1

Group of International Finance Centre Supervisors

Draft International Standard on the Regulation of

Trust and Corporate Service Providers

2

INDEX

1. INTRODUCTION ................................................................................................. 5

PART 1 ....................................................................................................................... 6

Guidance on the purpose of this document ................................................................ 6

Definitions .................................................................................................................. 6

PART 2 ....................................................................................................................... 7

Licensing …………………………………………………………………………………… 7

PART 3 ……………………………………………………………………………. 9

A. Corporate governance ......................................................................................... 9

B. Controllers of TCSPs ....................................................................................... 111

C. Individuals – Key persons and other employees .............................................. 133

D. Control over Assets .......................................................................................... 155

E. Conduct ........................................................................................................... 166

F. Prudential ......................................................................................................... 199

G. Administration .................................................................................................. 233

H. Financial Crime and International Sanctions .................................................... 266

I. Beneficial ownership ........................................................................................ 288

PART 4 ................................................................................................................... 299

A Regulation ........................................................................................................ 299

B Co-operation ……………………………………………………………………….. 30

3

Whereas: The Group of International Finance Centre Supervisors at its meeting in Istanbul in September 2012 decided to review its statement of Best Practice in respect of Trust and Corporate Service Providers promulgated in September 2002. There are a wide range of businesses and professionals that act by way of business, providing advice and services for the creation, administration and management of companies, trusts, foundations and other legal entities, which perform valuable economic roles in the transfers and holding of wealth and high value assets. In order for the international community to better understand international flows of financial and other assets it is vital that regulatory regimes discourage the use of complex structures and vehicles. International Cooperation is recognised as an important part of Financial Stability. Trust and Corporate Service Providers are an important part of combatting money laundering and the financing of terrorism in their role as both intermediaries and introducers of business to other institutions. Trust and Corporate Service Providers can fulfil an important role in ensuring that their organisations are not used as a conduit for bribery and corruption, the holding stolen assets or tax evasion. The trust, as developed in courts of equity in common law jurisdictions and adopted with some modifications in other jurisdictions, is the subject of the Hague Convention on the Law Applicable to Trusts and their Recognition, which was concluded on 1 July 1985. The importance of Trust and Corporate Service Providers is recognised in the Financial Stability Forum’s report on offshore financial centres and the Financial Action Task Force’s Recommendations. Independent research has shown higher standards exist for anti-money laundering and countering the financing of terrorism in jurisdictions where Trust and Corporate Service Providers are themselves regulated. Jurisdictions should promote the wider adoption of sound and prudent principles as a basis for regulatory regimes for Trust and Corporate Service Providers.

4

Declaration by the Group of International Finance Centre Supervisors of an International Standard for the Regulation of Trust and Corporate Service Providers. This Declaration is intended to define the international standard for the oversight of Trust and Corporate Service Providers. This Declaration is for use by jurisdictions generally in reviewing the position of Trust and Corporate Service Providers located or operating within their borders. Where the Regulation of Trust and Corporate Service Providers is undertaken, this document reflects the standard that Regulators should require of Trust and Corporate Service Providers. Regulators may satisfy the standard by adopting requirements which are of substantially similar effect. Regulators may impose higher standards in some or all areas where national legislation requires. Regulators may take notice of the guidance in the annexes to this standard as further guidance to adherence to this standard. Where jurisdictions do not oversee Trust and Corporate Service Providers they are actively encouraged to adhere to this standard and promote legislation to meet it.

5

1. INTRODUCTION

The Group of International Finance Centre Supervisors (“GIFCS”) first issued a Best Practice Statement on the supervision of Trust and Company Cervice Providers (“TCSPs) in 2002. Since then GIFCS member countries have used this Statement as a benchmark for establishing regulatory frameworks and supervisory practices for robust oversight of the sector. A key part of this initiative has been to ensure that information on the ultimate beneficial owners behind trust and company vehicles administered from GIFCS centres, as well as on the sources and nature of underlying funds (i.e. full due diligence), can at all times be accessed by the intermediaries involved and by the relevant authorities. Based on the considerable experience acquired as a result of implementing this oversight regime, the GIFCS in 2012 resolved to revise its statement and to introduce a formal new Standard. This was felt to be important to embrace a comprehensive framework for effective TCSP supervision, AML/CFT developments, corporate governance requirements and other supporting legal and prudential conditions now existing. This document is predicated on jurisdictions having established a regulatory regime that enables the regulator to be operationally independent and accountable in the exercise of its functions. In addition a licensing regime supports the following principles:

• Customers of TCSPs should receive a degree of protection equivalent to that afforded to the customers of other Financial Service Businesses (“FSB’s”)

