Anti-money laundering guidance for the legal sector: trust or company service providers
The anti-money laundering (AML) guidance for the legal sector is designed to support legal professionals and firms in complying with the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017.
The guidance is issued by the Legal Sector Affinity Group (LSAG) and has two parts:
- part one: anti-money laundering guidance for the legal sector
- part two: specific anti-money laundering guidance for
- barristers/advocates (2a)
- trust or company service providers (2b)
- notaries (2c)
This is one of three part two sections.
Part two is intended to provide more tailored AML guidance for specific types of legal practices or practitioners or those providing certain services.
2b and 2c are to be read alongside part one of the guidance. 2a is designed to be read independently of part one.
Browse the interactive guidance below or download a PDF version.
The content of part 2b is only relevant for legal practices and practitioners who act as trust or company service providers (TCSPs) as defined in regulation 12(2) of the Money Laundering Regulations 2017.
Legal practices and practitioners who do not act as TCSPs should refer to part one of the LSAG guidance (along with parts 2a and 2c should they work as a barrister, advocate or notary).
This draft guidance replaces previous guidance and good practice information on complying with AML/counter-terrorist financing (CTF) obligations.
The authors will aim to keep this guidance up to date with new legislation as it comes into force, but this guidance cannot be regarded as a definitive statement of the law or of the effect of the law, and does not comprise, and should not be relied on as giving, legal advice.
It has been prepared in good faith, but neither the legal sector supervisors nor any of the individuals responsible for or involved in its preparation accept any legal responsibility or liability for anything done in reliance on it.
Legal professionals acting as TCSPs are not required to follow this guidance.
However, relevant AML supervisors will consider whether they have complied with this guidance when undertaking their role as regulators of professional conduct, and as supervisory authorities for the purposes of the Money Laundering Regulations 2017.
You may be asked by your regulatory body to justify a decision to deviate from this guidance.
Some independent legal professionals are authorised and regulated by the Financial Conduct Authority (FCA) because they are involved in mainstream regulated activities, for example, advising clients directly on investments such as stocks and shares. Those professionals should also consider the Joint Money Laundering Steering Group's guidance.
This guidance has been submitted to HM Treasury for approval.
In accordance with sections 330(8) and 331(7) of the Proceeds of Crime Act 2002, section 21A(6) of the Terrorism Act 2000, and regulation 86(2)(b) of the Money Laundering Regulations 2017, the court is required to consider compliance with this guidance in assessing whether a person committed an offence or took all reasonable steps and exercised all due diligence to avoid committing the offence.
This section offers guidance for those acting as trust or company service providers (TCSPs):
- client due diligence and risk assessment
- assisting entities with statutory documentation
- provision of an officer to an entity
- legal entity formation
- HMRC TCSP register
- practice-wide risk assessment
- horizon scanning
- provision of a registered office
- single alternative inspection location (SAIL) address and an administrative/correspondence address
- AML risks in TCSP work
Regulation 12(2) defines the broad range of trust or company services:
"(2) In these Regulations, “trust or company service provider” means a firm or sole practitioner who by way of business provides any of the following services to other persons, when that firm or practitioner is providing such services—
(a) forming companies or other legal persons;
(b) acting, or arranging for another person to act—
(i) as a director or secretary of a company;
(ii) as a partner of a partnership; or
(iii) in a similar capacity in relation to other legal persons;
(c) providing a registered office, business address, correspondence or administrative address or other related services for a company, partnership or any other legal person or legal arrangement;
(d) acting, or arranging for another person to act, as—
(i) a trustee of an express trust or similar legal arrangement; or
(ii) a nominee shareholder for a person other than a company whose securities are listed on a regulated market."
Regulation 28(12) requires all relevant persons to conduct a client level risk assessment when offering services within scope of the regulations.
The assessment should ensure that it captures the client’s reason for engaging a particular service as well as details of those who may exercise management and control of the entity or arrangement and any structures associated with the entity or arrangement.
The assessment should include, where applicable, details of how the entity or arrangement is or has been funded. See part one, paragraphs 5.10 and 5.11 for further guidance.
When conducting client due diligence, all practices must ensure that they identify and verify the entity and its principals (as per regulation 28(3)). Principals mean any natural or non-natural person who exercises management or control over an entity. This includes directors, shareholders, authorised signatories, trustees, beneficiaries, protectors, etc.
You should (on a risk-sensitive basis) establish the trading location and jurisdictions of activity of the entity as well as its activities.
Regulation 28(9) states that registers of people of significant control held at Companies House cannot be used solely to verify beneficial ownership. See part one, paragraph 6.14.1 for further guidance.
While the regulations do not place the same limitations on the information held at Companies House for directors, practices should take a risk-based approach when considering such information.
