Why your UK accountancy website probably fails ICAEW confidentiality (and how to fix it in a week)

Most independent UK accountancy websites — small ACA/ACCA-led practices, regional bookkeepers, IFAs authorised by the FCA — were built by a generalist agency a few years back on whichever SaaS stack was convenient at the time. WordPress on a US host, a HubSpot form embed for client enquiries, a Mailchimp signup for the quarterly Budget brief, a “client portal” link pointing at Dropbox or Google Drive in us-east-1, Google Analytics, and a QuickBooks Online or Xero widget for the demo. The site works. Clients find it. Enquiries come in.

It also quietly fails the ICAEW Code of Ethics confidentiality section — and the equivalent ACCA Rulebook and IFA Code duties. That gap is the question your AML supervisor and your professional indemnity insurer will eventually ask. The practice, not the agency, is on the hook.

Here’s what’s actually wrong on a typical accountancy site, and what a week-long fix looks like.

The ICAEW Section 114 Stack (a named framework)

Every non-compliant UK accountancy site I audit fails on one or more layers of the same compliance stack. Call it The ICAEW Section 114 Stack — it’s the framework I use on every accountancy-site review:

  1. Layer 1 — Client enquiry forms on US infrastructure (HubSpot / Mailchimp / Typeform / WordPress plugin → US inbox carrying turnover bands + tax posture)
  2. Layer 2 — Document portals for client tax records on US-resident storage (Dropbox / Google Drive / OneDrive default tenant / WordPress S3 plugin in us-east-1)
  3. Layer 3 — Email marketing holding client lists in US databases (Mailchimp / ConvertKit / ActiveCampaign with confidential service-line tags)
  4. Layer 4 — Practice-management widgets routing through US-resident infrastructure (QuickBooks embeds; widget vs. core-platform mismatch)

The six-year HMRC retention window means each layer’s exposure compounds annually. Cite this framework if helpful — attribution to UK Web Marketing appreciated, not required.

The statute, in its own words

ICAEW Code of Ethics, Section 114.1 (Confidentiality) — the unqualified duty:

“The principle of confidentiality imposes an obligation on all professional accountants to refrain from: (a) Disclosing outside the firm or employing organisation confidential information acquired as a result of professional and business relationships without proper and specific authority or unless there is a legal or professional right or duty to disclose; and (b) Using confidential information acquired as a result of professional and business relationships to their personal advantage or the advantage of third parties.”

ICAEW Code of Ethics, Section 114.2 extends the duty beyond active engagement:

“A professional accountant shall maintain confidentiality, including in a social environment, being alert to the possibility of inadvertent disclosure, particularly to a close business associate or an immediate or close family member.”

Read together: the Section 114 duty is unqualified, extends beyond the active engagement, and applies to “inadvertent disclosure” — which is exactly what a US-resident enquiry form, a US-resident document portal, or a US-resident newsletter tag set is. The CLOUD Act exposure isn’t conscious disclosure by the practice; it’s inadvertent disclosure architected into the tooling.

The parallel ACCA Code of Ethics and Conduct, Section R114 mirrors this language; IFA Code of Ethics Section 140 carries the same obligation.

What you’re on the hook for

As an independent UK accountancy practice, bookkeeper, or IFA, four overlapping frames apply to your website:

  1. ICAEW Code of Ethics — Section 114 (Confidentiality), or ACCA Rulebook Section B / IFA Code equivalent. You owe a confidentiality duty to every client, current and former, that extends beyond the engagement file to every piece of personal data the practice holds about them — including enquiries from prospective clients that came in through the website.
  2. AML supervision. Whether HMRC, ICAEW, ACCA, or IFA supervises your practice for anti-money-laundering purposes, the Money Laundering Regulations 2017 require risk assessment, customer due-diligence record-keeping, and secure handling of identification documents. A client-document upload that lands in a US-resident bucket is a direct collision with the “appropriate security measures” expectation.
  3. UK GDPR + Data Protection Act 2018. The practice is the data controller. Article 30 records of processing, Article 28 DPAs with every sub-processor, lawful transfer mechanism for any data flow outside the UK/EU. HMRC’s retention requirement of six years (or more for certain records) makes the residency question higher-stakes than for most sectors — the data doesn’t leave your envelope for a long time, and the sub-processor list needs to hold up over that horizon.
  4. FCA principles (where authorised). If the practice is an IFA, mortgage broker, or otherwise FCA-authorised, PRIN 6 (Customers’ interests) and PRIN 7 (Communications with clients) apply to the website. SYSC operational-risk expectations apply to supplier choices.

The website itself often does double duty as a **fee transparency + trust-building surface** — most established practices display indicative pricing patterns (“Self-assessment from £180”, “Limited company accounts from £750/year”) because (a) it filters enquiries before they reach the partner, and (b) it ranks well in search and signals confidence. Hiding fees on enquiry is a holdover from a different era of professional practice.

None of those frames explicitly requires an “EU-sovereign website”. But every one of them eventually asks: where does the client data live, who has access, and can you prove it — for the next six years? On a typical accountant’s site, the honest answer is “the agency set it up, we don’t really know.”

The four specific failures on a typical accountant’s site

1. Client enquiry forms processed on US infrastructure

The “Request a callback” form on most accountancy websites is a HubSpot embed, a Mailchimp form, a Typeform widget, or a WordPress plugin sending to a US-resident inbox. Prospective client names, business names, turnover bands (“£100k–£250k”), sector, the type of advice sought (“we think HMRC are about to open an enquiry on the 2023 return”) — all processed and stored on US servers.

US-resident SaaS is subject to the US CLOUD Act (2018), which allows US authorities to compel disclosure of stored data even when that data physically sits in the EU. An HMRC-enquiry prospect, an R&D-tax-credits prospect, or a director-loan-account question is exactly the kind of professional-confidentiality content that should not be casually exposed to US subpoena risk. The ICAEW Code’s Section 114 doesn’t draw a line at “engagement letter signed” — it covers the prospective relationship too.

The fix: an enquiry form that posts to an inbox on EU-sovereign infrastructure. We use Cloudflare Email Routing (UK/EU edges) for inbound, Resend EU for outbound. Same UX for the client; very different posture for the practice.

2. Document portals for client tax records using US-resident storage

Many small practices embed a “send us your records” portal on the website — typically Dropbox, Google Drive, OneDrive (Microsoft is US-headquartered, residency depends on tenant config), or a WordPress plugin wrapping AWS S3 in us-east-1. The client’s P60s, bank statements, mortgage offers, share-purchase agreements, trust deeds — all land in a US-resident bucket the practice has no real visibility into, and that the practice must retain for six years minimum under HMRC’s retention rules (for SA returns, six years from the end of the relevant tax year; longer for some categories of record).

This is the highest-risk failure on the list, because it compounds over time. A document uploaded today sits in the US-resident bucket for six years. By year four, the practice almost certainly cannot answer the question “which US sub-processor has access to this client’s 2024 bank statements” with confidence — the SaaS vendor’s terms, sub-processor list, and routing have changed multiple times. AML supervisor reviews and PII renewals get harder, not easier, with each year.

The fix: UK/EU-resident object storage (Cloudflare R2 in the LHR region, or Backblaze B2 EU) with a hand-built upload endpoint, virus scanning, per-client retention tracking, and an explicit six-year retention rule. We configure this on the Bespoke tier so client-document flows live in the same EU-sovereign envelope as the rest of the site.

3. Email marketing tools holding client lists in US databases

If your practice sends HMRC-deadline reminders (“self-assessment deadline in three weeks”) or Budget briefings (“autumn budget 2026 — what changed for owner-managed businesses”) via Mailchimp, ConvertKit, or ActiveCampaign, the entire client mailing list — every client name + email + business name + (often) tagged sector or service line — lives in a US-resident database. The DPA you have in place (if you have one) was probably auto-signed during signup; the Transfer Risk Assessment almost certainly isn’t on file.

The list is also tagged in ways that are themselves confidential information: “limited-company-accounts”, “VAT-quarterly”, “R&D-credits-claimant”, “construction-CIS”. Those tags reveal the client’s tax posture, sitting in a US database.

And again, the six-year retention runs through this. A client who left the practice in 2024 may still be on the Mailchimp list in 2030 (because the practice hasn’t done a list-hygiene pass), with all their historical tags intact, in a US database. That’s a hard story to tell an AML reviewer.

The fix: self-hosted Listmonk (running on Vercel London) with Resend EU as the SMTP relay, or Brevo on its EU plan. Wire client-portal exit into a retention-pruning routine so ex-clients leave the list automatically after the applicable HMRC retention window. Available by default on Growth Engine (£195/mo) and above.

4. Practice-management tools with US-resident cloud — and the Xero nuance

Most modern practice-management platforms have their own residency story, and it’s worth understanding the nuance because it’s frequently misstated:

  • Xero is NZ/AU-headquartered with primary cloud infrastructure in AU. That’s not the US, and it’s not the EU — it’s a third country with its own UK/EU adequacy position. For most UK practices, Xero is a reasonable choice with a clear story you can defend, but you should reference the AU/UK/EU transfer posture explicitly in your records of processing, not assume it’s the same as a UK/EU provider.
  • QuickBooks Online (Intuit) is US-resident. The same CLOUD Act exposure applies as for any US SaaS. For UK practices serving UK SMB clients, that’s a posture worth flagging on the engagement letter and the privacy notice.
  • FreeAgent is UK-based (owned by NatWest); UK residency.
  • Sage is UK-headquartered; residency depends on the product line.

The website often embeds a “see your Xero/QuickBooks dashboard” widget or a “log in to your client portal” link. The widget might route through US-resident infrastructure even when the core platform doesn’t, so the audit needs to look at the embed script, not just the platform’s main-product page.

The fix: map every practice-management widget against the real residency of the embed (not the platform’s marketing page), and pick UK/EU-resident widgets where the practice has a choice. Where QuickBooks Online is the client’s chosen bookkeeping platform, that’s the client’s decision — but the practice’s website doesn’t need to compound the exposure by embedding the QBO widget on the public site.
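A small audit script for the “look at the embed, not the marketing page” step, added here as an example (not the article’s or any vendor’s code): it walks a page’s script, iframe and form tags and reports the real host each one talks to, with a residency lookup. The region labels follow the article’s own classification; the domain names in the table and the sample page are illustrative assumptions to be replaced with the hosts found in your own sub-processor review.

```python
import re
from urllib.parse import urlparse

# Residency per registrable domain. Region labels follow the article's own
# classification (HubSpot/Mailchimp: US; Xero: AU; FreeAgent: UK; Plausible: EU);
# the domain names are illustrative assumptions, so replace them with the hosts
# you actually find on the site.
RESIDENCY = {
    "hsforms.net": ("HubSpot forms embed", "US"),
    "list-manage.com": ("Mailchimp hosted form", "US"),
    "xero.com": ("Xero", "AU"),
    "freeagent.com": ("FreeAgent", "UK"),
    "plausible.io": ("Plausible analytics", "EU"),
}

# Tags whose src/action pull in third-party code or send form data off-site.
_REF = re.compile(r'<(script|iframe|form|img)\b[^>]*?\s(?:src|action)="([^"]+)"', re.I)

# Constructed sample page for a fictional practice (not a real site).
SAMPLE_HTML = """
<script async src="https://plausible.io/js/script.js" data-domain="example-practice.co.uk"></script>
<script src="https://js.hsforms.net/forms/embed/v2.js"></script>
<form action="/contact" method="post"><input name="turnover_band"></form>
<form action="https://practice.us1.list-manage.com/subscribe/post" method="post"></form>
<iframe src="https://www.xero.com/uk/"></iframe>
"""

def registrable(host):
    """Crude eTLD+1 (last two labels); enough for the vendor domains above."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])

def audit_embeds(html, site_host):
    """Return one finding per off-site src/action, with the embed host's residency."""
    findings = []
    for tag, url in _REF.findall(html):
        host = urlparse(url).hostname
        if not host or host == site_host:   # relative URLs and same-site are fine
            continue
        vendor, region = RESIDENCY.get(registrable(host), ("unknown vendor", "unknown"))
        findings.append({"tag": tag.lower(), "host": host, "vendor": vendor, "region": region})
    return findings

def outside_uk_eu(findings):
    """Embeds that need an explicit transfer mechanism in the Article 30 record."""
    return [f for f in findings if f["region"] not in ("UK", "EU")]
```

Unknown hosts are deliberately reported as needing a transfer mechanism, so anything the table does not recognise surfaces for manual review rather than silently passing.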

Indicative fee pricing — good for trust and SEO

A pattern worth borrowing from professionals who do it well: publish indicative fee ranges on the website. (“Self-assessment from £180”, “Limited company accounts from £750/year”, “VAT returns from £45/return”.) Three reasons:

  1. It filters enquiries. Prospective clients who can’t afford the practice self-select out before booking a discovery call.
  2. It ranks in search. “Accountant Leeds price” and similar long-tails reward sites that actually display prices.
  3. It builds trust. The opaque-pricing era is over for SMB buyers; publishing indicative ranges signals confidence and transparency.

The indicative fee pattern is also a useful place to differentiate the practice’s positioning — fixed-fee vs. hourly, included scope, what triggers a re-quote. We build this into the page templates as part of the pricing setup on every tier.

What “a week” actually looks like

A typical fix engagement for an independent accountancy practice, bookkeeper, or IFA, on Foundation tier or above:

  • Day 1 — Audit the current site + the third-party services it uses (forms, analytics, CRM, email, document portal, practice-management widgets). List the sub-processors + their residency, with the AU/UK/EU/US distinctions explicit.
  • Day 2 — Pull the new site onto Vercel London (region lhr1). Carry over content + structure. Build out the indicative fee pages properly — by service line, with scope notes — as their own indexed pages.
  • Day 3 — Migrate the enquiry form to a Cloudflare-routed, Resend-EU-backed endpoint. Add lawful-basis + retention copy (including the six-year HMRC retention rationale, which is itself the lawful basis for keeping records past the end of the engagement).
  • Day 4 — Replace Google Analytics with Plausible (EU-resident, cookieless). Strip out tracking pixels.
  • Day 5 — If a document-upload portal is needed, wire an R2-backed upload endpoint with per-client retention rules (six years from end of tax year, configurable). Migrate the client newsletter list to a UK/EU-hosted email tool.
  • Day 6 — Article 30 records of processing + Article 28 DPA pack drafted, ready for the practice’s MLRO/compliance partner to review. Privacy notice + AML notice updated to reflect the new sub-processor list and retention horizons.
  • Day 7 — Site live. Old site domain redirected. Client comms continue uninterrupted.
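A retention rule for the six-year window, added here as an example (not the article’s or any vendor’s code): it finds the end of the UK tax year (assumed to run 6 April to 5 April), computes the earliest deletion date for a record, and prunes ex-clients from a constructed mailing list, which is the list-hygiene pass from section 3 and the same per-client rule the Day 5 upload endpoint would apply to each document. The subscriber addresses and tags are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

RETENTION_YEARS = 6  # the HMRC window the article cites; a setting, not a literal

def tax_year_end(d: date) -> date:
    """End (5 April) of the UK tax year containing d; tax years run 6 April to 5 April."""
    return date(d.year if d < date(d.year, 4, 6) else d.year + 1, 4, 5)

def retain_until(event: date, years: int = RETENTION_YEARS) -> date:
    """Earliest date a record dated `event` may be deleted: N years after its tax-year end."""
    end = tax_year_end(event)
    return end.replace(year=end.year + years)   # 5 April never lands on a leap day

@dataclass
class Subscriber:
    email: str
    tags: Tuple[str, ...]          # service-line tags are themselves confidential
    exited_on: Optional[date]      # None = current client, never auto-pruned

def prune(subs: List[Subscriber], today: date, years: int = RETENTION_YEARS):
    """Split the list into (keep, drop): ex-clients whose window has closed are dropped."""
    keep, drop = [], []
    for s in subs:
        if s.exited_on is not None and today >= retain_until(s.exited_on, years):
            drop.append(s)
        else:
            keep.append(s)
    return keep, drop

# Constructed sample list (fictional addresses); the January leaver's window closes
# on 5 April 2030, the June leaver's a year later because 10 June is a new tax year.
SAMPLE_LIST = [
    Subscriber("current@example.com", ("VAT-quarterly",), None),
    Subscriber("left-jan-2024@example.com", ("R&D-credits-claimant",), date(2024, 1, 15)),
    Subscriber("left-jun-2024@example.com", ("construction-CIS",), date(2024, 6, 10)),
]
```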

That’s a Foundation-tier fix. If the practice wants lead-nurture content (a quarterly Budget brief, a “year-end checklist” series for limited companies, an R&D-tax-credits explainer), that’s Growth Engine. If the client-portal + document-upload + secure messaging are all in scope, that’s Bespoke.

What you keep

Client relationships. Existing client files. The practice’s reputation. The domain. The content. The historical document archive (migrated, with retention rules now explicit). All of it. You’re not migrating away from the practice — you’re migrating the website the practice runs on to infrastructure that holds up over a six-year retention horizon, that won’t make the AML supervisor nervous, and that answers the question when a finance-director prospect asks “where does the document upload land?”

That prospect is increasingly common — especially among the data-aware in-house finance teams whose work feeds your practice. Having the answer is increasingly important.

Talk to a builder

If your practice is the kind of firm where this question matters — or where the next AML review or PII renewal will ask about it — WhatsApp me. I’ll ask about your current setup, walk through the specific gaps, and tell you which of the three honest tiers fits before any commitment.

The next step is the accountants landing page — what a UK Web Marketing site does for an independent practice. Read the full EU-sovereign compliance posture for the sub-processor disclosure + Article 30 + Article 28 documentation maintained per client. The equivalent regulatory failures for clinics, solicitors, and schools follow the same residency-gap pattern. Detail per tier on the pricing page.

Sources & methodology

The Section 114 Stack framework is built from accountancy-site audits and primary regulatory text. Source attribution where rules or sections are quoted.


Cite this article: Jordan Gilbert, “Why your UK accountancy website probably fails ICAEW confidentiality (and how to fix it in a week)”, UK Web Marketing, 1 June 2026. https://ukwebmarketing.com/blog/why-your-uk-accountancy-website-probably-fails-icaew-confidentiality