• TCSPs should be subject to a similar regulatory regime to other FSBs

• To be effective, standards should be applied internationally Jurisdictions should ensure that their regulators have the authority to share both public and non-public information with domestic and foreign counterparts. The regulatory system should also allow for assistance to be provided to foreign regulators who need to make enquiries in the discharge of their functions and exercise their powers. The purpose of this Statement is not to interfere with trust law existing in a relevant jurisdiction, which is the responsibility of the Courts. It is the responsibility of the TCSP to ensure that in carrying out its duties as a trustee, fiduciary and/or administrator it fully complies with that law in all aspects of safeguarding the assets of the trusts and acting in the best interests of beneficiaries.

6

PART 1

Guidance on the purpose of this document This document sets out an International Standard for Jurisdictions and regulators to measure their compliance against, or to work towards in developing, a framework for the oversight and supervision of TCSPs. Part 2 is intended to set out key matters to which regulators of TCSPs should have regard in considering whether to license or otherwise grant permissions to businesses to operate as TCSPs. Part 3 is intended to govern the oversight of the operations of licensed TCSPs. Part 3 (I) lays down important provisions regarding ultimate beneficial “owners” behind client trust and company structures. Part 4 of this document is intended to address key matters applicable to the establishment of, and successful operation of a financial services regulator. Definitions “TCSPs” refer to those who undertake any one or more of the following activities:

• Acting as a company or partnership formation agent;

• Acting as (or arranging for another person to act as) a director, secretary or official of a company or a partner of a partnership or as a foundation official;

• Providing administration or management of a trust, company, partnership, foundation or for any other legal person;

• Providing registered office, business address for accommodation or, correspondence for administrative address for a company, partnership, foundation or for any other person;

• Acting as a resident agent for the purposes of meeting requirements to hold beneficial ownership or interest information;

• Acting as (or arranging for another person to act as) a trustee of an express trust;

• Acting as (or arranging for another person to act as) a nominee shareholder for another legal person;

• Arranging the establishment of other provisional services in relation to any legal entities not set out above.

Remaining definitions are shown on page 31.

7

PART 2

Licensing Jurisdictions should ensure that:

a) They have in place a licensing regime that requires TCSPs to be licensed to operate.

b) A licensed TCSP is and remains fit and proper over the period for which it

holds a licence.

c) The Controllers and Key Persons of a TCSP are and remain fit and proper to hold those interests and/or positions.

1. Regulators must consider the ownership structure of a TCSP.

The ownership structure should be as simple and transparent as possible.

The preferred ownership structure involves the TCSP being directly owned by natural persons or by an entity appropriately regulated elsewhere.

Regulators should ensure that all controllers are fit and proper persons to exercise influence over the company Where an ownership structure involves the use of nominee shareholders or a trust, the regulator should have a clear understanding about who ultimately lies behind such a structure and ensure that such persons are also fit and proper persons. Where a controller is associated with a higher risk jurisdiction, inherent risks arise. In order to demonstrate that it can manage any such risks arising, the TCSP will be expected to be able to demonstrate a longer relevant and satisfactory track record and mature relationship with a relevant supervisory authority.

2. A TCSP must demonstrate a physical presence in the jurisdiction in which it is

regulated. Physical presence is demonstrated by: 2.1 Those persons who represent the mind and management of the TCSP

being resident in that jurisdiction and actively involved in the governance of the business; and

2.2 Having an operational place of business.

3. A TCSP must be administered in a prudent financial manner.

8

4. A TCSP must have appropriate systems and controls to ensure full compliance to meet the requirements against money laundering and the financing of terrorism including the ability to accurately detail the ultimate beneficial owners of vehicles.

5. A TCSP must be structured and organised appropriately so that it can effectively

manage all vehicles and assets it administers.

6. The licensing regime must provide for Regulators to:

• supervise TCSPs by the use of on-site inspections;

• enforce compliance by the imposition of Sanctions;

• remove a licence in the event that the TCSP is no longer fit and proper.

9

PART 3

A. Corporate governance

Regulators should ensure that a TCSP has embedded within it a culture of robust corporate governance. 1. The Board should collectively comprise an appropriate balance of skills,

knowledge and competence taking into account its members relevant experience such that the Board as a whole is able to discharge its duties and responsibilities effectively, and further that no individual or group of individuals can or does unduly dominate the Board’s decision making.

2. The management structure adopted should be appropriate to the size, complexity, structure and risk profile of an individual TCSP. In the case of smaller, less complex companies, Board and Senior Management may overlap but the responsibilities of the Board and Senior Management are distinct and should be viewed separately.

