AML Compliance Guide for TCSPs

Understanding Risk and Taking Action as a Trust or Company Service Provider

As a Trust or Company Service Provider (TCSP), your role goes far beyond admin. Whether you help form companies, act as a nominee director, or provide registered office services, your business is in the frontline of the UK’s fight against money laundering, terrorist financing, and proliferation.

At Flex AML, we believe AML compliance doesn’t need to feel overwhelming. It should be practical, proportionate, and tailored to your risks. This guide breaks down everything TCSPs need to know about AML, with real-world insight and tools to help you stay HMRC-compliant.

Why TCSPs Are High-Risk

TCSPs are listed as high-risk businesses under the UK Money Laundering Regulations 2017. Criminals may try to use your services to:

Set up companies to hide true ownership
Access the UK’s trusted financial system
Launder the proceeds of crime
Obscure funds used in proliferation financing (e.g. WMDs)

Even if your services seem routine, they can be exploited without robust checks in place.

What Risks You Must Assess (Regulations 18, 18A & 33A)

Under the Regulations, you are legally required to carry out a written business-wide risk assessment. This should include:

Risk Area	What to Consider
Money Laundering (ML)	How likely your services are to be used for laundering, e.g. shell companies, nominee directors, or complex ownership structures
Terrorist Financing (TF)	Look out for small, structured payments, offshore third-party transfers, or links to high-risk regions
Proliferation Financing (PF)	Required under Reg. 33A. Could your clients be involved in goods/services used in weapons development or exporting to high-risk jurisdictions?

You must also reference:

HMRC’s 2024 TCSP Risk Assessment
National Risk Assessments: ML/TF (2020) & PF (2021)
OFSI sanctions list and guidance

What to Include in Your Risk Assessment

✅ Geographic risk – Clients based in or linked to high-risk countries
✅ Customer risk – PEPs, nominee directors, unregulated professionals
✅ Service risk – Registered office only vs full nominee arrangements
✅ Delivery channel risk – Remote onboarding, online-only services
✅ Third-party interaction – Lawyers, accountants, formation agents

💡 Flex Tip: HMRC will often ask for your risk assessment first during an audit. Keep it updated and inspection-ready.

Common Red Flags for TCSPs

Watch out for these high-risk indicators. They may require you to apply Enhanced Due Diligence (EDD) or file a Suspicious Activity Report (SAR):

🚩 Clients unwilling to disclose beneficial ownership
🚩 Multiple companies using your address with no trading activity
🚩 Shareholders/directors based in offshore or high-risk jurisdictions
🚩 Use of cryptocurrency for payments
🚩 Urgent onboarding with minimal documentation
🚩 Use of proxies, nominee shareholders, or bearer shares
🚩 Complex or layered ownership structures

Your Legal AML Obligations as a TCSP

As a regulated business, you are required to:

Complete a business-wide AML risk assessment
Conduct Customer Due Diligence (CDD) and EDD where appropriate
Maintain a tailored AML policy and procedures document
Train your staff and keep a training log
Report discrepancies in beneficial ownership (Regulation 30A)
File Suspicious Activity Reports (SARs) with the National Crime Agency
Keep full audit trails for all client onboarding decisions

Your MLRO (Money Laundering Reporting Officer) must have a clear internal reporting process and escalation pathway.

Common AML Mistakes TCSPs Often Make

Even well-meaning providers can trip up on the basics. Here are some frequent pitfalls we see when working with Trust and Company Service Providers (TCSPs):

❌ Using generic AML policies – Off-the-shelf templates not tailored to your services won’t stand up to HMRC scrutiny.

❌ Outdated risk assessments – Many firms complete a risk assessment once and forget about it. This document should evolve as your services and client base change.

❌ Overlooking Proliferation Financing (PF) – Many TCSPs mistakenly believe PF is only relevant for arms dealers or exporters. Under Regulation 33A, everyone must assess this risk.

❌ Not recording decisions – It’s not enough to do due diligence, you need a clear audit trail showing why you made onboarding decisions.

❌ Neglecting staff training logs – Even if you train staff verbally or on the job, without a record, you can’t prove it to regulators.

💡 Flex Tip: The best defence in an HMRC audit is well-documented decisions, updated policies, and a training log. It doesn’t need to be perfect, just practical.

Build a “Compliance Pack” – Your Toolkit for HMRC Audits

Flex AML recommends every TCSP creates a simple but effective AML compliance pack:

📁 Business-Wide Risk Assessment
📋 AML Policy & Procedure Document
📚 Staff Training Log
🧾 Sample Client CDD File
📌 PEPs & Sanctions Screening Tool
🚨 Internal Risk Escalation Form
📨 Regulation 30A Discrepancy Reporting Template

Having this on hand shows HMRC you take compliance seriously and are prepared for inspection.

Final Thoughts from Flex AML

AML doesn’t have to be complicated or full of jargon. At its heart, it’s about:

Asking the right questions
Documenting your decisions
Staying alert to anything unusual

You don’t need to be a detective – just a diligent gatekeeper. At Flex AML, we’re here to help you do just that, with tools, templates, and training that are fit for purpose and easy to use.

Frequently Asked Questions (FAQs)

1. Do TCSPs need a written AML risk assessment?
Yes. Under the Money Laundering Regulations 2017 (Regulations 18 and 18A), all TCSPs must complete and maintain a documented, business-wide risk assessment covering ML, TF, and PF risks.

2. What happens if my AML policy is generic or out of date?
HMRC may view your controls as inadequate, which can result in fines or corrective actions. Your AML policy must reflect your actual services and risk profile.

3. What is Regulation 30A and why does it matter?
Regulation 30A requires you to report any discrepancies between the beneficial ownership details your client gives you and what is shown on the Companies House register.

4. Do I need to screen clients for sanctions and PEPs?
Yes. Sanctions screening is required by law, and screening for Politically Exposed Persons (PEPs) is essential to determine if Enhanced Due Diligence (EDD) is needed.

5. What does HMRC look for in an AML audit?
They typically review your risk assessment, AML policy, training records, CDD files, and whether you’re reporting suspicious activity correctly. They want to see evidence of proactive compliance, not just policy documents.

6. Can I outsource AML compliance as a TCSP?
Yes, but you remain legally responsible. You can get external help with policy writing, training, and file reviews – but your MLRO must stay accountable.

Need Help Getting Started?

Flex AML offers:
✅ Custom AML risk assessments
✅ Ready-to-use policies and procedures
✅ CDD file templates
✅ PEPs and sanctions screening checklists
✅ Staff AML training – CPD certified
✅ Ongoing support for your MLRO

👉 Contact us today and book your free consultation to talk through your current setup.

Further Reading:
🔗 Full HMRC guidance for TCSPs
🔗 National Risk Assessment 2020 (ML/TF)