Should a client engage your practice to assist with, for example, writing bespoke memoranda and articles of association or share allocations or transfers, you are obliged to conduct client due diligence on that entity.
This includes conducting a client risk assessment and, when dealing with share transfers, you should ensure that you conduct source of funds and/or source of wealth checks where applicable.
See part one of the LSAG guidance, paragraph 6.17 for further information on source of funds/source of wealth checks.
The provision of an officer to a legal entity is a regulated activity as defined in regulation 12(2). The practice should be able to demonstrate their involvement in an entity when requested to do so.
Officers include –
- director, or as a partner of a partnership
- shadow director, as defined in section 25(1) of the Companies Act 2006
- nominee shareholder
When providing an officer to an entity, be that as a natural or non-natural person , practices must perform appropriate and effective due diligence on the entity. See part one, paragraph 6.14.1 for further guidance.
The risk assessment should clearly detail the rationale for engaging the practice to provide a director.
When providing a director to a company the practice should be able to evidence, when requested, their role in the management of the company. This could take the form of, but is not limited to, minutes and resolutions of meetings, agendas, contracts, agreements and financial statements tabled at meetings.
There is no legal requirement for a UK incorporated company to appoint a secretary and the duties that come with the role are not prescribed.
Where you do provide a secretary to a client the duties and responsibilities entailed of the position must be agreed and clearly documented by both parties. This could be in the letter of engagement/terms of business issued to the client.
The same principles and obligations apply as listed above, including the rationale for agreeing to act as nominee shareholder.
Additionally, the nominee shareholding agreement/declaration of trust should evidence the nominee’s obligations for and on behalf of the client.
Evidence of the nominee shareholder’s role as well as copies of the communications between the nominee and beneficial owner (that is the person(s) who exercise ultimate control over the shareholding) should be held.
The letter of engagement/terms of business issued to and agreed by the client should clearly define the officer’s duties, roles and responsibilities. In addition, it should define the obligations placed on the client to comply with requests for updates when material changes occur.
Given the nature of trust or company services provision, practices must periodically review the relationship with the client in order to establish and document any material changes to the information and due diligence held on file, in accordance with the provisions of regulation 28(11).
The rationale and purpose for carrying out this service should be documented in the risk assessment you are obliged to conduct.
The risk assessment should determine the level of due diligence applied to mitigate any risks identified in that assessment.
If you are not providing further in scope services to the entity once the entity is formed, your obligations under the regulations will cease once the entity is formed.
However, in order to ensure that an entity you are forming will be used legitimately you should consider identifying and verifying the following:
- those persons, natural and non-natural, who will manage the company, for example, its directors
- those who will control the company (its shareholders) and
- any ultimate beneficial owner(s)
- the proposed activity and jurisdictions of activity of the company
- the source of funds and/or wealth to fund the entity
The regulations do not place any obligations on practices to monitor the entity on an ongoing basis if the practice has no further involvement in its administration or management.
However, you are obliged under regulation 40(2) to maintain records of all due diligence conducted for the prescribed period of five years pursuant to regulation 40(3). See part one, paragraph 10 for further guidance.
Pursuant to regulation 56, a practice or sole practitioner must not act as trust or company service provider unless they are listed on the TCSP register established and maintained by HM Revenue and Customs (HMRC).
Your professional body supervisor may have a memorandum of understanding with HMRC whereby they update the register on behalf of practices and sole practitioners.
Further information will be available directly from your supervisor.
As with all products and services in scope of the regulations, the practice must consider and risk assess the trust or company services it may provide to clients.
See part one of the LSAG guidance, paragraph 5 for further information.
In addition to training requirements as set out in regulation 24 and part one, paragraph 8, relevant staff should possess appropriate levels of skill, experience and knowledge when executing their roles in scope of the regulations, which includes trust or company services provision.
In addition to their obligations to comply with the regulations, there are other key pieces of legislation that relevant persons must be familiar with when it impacts on the services provided, for example:
- Companies Act 2006, Trusts (Scotland) Act 1921, Trustee Act 2000 and other UK legislation such as the Proceeds of Crime Act 2002 and Criminal Finances Act 2017
- non-UK legislation – what are the requirements of other jurisdictions? For example, duties of a secretary may vary between jurisdictions
Relevant staff must be made aware of the products and services in scope of the regulations so that they do not inadvertently (or otherwise) offer and deliver services to a client and not perform due diligence as required by the regulations.
Practices should keep themselves abreast of changes to the obligations and expectations when dealing with, for example, Companies House and HMRC when submitting statutory returns and planned filings.
For example, should a practice identify material discrepancies between the CDD information they have collected at onboarding, and the information held at Companies House, they must inform Companies House.
