Due diligence explained: complete checklist for businesses
A practical guide to due diligence for businesses: what it covers, legal requirements in the UK, and a complete checklist across legal, financial, compliance, and ESG domains.

Due diligence is the structured process of investigating a counterparty, acquisition target, or business partner before committing to a transaction or relationship. In the UK, due diligence obligations arise from multiple sources: the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (MLR 2017), the Bribery Act 2010, the Modern Slavery Act 2015, and UK GDPR (Data Protection Act 2018).
This article is for compliance officers, finance directors, and legal teams who need to structure their due diligence process. It is informational only and does not constitute legal, financial, or regulatory advice.
What is due diligence and why does it matter?
Due diligence is a risk assessment carried out before a business decision. It confirms a counterparty's identity, ownership structure, financial health, regulatory standing, and reputation. In financial services and other regulated sectors, it is not optional – it is a legal requirement.
The FCA's Financial Crime Guide (FCG) requires regulated firms to apply Customer Due Diligence (CDD) measures before establishing any business relationship, under Regulation 28 of the MLR 2017. Firms that fail to comply face enforcement action: between 2019 and 2024, the FCA issued over £560 million in financial crime-related fines (FCA Enforcement Action Register).
The scope of due diligence has expanded significantly. The UK Modern Slavery Act 2015, s.54 requires commercial organisations with an annual turnover exceeding £36 million to publish a slavery and human trafficking statement. The EU's Corporate Sustainability Due Diligence Directive (CSDDD), 2024/1760/EU, adopted in May 2024, will affect UK businesses with EU market exposure.
The 5 types of due diligence
Due diligence is not a single exercise. The scope depends on the context: M&A transactions, new client onboarding in regulated sectors, vendor qualification, or investment appraisal.
| Type | Primary focus | Key documents |
|---|---|---|
| Legal | Corporate structure, litigation, IP, contracts | Companies House filings, articles, PSC register |
| Financial | Profitability, cash flow, liabilities | 3-5 years P&L, balance sheets, management accounts |
| Tax | HMRC compliance, hidden tax liabilities | Tax returns 5 years, VAT records, transfer pricing docs |
| Regulatory/AML | Sanctions, PEP status, beneficial ownership | KYC documents, source of funds, screening results |
| ESG | Human rights, environment, anti-bribery | Modern Slavery statement, ESG reports, ISO certifications |
The complete due diligence checklist
Legal due diligence
Legal due diligence confirms that a business exists, operates lawfully, and carries no undisclosed liabilities. UK practitioners consistently identify this as the starting point for any M&A or partnership process.
Documents to collect:
- Companies House filing history: registered name, number, status, registered office, directors, and People with Significant Control (PSC) register (Companies House register)
- Articles of association and shareholder agreements
- Material contracts – customer, supplier, and employment – including change-of-control clauses
- Schedule of current and threatened litigation
- Intellectual property ownership: registered trademarks, patents, domain names
The PSC register, mandatory since April 2016 under the Companies Act 2006 (as amended), must accurately record all persons with more than 25% shareholding or voting rights (Companies Act 2006, s.790A). Failure to maintain accurate records is a criminal offence.
Forum users in compliance communities consistently raise one question: What do businesses most commonly miss in legal due diligence? The answer from practitioners is change-of-control clauses in customer contracts – provisions that can void key agreements or trigger renegotiation following an acquisition.
Financial and tax due diligence
Financial due diligence validates the valuation and uncovers hidden liabilities. UK M&A practice requires a minimum three-year financial review for SME transactions and five years for larger deals.
Priority checks:
- Adjusted EBITDA and normalised free cash flow analysis
- HMRC compliance: Corporation Tax, VAT, PAYE, and Self-Assessment obligations. Check for open enquiries via the company's tax advisers
- Pension fund obligations and FRS 102 compliance
- Accounts receivable ageing schedule – DSO trends reveal underlying revenue quality
- Directors' loan accounts and related-party transactions
Companies House accounts are publicly available but often filed up to 9 months after year-end – always request management accounts for the current period directly from the target.
AML/KYC due diligence for regulated firms
For businesses regulated by the FCA, HMRC (as a Money Service Business supervisor), or other designated supervisory authorities, customer due diligence is a statutory requirement under MLR 2017.
Three tiers of due diligence apply under the MLR 2017 risk-based approach:
- Simplified Due Diligence (SDD): applies to low-risk customers (Regulation 37). Duration of records retention: minimum 5 years from end of relationship.
