Understanding risks and taking action for Trust or Company Service Providers
Updated 8 October 2021
© Crown copyright 2021
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/understanding-risks-and-taking-action-for-trust-or-company-service-providers/understanding-risks-and-taking-action-for-trust-or-company-service-providers
National risk assessment
The National Risk Assessment 2020 assessed Trust or Company Service Providers (TCSP) as posing a high risk, with that risk increasing when provided with other financial, legal or accountancy services.
TCSPs are assessed as a low for terrorist financing.
HMRC-supervised TCSPs do not normally provide financial or legal services. Many will supply only one or two regulated TCSP services, including those who are mainly accountancy service providers, but these will generally be small localised businesses and, overall, we assess our supervised population as medium risk.
The range of services offered by the businesses HMRC supervises can include higher and lower risk activities. The overall risk increases when TCSP services are provided with other financial, legal or accountancy services. It is important that businesses understand and properly appraise the risk presented by each business activity, customer or class of customer and properly reflect this in their risk assessment.
HMRC expects a risk assessment to be more than a ‘tick box’ approach; it should reflect the business’s customer base and the nature of the services that the business provides and counter any risk that its services could be exploited for money laundering, and/or terrorist financing purposes.
It is also important that a business puts in place policies, controls and procedures to assess and address the varying level of risks presented. TCSPs must identify who their customers and beneficial owners are, and what levels of due diligence are appropriate. Policies, controls and procedures should document the business’ approach when dealing with intermediaries and when placing reliance on third parties or accepting due diligence undertaken by others.
Risk characteristics
Note that brief comments appear in the table and that more substantive comments follow the table. TCSP services provided singularly may be indicative of a lower risk, than requests for multiple services.
| TCSP Activity | Higher risk characteristics | Lower risk characteristics | Comment |
|---|---|---|---|
| Company formation | Wholesale type sales; sale of ready-made off the shelf companies; supply to off-shore intermediaries | Retail sale to UK-based owner-managers; formation to order; supply to UK intermediaries | Company only supply, unconnected to other TCSPs services. |
| Director services | Confidentiality to protect identity of actual owner or controlling interests; acting for multiple companies with common owners | Used as an administrative tool acting until all legal requirements are completed and the company is handed to the customer; neutral party to provide separation from interested parties, say, during merger negotiations. | Acting as or providing someone to act as what is commonly known as a ‘nominee director’. It is technically not possible to act as a nominee director as legal responsibility sits with the named director. |
| Company secretarial services | Services to companies with non-UK beneficial owners. | Provision of services to Public Limited Companies (PLCs); provision of services to large private companies with multiple shareholders/subsidiaries, and so on | A company secretary is responsible for the statutory compliance obligations of a corporate entity. |
| Shareholder services | Providing a degree of confidentiality to the actual owner or controlling interest of the company | Administrative purposes during the formation period and transferred when sold; management purposes – investment houses and stock brokers may hold shares for discretionary portfolios. | Shareholder service providers act as or provide for someone to act as a nominee. |
| Virtual office provision | Minimal face-to-face contact; regular forwarding of large volumes of mail; multiple addresses supplied to same and or connected businesses. supply to off-shore intermediaries | Regular contact with customer(s), physical collection of mail by known person(s); sole contact address; uses premises for meetings with clients. | The service involves the provision of an official address for a company or other legal entity. |
| Trust services | Where settlor, beneficiary or other person(s) have significant control over the assets and or income of the trust; when the source of the trust funds is not clear. | Operate independently of the settlor; services to low risk trusts when source of funds is clear, disabled persons, life interest, charities, share schemes and company pension funds. | This relates to the provision of professional trustees. |
| Multiple services | When a company is relying on a TCSP to provide multiple services as a long-term arrangement with little commercial basis, or a TCSP is being used to place layers between the company and the beneficial owners, and or is providing services to offshore beneficial owners and or intermediaries. | Short-term arrangements while management structures are put in place, providing services to UK-based owner-managed businesses. | This will include forming a company or other legal entity, supplying a registered address, mail forwarding, director and nominee services. |
Company formation agents: further comment
A company formation agent is a business involved in the supply of the service of forming companies for, and/or selling formed companies to customers.
Where a formation agent is forming companies for UK-based owner managers and established professionals, they may judge this to be low risk. However, the supply of a large number of companies at the same time, or in close succession, may be indicative of a higher level of risk.
The companies may be being used to open a large number of bank accounts across different jurisdictions to facilitate the movement of funds.
Requests for ‘aged’ companies, as opposed to newly formed companies, may indicate that they are required to give the impression of an established business that may be used for fraudulent purposes (this risk may have increased as a result of the Covid 19 pandemic).
When providing UK entities for offshore intermediaries, consideration should be given to the location of the intermediary, the frequency of the requests and the commercial purpose of the structures being formed.
Director services: further comment
If being asked to provide director services for a prolonged period of time, not just during the formation period or during a period of change, a service provider will need to be satisfied they know on whose behalf they are acting – who the beneficial owner of the business is.
Service providers should have an understanding of the business they are providing the service to and satisfy themselves that any transactions that they are required to approve as a director are commercially sound and legitimate.
Whilst there may be legitimate reasons why a beneficial owner of a business may want to remain anonymous it can also be part of a process to disguise misuse of funds. There is also a risk that a disqualified director may use another person to act in their place.
