Customer Due Diligence for Property: A 2026 UK Guide

In July 2025 the Solicitors Disciplinary Tribunal struck a Hampshire conveyancer off the Roll after he failed to carry out customer due diligence on 63 conveyancing clients handling £8.8 million of property transactions over a 21-month period. The Tribunal also recorded a dishonesty finding on his 2019 firm declaration. No firm-wide risk assessment, no client risk assessments, no source of funds checks. Six years of sole practice with no functioning CDD system.

Customer due diligence is the regulated process of identifying a client, verifying that identity from a reliable independent source, and assessing the money laundering risk attached to the business relationship. Under Regulation 27 of the Money Laundering Regulations 2017, every regulated UK property professional must carry it out before establishing a business relationship or completing a transaction.

The enforcement context in 2026 has changed. HMRC fined 170 estate agency businesses £835,842 in February 2026 alone, with a new £2,000 sanction administration charge attached to every civil penalty issued from 1 December 2025. The SRA, in its 2024-25 AML Annual Report, assessed 32.4% of law firms reviewed as non-compliant and issued fines totalling £1.5 million across 86 cases. This guide covers what CDD actually requires under UK law, where most firms fail, and how to build a process that survives an HMRC or SRA file review.

What is customer due diligence?

Customer due diligence (CDD) is the structured process by which a regulated firm identifies a client, verifies that identity from a reliable independent source, identifies any beneficial owner, understands the purpose and intended nature of the relationship, and continues to monitor it throughout the engagement. The framework sits under Part 3 of MLR 2017 and is the gateway control through which all other AML obligations flow.

CDD is wider than Know Your Customer (KYC). KYC is the identity step inside CDD: name, date of birth, address, government-issued document. CDD takes that identity step and adds beneficial ownership verification, source of funds enquiry, risk rating of the relationship, and ongoing transaction monitoring. For UK property professionals, KYC alone is never enough. Veyco's Smart Harbour identity check handles the full CDD chain in a single workflow, with the underlying biometric verification provided by Onfido and records retained for the statutory five-year period.

The three CDD measures recognised by MLR 2017 are Simplified Due Diligence (SDD) for assessed low-risk relationships, Standard CDD for medium-risk, and Enhanced Due Diligence (EDD) for high-risk cases including politically exposed persons, clients in high-risk third countries listed by the Financial Action Task Force, and transactions that are unusually complex or unusually large.

Legal requirements for CDD in the UK

The statutory foundation is MLR 2017, Statutory Instrument 692. Regulation 27 sets out when CDD must be applied; Regulation 28 specifies what the firm must actually do. Regulation 33 governs enhanced due diligence and Regulation 35 covers politically exposed persons. Regulation 75 makes trading as an estate agency business without HMRC registration a criminal offence carrying up to two years' imprisonment and an unlimited fine, and Regulation 76 gives supervisors the civil financial penalty power.

POCA 2002 sits behind MLR 2017. Sections 327 to 329 create the principal money laundering offences. Section 330 makes it a criminal offence for a regulated-sector employee to fail to disclose suspicion of money laundering, carrying up to five years' imprisonment. Section 335 governs the Defence Against Money Laundering (DAML) regime that conveyancers rely on when they need NCA consent to proceed with a suspect transaction.

Supervision is split by profession. HMRC supervises estate agency businesses, letting agency businesses where monthly rent reaches or exceeds the threshold, accountancy service providers, and trust or company service providers without alternative supervision. The SRA supervises solicitors and law firms in England and Wales. The Council for Licensed Conveyancers supervises licensed conveyancing practices. The FCA regulates financial-services firms.

The current sectoral guidance for solicitors is the LSAG AML Guidance, HM Treasury-approved on 23 April 2025. Two changes matter most for property work. The previous either/or option for verifying natural persons was removed, so firms must now obtain documents verifying name, address, and date of birth. The ultimate beneficial ownership threshold was clarified to "more than 25 per cent" rather than "25 per cent or more". For third-party contributors to a property purchase, firms must now obtain evidence of the third party's own underlying source of funds, not just confirmation that the gift is genuine.

