. In the UK, we are mainly talking about the UK GDPR and the Data Protection Act 2018, now affected by the Data Use and Access Act 2025.
One practical change is the new requirement for organisations to have a data protection complaints process. The ICO has published guidance explaining what organisations need to do to meet that requirement. In essence, organisations need to have a written policy to deal with complaints about data and ensure that any complaint is acknowledged within 30 days.
For accountants and bookkeepers, this matters because you often hold a lot of sensitive everyday data: payroll records, addresses, dates of birth, bank details, tax references, payslips, pensions information, and sometimes health or family details linked to payroll, benefits or tax claims.
What should small firms do now?
A good starting point is a simple compliance refresh.
Review your AML policy, client risk assessment template, ID checking process and staff training records. Make sure client files include proper notes, not just a copy of a passport and a hopeful shrug.
Then review your GDPR basics: privacy notice, data retention policy, breach process, subject access request process, and client engagement letters. If you use cloud bookkeeping software, payroll platforms, e-signing tools or document portals, check who is processing what data and whether your terms are clear.
Also think about communication. Clients may need to understand why you are asking for ID, why Companies House checks are becoming stricter, and why you cannot casually send payroll reports to someone’s personal email just because “we’ve always done it that way”.
The bottom line
For small accountants and bookkeepers, the recent AML and GDPR changes are about being able to prove that you know your clients, protect their data, and see when something does not feel right.
A little housekeeping now can save a lot of pain later.
If you have any questions about these changes, please contact John.Grace@mogersdrewett.com
John Grace – Head of Risk & Compliance, Disputes & Compliance