3. Regulators should ensure that on every Board there is a minimum of two individuals to direct the business who are sufficiently independent of each other such that each would not be unduly influenced by another Board member.

4. Directors have a collective duty to understand applicable legislation, regulation, policy, rules, instructions, guidance and codes of practice to an appropriate level to enable them to discharge their responsibilities.

5. Boards have a collective duty to ensure they have a robust arrangement for

compliance with the regulatory regime including the approval of a compliance policy and the establishment of an appropriately defined and resourced compliance function.

6. Boards should keep in mind the benefits that non-executive directors and in

appropriate cases a Chairman can bring to a TCSP. 7. Boards should establish, implement and maintain an effective conflict of interest

policy which sets out standards of expected behaviour including amongst other matters, the treatment of any non-compliance with the policy.

8. Boards should ensure that they produce a statement of risk appetite so that it is

clear the type of business the firm is prepared to take on and its limit of tolerance to that risk.

9. A TCSP should ensure that it undertakes appropriate and proportionate monitoring of its functions including functions of the Board of directors.

10

10. The Board should oversee the approach of a TCSP to risk management and ensure that it is commensurate with the size, complexity, structure and risk profile of the business.

11. The Board retains ultimate responsibility for the compliance function, and should

ensure appropriate procedures are in place:

a. to adhere to international standards; b. to adhere to all regulatory and other legal requirements; c. for the Board to take the necessary responsibility; d. for those with compliance duties to report to the Board.

11

B. Controllers of TCSPs

1. Controllers of a TCSP must be and must remain fit and proper with regard to their

integrity, competence and financial standing. 2. Regulators should ensure that

2.1. The appointment of or change in a Controller is subject to their consent.

2.2. They have powers for the removal of existing Controllers.

2.3. Give the regulator the power to remove a Controller should their continued

presence in the structure be no longer compatible with the TCSP being considered fit and proper.

Integrity

3. A Controller must at all times act with integrity. Competence 4. Controllers exert an influence over the day to day affairs of a TCSPand they must

be able to demonstrate competence in the same way as a Key Person.

Financial standing 5. If the TCSP is part of a group, the regulator may require copies of the parent

company’s financial statements to be submitted. 6. The regulator will consider the solvency of Controllers and will consider the impact

on the TCSP where any Controller has been declared bankrupt or insolvent or has been the subject of any money judgement that has not been satisfied in full.

7. Any person who is supplying any form of financing to the TCSP (including loans

to the TCSP) should be required to demonstrate their source of wealth and source of funds.

Conflicts of interest

8. A TCSP should consider whether its controllers have any potential conflicts of

interest . For example: 8.1. Whether a controller has any other business interests, either itself or via a

group company which may give rise to a conflict of interest.

8.2. Whether there are any close family relationships with other controllers or key persons of the TCSP.

12

8.3. Where a TCSP is controlled by a trust, the trustee’s duty to act in the best interests of the trust’s beneficiaries may conflict with the trustee’s obligations as a controller under the regulatory framework.

13

C. Individuals – Key persons and other employees

Statement 1. A TCSP must ensure that all of its employees are fit and proper for their roles. In

making a fit and proper determination, the Regulator should consider integrity, competence and where necessary financial soundness.

2. For the avoidance of doubt a TCSP should never have a Corporate Director on its

Board. Key Persons

3. The appointment of, or any change to a Key Person is subject to the consent of

the Regulator.

4. Integrity / competence checks

In order to be appointed a Key Person a Regulator shall ensure the following checks are completed for:

4.1. Criminal Records;

4.2. Regulatory censure;

4.3. Professional reprimands;

4.4. Censure, discipline or public criticism;

4.5. Refusal of the right to carry on a trade, business or profession for which a

specific licence, registration or other authority is required;

4.6. Refusal of entry to a trade organisation;

4.7. Declaration of bankruptcy (or similar);

4.8. Subject to civil action;

4.9. Subject to any investigation personally or in relation to any associated corporation;

4.10. Professional or other relevant qualification;

4.11. Knowledge and/or experience relevant to the business concerned.

14

5. The regulatory law must include provisions to permit the exchanging of information

with other regulatory / supervisory bodies / authorities with regard to Key Persons.

Other individuals

6. Before employing any individual in a role other than a Key Person a TCSP shall ensure the following checks are completed for:

6.1. Criminal Records;

6.2. Regulatory censure;

6.3. Professional reprimands;

6.4. Censure, discipline or public criticism;

7. A TCSP must ensure that :

7.1. Employees are competent to perform their role;

7.2. Employees are appropriately supervised;

7.3. Competence is regularly reviewed; and

7.4. The level of competence is appropriate to the nature and size of the business

7.5. All Employees remain competent for the role they undertake by undertaking appropriate training or professional development;

8. A TCSP must ensure that key persons undertake a minimum of 25 hours per

annum relevant training and development. 9. The regulatory regime should describe experience that is considered appropriate

for Employees and describe the means by which that experience is determined.