As part of your risk assessment you may want to check Companies House’s list of disqualified directors to protect your business from accusations of acting as a ‘sham’ director.
Providing director services for multiple companies with common owners may present a risk in that the beneficial owners may not wish their business relationships to be open to scrutiny.
Company secretarial services: further comment
While the requirement for UK companies to have a Company Secretary has been removed for the majority of companies, and those that do require one or decide to appoint one will generally fall into a low risk category, some jurisdictions still require one.
If asked to provide a company secretarial service to a non-UK-based entity, a service provider would need to consider if it was competent to provide such a service. It would also need to consider what risks arise from not having a locally-based Company Secretary and issues arising because of the jurisdiction where the entity is based.
Shareholder service providers: further comment
If being asked to act as a nominee shareholder for a prolonged period of time, not just during the formation period or for management purposes a service provider will need to be satisfied they know on whose behalf they are holding the shares – who is the beneficial owner of the business.
While there may be legitimate reasons why a beneficial owner of a business may want to remain anonymous, it can also be part of a process to disguise misuse of funds.
Providing shareholder services for multiple companies with common owners may present a risk in that the beneficial owners may not wish their business relationships to be open to scrutiny.
In providing such services you need to have awareness of local reporting requirements in the jurisdiction where the company is resident, for example, the register of persons with significant control in the U.K.
Virtual office providers: further comment
The provision of office services to a business that does not maintain a physical presence at your premises can present a number of risks to your business. It is important that you establish an appropriate risk assessment to monitor and differentiate between the provision of services that are out of scope of the regulations, for example the letting of physical office space where the user is in regular attendance and can be easily contacted and where the user is not in regular attendance and therefore cannot necessarily be easily contacted.
From a risk perspective if you are providing a virtual office service to a local resident who operates a peripatetic business, is known to you and regularly collects post in person, this is a lower risk, than, providing a service to a business where the owners are not known to you, are not local, do not regularly collect their post or the person collecting the post regularly changes. This risk may be increased if you are supplying this service to a non-U.K. based intermediary.
If the business is operated or owned by a non-UK resident company or person you may need to consider what risk that presents and what is the appropriate level of due diligence in these circumstances.
If you are receiving large volumes of mail for a customer, do you have enough knowledge to judge if this is to be expected for this kind of business, for example mail order services? Virtual office addresses can be used in investment frauds particularly those that are promoted with long term returns.
If you are being asked to supply multiple addresses to the same or connected businesses, does your risk assessment measure if this request has a commercial basis? Use of multiple addresses can be used create an impression that a business is more substantial than it is, or to create an impression that their customers are dealing with a company with a local presence.
If you also supply serviced office space, do your risk assessment and policies, controls and procedures recognise the risk of this service effectively becoming a virtual service and therefore falling within the provision of the regulations?
For example if a customer enters a serviced office agreement, i.e. wishes to operate their business wholly or in part from your premises, but it becomes apparent that they are not utilising the premises for normal business purposes or they only use it for a short period and then effectively use it as a mailbox, either collecting mail or having it forwarded.
The risk for you is that they entered a Serviced Office agreement to avoid due diligence checks. Best practice would be to apply appropriate due diligence checks to everyone who has access to your premises.
Your policies, controls and procedures should state that, if the service you are providing changes, you must monitor the use of the premises by your customers that you can recognise that change and assess and record the risk it presents. It is known that in the early days of certain types of investment fraud there is a great deal of activity, which then lessens, and the perpetrators reduce their presence.
Similar risks may have arisen as a result of the Covid 19 pandemic and the possible abuse of employee support and bounce back loans schemes by criminals. Any changes in the behaviour of customers that requested services during this period, for example, moving from the occupation of physical space to a virtual service or less frequent collection of mail should be monitored carefully.
Trust service providers: further comment
There is little evidence of UK trusts being used for money laundering or terrorist financing purposes, though there is some evidence of offshore trusts being used for money laundering purposes.
Professional Trustees must assess the extent to which they are free to act in the best interest of the beneficiaries and without undue influence of the settlor or other third party.
They should have proper oversight of the assets to prevent bank accounts etc being used for non-trust purposes. If acting as the professional trustee of a charity, while generally low risk, appropriate measures should be in place to confirm the nature and purpose of the charity, and if a newly established charity, evidence that it can meet its objectives, the source and control of its funds and that appropriate decision-making processes are in place.
Multi-service providers: further comment
Whilst it is fairly common for the same TCSP to form a company and provide a registered address for the company, the more services it is asked to provide the higher the level of risk.
If a beneficial owner is seeking to use you to provide a range of services that distances them from the legal entity, your risk assessment needs to reflect the increased level of risk that this may bring. The risk presented by the provision of each service needs to be assessed as well as the risk associated providing multiple services.
If there is no apparent commercial basis for the structures and services you are providing, particularly if opaque structures are being used to prevent identification of the ultimate owner then this may be indicative of corruption or money laundering.
The risk may significantly increase if you are asked to supply multiple services, on the instructions of non-UK based intermediaries, to their customers. It is important, in these circumstances, that you assess the risk to your business of providing services, taking into account the locations of the intermediaries, their customers and the beneficial owners and the nature of any entities being provided, and services required.
Your policies, controls and procedures should set out what is required in terms of customer due diligence and ongoing monitoring for both the intermediaries and their customers.