Trust & Corporate Service Providers

AML and KYC vulnerabilities

Where TCSPs may be vulnerable to AML risk

Regulators have long regarded this as a reality of the nature of TCSPs' work and, as a result, have framed anti-money laundering (AML) and know your customer (KYC) legislation and regulation accordingly.

The rulebook continues to evolve as global authorities seek to tighten the net on criminal activity. This has increased the pressure on TCSPs to put the right structures and processes in place, greatly adding to their compliance burden.

KYC and AML are powerful complements to each other and important elements for TCSPs looking to protect themselves against fraud and financial crime. Both involve verifying the identity and legitimacy of individuals and organisations through rigorous checks. In itself, that makes it harder for criminals to operate. In addition, AML checks help to uncover the money trail, understanding where money comes from and how it’s spent so that organisations can ensure it’s not laundered through them.


The focus on TCSPs from an AML perspective has been gathering pace since at least 2010. This is when the Financial Action Task Force (FATF), the inter-governmental body responsible for setting worldwide AML standards, published a series of recommendations targeting the sector (which were subsequently updated in 2019). At the time, the FATF warned:

“TCSPs have often been used, wittingly or unwittingly, in the conduct of money laundering activities.”

Since then, scrutiny of TCSPs has continued to increase, not least following events such as the leaking of the Panama Papers. These exposed how trusts are often used by corrupt or criminal individuals to launder their money and how professional service providers are sometimes complicit in this activity.

Long before online gaming surged in popularity, live casinos accepted cash payments for chips, which money launderers could then play for a short period before cashing out their money in the form of a legitimate check. Bookmakers and fixed-odds betting terminals afford similar opportunities. 

Recently, bodies including the Solicitors Regulation Authority (SRA) and the Institute of Chartered Accountants in England and Wales (ICAEW) have studied the trust-related work that is performed by their members and concluded that tighter rules were needed.
Meanwhile, in the European Union, the sanctions imposed against Russia following its invasion of Ukraine in early 2022 include specific requirements for TCSPs (see below).

For TCSPs that fail to comply with AML legislation, there is a significant risk of reputational damage and regulatory sanctions, with regulators worldwide imposing fines for breaches. In the Cayman Islands, TCSP Intertrust was recently fined more than $4m for such failings; in Europe, the Maltese TCSP N Trust was issued with a penalty of €95,000.

Against this backdrop, TCSPs, many of which are providing legitimate and important services to clients, must maintain the highest standards of AML compliance.

The stakes are high. Directors and senior managers at TCSPs must recognise they may be personally liable for prosecution and penalty. For example, in the UK, breaches of AML law carry a maximum prison sentence of two years.

It is the nature of the work provided by TCSPs that leaves them especially vulnerable to AML risk.

This includes services such as forming companies and other legal entities, acting as a director or secretary of a company (or as a partner in a partnership), providing a registered office and/or business address, and acting as a trustee or nominee shareholder.

Red flags for money laundering include:

  • The use of a pre-existing entity for a transaction without adequate explanation of the nature of the business. Criminals aim to use well-established structures that are likely to be perceived as less risky from an AML perspective.
  • The use of entities in multiple countries with no obvious connection to the client or the transaction. The aim may be to create additional complexity to obfuscate, and to move money across international borders.
  • The use of entities in jurisdictions regarded as having less exacting rules on transparency and disclosure. Those with more to hide are likely to favour regulatory regimes seen to be less demanding.
  • Actions that disguise the real controlling party of an entity. For example, criminals may use family relationships to create the illusion of separation between the actual controller of assets and the beneficiaries of a trust.
  • The use of entities and structures regarded as particularly lacking in transparency when there is no clear commercial or business case for doing so. This may be a deliberate attempt to secure opacity.

In the UK, any business that provides any service as a TCSP falls within the scope of the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017.

These regulations introduced specific AML responsibilities aimed at a number of key business sectors regarded as being at particular risk of criminal activity, reflecting the Government’s judgement in its National Risk Assessment that TCSPs were “at highest risk of exploitation by criminals”.

As part of this legislation, HM Revenue & Customs has a duty to maintain a register of all relevant persons in the UK that may act as TCSPs, other than those individuals that are registered with the Financial Conduct Authority, the financial services regulator.