15

D. Control over Assets

Vehicle Assets 1. Regulators should describe rules to ensure:

1.1. The segregation of Vehicle assets from those of the TCSP. 1.2. The reconciliation of any receipt or movement of assets of a Vehicle

administered by a TCSP. 1.3. That the assets of Vehicles administered by a TCSP are kept clear and

distinct from the TCSPs own assets.

Client Money Rules 2. Regulators should describe rules for the handling of and holding of client monies

which address inter alia:

− Mechanisms before client monies are used for the settlement of TCSP fees and disbursements;

− For the holding of client monies in interest bearing accounts;

− For the disclosure to clients of the terms upon which client money is held; and

− That client money accounts are reconciled by the TCSP and the reconciliation is subject to external audit.

16

E. Conduct

Integrity

1. A TCSP should observe high standards of integrity and fair dealing in the conduct

of its business.

Conflicts of Interest 2. A TCSP should either avoid any conflict of interest arising or, where a conflict

arises, should ensure fair treatment to its Clients by disclosure, internal rules of confidentiality, declining to act, or otherwise. A TCSP should not unfairly place its interest above those of its Clients and, where a properly informed Client would reasonably expect that the TCSP would place his interests above its own, the TCSP should live up to that expectation.

Skill, Care and Diligence 3. A TCSP should act with due skill, care and diligence towards its clients and

customers and counterparties.

Timeliness 4. A TCSP should transact matters in an efficient and timely manner.

Interaction with Clients

5. A TCSP must ensure that all transactions/decisions entered into or taken by or on

behalf of Clients are appropriately authorised and handled by persons with an appropriate level of knowledge, experience and status properly to effect such transactions or make the proper decisions according to the nature and status of the transactions/decisions involved.

6. A TCSP should seek from Clients it advises or for whom it exercises a discretion,

any information about their circumstances and investment objectives which might reasonably be expected to be relevant in enabling it to fulfil its responsibilities to them.

7. A TCSP must ensure that all reasonable steps are taken to ensure that they obtain

sufficient information in order to exercise a relevant discretion or other power in a proper manner and that such discretion or power is only exercised for a proper purpose.

8. A TCSP should ensure that, where appropriate, there is a full understanding of the

duties arising under the laws relevant to the administration and affairs of Clients for which they are acting, in the jurisdictions in which they are carrying on business and in which the assets being handled/managed are held.

17

Advertising 9. Misleading or inaccurate information:

• A TCSP should ensure that the advertising of products is clear. Advertising

should not contain any element that is in breach of laws or promotes the breach of other legislation.

• Advertisements must set out any risks that may be associated with a particular financial services product or service.

• A TCSP should ensure, as far as possible, that its advertisements, or those of affiliates and third parties, do not place the jurisdiction at risk or bring it into disrepute.

• Where appropriate, a TCSP should ensure that linked advertisements with third-parties are verified and approved by the Board of Directors.

10. Promotion of sound business practices:

• A TCSP should promote sound business practices by providing information

on the scope of business conducted. Such promotions may also include scope of regulated business approved.

• A TCSP may, where appropriate, provide announcements of changes in regulatory or legal requirements that may impact financial service providers and/or products and services.

• Promotions should ensure that the business practices of the TCSP are transparent and accurate.

Client of Record 11. TCSPs should ensure that their policies and procedures reflect their duty to Clients

over introducers and maintain the highest standards of ethical behaviour in order to avoid conflicts of interest.

Terms of Business 12. The regulatory regime should require that:

• TCSPs should identify the person with whom it is contracting and execute terms of business.

• Clients are provided with documented terms of business.

• Terms of business should set out clearly the fees charged and their basis for calculation.

• The basis of Exit Fees should be stated explicitly.

• Terms of business should provide for a system for the making of complaints.

18

• Unless there is good reason, a TCSP should only terminate a relationship on reasonable notice.

• Complaints against a TCSP that are not resolved satisfactorily or include an allegation of failing to meet regulatory standards are logged in a central register and reported to the Regulator.

Complaints System 13. TCSPs should have:

13.1 Effective complaints handling procedures.

13.2 Report all complaints not resolved in accordance with national requirements.

19

F. Prudential

Financial resources of a TCSP

1. The regulator should aim to maintain a level of capital and liquidity in a TCSP so

as to:

• Reduce the risk of financial failure; and

• Maintain a level of capital and liquidity which should permit the business to be operated under temporary management or liquidated in an orderly manner if that should become necessary.

