For accountancy practices

Built to ICAEW standard, not retrofitted to it.

Custodiance runs your practice's web and email estate as a managed, in-jurisdiction, accountable service — built to the ICAEW Code of Ethics from the first day, kept within UK and EU jurisdiction, and held by a named senior engineer who is personally accountable for it. Not a website you buy once and worry about for six years; a custodian who holds it on your behalf.

The risk

What ICAEW asks of your public surface

ICAEW does not require a "compliant accountancy website" as a standalone thing. It requires the firm to behave to the Code of Ethics, to comply with the Money Laundering Regulations where supervised, and to disclose its regulatory standing — and the website is where each of those duties is publicly verifiable. A typical agency build satisfies none of them by accident. These are the three places it silently fails.

ICAEW Code of Ethics — Section 114

Confidentiality attaches before the engagement begins

Section 114 imposes an unqualified duty to keep client information confidential. It extends to prospective clients and beyond the end of the relationship, and it is alert to inadvertent disclosure. A website enquiry form is exactly where that duty first bites: a prospect naming a turnover band, an HMRC enquiry, or an unreported-income question hands the practice confidential information the moment it arrives. When that form posts to a US-resident inbox — a HubSpot, Mailchimp, or Typeform embed — the practice has accepted confidential information into a sub-processor chain it cannot defend on a routine review.

Money Laundering Regulations 2017

Client records that must hold up for years, in a place you can name

Where the practice is supervised for anti-money-laundering — by ICAEW, HMRC, ACCA, or the IFA — the MLR 2017 require documented risk assessment, customer due-diligence records, and appropriate security for identification documents. A "send us your records" portal wired to Dropbox, Google Drive, or an S3 bucket in us-east-1 sits in direct tension with that. HMRC's six-year retention window means the exposure compounds: a document uploaded today does not leave the practice's envelope for years, and by year four the practice rarely knows which sub-processor can still reach it.

ICAEW Code of Ethics — Section 114 disclosures

The disclosure surface a reviewer reads before the file

The ICAEW does not require a "compliant website" as an artefact. It requires the firm to behave to the Code, to comply with the MLR 2017, to hold professional indemnity insurance at the prescribed level, and to handle complaints — and the website is the public projection of each of those duties. A reviewer who selects the firm for a sample check reads the site first. Typical agency builds miss the AML supervisory-authority footer block, the regulatory-information and complaints pages, accurate ICAEW trade-mark usage, and last-updated discipline on services pages that hold the firm out as competent on current law.

How Custodiance answers it

An estate mapped to your obligations

Each part of the answer maps to something ICAEW or the MLR 2017 actually asks of the practice — confidentiality on intake, secure and locatable record-keeping, accurate public disclosure, and a person who is accountable for all of it.

The estate, run as a managed service

Your web and email infrastructure is held and run continuously — hosting, enquiry intake, document flows, the contact list, and the disclosure pages — rather than handed over once and left to drift. Services pages carry a last-updated date and a named review owner, so the firm is never holding itself out as competent on superseded law. The ICAEW evidence pack maps each obligation to the URL on the estate that satisfies it.

In-jurisdiction by design

Client data and hosting stay within UK and EU jurisdiction. The enquiry form posts to an EU-routed, EU-relay-backed inbox; document uploads land in UK or EU-resident object storage with explicit six-year retention; the contact list moves to a UK or EU-hosted tool with retention pruning. When an AML supervisor, a client, or a finance-director prospect asks where the data lives and who can reach it, the answer is precise and without caveats — over the full retention horizon.

A published methodology

The posture is written down, not improvised per project. The same standard that puts your site right is the standard applied to the next practice — auditable, repeatable, and defensible. You can read it in full before you engage, and reference it when your own board or insurer asks how the estate is governed.

A named, accountable engineer

A single senior technical partner is personally accountable for the estate — a name and a direct line, not a ticket queue. For a practice too small to justify a full-time chief technology officer, this is the equivalent on a fractional basis: someone who understands the ICAEW and MLR obligations, carries the work between requests, and answers for it when something needs to be put right.

Engage

Two ways to work with us

Growth

£1,495 per month

For an established practice that wants its web and email estate run properly — in-jurisdiction, with a named partner on call.

Embedded

From £6,000 per month · bespoke

For a practice that wants a fractional CTO embedded — owning the roadmap, the compliance posture, and the build.

Custody, not marketing.

Have a senior partner look at your estate.

A scoping call is a measured conversation about your ICAEW and MLR obligations, your current setup, and what it would take to run it properly. No obligation, and no pressure.