Penalties for CDD failures

Individual HMRC penalties on estate agents in 2024-25 ranged from £1,250 at the bottom to £215,000 at the top, with the calculation set out in Handbook ECSH82791. SRA fines are now typically calculated as a fixed percentage of firm turnover, in the 1.6 to 2 per cent band. The Mishcon de Reya £232,500 fine for record-keeping failures on three property files and the £172,934 Taylor Vinters fine for treating a PEP as a standard client for two months after completion both sit inside this percentage-of-turnover formula. Individuals also face strike-off, suspension, personal liability under Regulation 78 of MLR 2017, and disqualification.

The three levels of customer due diligence

MLR 2017 graduates CDD by risk. The firm's own documented risk assessment decides which level applies to which client.

Simplified due diligence

Simplified due diligence is permitted under Regulation 37 only where the firm's risk assessment positively concludes the relationship presents a low risk of money laundering or terrorist financing. The firm must still identify the client and conduct ongoing monitoring. What changes is the timing and intensity of verification. Eligible categories include UK and EEA-listed companies subject to disclosure obligations, UK public authorities, and clients with a residence in a low-risk jurisdiction. SDD is not "no CDD" and SRA file reviews regularly find firms misapplying it.

Standard CDD

Standard CDD is the default measure under Regulation 28. The firm must identify the client, verify that identity from an independent source, identify any beneficial owner of a corporate client and take reasonable measures to verify them, and understand the purpose and intended nature of the business relationship. Ongoing monitoring under Regulation 28(11) runs continuously through the relationship.

Enhanced due diligence

Enhanced due diligence under Regulation 33 applies whenever risk is heightened. Mandatory triggers include any business relationship or transaction involving a high-risk third country named in HM Treasury guidance, any politically exposed person, any complex or unusually large transaction or unusual pattern with no apparent economic or lawful purpose, and any case where the firm's own risk assessment identifies heightened risk. EDD layers on senior management approval, source of funds and source of wealth checks, and intensified ongoing monitoring. The draft Money Laundering and Terrorist Financing (Amendment) Regulations 2026 narrow the EDD trigger to transactions that are "unusually complex or unusually large" relative to sector norms, expected in force June or July 2026.

The CDD process: step by step

Regulation 28 sequences four obligations. Property professionals execute them in this order.

Step 1: identify the client

Collect full legal name, date of birth, current residential address, and the nature and purpose of the relationship. For a corporate client, collect the registered name, company number, registered office, and the names of the directors and beneficial owners. Under the LSAG April 2025 update, the name plus address plus date of birth combination is now mandatory for natural persons.

Step 2: verify identity from a reliable, independent source

A photocopy of a passport is not verification. Verification means confirming that the document is genuine, current, and belongs to the person presenting it. Acceptable evidence routes include a government-backed digital identity provider certified under the UK Digital Identity and Attributes Trust Framework, an in-person check of physical documents against an independent source, or a biometric remote verification process matching a photographic document to a live selfie. Veyco's identity check workflow performs document authenticity, biometric face-match, and liveness detection in a single flow.

Step 3: identify and verify the beneficial owner

For a UK company client, identify any natural person who ultimately owns or controls more than 25 per cent of the shares or voting rights, or who exercises control over management. The Companies House register became the authoritative source for this from 18 November 2025, when identity verification for directors, PSCs, and authorised filers became a legal requirement. Firms can rely on Companies House status as part of their verification but cannot rely on it blindly: the regulatory burden remains with the firm.

Step 4: assess and document risk

Risk-rate the relationship and the matter. Document the rationale, not just the outcome. The single most cited finding in SRA file reviews is that 16 per cent of files reviewed in 2024-25 had no client and matter risk assessment at all, and a further 39 per cent did not effectively evaluate the money laundering risk. A risk decision with no documented reasoning is treated by inspectors as no risk decision.

