ECSH52150 - Trust or Company Service Providers (General) - What would you expect to see on a visit

ECSH52150 Trust or Company Service Providers (TCSP) (General) - Compliance Visit Overview

Visits to TCSPs, regardless of the specific TCSP services they provide, will share many similarities with each other.

Additional information regarding what you would expect to see at a visit regarding specific TCSP services follows in sections ECSH52175 to ECSH52325 and compliments this page of the Handbook.

Who you will be visiting?

Over 27,000 UK businesses provide one or more TCSP service. The TCSP population encompasses all sizes of business, from large international companies to sole owner-managed businesses. Despite size, the businesses share many similarities. For example, almost all of them have their own website clearly advertising the products/services on offer and customers are often a mixture of direct and intermediaries (i.e. other professionals).  

Where the visit will be?

A visit to a smaller TCSP is likely to involve either a visit to a small office or to a private house; many sole practitioners trade from a spare room or study in their home set aside for this purpose. Medium or large firms will typically have their own premises, with few trading from more than one business premises. Many TCSPs are based in London. Using a central London address can be attractive to add credibility, but it will give access to other services such as meeting rooms. Many regional businesses want to give the impression that they have a country-wide reach and use virtual office addresses to create a presence in the capital, and other major cities. Generally, one TCSP will be used to provide addresses in different locations, and we expect the TCSP to assess if this service presents any money laundering and terrorist/proliferation financing (ML/TF/PF) risks.     

When do TCSPs operate?

TCSPs will typically operate during standard office hours on weekdays.

How are TCSP customers engaged?

TCSPs are usually approached by customerswho will ask them to carry out work. Services are often advertised online via their own websites or in printed media. Whilst TCSPs will have at least one premises, services provided are often offered through online platforms or intermediaries which reduces the TCSP’s face-to-face contact with customers. Some TCSPs may not have any in-person dealings with their customers.

Where do TCSPs customers live?

The customersof a TCSP can be geographically spread due to the variety of services they offer. As mentioned above, a TCSP providing a registered office services may be based in London, while having a customer base across the UK. It is also important to note that a TCSP will be attractive to foreign individuals and entities for access to the UK market, via firm formations or registered office addresses, for example. It’s likely a number of customers will be based outside the UK, and therefore the TCSP must ensure an appropriate assessment has been carried out of the risk that this poses, and effective PCPs are established and maintained to manage and mitigate any possible threat of exploitation.

What type of records are kept?

It is usual for a TCSP to maintain a file for each of their customers which will record basic information such as names, addresses and phone numbers.

This file may also contain the working papers relating to the customer and the services the TCSP is carrying out for them. Depending on the sophistication of the TCSP and the accounting procedures at their customer’s business these records may be held wholly or in part in computerised form. Where there are physical records, these may be stored onsite with older records stored in archives at other locations.

Records of customer due diligence measures applied to the customer at the outset of the business relationship, the TCSPs risk assessment of that customer and any ongoing monitoring records, must be kept. They may be held alongside or separate to these working papers. The Money Laundering Regulations 2017 (MLR 2017) do not specify the medium in which records should be kept, but they must be readily retrievable.

As covered in ECSH52100 What’s unique about visits to TCSPs the level of access a TCSP has to their customer’s business records and transactions, and as such into their financial and business affairs, depends on the services they are providing. This means the records they hold for customers will vary depending on the services offered. Some TCSP services, such as nominee director services, may attract sight of a customer’s bank accounts, and/or primary records, contributing to a ‘full picture’ of a customer’s affairs. Some services, such as firm formation or mail forwarding, will not provide the TCSP sight of transactions or financial affairs. However, the TCSP is still required under Regulation 28 to carry out ongoing monitoring to understand if the service provided is consistent with the customer’s profile and initial request, for example if there has been a significant increase in mail volume or formation requests.

What types of systems and software do TCSPs use?

Most TCSPs will have some computerised records.

Software is available that can be used to support tasks a TCSP may undertake, for example store and manage records, customer relationship management systems (CRMs). There are also systems which are marketed as aiding business’ compliance with MLR 2017 obligations.

Any business using computerised records will typically have a backup process, so that records can be retrieved in the event of a data loss. This may be cloud-based or the TCSP may have physical hard drives.

Some TCSPs will utilise e-verification software as part of their customer due diligence (CDD) measures, with the type and extent of checks completed by these software variable – often they are offered with a tiered pricing structure, with the price to the TCSP increasing alongside the number of checks. The use of any software/system which aids an TCSP with their CDD, record keeping and/or any other of their obligations under MLR 2017 should be fully understood by the TCSP, including its limitations, and the TCSP should be able to explain this to a compliance officer on a visit.  Demonstrations of relevant systems and how they are used to support MLR 2017 compliance can help officers gather information during visits.

Any failures or limitations of the systems or software a TCSP uses to assist them in complying with MLR 2017 remain the responsibility of the TCSP. For example, a TCSP chooses to use an e-verification software to conduct checks on its customers, but that software might not keep records of those checks. The TCSP should be aware of this limitation when considering the use of the software, and then must establish a process for the records of those checks to be kept. 

At a compliance visit, an officer should seek to understand all TCSP services (relevant activity) conducted by the TCSP, how the TCSP has risk assessed each service alone and in combination, and how it manages and mitigates those risks.

Record testing should span all of the TCSP services provided. For example, where a TCSP provides formation and trustee services, records should be selected where formation services have been provided, where trustee services have been provided, and where both services have been provided together.

Where the TCSP also carries out relevant activity in another supervised sector, an officer should seek to understand the business’s compliance with the MLRs in respect of that additional sector(s). Record testing should span all sectors of relevant services provided by the business, including where provided in combination.

General money laundering, terrorist financing and proliferation financing risks for TCSPs can be found at ECSH52125 General Risks in the TCSP Sector.  At a compliance visit, TCSPs should be expected to provide an explanation for any departure from published guidance.