Client data collection

Client data collection is the first phase of anti-money laundering (AML) due diligence. Before verifying identity or assessing risk, you must first gather all the relevant information about your client — who they are, how their business operates, and what the expected nature of your relationship will be. This includes collecting basic identification details, understanding the structure of any legal entity, and clarifying who owns or controls the client’s business. Data collection lays the groundwork for everything else in your AML process: ID checks, client risk assessments, and ongoing monitoring. Without accurate and complete data, those later steps become guesswork.

AML Essential Kit
Text Link

Why it matters

A strong data collection process is essential for complying with Regulation 28 of the Money Laundering Regulations (MLR 2017), which sets out the core components of customer due diligence (CDD). You can’t verify identity or assess AML risk if you don’t first understand the client and their business.

From a practical perspective, good data collection:

  • Helps avoid delays or repeat requests during ID checks or engagement onboarding.

  • Enables accurate risk classification — so you can apply the right level of due diligence (simplified, standard, or enhanced).

  • Improves your ability to spot inconsistencies or suspicious activity later on.

  • Supports clear record-keeping, which is a requirement under Regulation 40.

In short: getting this step right improves compliance and efficiency across your entire AML process.

How to collect client data

1. Understand what information is required

Before you start, make sure your team knows exactly what data needs to be collected. This will vary depending on whether your client is an individual or a legal entity:

For individuals:

  • Full legal name and any previous names

  • Date of birth

  • Nationality

  • Residential address (and address history, if required)

  • The purpose and nature of the business relationship

  • Email address and contact number (not required, but advised by HMRC)

For companies, LLPs, or trusts:

  • Registered name and registration number

  • Registered office and principal place of business

  • Names of directors, partners, or trustees

  • Constitution (e.g. articles of association or trust deed)

  • Ownership and control structure (including beneficial owners)

  • Information on persons acting on behalf of the client

This stage also includes identifying any politically exposed persons (PEPs) or sanctioned individuals linked to the client.

2. Use structured templates or software

Using a standardised form or data collection tool ensures consistency and reduces the risk of missing key details. Whether paper-based or digital, the form should include fields that map directly to the requirements of Regulation 28 — making it easier to move into ID verification and risk assessment.

AML software can streamline this process by pulling in public data, prompting the right questions, and storing everything in one place.

3. Involve the right people

Relevant employees (as defined in MLR 2017) must be trained to ask appropriate questions, especially where the client’s business is complex or higher risk. Data collection isn’t a simple admin task — it requires professional judgement and sometimes further probing if the information provided is unclear or incomplete.

4. Review and validate the information

The collected data should be checked for consistency and accuracy before moving on to ID verification or completing the client risk assessment. If anything is unclear, follow up before progressing.

It’s also good practice to document the rationale for accepting the information — especially for high-risk clients or where there are gaps in publicly available data.

How it supports customer due diligence (CDD)

Client data collection is the starting point for the three pillars of CDD: identification, risk assessment, and verification. Without it:

  • You can’t properly assess whether simplified, standard, or enhanced CDD is needed.

  • You risk applying the wrong level of scrutiny to a client relationship.

  • You increase the chance of errors or compliance gaps down the line.

By collecting the right data at the start, you make the rest of your AML process faster, clearer, and more reliable. It also gives your team the context they need to understand what’s normal — so they’re more likely to notice if something suspicious occurs later on.

Summary

Client data collection is the first — and arguably most important — step in your AML process. It gives you the information needed to verify identity, assess risk, and build a strong foundation for ongoing compliance. Done well, it makes your AML controls more accurate, your onboarding smoother, and your risk assessments more meaningful. Make it systematic, thorough, and proportional to risk.

This summary was prepared by the Firmcheck content team. The original article was written by an independent AML expert and can be found on our blog.

Compliance made easy

Start your compliance journey for free. Try Firmcheck's beautifully designed self-service platform and see why firms trust us with their AML compliance.

Sign up today