Trust and company services: managing AML risk

Trust and company services (“TCS”) is an area that was identified in the national risk assessment, published by the UK Government in December 2020, as inherently high risk given the known track record of organised crime using UK legal entities to facilitate money laundering and other criminal activities. 

By way of reminder, TCS includes any of the following: (i) setting up legal entities; (ii) acting (or arranging for someone else to act) as a director, company secretary, partner (of a partnership), trustee or nominee shareholder; or (iii) providing a registered office or correspondence or administrative office address. The focus of the supplementary guidance is on company and partnership entities. 

The supplementary guidance is currently with the Treasury for approval; and it is worth bearing in mind that in any prosecution under the Proceeds of Crime Act 2002 (and other related AML legislation), a court is required to take into account whether the guidance has been followed. If a strong incentive to follow the guidance was ever required, this is it! 

Assessing the risk 

As with any other work that falls under the AML Regulations, a firm must risk assess the client to which it provides TCS as well as the nature of the service itself. And by now, law firms should be very familiar with what information they routinely require, depending on the level of risk, not only to verify the identity of the client but also to carry out the risk assessment. 

However, the guidance develops this a bit further in relation to TCS. It recommends that those law firms setting up limited companies or partnerships for clients should, following a risk-based approach, consider capturing and recording the following information (to the extent not already done): 

• the purpose for which the legal entity will be used;
• the identities of those who will actually manage the entity;
• any other connected structures or arrangements;
• the identity of those who will control the company (i.e. shareholders);
• the ultimate beneficial owners;
• the proposed activity of the entity and the jurisdiction(s) in which it will operate;
• the source of wealth and source of funds to finance the entity in its activities. 

The guidance makes particular mention of Scottish limited partnerships (“SLPs”). Given that these vehicles are arguably more opaque and have recently been the subject of negative press reports on their use for criminal activity, it may also be advisable to record why an SLP is being used by a client as opposed to, say, a limited company.

Providing a director/secretary etc 

If your firm provides an officer for the legal entity (e.g. director or company secretary, which may itself be a corporate vehicle), you should clearly document what services are being provided by way of a separate letter of engagement or the like. In the case of a director's appointment, you should document the rationale for your practice providing a director and agree in writing with the client the extent to which your officer is to be involved in the management of the company. You should also be able to evidence, if requested by your AML supervising authority or any other relevant authority, your officer's involvement in the management of the entity (e.g. by way of company minutes, resolutions etc). 

The supplementary guidance sets out in (very helpful) detail the information required under the Companies Acts to be held by a law firm providing a registered office or other administrative address. Where you provide a registered office facility for a client, you should also set out in an engagement letter or similar the basis on which you will do so, including the client's duties to inform you of any changes.

Special register of TCS providers 

Furthermore, there is a requirement (reg 54 of the AML Regulations) for any TCS provider to be included on a special register of TCS providers set up and maintained by HMRC. If you are a TCS provider, you should have included that information on your AML certificate, and your AML supervising body (in Scotland, the Law Society of Scotland) should have submitted your details to HMRC. 

Ongoing monitoring 

In all cases, as required by reg 28(11), there is a need for ongoing monitoring of the relationship/transaction. It is often the case that an off-the-shelf legal entity is set up as a special purpose vehicle in the context of a corporate or property transaction. In some firms the administration of setting up the entity may be carried out by an individual or a team (e.g. a TCS team) quite separate from the corporate/property team dealing with the acquisition. This can mean that the TCS team/individual may well establish their own continuing relationship with the client, particularly where, for example, registered office services are to be provided on an ongoing basis. This can have the result that the relationship with the TCS team/individual may continue after the corporate/property team's involvement with the client entity has come to an end. 

But here is the risk: just how well can the TCS team/individual really know the ongoing business of the client if all they are doing is providing a registered office or other similar services? Indeed, routine administrative TCS are not particularly remunerative and, in some cases, this may result in a downgrading in the effort applied in monitoring the ongoing relationship. 

That would be a mistake. In the absence of a wider, deeper relationship with the client there is a greater risk that, with the passage of time, a client with criminal intent can use for illegal activity that limited company or partnership, blessed with the good name of the law firm that established it and which (for example) may continue to provide a registered office. It will not be a persuasive defence in a prosecution brought under the Proceeds of Crime Act to claim: “We didn’t know what that client was up to and in any event we just provided them with a registered office address.” 

In this scenario, as the fee revenue reduces, the law firm should in many cases be even more diligent in the continuing monitoring of the client.

In response to the supplementary guidance, I would recommend the following:

• If not already included, you should update your firm-wide risk assessment to include the provision of TCS, and identify the level of risk to your firm in providing those services.
• Carry out an audit of the TCS that your firm is providing. Can you confidently confirm that you have a sound knowledge of the business of all the clients to whom you are providing these services?
• Review and update your processes for capturing the information required for client ID verification and risk assessment.
• Ensure that you have proper procedures in place to document the basis on which you will provide a client with a registered office or an officer (e.g. director or company secretary).
• Review the processes you have in place to regularly review and monitor the client due diligence you hold for your TCS clients. Are those processes sufficiently robust?
• Consider what additional safeguards may be required where your firm has been instructed by a TCS provider in another jurisdiction. In such a case you are one step removed from having knowledge of the end client's business; indeed, the TCS provider instructing you may be less diligent than you are in their scrutiny of clients and their business.
• Review (and if necessary design) bespoke training for your TCS team.
• Check that the AML certificate you submitted recently to your AML supervising authority includes TCS if you are providing any of these services.