ECSH52325 - Compliance checks at a Trust or Company Service Provider (TCSP) visit

Compliance checks at a trust or company service provider (TCSP) visit

You should refer to ECSH32000 - How we check compliance when considering how to test compliance with the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) at a compliance visit. The information below is supplementary and focuses on specific circumstances you may come across at a TCSP. 

At a compliance visit, an officer should seek to understand all TCSP services (relevant activity) conducted by the TCSP, how the TCSP has risk assessed each service alone and in combination, and how it manages and mitigates those risks.

Record testing should span all of the TCSP services provided. For example, where a TCSP provides formation and trustee services, records should be selected where formation services have been provided, where trustee services have been provided, and where both services have been provided together.

Where the TCSP also carries out relevant activity in another supervised sector, an officer should seek to understand the business’s compliance with the MLRs in respect of that additional sector(s). Record testing should span all sectors of relevant services provided by the business, including where provided in combination.

General money laundering, terrorist financing and proliferation financing risks for TCSPs can be found at ECSH52125 - General risks in the trust or company service providers (TCSP) sector.

At a compliance visit, TCSPs should be expected to provide an explanation for any departure from published guidance.

HMRC’s guidance for TCSPs gives information to assist TCSPs in complying with their obligations under the MLR 2017. 

HMRC’s assessment of the risks relevant to the TCSP sector (‘Understanding Risk and Taking Action for TCSPs’). HMRC is required to publish its risk assessment by Regulation 17(9).

TCSPs must take these publications into consideration as part of their compliance obligations under the Regulations. An AML compliance visit to a TCSP should therefore include establishing whether and to what extent the TCSP has considered these publications and followed their guidance. TCSPs should be expected to provide a credible explanation for any departure from this guidance.

Generic Risk Assessment (RA) and/or Policy, Controls and Procedures (PCPs) documents

You may find that a TCSP has purchased RA and/or PCP documents from one of a number of firms that produce these for the TCSP sector. These may be given to you by the TCSP in an attempt to evidence their compliance with the MLR 2017. However, the MLRs require risk assessments to be tailored to the specific business, and some of these generic risk assessments may not be tailored to the individual circumstances of the ASP and may therefore be inappropriate. For more information on checking RAs and PCPs see ECSH32625 - Visits to a HMRC Large Business and ECSH 32650 - Pre-registration intervention.

Customer Due Diligence (CDD)

Regulation 28 MLR 2017 sets out the requirements for customer due diligence checks. Section 4 of the TCSP guidance provides detailed information on the specific checks that a business should consider implementing to demonstrate that satisfactory CDD and Enhanced Due Diligence (EDD) measures are in place. EDD measures and requirements are set out in Regulation 33.

HMRC’s ‘Understanding Risk and Taking Action for TCSPs’ includes non-exhaustive lists of potential risk factors for TCSPs to consider when determining appropriate risk-based CDD measures.

Suspicious Activity Reports (SARs)

TCSPs are required under Part 7 of the Proceeds of Crime Act 2002 (POCA) and the Terrorism Act 2000 to submit a SAR in respect of information that comes to them in the course of their business if they know or suspect, or have reasonable grounds for knowing or suspecting, that a person is engaged in, or attempting, money laundering or terrorist financing. The MLRs require a TCSP to have appropriate PCPs in place that will enable the submission of SARs to the National Crime Agency (NCA).

Regulation 66 MLR 2017 gives supervisors, including HMRC, power to require a TCSP to provide a copy of any SAR the TCSP has made to the NCA.

Discrepancy Reporting 

Regulation 30A of the MLR 2017 requires TCSPs to report material discrepancies regarding their customers to Companies House. A material discrepancy is when the information a TCSP holds on a customer is significantly different to the information recorded by Companies House about people with significant control (PSC) of a company, or a registrable beneficial owner of an overseas entity. A significant difference could be, for example, a difference in the name, date of birth or nationality of a PSC.

Detailed information can be found at: Report a discrepancy about a PSC or a registrable beneficial owner. 

Training

Where the TCSP has employees, the TCSP should be assessed for compliance with the training obligations under regulation 24. You may find that a TCSP has purchased training material from one of a number of firms that either produce it for the TCSP sector or produce generic Anti-Money Laundering (AML) training. In all cases, the training provided to staff of a TCSP must be recorded. Training must include how the TCSP has made their employees aware of MLR 2017 and data protection laws, and be appropriate for employees to be able to recognise and deal with transactions/activities/situations which may be related to money laundering or terrorist/proliferation financing.

Records

Regulation 66 MLR 2017 gives officers of HMRC the authority to request sight of any documents that they consider necessary for them to test whether a TCSP has put in place the necessary policies and procedures to comply with its obligations under the MLR 2017, provided that the request is reasonable.

In some circumstances, it may be necessary to ask to see the TCSP’s working papers. Working papers is a general term referring to the documents/records that a TCSP uses or creates in the course of their work for a client. The working papers support their professional judgement for the actions they took in providing the TCSP services to that client. For example, a TCSP might claim that as part of their risk assessment of a customer they carried out a review of that customer’s banking records, to consider whether the flow of funds through that customer’s business is consistent with what the TCSP understands about the customer’s business model. It would be reasonable for an officer to ask to see that review to verify this risk assessment process, as the request is relevant to the officer assessing the TCSP’s compliance with the MLR 2017.

It is reasonable in all cases, however, to ask to see evidence that the TCSP has taken action to identify and then verify the identity of the customer as part of their CDD measures. Where the TCSP has written AML policy documents, risk assessment documents and spreadsheets compiled for ongoing monitoring purposes, these should be inspected.

General Data Protection Regulations (GDPR)

A TCSP may be concerned that keeping records relating to its customers for the periods and purpose specified in the MLR 2017, or sharing records during a compliance visit, may breach its concurrent GDPR obligations. The excuse of 'breaching GDPR' can be countered by reference to Regulation 72 MLR 2017. Regulation 72(2) and (3) provide that a business’s compliance in providing information pursuant to regulations 66, 69, 70, 74A or 74B does not carry with it a civil liability for breaching GDPR obligations, nor does that provision of information automatically breach restrictions on the disclosure of information.