Maintenance of adequate accounting and other records of a TCSP 2. Company law for each jurisdiction will normally set a requirement for the

maintenance of accounting records and for those records to be retained for a minimum period (e.g. 6 years).

3. Where a TCSP is a partnership it should comply with the accounting requirements

of the partnership law of the jurisdiction in which it is established, where that law is silent then it should follow as closely as possible the requirements of local companies’ law.

4. The TCSP should ensure that accounting records are maintained in a manner that

promotes accessibility and are available for inspection by the Regulator. 5. The regulator should consider whether it wishes to impose a longer period of

records retention than that imposed by general company or partnership law or AML/CFT requirements.

Requirement to have accounts audited of a TCSP 6. The regulatory regime should require a TCSP to produce financial statements, in

line with the accounting standards applicable to their home jurisdiction, and to have them audited. In addition:

• The auditor should be suitably qualified to undertake the audit;

• The regulator should be empowered to refuse a proposed auditor;

• Any qualification or emphasis of matter in the audit report should be followed up by the regulator;

• A time limit for the provision of audited financial statements to the regulator should be enforced;

• A copy of the auditor’s management letter and the management response should be obtained by the regulator; and

• The scope of the audit should include a review of controls over clients’ money and clients’ assets.

7. A de-minimis provision could be considered for very small firms.

20

8. The regulatory regime should include provisions for gateways between the regulator and the auditor. These should include an obligation for the auditor to report to the regulator on significant breaches of regulatory requirements by the firm, and protection from civil liability for an auditor in respect of any such information supplied to the regulator.

9. The regulatory regime should enable the regulator to require copies of audited

financial statements of parent entities, particularly where the firm is dependent upon support from its parent, or otherwise has significant financial exposure to the parent.

Capital and liquidity requirements of a TCSP 10. A TCSP must maintain adequate paid-up capital in addition to any initial minimum

share capital and/or net assets requirement. In addition, there should be an ongoing requirement for the maintenance of capital.

11. Regulators should consider whether to apply regulatory calculations on a basis

which disregards certain assets. 12. The regulator should consider an analysis of the share capital and liquidity of a

firm, based on analysis of financial information in a standard format. Such analysis should:

12.1 Set out minimum standards of net assets and liquidity, so as to reduce the risk of financial failure;

12.2 Set out minimum standards of surplus liquid assets to be retained in the business, sufficient to meet the firm’s expenditure for a specific period in the event of the need to wind up the firm;

12.3 Eliminate from the calculation of net assets those balance sheet assets which are of doubtful value in the event of financial failure. This might include aged debtors, longstanding work in progress, classes of intangible assets, and unsecured related party debtors / loans; and

12.4 Take into account the Professional Indemnity Insurance (“PII”) excess, particularly where claims are in process.

12.5 Support prudential supervision by allowing peer group comparison;

12.6 Set a consistent basis for intervention;

13. The regulator may choose exceptionally to grant a modification to the calculation

to reflect particular circumstances.

Liquidity requirements 14. In addition to normal “going concern” requirements, there should be a requirement

to maintain a minimum level of liquid capital.

21

15. Consideration should be given to a standardised approach which relates to the cost base of the firm and excludes intangible assets, illiquid assets and related party debtors / loans. One route would be to require surplus liquidity equivalent to a set period’s expenditure.

Insurance

16. Regulators should require a firm to obtain PII cover which is appropriate to the

size and nature of its business. 17. Regulators should require notification to themselves and insurers concerned of

any potential claim on a timely basis. 18. Regulators should consider the extent to which firms should obtain Directors and

Officers insurance cover 19. Regulators should consider and determine the extent to which they specify the:

• Risks which the Professional Indemnity Insurance policy must cover;

• Minimum amount of mandatory cover;

• Capital or additional capital a TCSP must have to cover any excess on a policy;

• Excess that can be carried by the firm, or where it is part of a group then the Group to the extent that appropriate contractual arrangements are in place; and

• Regulator can deem a policy unacceptable where the insurer does not appear to be satisfactory

20. Consideration should be given to requirements for run-off PII where a licence is

surrendered or revoked. Liquidations and receiverships 21. As part of its consideration of financial stability, a regulator should recognise that,

notwithstanding any prudential regime, a TCSP may need to have a manager, administrator, receiver or liquidator appointed to them (“insolvency practitioner”).

