Many businesses think AML inspections are about having perfect paperwork or never onboarding higher-risk clients.
In reality, HMRC is often far more interested in whether businesses can clearly explain and evidence their decision making!
This is where the idea of “showing your workings” becomes one of the simplest ways to understand effective AML compliance.
Think back to school maths lessons…
Even if you got the correct answer, teachers still wanted to see how you reached it. They wanted to understand:
- the steps you followed
- the logic behind your thinking
- whether you genuinely understood the process.
AML works in a very similar way.
HMRC is not just interested in whether checks were completed. They want to understand:
- what was reviewed
- what risks were identified
- what decisions were made
- why those decisions were reasonable
- and whether your business can evidence a genuine risk-based approach.
It’s Not About Having “Perfect” Clients
One of the biggest misconceptions around AML compliance is that businesses should never onboard higher-risk clients.
That is not realistic.
Higher-risk clients can still be completely legitimate businesses.
What matters is:
- did you recognise the risk?
- did you apply proportionate controls?
- did you carry out Enhanced Due Diligence (EDD) where appropriate?
- did you escalate concerns internally?
- and most importantly, did you document your rationale?
That documentation is your “workings”.
What Good AML “Workings” Looks Like
Strong AML audit trails do not need to be overly complicated.
In practice, good AML records often include:
- notes explaining unusual ownership structures
- screenshots from Companies House or sanctions checks
- rationale for customer risk scoring decisions
- escalation records
- management approvals for higher-risk onboarding
- records of ongoing monitoring reviews
- explanations where something unusual was identified but considered reasonable.
Even short operational notes can make a huge difference during an HMRC AML inspection.
What Poor “Workings” Looks Like
Problems usually arise when businesses:
- complete checks with no rationale recorded
- cannot explain why onboarding decisions were made
- rely entirely on automation without review
- fail to document escalations
- have inconsistent AML onboarding records
- or operate differently in practice than what their AML policies say on paper.
A common phrase within AML compliance is: “If it isn’t documented, it didn’t happen.”
That may sound harsh, but from a regulator’s perspective, businesses need to be able to evidence their decision making clearly.
AML Is About Building A Story
A good AML file should help another person understand the story behind the onboarding decision.
For example:
- Why did this company structure make sense?
- Why was this customer considered low or high risk?
- Why was additional verification requested?
- Why was EDD applied or not applied?
- Why was the business relationship considered reasonable?
If another person can follow your logic clearly, your “workings” are probably in a good place.
HMRC Wants To See Real Operational Understanding
One thing many businesses overlook is that HMRC increasingly focuses on whether AML controls actually work operationally, not just whether policies exist.
That means looking at:
- staff awareness
- escalation culture
- onboarding consistency
- ongoing monitoring
- operational understanding of risk
- and evidence that teams know when something “doesn’t feel right”.
Good AML is not about creating fear or endless paperwork.
It is about building proportionate, practical processes that teams understand and can confidently follow day to day.
Why Audit Trails Matter For TCSPs & Address Service Providers
For Trust and Company Service Providers (TCSPs), flexible workspace, coworking, virtual office, and address service businesses, maintaining strong AML documentation is particularly important.
These services can create corporate credibility and are sometimes targeted by criminals attempting to:
- obscure ownership
- create shell companies
- distance themselves from activity
- or misuse UK business infrastructure.
This is why HMRC expects businesses in these sectors to demonstrate:
- clear customer due diligence
- documented risk assessments
- proportionate escalation
- and ongoing monitoring procedures.
Frequently Asked Questions
“What does HMRC look for during an AML inspection?”
HMRC wants businesses to demonstrate that AML controls are understood, applied consistently, and properly documented. This includes customer due diligence, risk assessments, escalation records, ongoing monitoring, and evidence of a risk-based approach.
“What does “show your workings” mean in AML?“
It means businesses should be able to evidence:
- what checks were completed
- why decisions were made
- what risks were identified
- and how conclusions were reached.
“Why are audit trails important in AML?”
Clear audit trails help businesses demonstrate compliance, support operational consistency, evidence decision making, and show regulators that appropriate AML procedures are being followed in practice.
Flex Final Thoughts…
The businesses that tend to perform best during AML inspections are not always the ones with the thickest policies or the most complicated systems.
Often, they are the businesses that can clearly explain:
- what they did
- why they did it
- what risks they identified
- and how they reached reasonable decisions.
In other words:
they can show their workings.
💡 Flex AML Tip: The strongest AML frameworks are usually not the most complicated. They are the ones teams understand operationally, apply consistently, and can confidently explain if HMRC ever asks questions.
This guide is provided for general AML awareness, operational guidance, and educational purposes only. Businesses should consider their own legal, regulatory, operational, and risk-based obligations when applying any guidance in practice.