- Standard Due Diligence (CDD): the baseline for most business relationships. Verify identity, beneficial ownership, and purpose of the relationship (Regulation 28).
- Enhanced Due Diligence (EDD): mandatory for Politically Exposed Persons (PEPs), customers in high-risk third countries, and complex or unusual transactions (Regulation 33).
As of February 2026, the FCA expects firms to apply EDD to all PEPs, including domestic PEPs, within 12 months of the updated guidance taking effect (FCA PS23/3, February 2023).
Automated document verification reduces KYC processing time by 60–80% compared to manual review. CheckFile automates identity document verification, Companies House cross-checks, and address verification in line with FCA CDD requirements.
For more context on AML obligations, see our anti-money laundering compliance guide.
ESG and supply chain due diligence
ESG due diligence is increasingly mandated. For UK businesses with EU operations, the CSDDD introduces mandatory human rights and environmental due diligence for companies with over 1,000 employees and €450 million turnover.
Checklist:
- Modern Slavery Act statement (required annually for organisations above the £36m threshold)
- Supplier code of conduct and audit programme
- Carbon footprint disclosure (Scope 1, 2, and 3 emissions under TCFD framework)
- Anti-bribery procedures under the Bribery Act 2010 – documented policies and training records
- GDPR/UK GDPR compliance: Data Protection Impact Assessments (DPIAs) for high-risk processing
Under the UK Bribery Act 2010, s.7, a commercial organisation commits an offence if a person associated with it bribes another person to obtain or retain business – and failing to have "adequate procedures" is not a defence unless documented procedures exist (Ministry of Justice Guidance, March 2011).
Due diligence by transaction type
| Transaction | Due diligence level | Recommended timeline | Key specialists |
|---|---|---|---|
| New regulated client (FCA firm) | Standard to Enhanced | 2–5 business days | Compliance, front office |
| SME acquisition | Comprehensive | 4–8 weeks | Solicitors, accountants, tax advisers |
| Strategic supplier (critical) | Standard | 1–2 weeks | Procurement, legal, compliance |
| Minority investment | Comprehensive | 3–6 weeks | M&A advisers, finance |
| Standard vendor onboarding | Simplified | 24–48 hours | Procurement, compliance |
How to automate your due diligence process
The most common question from compliance teams on practitioner forums is: How do we scale due diligence without adding headcount?
The answer lies in combining secure virtual data rooms with automated document verification. CheckFile verifies document authenticity (fraud detection, intelligent OCR, cross-document consistency checks) and integrates with existing workflows via API.
An internal benchmark across 150 due diligence files processed via CheckFile showed an average 72% reduction in document collection and verification time compared to a standard manual process.
For an overview of documentation requirements in compliance programmes, see our document compliance guide.
FAQ
What is the difference between due diligence and an audit?
Due diligence is a pre-transaction investigation carried out by the acquiring party to inform a decision. An audit is a periodic, independent review of accounts or processes. The two complement each other: a recent clean audit shortens the financial due diligence phase but does not replace it.
Is due diligence a legal requirement for all UK businesses?
Not universally. For FCA-regulated firms, CDD is a statutory obligation under MLR 2017. For businesses above the Modern Slavery Act threshold (£36m turnover), supply chain due diligence reporting is required annually. For all businesses, general common law duties of care and the Bribery Act create practical due diligence obligations regardless of sector.
How long does due diligence take in the UK?
SME acquisitions typically complete due diligence in 4–8 weeks. Complex transactions involving multiple entities or regulated activities can extend to 12 weeks. FCA-regulated new client onboarding should complete standard CDD within 2–5 business days; EDD typically requires 5–10 business days.
What documents does Companies House provide for due diligence?
Companies House provides: certificate of incorporation, articles of association, confirmation statements, annual accounts (up to 9 months after year-end), director appointments and resignations, charge register (mortgages over company assets), and the PSC register. All are freely accessible at find-and-update.company-information.service.gov.uk.
How should due diligence findings be documented?
Document findings in a written report with a risk matrix classifying each issue by probability and financial impact. Include a clear summary for decision-makers, specific items for price adjustment or warranty/indemnity protection, and conditions precedent to completion. Retain all working papers for a minimum of 6 years for HMRC purposes and 5 years under MLR 2017.
This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. For jurisdiction-specific guidance, consult a qualified solicitor, accountant, or compliance specialist. CheckFile supports compliance teams with automated document verification – visit our pricing page or contact us to learn more.