Website compliance for accountants & bookkeepers
Accountants handle some of the most sensitive financial data of any profession. Tax returns, bank statements, payroll records, and Companies House filings all flow through your systems. Your website needs to reflect how you handle this data — and a generic privacy policy template won’t cover HMRC submissions, professional body obligations, or AML requirements.
What personal data do accountants handle?
The range of personal data processed by a typical accountancy practice is substantial:
- Client identification data — names, addresses, dates of birth, National Insurance numbers, UTR (Unique Taxpayer Reference) numbers
- Financial data — bank statements, income records, investment details, pension information, property ownership details
- Tax return data — self-assessment returns, corporation tax returns, capital gains records
- Payroll data — employee names, NI numbers, salary details, tax codes, pension contributions, student loan deductions
- Companies House data — director details, shareholder information, PSC (Person with Significant Control) records, annual accounts
- VAT records — VAT returns, MTD (Making Tax Digital) submissions
- AML due diligence data — identity verification documents (passport copies, utility bills), source of funds information
- Business records — invoices, receipts, contracts, supplier details
Key point: National Insurance numbers and UTR numbers are persistent identifiers that enable identity fraud and fraudulent tax filings, and neither can be rotated if leaked. Your privacy policy should specifically address how these are stored, who has access, and what security measures protect them. Describe those measures at the level of controls (encryption at rest, access restricted to named staff, multi-factor authentication on the practice management system) rather than naming products or internal architecture; the policy is public, and a detailed inventory of your systems is useful reconnaissance for an attacker.
HMRC data sharing
A core function of accountancy is submitting data to HMRC on behalf of clients. Your privacy policy must disclose this data sharing explicitly. The main HMRC submissions include:
- Self-Assessment tax returns — submitted annually via HMRC online services or agent software linked to your agent services account
- Corporation Tax returns (CT600) — submitted to HMRC together with the accounts and tax computations
- PAYE Real Time Information (RTI) — payroll data submitted on or before each pay date
- VAT returns — usually quarterly, submitted through Making Tax Digital compatible software
- P11D and P11D(b) — benefits in kind reporting
- Annual accounts — filed with Companies House rather than HMRC, although a copy also accompanies the CT600 and the two are often handled together
The legal basis for these submissions is legal obligation (UK GDPR Article 6(1)(c)). The filing duties sit in statute, principally the Taxes Management Act 1970 (self-assessment returns), Finance Act 1998 Schedule 18 (corporation tax returns), the Value Added Tax Act 1994 and the VAT Regulations 1995 (VAT returns) and the Income Tax (PAYE) Regulations 2003 (RTI). Cite the relevant provisions in your privacy policy rather than relying on vague language like “to comply with the law.”
Anti-money laundering obligations
Accountants are subject to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. Your AML supervisor is your professional body (ICAEW, ACCA, AAT, CIMA and others) or, for firms not supervised by a professional body, HMRC directly.
AML obligations that affect your privacy policy:
- Customer due diligence (CDD) — you must verify client identity before establishing a business relationship. This involves collecting passport copies, utility bills, or other identity documents. Your privacy policy must explain that you collect this data, the legal basis (legal obligation), and how long you retain it.
- Record retention — AML records must be kept for five years after the end of the business relationship (or the completion of an occasional transaction). This is a statutory minimum that overrides any shorter retention period. It is also, in effect, a ceiling for personal data collected solely for AML purposes: the Regulations require that data to be deleted at the end of the five years unless another law requires you to keep it or the client has consented to longer retention, so your privacy policy should not promise indefinite retention of identity documents.
- Suspicious Activity Reports (SARs) — if you suspect money laundering, you must report to the NCA. You must not tell the client you have made a report (“tipping off” is a criminal offence). Your privacy policy should note that legal obligations may sometimes prevent you from informing clients about certain processing activities, without specifically mentioning SARs.
Professional body requirements
Your professional body (ICAEW, ACCA, AAT, CIMA) imposes additional obligations that affect your website:
ICAEW members
ICAEW’s Code of Ethics requires transparency with clients about how their data is handled. ICAEW also provides guidance on data protection compliance specifically for accountants. Members should consider displaying their ICAEW membership status and practice certificate on their website.
ACCA members
ACCA’s Global Practising Regulations require firms to maintain professional indemnity insurance and to inform clients of their complaints process. ACCA members should display their ACCA practising certificate status.
AAT licensed accountants
AAT licensing requires members to follow specific record-keeping standards and to have a documented complaints procedure. AAT provides template engagement letters and privacy notices that members can adapt.
Engagement letters and your website
Professional standards require accountants to issue engagement letters setting out the scope of work, fees, and responsibilities. Your website’s terms should be consistent with your standard engagement letter terms. Key elements include:
- Scope of services — what’s included and what isn’t
- Client responsibilities — providing accurate information, meeting deadlines
- HMRC penalty disclaimer — clarifying that penalties imposed by HMRC for late filing or incorrect returns are the client’s responsibility unless caused by the firm’s negligence
- Fee basis — fixed fee, hourly rate, or hybrid
- Lien on records — your right to retain client records until outstanding fees are paid, subject to the limits your professional body places on exercising a lien
- Complaints procedure — internal process plus escalation to your professional body
HMRC penalty disclaimer: Your terms should clearly state that while you will use reasonable care in preparing and filing returns, HMRC penalties for late filing or inaccurate returns remain the client’s legal liability. Most professional body guidance recommends explicit language on this point.
Retention periods for accountants
- Self-assessment records: 5 years after the 31 January filing deadline (HMRC requirement)
- Corporation tax records: 6 years after the end of the accounting period
- VAT records: 6 years
- PAYE records: 3 years after the end of the tax year
- AML records: 5 years after the end of the business relationship
- Engagement files: 6 years after the relationship ends (professional guidance)
- Companies House records: retain copies for 6 years after filing. Note that the Companies Act 2006 (section 388) itself requires a company’s own accounting records to be kept for 3 years (private company) or 6 years (public company); in practice the HMRC 6-year corporation tax rule governs
What your accountancy website must include
Privacy policy
Tailored for accountants: covering HMRC data sharing (with specific legislative references), AML due diligence processing, professional body regulatory obligations, payroll data handling, Companies House submissions, cloud accounting software (Xero, QuickBooks, Sage) as third-party processors, and sector-specific retention periods.
Cookie consent
If your website uses analytics, a live chat widget, or any marketing tracking, you need a compliant cookie consent banner with a genuine reject option that is as easy to use as accept. Consent must be obtained before any non-essential cookie is set or any third-party tag is loaded: a banner that merely notifies visitors while the analytics script has already run on page load is not consent under PECR. Check this yourself by loading the site in a fresh private window and inspecting the cookies and network requests before you click anything.
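As an added example (not code from the page or from any particular consent product), here is a dependency-free consent gate that shows the rule in working code: on first load nothing non-essential runs, accept and reject are equal one-click actions, a granular choice is honoured on later page views, and only the first-party consent cookie itself is set before a choice is made. The cookie name, the 180-day consent lifetime, the purposes and the script URLs are assumptions; the cookie jar and script loader are injected so the same logic runs against `document.cookie` in a browser and against an in-memory jar when tested offline.

```javascript
// Consent-gated loading of non-essential scripts (added example, not the page's own code).
const CONSENT_COOKIE = "site_consent"; // assumed name; first-party and strictly necessary
const CONSENT_VERSION = 1;             // bump when the cookie policy changes so visitors are re-asked
const CONSENT_MAX_AGE = 180 * 24 * 3600; // assumed lifetime in seconds

// Assumed purposes and placeholder URLs for the tags that need consent.
const NON_ESSENTIAL = {
  analytics: "https://analytics.example/tag.js",
  chat: "https://chat.example/widget.js",
  marketing: "https://ads.example/pixel.js",
};

// jar: { get(name) -> string|undefined, set(name, value, maxAgeSec) }
// loader: (url) -> void, invoked only after consent for that purpose exists.
function createConsentManager({ jar, loader, now = () => Date.now() }) {
  const loaded = new Set(); // a tag is injected at most once per page view

  function read() {
    const raw = jar.get(CONSENT_COOKIE);
    if (!raw) return null;
    try {
      const parsed = JSON.parse(decodeURIComponent(raw));
      return parsed.v === CONSENT_VERSION ? parsed : null; // stale version: ask again
    } catch (e) {
      return null; // malformed cookie is treated as no consent
    }
  }

  function apply(choices) {
    for (const [purpose, url] of Object.entries(NON_ESSENTIAL)) {
      if (choices[purpose] === true && !loaded.has(purpose)) {
        loader(url);
        loaded.add(purpose);
      }
    }
  }

  function record(choices) {
    const value = { v: CONSENT_VERSION, t: now(), ...choices };
    jar.set(CONSENT_COOKIE, encodeURIComponent(JSON.stringify(value)), CONSENT_MAX_AGE);
    apply(choices);
    return value;
  }

  return {
    // Call once per page view. Returns true when the banner must be shown;
    // when it returns true nothing non-essential has been loaded.
    init() {
      const existing = read();
      if (!existing) return true;
      apply(existing);
      return false;
    },
    acceptAll() { return record({ analytics: true, chat: true, marketing: true }); },
    rejectAll() { return record({ analytics: false, chat: false, marketing: false }); },
    save(choices) { // granular choice: anything not explicitly true is a rejection
      const c = {};
      for (const p of Object.keys(NON_ESSENTIAL)) c[p] = choices[p] === true;
      return record(c);
    },
    current: read,
  };
}

// Browser adapters: a jar over document.cookie and a loader that injects <script>.
function browserJar() {
  return {
    get(name) {
      const hit = document.cookie.split("; ").find((c) => c.startsWith(name + "="));
      return hit ? hit.slice(name.length + 1) : undefined;
    },
    set(name, value, maxAgeSec) {
      document.cookie = `${name}=${value}; Max-Age=${maxAgeSec}; Path=/; SameSite=Lax; Secure`;
    },
  };
}
function scriptLoader(url) {
  const s = document.createElement("script");
  s.src = url;
  s.async = true;
  document.head.appendChild(s);
}

// In-memory jar (constructed stand-in for document.cookie) used for offline testing.
function memoryJar() {
  const store = new Map();
  return {
    get: (n) => store.get(n),
    set: (n, v) => store.set(n, v),
    names: () => [...store.keys()],
  };
}

// Walk one visitor through: first page view -> choice -> second page view,
// recording every third-party script URL that would have been loaded.
function simulateVisit(choice) {
  const jar = memoryJar();
  const firstView = [];
  const mgr = createConsentManager({ jar, loader: (u) => firstView.push(u) });
  const bannerOnFirstLoad = mgr.init();
  const loadsBeforeChoice = firstView.length;
  if (choice === "accept") mgr.acceptAll();
  else if (choice === "reject") mgr.rejectAll();
  else mgr.save(choice);
  const secondView = [];
  const bannerOnReload = createConsentManager({ jar, loader: (u) => secondView.push(u) }).init();
  return { bannerOnFirstLoad, loadsBeforeChoice, loadsAfterChoice: firstView,
           bannerOnReload, loadsOnReload: secondView, cookies: jar.names() };
}
```

Withdrawal of consent takes effect on the next page view (a script already injected cannot be unloaded), which is why the banner or settings link should be reachable from every page. The `loaded` set is per page view by design; the durable record is the cookie.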
Terms and conditions
Sector-specific terms covering: engagement scope, HMRC penalty disclaimer, lien on records, fee basis and payment terms, client record-keeping responsibilities, complaints procedure with professional body escalation.
Company information
Registered name, company or LLP registration number, registered office address and place of registration (required on websites by the Companies Act 2006 and the trading disclosure regulations), plus a contact email address and VAT number if registered (Electronic Commerce (EC Directive) Regulations 2002). Professional body membership status (ICAEW, ACCA, AAT, CIMA).
Accessibility statement
Equality Act 2010 obligations and a commitment to WCAG Level AA (2.1, or the current 2.2 version).
Common compliance gaps on accountant websites
- No mention of HMRC data sharing — the privacy policy doesn’t explain that tax return and payroll data is submitted to HMRC
- Missing AML processing disclosure — no explanation of identity verification, source of funds checks, or the 5-year retention requirement
- Cloud accounting software not mentioned — Xero, QuickBooks, FreeAgent, and Sage are third-party processors that your privacy policy should reference. Check that you have a written processor contract with each (the vendor’s data processing terms usually serve) and note where the data is hosted, since any transfer outside the UK must be covered by an adequacy decision or transfer safeguards
- No HMRC penalty disclaimer — terms don’t clarify liability for filing penalties
- Professional body not stated — ICAEW/ACCA/AAT membership not displayed
- Generic retention periods — no distinction between the different statutory requirements for different record types
- No complaints procedure — or a procedure that doesn’t reference escalation to the professional body
Get your accountancy website compliant
We check your website against GDPR, PECR, Companies Act, and professional body requirements — then deliver a complete compliance pack tailored for accountants. From £49.
Frequently asked questions
Do accountants need a privacy policy?
Yes. Accountants process extensive personal and financial data including tax returns, payroll records, bank statements, and Companies House filings. UK GDPR requires a comprehensive privacy policy explaining what data you collect, why, who you share it with, and how long you keep it.
What data do accountants share with HMRC?
Self-assessment tax returns, corporation tax returns, PAYE Real Time Information, VAT returns, and benefits in kind reporting (P11D). Your privacy policy must disclose this sharing and state the legal basis — legal obligation under tax legislation.
How long must accountants keep client records?
HMRC requires business records for at least 5 years after the filing deadline for the relevant tax year. Corporation tax records must be kept for 6 years. AML records must be kept for 5 years after the business relationship ends. Professional bodies recommend retaining engagement files for at least 6 years.
Do accountants need to comply with anti-money laundering regulations?
Yes. Accountants are supervised for AML by their professional body (ICAEW, ACCA, AAT, CIMA) or HMRC. You must conduct customer due diligence, retain AML records for 5 years, and report suspicious activity to the NCA.
Last updated: 1 March 2026 · This article is for informational purposes and does not constitute legal advice. For complex situations, consult a solicitor.