In addition to the obligations under the regulations, practices also have statutory obligations under the Companies Act to comply with.
In addition to holding the certificate of incorporation, and the memorandum and articles of association, when providing a registered office service, practices must hold the following for public inspection as laid out in the Companies Act, registers of:
- directors (section 162)
- directors’ usual residential address (section 165)
- secretaries, where applicable (section 275)
- members (shareholders) (section 114)
- persons of significant control (section 790M)
You should hold a register of authorised signatories (to determine who can act on behalf of the entity).
The Companies Act also states that the following documentation must be held at the registered office:
- copies of minutes and resolutions (section 358)
- copies of contracts and agreements (section 228)
- register of qualifying indemnity provisions (section 237)
- register of interests (section 809)
Practices are reminded of a company’s duty to notify the registrar of changes to the registers of directors, secretaries, members and persons of significant control within 14 days.
Where a practice is not responsible for updating the information contained in the registers with Companies House, they should ensure that the client informs the practice of those changes in a timely manner and that the registers held are updated.
Where applicable, the practices must update the due diligence held on the individuals pursuant to regulation 28.
A SAIL address is where a legal entity may choose to keep its statutory records and make them available for public inspection, pursuant to section 1136 of the Companies Act 2006.
Entities that resolve to have a SAIL address must inform Companies House and register the details using the prescribed form AD02.
In addition, they must also state the records to be held at the new address by filing form AD03.
Practices should hold copies of the forms on file to evidence that the client has a SAIL address and be able to evidence the same to their supervisor when requested to do so.
Should a client engage your practice to provide a SAIL address (normally using the practice’s office address for the purpose), you must ensure that you establish and thoroughly record the rationale behind the request.
When providing a SAIL address, due diligence requirements are equivalent to where you are providing a registered office (the firm address is used as a registered office address).
It is important to note that all official correspondence, for example, from Companies House or HMRC, must still be delivered to the entity’s registered office and not the SAIL address.
Practices should consider that the AML risks involved in TCSP work may be more challenging to identify than in other in scope work areas.
This is because the work may be incorrectly seen as a piece of ancillary work on another related matter (in or out of scope), rather than a distinct piece of in scope TCSP work which brings with it compliance requirements.
Examples of this could include setting up or helping to manage:
- a special purpose or single use vehicle in order to facilitate a conveyancing transaction
- an entity to manage the shared freehold of a property, or
- a trust as a part of the management of a deceased person’s estate
It is important to note, that as with most other areas of the regulations, there is no de minimis. Just because a service may be provided alongside or ancillary to another main service, does not mean the service provided is not work in scope of the regulations.
In addition to the Financial Action Task Force, the UK government provide useful information and guidance on how, for example, TCSPs should conduct themselves when dealing with clients and how to work within the parameters of the risk-based approach to service delivery.
In addition to the risk factors outlined in in section 18 of part one of the LSAG guidance, FATF lists specific, further red flags and risk indicators in their guidance for a risk-based approach for trust and company service providers (June 2019).
- payments received from un-associated or unknown third parties and payments for fees in cash where this would not be a typical method of payment.
- inexplicable changes in ownership
- activities of the trust, company or other legal entity are unclear or different from the stated purposes under trust deeds or internal regulations of the company or foundation
- the legal structure has been altered frequently and/or without adequate explanation
- management of any trustee, company or legal entity appears to be acting according to instructions of unknown or inappropriate person(s)
- unreasonable choice of TCSP without a clear explanation, given the size, location or specialisation of the TCSP
- non-UK clients seeking to engage your services with no clear rationale or business sense for doing so
- unnecessarily complex cross-border structuring with no clear rationale or supported with sound legal and/or tax advice
Other red flags associated with TCSP work include where the client wants or appears to seek:
- to involve a pre-existing entity for a transaction, without adequate explanation. Such instances may reflect a desire to have a transaction chain appear to be going through more well-established and seemingly lower risk entities than is the case as well as simply adding a further layer of complexity
- to involve entities in a jurisdiction that is known to have rules and requirements that may facilitate anonymity or opacity, for example, no need to register the entity with a centralised oversight body or no need to update the information of the individuals associated with the entity
- to use entities that involve multiple countries that are unconnected with the client or the transaction with no legitimate reason
- to create or use an entity type that is noted to provide greater opacity or secrecy without a legitimate reason, for example, Scottish limited partnerships
- to take any action which may disguise the actual controlling party of an entity, for example, to use family relationships to add an apparent layer of separation between the actual controller of assets and either the trustee(s) or beneficiaries of a trust
- to use or in any way involve a structure that has bearer shares
- loans involving entities in the client’s control are frequently paid back before the set term of the loan agreement