Step 5: monitor and refresh

Regulation 28(11) requires ongoing monitoring of transactions throughout the relationship. Refresh CDD records when a material change occurs: change of beneficial ownership, change of address, change in transaction pattern, change in risk rating, or change in PEP status. Retain CDD records for five years after the relationship ends.

Who must carry out CDD in UK property

The regulated property cohort is broader than most practitioners assume.

Estate agency businesses across England, Wales, Scotland, and Northern Ireland are supervised by HMRC and must apply CDD on both buyer and seller for residential and commercial property sales. Letting agency businesses must apply CDD where the monthly rent equals or exceeds the EUR 10,000 threshold, and from 14 May 2025 all letting agents regardless of rent level are "relevant firms" under the OFSI financial sanctions regime and must screen every client.

Solicitors and licensed conveyancers in England and Wales sit under the SRA or CLC respectively and follow LSAG guidance. Conveyancers in Scotland are supervised by the Law Society of Scotland. Solicitors in Northern Ireland are supervised by the Law Society of Northern Ireland. The CDD framework is identical across the four nations, though the supervisory body and the disciplinary tribunal change.

Property developers and builders fall inside the regulated sector when they act as estate agents on their own developments. High-value dealers, art market participants, and accountancy service providers handling property transactions are independently supervised. HMRC's recent crackdown on unregistered trading led to its first criminal prosecution of an unregistered estate agent in 2024, with the individual receiving 120 hours of community service and a two-year ban.

The Treasury has explicitly acknowledged that ambiguity over scope has led many agents to run CDD on every landlord and tenant when this is not legally required. HMRC has been tasked with updating sector guidance during 2026 to clarify the actual trigger points.

Common challenges with CDD for UK property professionals

This is where the 2024-25 enforcement data points. The challenges below are not theoretical: each is named in a published SRA or HMRC finding.

Documents collected but not analysed

The SRA's 2025 thematic review of source of funds and source of wealth compliance found that of 5,873 files reviewed during 2024-25, 11 per cent contained no source of funds check at all and a further 18 per cent showed inadequate scrutiny of the information provided. Inspectors describe a recurring pattern: bank statements obtained, never read against the transaction, never reconciled against funds actually arriving in client account. CDD is treated as a filing exercise instead of an analytical one.

Late-stage source of funds requests collapse chains

The most damaging pattern is the source-of-funds request made a week before exchange after two months of inaction. The chain collapses, the firm absorbs the cost, and the client leaves a one-star review naming the firm. The Law Society's practice advice on AML in the property market addresses the inverse pattern that is now routine: a cash buyer in the chain refuses to disclose source of funds, and the firm has to decide mid-transaction whether to continue acting. Guidance is to carry out CDD on that buyer even though they are not your client, because the alternative is exposure to criminal property risk under POCA.

Beneficial ownership tracing on corporate buyers

The 25 per cent threshold sounds simple. In practice, layered corporate structures with overseas trusts, nominee shareholders, and discretionary trust arrangements push the trace through three or four jurisdictions before a beneficial owner is identifiable. Companies House identity verification, mandatory from 18 November 2025, addresses domestic UK companies but does not cover overseas entities buying UK property.

PEP screening blind spot for estate agents

HMRC penalty narratives consistently cite "failures to recognise specific risks such as politically exposed persons, high-risk jurisdictions, companies, trusts, and sanctions." The pattern is that estate agents invest in identity verification but underinvest in screening layers. The Taylor Vinters £172,934 fine shows the same blind spot in a law firm: a non-domestic PEP was treated as a standard client for two months after completion because no automated PEP screen ran at onboarding.

MLRO capacity in small firms

In firms below 20 fee-earners the MLRO is typically also a fee-earning partner. Risk assessments slip. SARs go in late. CDD files lack matter-level risk assessment because the person responsible spent the morning on a transfer of equity. This is the structural reason the SRA finds smaller firms disproportionately non-compliant.