22. In the event that a TCSP company is wound up by the court the TCSP company,

the liquidators or any other person to whom custody of books and records has been given must make such records available to any party or parties claiming to be interested in them for a period of five years thereafter.

23. The licensing regime should address the position of the TCSP and any appointed

insolvency practitioner. The regulatory regime should establish whether insolvency practitioners:

• Need to be or may be exempt from licensing;

• Are subject to rules or regulations which normally apply to licensed firms;

• Are subject to other regulatory powers; and

• Can be required to submit reports to the regulator.

22

24. Jurisdictions should review their inherent powers and legislative provisions to

determine their powers to administer entities, in particular trusts and foundations in the event that a TCSP goes into administration, receivership or liquidation.

23

G. Administration

Records Keeping Requirements Retention 1. All records must be maintained on a continual basis so that they are accessible

and up-to-date at all times as far as is reasonably practical. 2. A TCSP must ensure that all records are arranged, filed and indexed so as to

permit prompt access to any particular record. 3. A TCSP must record information in such a way as to enable a particular

transaction to be identified at any time and traced through the accounting systems of the TCSP, in particular in such manner as to enable early identification of balances and of the particular items which make up those balances.

4. Records may be kept in a form other than a document or copy of a document,

though any document held by electronic means only must by stored in such as way as to remain admissible in evidence before a relevant Court.

5. A TCSP must maintain adequate procedures for the maintenance, security,

privacy and preservation of records, working papers and documents of title belonging to the TCSP or others so that they are admissible before a relevant Court and reasonably safeguarded against loss, unauthorised access, alteration or destruction.

6. Adequate records identifying relevant financial transactions should be kept

following the closing of an account, the end of a transaction or the cessation of the business relationship for a minimum period of five years from the last of these events.

7. A TCSP must ensure that it retains records for as long as is needed to meet its

professional obligations. 8. In addition, a TCSP is required to maintain a record of its own transactions for at

least the life-time of the TCSP. Accounting Requirements for Trusts and Corporate Vehicles 9. A TCSP must keep accounting records in such a manner that they are sufficient

to show and explain the transactions and commitments (whether effected on its own behalf or on behalf of others) that it has facilitated on behalf of a trust, or corporate entity.

24

Outsourcing of key functions 10. A TCSP should be obliged to notify the regulator (or obtain prior consent) before

outsourcing functions which are relevant to its management, compliance or the delivery of TCSP services. This may be subject to a materiality test.

The regulator may wish to give guidance or set standards as to the materiality of outsourcing. This could relate to, for example, a weakness in, or a failure of, the delegate’s ability to perform the function having a significant impact upon the firm’s ability to conduct its operations in a proper manner.

The regulator should consider whether there are any core functions of a business for which outsourcing is prohibited.

11. A TCSP who is not restricted from maintaining their accounting and other records

in a location outside of the jurisdiction, should ensure that:

11.1 The data is kept secure and poses no operational risk,

11.2 It maintained so as to be readily accessible; and

11.3 All regulatory and confidentiality laws are complied with.

12. The general provisions set out in 3 above continue to apply, and in particular a TCSP must ensure that the regulator will have reasonable access to records at all reasonable times.

13. If the outsourcing is of a regulated activity, then the service provider should

normally itself be regulated, and the TCSP must not delegate so many of its functions as would leave an inadequate real presence in the jurisdiction.

14. Any outsourcing must be agreed in writing between a TCSP and the service

provider under a Service Level Agreement or equivalent document. 15. The Service Level Agreement should not permit sub-outsourcing without the

consent of the regulator. 16. Outsourcing must not hamper supervision of a TCSP by the regulator. The terms

of the Service Level Agreement must include a contractual requirement for the service provider to give the regulator unfettered access to material which it holds in relation to a TCSP business.

17. The regulator should establish whether its definition of outsourcing includes or

excludes intra-group outsourcing and practices such as the use of a central employment company which employs all staff in a group.

18. In any instance of proposed outsourcing a TCSP should:

• Risk assess the proposal;

25

• Document the capability and suitability of the proposed provider of outsourced services;

• Establish a clear responsibility within the TCSP for monitoring the conduct of the outsourced services, and for reporting to the board;

• Consider the risks which could arise from the failure of the provider of outsourced services or other breakdown in the provision of services; and

• Have in place a contingency plan in case of the failure of the provider of outsourced services or other breakdown in the provision of services.

Data security

19. The regulator should set a general expectation that data (whether in a physical or

digital format) is held in a secure manner. This should include reasonable steps to ensure:

• Security against theft or unauthorised access;

• Security against loss or destruction;

• Compliance with the statutory requirements which apply to the firm; and

• Suitable backup and disaster recovery arrangements.