In practice, most TCSPs are supervised – for AML compliance and for other regulated activities – by their regulatory bodies, including the accountancy bodies and the legal bodies, or by HMRC itself. As a result, TCSPs must be supervised in order to conduct their business.

The practical effect of the UK’s regulatory approach is to require senior managers at TCSPs to engage seriously with the risk of money laundering.

Firms are expected to show they have taken steps to identify, assess and effectively manage the risks their business faces in this regard – and that they have devoted sufficient resources to AML work. They must also appoint a nominated officer to report suspicious activity to the UK’s National Crime Agency.

In line with other UK regulations, the money laundering regime prescribes a risk-based approach for TCSPs. The detail of the approach each firm takes will therefore depend on its assessment of the risks it faces, with resources focused on the risks it identifies as being the most serious.

As the supervisory authority for the UK’s gaming and gambling industry, the UK Gambling Commission takes primary responsibility for enforcing money laundering regulation in the sector, though in practice, it may work alongside agencies such as the National Crime Agency.  

The Gambling Commission publishes detailed guidance on the approach it takes to regulating both remote and non-remote operators. Its legal framework reflects the FATF’s recommendations for a risk-based approach, which gives organisations some flexibility to devise policies, procedures, and controls that are appropriate to their assessment of the money laundering and terrorist financing risks they face. 


Around the globe


AML regulation for TCSPs in the European Union

The European Union (EU) 5th Anti-Money Laundering Directive (5AMLD), which came into force in January 2020, expanded the scope of AML regulation in areas such as customer due diligence, domestic and politically exposed persons, central registrars of beneficial ownership, and AML checks for majority-owned subsidiaries outside the EU. The 6th Anti-Money Laundering Directive (6AMLD), which came into effect in 2021, underlined these provisions, with which all TCSP businesses must now comply.

Each member state of the EU is responsible for implementing such directives and incorporating the rules within its own national laws. In practice, this means the detail of legislation will vary from one country to another, with some states opting to implement additional AML provisions that go further than the EU legislation.

It is also worth noting that the EU is in the process of creating a single EU-wide Anti Money Laundering Authority (AMLA), which will have direct supervisory powers across the whole bloc. The new AMLA is expected to be operational by 2024 and in its early years will prioritise supervision of sectors regarded as high-risk, which has the potential to include TCSPs.



AML regulation for TCSPs in the US

The United States’ most recent National Strategy for Combating Terrorist and Other Illicit Financing identifies TCSPs as one of several groups “not covered by comprehensive and uniform AML obligations”.

This represents an opportunity for regulatory arbitrage, it warns. However, efforts are being made to close this gap. The US Congress is currently considering the Enablers Act. This would extend the AML requirements introduced by the Bank Secrecy Act more than 50 years ago to professional service providers, including lawyers and accountants, third-party payment services, and people who form or register companies or trusts.


Complying with sanctions

In addition to AML regulation, all organisations are required to comply with financial sanctions imposed by the jurisdictions in which they operate to cover specific individuals or corporate entities. Such sanctions may prohibit any dealings with those named, or restrict business activities to those that are permissible.

The number of these sanctions has increased significantly as the international community has targeted Russia and Russian entities following its invasion of Ukraine. TCSPs may find sanctions difficult to deal with. It is likely that most or all of the services they provide will be prohibited under most sanctions. TCSPs that lack proper visibility of the parties and entities they are working for risk breaching sanctions inadvertently.

In addition, sanctions introduced in different jurisdictions against the same parties may be subtly different and may apply more broadly than is immediately obvious. For example, the EU’s sanctions against Russia apply to EU TCSPs, but also to non-EU providers that conduct business in the EU, and those that have an EU person working for them.

Compliance with AML regulation

The UK Government has published extensive guidance on what is required of TCSPs for AML compliance, with further information available from individual supervisory bodies. The guidance sets out both what is required by law and what is regarded as best practice.

In addition, individual supervisory bodies provide guidance on what they regard as higher-risk aspects of TCSP work. For example, work provided in conjunction with other financial, legal or accountancy services is perceived to be more risky.

For example, forming a company may not in itself constitute a high AML risk, but where the company is formed to receive funds from a property transaction, the risk would escalate.

Similarly, TCSPs focused only on domestic clients operating solely in the UK are regarded as less risky than those with an international client base, since money launderers often seek to move money from one jurisdiction to another.