Best practices for effective CDD in UK property transactions

The pattern below is what HMRC supervision teams and SRA inspectors look for during a file review. Each item is operational, not aspirational.

Begin CDD before instruction, not before exchange

MLR 2017 requires CDD before the firm establishes a business relationship. For solicitors that means at the instruction stage, not after the offer is agreed. For estate agents it means on the seller at point of listing and on the buyer at the point of offer acceptance. Starting CDD at exchange is the most common cause of late-stage chain collapse.

Document the rationale, not just the outcome

Inspectors do not just want evidence that a check was run. They want the documented reasoning that led the firm to assign a particular risk level, the information that supported the decision, and the response to any heightened risk indicators. A risk score of "medium" with no narrative is treated as no risk assessment.

Screen for PEPs and sanctions on every relationship, then monitor continuously

A client may not be a PEP at onboarding but acquire that status mid-transaction. Ongoing monitoring obligations require that the firm's process catches status changes, not just first-contact risks. Adverse media screening sits alongside PEP and sanctions screening as part of the same monitoring layer.

Run source of funds and source of wealth as separate analytical exercises

Source of funds is the immediate origin of the money used in the specific transaction. Source of wealth is the wider pattern of accumulation that explains how the client came to have it. The SRA grades firms separately on each. The LSAG 2025 update also requires evidence of the third party's own source of funds where someone other than the buyer is contributing to the purchase.

Use the Land Registry counter-fraud restrictions where appropriate

Form LL restrictions require a solicitor or conveyancer to certify the identity of the person signing transfer documents against the registered proprietor. This is the operational defence against seller-impersonation fraud and is particularly relevant where the owner is overseas, the property is unoccupied, or there is no mortgage. In 2024-25 HM Land Registry prevented fraudulent applications worth £59 million across 86 cases, and paid £398,964 across four indemnity claims where prevention failed.

Centralise records in one auditable system

Scattered records across email, shared drives, and three separate verification platforms are the single most common cause of MLR Regulation 40 record-keeping breaches. The Mishcon de Reya £232,500 fine was issued after the firm could not produce copies of checks made on three property files. A single auditable record per client, retained for five years after the relationship ends, simplifies both compliance and any subsequent supervisory request.

A faster approach to CDD

For most UK property professionals, the structural problem is fragmentation. Identity verification runs in one platform, AML and PEP screening in another, source of funds documentation lives in email, and the audit trail has to be reassembled by hand when HMRC or the SRA asks for the file. This is the friction that drives the late-stage source of funds requests that collapse chains.

Veyco's Smart Harbour runs identity verification, AML screening, PEP and sanctions screening, and source of funds in a single workflow, with biometric verification powered by Onfido. Most standard CDD checks complete in under 10 minutes. Enhanced due diligence cases involving PEPs, complex corporate structures, or overseas buyers take longer because the regulations require deeper investigation, and Veyco surfaces that escalation rather than hiding it. The output is a structured risk report with audit-ready records retained for the statutory five-year period.

The platform is UK-based, GDPR-compliant, and used by conveyancing firms and estate agents across England, Wales, Scotland, and Northern Ireland. Speak to Veyco's compliance team to see the workflow against a transaction profile your firm is currently running.

Frequently asked questions about customer due diligence

What is customer due diligence?

Customer due diligence (CDD) is the regulated process of identifying a client, verifying their identity from a reliable independent source, understanding the purpose of the business relationship, and assessing the money laundering risk they pose. In the UK, CDD is mandated by Regulation 27 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. For estate agents, conveyancers, and letting agents handling property transactions, CDD must be carried out on both buyer and seller before the transaction completes, and is supervised by HMRC, the SRA, or the Council for Licensed Conveyancers depending on profession.

When is customer due diligence required under MLR 2017?