Data Protection 20. For the holding of data about individuals, the form of a Data Protection Principles

regime may vary slightly between jurisdictions, but the principles can be summarised as below:

Personal data must be

1. Used fairly and lawfully.

2. Used for specific and lawful purposes, in a manner that is compatible with those purposes.

3. Adequate, relevant and not excessive.

4. Accurate and where necessary kept up to date.

5. Kept for no longer than necessary.

6. Used in accordance with the rights of individuals under the Act.

7. Kept secure to avoid unauthorised or unlawful use, accidental loss, or damage.

Personal data must not be

8. Transferred to another country unless that country has an adequate level of protection.

26

H. Financial Crime and International Sanctions

Statement 1. All member countries of the GIFCS are committed to following the

Recommendations of the Financial Action Task Force (“FATF”) regarding AML/CFT. Regulators should ensure that a TCSP operates systems and controls to ensure that its business is protected from the threats of money laundering and the financing of terrorism and proliferation.

AML/CFT policies, co-ordination 2. Assessing risks and applying a risk-based approach

2.1 Regulators should identify, assess, and understand the money laundering

and terrorist financing risks for their jurisdiction, and should take action, to assess risks, and apply resources, aimed at ensuring the risks are mitigated effectively.

2.2 Regulators should apply an approach to ensure that measures to prevent

or mitigate money laundering and terrorist financing are commensurate with the risks identified.

2.3 Regulators should ensure a TCSP identifies, assesses and takes effective

action to mitigate its money laundering and terrorist financing risks.

2.4 A TCSP has a responsibility to ensure that it implements effective AML/CFT oversight over the client entities for which it acts, in line with the role and duties which it is performing. This includes the timely reporting to the appropriate authorities of suspicious activity.

National cooperation and coordination

3. Regulators should ensure that they have effective mechanisms in place which

enable them to cooperate, and, where appropriate, coordinate domestically with policy-makers, the financial intelligence unit (FIU), law enforcement authorities, supervisors and other relevant competent authorities concerning the development and implementation of policies and activities to combat money laundering, terrorist financing and the financing of proliferation of weapons of mass destruction.

Regulation and Supervision 4. Regulation and supervision of TCSPs

Regulators should ensure that TCSPs are subject to regulation and supervision

and are effectively implementing the FATF Recommendations by undertaking on-site inspections.

4.2 TCSPs should be licensed or registered and adequately regulated, and

subject to supervision or monitoring for AML/CFT purposes, having regard

27

to the risk of money laundering or terrorist financing in the trust company business sector.

4.3 Regulators should have adequate powers to supervise or monitor, and

ensure compliance by, TCSPs with requirements to combat money laundering and terrorist financing.

Regulators should be authorised to compel production of any information from TCSPs that is relevant to monitoring such compliance, and to impose sanctions. Regulators should have powers to impose a range of disciplinary and financial sanctions, including the power to withdraw, revoke, restrict or suspend the financial institution’s licence, where applicable. Bribery and corruption

5. TCSPs must in accordance with national laws ensure that entities they control and

administer do not become engaged directly or indirectly in bribery or corruption. 6. TCSPs should resist the solicitation of bribes and involvement with corrupt entities

or individuals. In this context “entities” means business vehicles and non-profit organisations such as charities. TCSPs should report attempts at bribery.

7. TCSPs should not, directly or indirectly, offer, promise, give, or demand a bribe or

other undue advantage to obtain or retain business or other improper advantage. Internal controls 8. TCSPs should promote employee awareness of Financial Crime Risk and

compliance with company policies and internal controls, statement of ethics and compliance programmes or measures against bribery, bribe solicitation and corruption

9. TCSPs should develop and adopt adequate internal controls, statement of ethics

and compliance programmes or measures for preventing and detecting all types of bribery and corruption.

10. Bribery and corruption risks should be regularly monitored and re-assessed as

necessary to ensure the enterprise’s internal controls, are adapted and continue to be effective.

International sanctions

11. TCSPs must comply fully with the requirements of all relevant international

sanctions applying to their businesses and to the structures which they administer or to which they provide services.

28

I. Beneficial ownership

1. Transparency and beneficial ownership of Vehicles

Establishing Ultimate Beneficial Ownership

2. TCSPs are required to have a robust anti-money laundering regime in place to

establish ultimate beneficial ownership. 3. TCSPs should verify the identity of a beneficiary, beneficiary class and beneficial

owner; including the ultimate beneficial ownership across transnational and complex trust and corporate structures, and maintain and hold appropriately sufficient information to establish ultimate identity.

4. TCSPs should identify beneficial owners by reference to their local AML/CFT

handbooks where these meet the FATF Recommendations.