Nevertheless, all TCSPs are expected to comply with a broad set of duties. The firm’s senior managers are responsible for ensuring these duties are discharged in accordance with legislation.




Customer due diligence

TCSPs must carry out due diligence on all new clients. The requirement is to “know your customer”, which requires identity checks to be made in order to verify that the customer is who they say they are.

In practice, firms may take a risk-based approach; more basic checks will be acceptable for customers assessed as low-risk, but there must be a policy in place to make that assessment. Note that customer due diligence duties do not end after the first checks are completed; relationships must be monitored on an ongoing basis.




Enhanced customer due diligence

Clients assessed as higher risk must be subjected to enhanced due diligence requirements. Examples include clients from a high-risk country identified by the UK Treasury, the EU, or the FATF; where the customer or transaction is identified as posing a high risk of money laundering or terrorist financing; or where a transaction is complex or unusual in some way.

In these cases, TCSPs must do more to verify the identity of the customer, and to scrutinise the source of their wealth. This might include asking for additional evidence of identity, including corroboration from independent sources, seeking expert validation of identity, and making extra financial checks.




PEP screening

Politically exposed persons (PEPs) are individuals (and their close associates, including family members) who may be more susceptible to being involved in bribery or corruption because they hold a prominent position or influence.

TCSPs must make efforts to identify PEPs during onboarding processes; in such cases they must then make enhanced AML checks.

Upon the identification of a PEP, a senior manager at the company must give their approval before a business relationship is established with the customer. There are also requirements to conduct enhanced ongoing monitoring of any continuing business relationships. The FCA publishes guidance on how to identify and treat PEPs, their family members and their associates.



Beneficial owners

Beneficial owners are individuals who ultimately own or control the client, or on whose behalf a transaction or activity takes place. AML regulation requires TCSPs to identify the existence of any beneficial owners when working with clients and to take reasonable steps to verify the identity of these owners. If the firm’s client is a trust or another TCSP acting for a beneficial owner, it must take steps to identify this individual too.




Sanctions screening

New clients may be subject to specific sanctions and export controls themselves or have links to individuals and countries that have been targeted. Existing clients may also become subject to sanctions over time. TCSPs therefore need to make checks relating to this issue, bearing in mind that sanctions may be in force from both individual countries, such as the UK, and supranational bodies such as the EU.

The Office of Financial Sanctions Implementation offers extensive advice on sanctions and related issues, while the EU publishes similar advice.




Suspicious activity reports

The UK’s Proceeds of Crime Act requires the reporting of suspicious activity to the National Crime Agency. TCSPs must appoint a nominated officer who is responsible for making such reports, and train staff on what might constitute suspicious activity in the context of the business.

In practice, suspicious activity is anything that gives rise to the fear that an entity or transaction is in some way connected to criminal or terrorist activity. Even where TCSPs have no knowledge of the nature of the crime, they must still report activity that cannot be properly explained by the client.


The role of technology

Manual approaches to AML and KYC compliance are increasingly impractical. The workload is simply too onerous, putting TCSPs at risk of regulatory sanction and reputational damage in the event that staff make mistakes or overlook problem cases. For this reason, technologies that harness tools such as automation and machine learning are increasingly important to AML compliance.

Automating AML and KYC processes provides comfort that activities such as screening and monitoring can take place quickly and accurately, reducing the risk of a compliance failure. There is also an opportunity to leverage external data sources in order to strengthen compliance even further.

Another advantage of using such tools is they automatically create an audit trail, providing the business with a means through which to account for their actions to regulators and other stakeholders. Together, AML and KYC are necessary requirements to effectively manage the end-to-end customer lifecycle.


Until now, compliance has been a barrier to business - it’s made doing business slower and more difficult by creating friction through clunky processes, siloed data and human error. The opportunity now exists for organisations to outperform commercially through the way they comply. Compliance has evolved from being a barrier to becoming a major point of difference in how businesses accelerate time to revenue, increase profitability and improve customer experience.

Our Customer Lifecycle Management SaaS Platform takes care of all aspects, from creating the right first impression with rapid risk-based onboarding, through to award-winning screening and KYC refresh that enable your business to:

  • Realise massive operational efficiencies

  • Achieve rapid ROI through the speedy deployment of our no-code solutions and

  • Master complexity with solutions that evolve as regulations change

All at the same time as delivering even higher levels of compliance assurance.