CDD is required whenever a regulated firm establishes a new business relationship, carries out an occasional transaction of EUR 15,000 or more, suspects money laundering or terrorist financing, or doubts the veracity of previously obtained identity documents. UK estate agency businesses must apply CDD on both buyer and seller before a property transaction completes. Letting agents must apply CDD where monthly rent reaches or exceeds EUR 10,000, and from 14 May 2025 must screen every client against the UK sanctions list regardless of rent level. CDD must also be applied when circumstances change in an existing relationship.

What is the difference between CDD and KYC?

Know Your Customer (KYC) is the identity verification step inside the wider Customer Due Diligence (CDD) process. KYC confirms who the client is by collecting name, date of birth, address, and a government-issued document. CDD includes that identity check, then adds beneficial ownership verification, source of funds enquiry, risk assessment of the relationship, and ongoing transaction monitoring throughout the engagement. For UK property professionals supervised under MLR 2017, KYC alone is not sufficient. The full CDD framework must be applied, including ongoing monitoring and record-keeping for at least five years after the relationship ends.

What are the three levels of customer due diligence?

MLR 2017 sets three levels of CDD based on risk. Simplified Due Diligence (SDD) applies where the firm's documented risk assessment confirms low risk, such as listed companies or UK public authorities, and is governed by Regulation 37. Standard CDD is the default measure for medium-risk clients and requires identity verification, beneficial ownership checks, and ongoing monitoring under Regulation 28. Enhanced Due Diligence (EDD) applies to high-risk cases including politically exposed persons, clients from high-risk third countries, and any transaction with unusual or complex features under Regulation 33. EDD adds source of funds verification, senior management approval, and intensified ongoing monitoring.

How do you carry out customer due diligence?

Carrying out CDD involves four sequential steps under Regulation 28. First, identify the client by collecting full name, date of birth, and residential address, plus beneficial ownership details for corporate clients, then verify that identity using independent documents such as a passport or photo driving licence supported by an address-verification document. Third, assess the purpose and intended nature of the business relationship and rate the money laundering risk. Fourth, conduct ongoing monitoring and refresh CDD records when circumstances change, and for UK estate agents also verify source of funds for property buyers before completion.

What documents are needed for customer due diligence?

Standard CDD typically requires one government-issued photographic identity document and one address verification document. Accepted photographic identity includes a current passport, UK photo driving licence, or national identity card. Accepted address evidence includes a utility bill, bank or building society statement, council tax bill, or HMRC correspondence dated within the last three months. For corporate property clients, firms must also obtain the Companies House registration number, registered office address, certificate of incorporation, and identification documents for each beneficial owner holding more than 25 per cent. Source of funds evidence such as bank statements, payslips, or sale-proceeds confirmation is required for property buyers under HMRC and LSAG guidance.

How often should customer due diligence be reviewed?

CDD should be reviewed on a risk-based schedule set by the firm's documented AML policy. Industry guidance suggests refreshing simplified due diligence files every three to five years, standard CDD files annually, and enhanced due diligence files at least every six months. Regulation 28(11) of MLR 2017 also requires an immediate review whenever there is a material change in the client's circumstances, ownership, transaction pattern, or risk rating. UK estate agents and letting agents must keep CDD records and supporting documents for five years after the business relationship ends or the occasional transaction completes.

Conclusion

CDD is the front door of the UK property AML framework. The 2024-25 enforcement data is unambiguous: HMRC fined estate agency businesses over £4 million in two years, the SRA fined law firms £1.5 million in one year, and 73 per cent of all legal-sector SARs originate in conveyancing. The firms being penalised are not the ones missing one check on one file. They are the ones whose CDD process is fragmented, undocumented, or treated as a filing exercise instead of an analytical one.

The fix is operational, not philosophical. CDD before instruction, source of funds analysed rather than just collected, beneficial ownership traced, PEP and sanctions screened continuously, records retained centrally for five years. Veyco runs the whole sequence in one workflow. Book a demo to see how your firm can meet its MLR 2017 obligations without losing a quarter of its clients to onboarding friction.