5. Jurisdictions should ensure that there is adequate, accurate and timely information on the ultimate beneficial ownership and control of legal persons that can be obtained or accessed promptly by competent authorities.

6. TCSPs should take measures to facilitate access to beneficial ownership and

control information by competent authorities TCSPs undertaking the requirements set out in FATF Recommendations 10 and 22.

Transparency and beneficial ownership of legal arrangements

7. Jurisdictions should take measures to prevent the misuse of legal arrangements for money laundering or terrorist financing. In particular, jurisdictions should ensure that there is adequate, accurate and timely information on express trusts, including information on the settlor, trustee and beneficiaries that can be obtained or accessed in a timely fashion by competent authorities.

Retention of Records 8. All records establishing beneficial ownership should be kept for 5 years post the

close of the business relationship or as required in the local legislation.

29

PART 4

A Regulation

Many jurisdictions will already regulate their financial services sector and subscribe to the principles set out below.

Where in respect of the oversight of TCSPs jurisdictions are either proposing to introduce legislation to set up a Regulatory Regime or extending the scope of an existing Regulatory Authority then they should ensure that such legislation reflects the following principles:

1. Principles relating to the Regulator

− The responsibilities of the Regulator should be clear and objectively stated.

− The Regulator should be operationally independent and accountable in the exercise of its functions and powers.

− The Regulator should have adequate powers, proper resources and the capacity to perform its functions and exercise its powers.

− The Regulator should seek to ensure that within its organisation conflicts of interest and are avoided, eliminated, disclosed or otherwise managed.

2. Principles for Regulation

− The Regulator should adopt clear and consistent regulatory processes.

− The staff of the Regulator should observe the highest professional standards, including appropriate standards of confidentiality.

− The Regulator should have or contribute to a process to monitor, mitigate and manage systemic risk, appropriate to its mandate.

− The Regulator should have a process to monitor and review prudential and conduct supervision including the prevention of financial crime.

− The Regulator should have or contribute to a process to review the perimeter of regulation regularly.

− The Regulator should ensure Controllers and Key Persons of TCSPs are fit and proper.

3. Principles for cooperation

− The Regulator should have authority to share both public and non-public information with domestic and foreign counterparts.

− Regulators should establish information sharing mechanisms that set out when and how they will share both public and non-public information with their domestic and foreign counterparts.

− Regulators should adopt a pro-active approach to sharing information.

− The regulatory system should allow for assistance to be provided to foreign Regulators who need to make inquiries in the discharge of their functions and exercise of their powers.

30

4. Principles for Enforcement

− The Regulator should have comprehensive inspection, investigation and supervision powers.

− The Regulator should have comprehensive enforcement powers.

− The regulatory system should ensure an effective and credible use of inspection, investigation, surveillance, enforcement powers and sanctions and implementation of an effective compliance program.

5. Other requirements on jurisdictions

- To ensure the timely development of legislation with regard to trusts,

companies, foundations, etc; - To work with legislators to develop insolvency regimes to solve the

problems encountered with insolvent trusts; - To ensure that jurisdictions have a public official of last resort empowered

as necessary to manage or liquidate a trust, company, partnership or foundation or other legal person.

B Co-operation As part of the arrangements for co-operation, regulators of TCSPs should open channels of communication which where appropriate could also include establishing colleges for supervisory co-operation and exchange of prudential supervisory information in relation to TCSPs whose operations extend to different countries.

31

Definitions

“Controller” means a shareholder controller and/or other influential person. “Vehicle” save where the context requires otherwise includes company, partnership, limited partnership, limited liability partnership, Foundation and Trust. “Client ” includes save where the context requires otherwise any person(s) who has: (a) Entered into an agreement for the provision of services by a licensed entity when

carrying on trust and company business.

(b) Received or may receive the benefit of services provided or arranged by the TCSP when carrying on trust and company business.

“Client Money” means:

a) money which, for the purpose or in the course of, a regulated activity to which this Part applies, a licenceholder — (i) holds or receives on behalf of a client; or

(ii) owes to a client,

“Key Person” means a Director, Money Laundering Reporting Officer or Money Laundering Compliance Officer and Compliance Officer of a TCSP. “Shareholder Controller” means any person:

i. Holding whether directly or indirectly, 15% or more of the issued share

capital of a TCSP, or

ii. who is entitled to exercise or control the exercise of not less than 15% of the voting power in a general meeting of the TCSP, or

iii. who has a holding in the TCSP directly or indirectly which makes it possible

to exercise significant influence over the management of the TCSP. Group of International Finance Centre Supervisors April 2014