Bookkeeper Engagement Letter Template 2026: GDPR + AML

A freelance bookkeeper writing their first formal engagement letter for an agency client is really writing three documents at once: the proposal that wins the work, the scope agreement that keeps the retainer from sprawling, and, the moment they touch the client's data, a GDPR processor contract. Generic engagement-letter templates handle the first job and quietly skip the other two, which is how a bookkeeper ends up onboarded, processing payroll, and missing both the data-processor clauses the law requires and the anti-money-laundering supervision they were supposed to confirm before signing.

The general proposal mechanics are in how to write a freelance proposal and the freelance proposal templates by profession guide. The rate that anchors the fee is in the 2026 bookkeeper rates report, the retainer billing is in the bookkeeper invoice template, and the deeper liability terms are in the bookkeeper contract guide.

The engagement letter is your proposal · GDPR: you are a data processor · AML: HMRC supervision and CDD · The retainer scope boundary · The responsibilities split

The Engagement Letter Is Your Proposal

For most freelancers the proposal and the contract are separate steps. For a bookkeeper they collapse into one document: the engagement letter. It is what you send to win the client, and it becomes the governing agreement when they accept it. That dual role means it has to be persuasive enough to close the deal and precise enough to run the relationship for a year.

At minimum it defines the services, the fee and billing frequency, the term and termination, and the responsibilities of each side. A designer's proposal can stop roughly there. A bookkeeper's cannot, because the work touches regulated data and triggers anti-money-laundering duties. The next three sections are the clauses that turn a generic engagement letter into a compliant one.

GDPR: You Are a Data Processor

When you process a client's personal data on their instructions, running their payroll, reconciling accounts that contain customer details, the client is the data controller and you are their data processor. That relationship requires a written contract, and GDPR specifies what it must contain.

Per Article 28 GDPR, the processor contract must bind you to obligations including that you:

• process "the personal data only on documented instructions from the controller";
• ensure persons authorised to process the data "have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality";
• take "all measures required pursuant to Article 32," the security obligations;
• respect the conditions "for engaging another processor," meaning you cannot bring in a sub-processor (a cloud tool, a subcontractor) without meeting the rules;
• assist the controller in responding to data subject rights requests;
• assist the controller with its own obligations under "Articles 32 to 36" (security, breach notification, impact assessments);
• at the controller's choice, delete or return all the personal data "after the end of the provision of services"; and
• make available "all information necessary to demonstrate compliance," and allow for and contribute to audits.

The UK Information Commissioner's Office (ICO) publishes guidance on exactly what this controller-to-processor contract must include, and it tracks the Article 28 list above. The engagement letter is the natural home for these clauses, or for a referenced data processing agreement attached to it. The deeper liability questions, who pays if data is mishandled and how liability is capped, are covered in the bookkeeper contract guide.

AML: HMRC Supervision and Due Diligence

Bookkeeping is a supervised activity under the UK money laundering regulations, and the engagement letter is where you disclose your supervision status. Per GOV.UK, "you may have to register with HMRC if your business operates as an accountancy service provider," and "you must register with HMRC unless you're already supervised for money laundering regulations purposes by a professional body." HMRC's guidance places bookkeeping squarely in scope: a business supplying bookkeeping services is an accountancy service provider under the regulations.

Supervision can come from HMRC directly or from a professional body. Per AAT, "we act as a money laundering supervisor for AAT licensed members who provide accounting and bookkeeping services to clients." Supervision then requires customer due diligence. Per AAT, "customer due diligence (CDD) must be performed and documented both before establishing a business relationship and throughout the duration of the business relationship." Per ICB, supervised bookkeepers must "carry out customer due diligence and ongoing monitoring of your clients," including verifying "the client's identity and source of funds," and must retain "CDD and other records for five years after the business relationship has ceased."

The practical sequence: confirm your supervision, complete CDD on the client before you sign, then state your supervision status in the engagement letter. The CDD step is not paperwork you can defer until after onboarding, because the requirement is to do it before establishing the relationship.

The Retainer Scope Boundary

The compliance clauses protect you legally; the scope boundary protects your time. A bookkeeping retainer is the classic scope-creep target, because financial tasks feel small and continuous, and "could you just" requests accumulate.

Define three things in the letter:

• Included tasks, listed specifically: for example, monthly bank reconciliation, payroll for a stated headcount, quarterly VAT return preparation. Vague phrasing like "general bookkeeping" invites unlimited requests.
• Out-of-scope work, named: year-end accounts, tax filing, software migration, ad-hoc projects, whatever the retainer does not cover.
• The change trigger: a requirement that out-of-scope work is agreed in writing, at a stated rate, before it begins.

That structure turns "one more thing" into a priced change order instead of unpaid work. The out-of-scope rate should track the 2026 bookkeeper rates report, and the agreed retainer is billed using the bookkeeper invoice template.

The Responsibilities Split

The clause that prevents the most common bookkeeping disputes is the one that divides responsibilities. The engagement letter should state plainly that the client is responsible for providing complete and accurate records and for notifying you of changes, and that you are responsible for processing those records to the agreed scope. Crucially, it should state who is responsible for filing with HMRC: a bookkeeper who processes the records is not automatically the agent who files the client's returns, and conflating the two is how a bookkeeper inherits a filing deadline they never agreed to own.

Naming the split protects both sides. The client knows what they must supply and by when; you are protected from liability for errors that flow from records you were never given. The general contract framework this builds on is in freelance contract essentials, and the upstream retainer terms are in the freelance retainer agreement.

Copy-Paste Engagement Letter Checklist

Build the engagement letter with these clauses in the free FreelanceDesk proposal generator, then bill the agreed retainer with the invoice generator.

References

• Article 28 GDPR: Processor, GDPR-info.eu
• What Needs to Be Included in the Contract (Controllers and Processors), ICO
• Money Laundering Regulations: Accountancy Service Provider Registration, GOV.UK
• Anti-Money Laundering, AAT
• AML Guidance, ICB