GIFCS Standard on the Regulation of Trust and Corporate Service Providers

Standard on the Regulation of Trust and Corporate Service Providers Version 1.2 | January 2026 Group of International Finance Centre Supervisors

Introduction Part 1 - Definitions Part 3 - The Standard 09 10 12 D. 14 16 19 22 25 I. 30 33 01 04 Part 2 - Principles for Regulation 06 A. Licensing B. Corporate Governance C. Controllers of TCSPs Individuals – Key Persons and Other Employees E. Control over Legal Vehicles Contents F. Conduct G. Prudential H. Administration Financial Crime and International Sanctions J. Co-Operation

Introduction 1.1. The Group of International Finance Centre Supervisors (“GIFCS”) first issued a Best Practice Statement on the supervision of TCSPs in 2002. GIFCS member countries used this Statement as a benchmark for establishing regulatory frameworks and supervisory practices for the robust oversight of the sector. A key objective of this initiative was to ensure TCSPs are adequately regulated and supervised and that information on the ultimate beneficial owners behind trust and company legal vehicles administered from GIFCS centres, as well as on the sources and nature of underlying funds, can at all times be accessed by competent authorities. 1.2. Based on the considerable experience acquired as a result of implementing this Best Practice Statement, the GIFCS in 2012 resolved to revise its Statement and to introduce this new Standard on the Regulation of Trust and Corporate Service Providers (the “Standard”). The Standard was subsequently published in 2014. This was deemed important to establish a comprehensive framework for effective TCSP supervision, incorporating combatting Financial Crime developments, corporate governance requirements and other supporting legal and prudential conditions. The Standard is periodically updated, with this latest version expanding on the evolving practices of TCSPs in areas such as Information Sharing between Regulators through supervisory colleges, Cybersecurity, Financial Crime, and Corporate Governance.

1. Background
2. Objectives 2.1. The Standard is based on the following objectives: Customers of TCSPs should receive a degree of protection equivalent to that afforded to the customers of other financial institutions. TCSPs should be subject to a similar regulatory regime as other financial institutions. To be effective, standards should be applied internationally. 2.2. This document sets out a Standard for jurisdictions and Regulators to measure their compliance against, or to work towards developing, a framework for the regulation and supervision of TCSPs. 2.3. The Standard is supported by complementary Technical Appendices, setting out desirable regulatory practices. These can be accessed via the GIFCS website. 1

3.1. Part 1 of the Standard sets out definitions used throughout the document. Part 2 of the Standard lays out the five key overarching principles that apply to Regulators, the regulatory system and jurisdictions as a whole in relation to the regulation and supervision of TCSPs. These five principles speak to an integrated environment where a comprehensive legislative framework, risk based supervisory practices, cooperation arrangements and robust enforcement measures promote a sound regulatory/supervisory system for TCSPs to operate in. In addition to the principles applying to the Regulator, Part 2 of the Standard lists general principles that jurisdictions should implement to create an effective regulatory environment for TCSPs and their Clients. 3.2. Part 3 of the Standard governs the oversight of the operations of licensed TCSPs by the Regulator. This Part is composed of 10 standards divided into sub-standards on topics that include licensing, controllers and key persons, conduct and corporate governance, and financial crime and international cooperation. The standards and sub-standards constitute the minimum elements that should be present in a regulatory framework for TCSPs in order for such framework to meet the objectives of TCSP regulation set out above. 3.3. The Regulator should view the Standard as a minimum requirement that sets out the broad framework for TCSP oversight, which can be tailored to each jurisdiction’s individual needs. The Regulator should apply the Standard to all TCSPs in their jurisdiction. Jurisdictions may satisfy the Standard by adopting requirements which are of substantially similar effect and may impose higher standards in some or all areas where national legislation requires. It is recognized that the Standard may be supplemented by other measures in individual jurisdictions designed to mitigate risks of TCSPs. 3. The Standard 4. Additional Information 4.1. The importance of TCSPs is recognised in particular in the Financial Action Task Force’s (“FATF”) Recommendations and the Asset Recovery Initiatives of the World Bank and the United Nations Office on Drugs and Crime. 4.2. International cooperation is an important part of effective regulation and effective cooperation and must include all Regulators, TCSPs and other financial institutions. 4.3. In order for the international community to better understand international flows of financial and other assets it is vital that regulatory regimes encourage transparency in the use of complex structures and Legal Vehicles. 4.4. TCSPs are an important part of combating money laundering, the financing of terrorism and countering of proliferation financing (“Financial Crime”) in their role as both intermediaries and introducers of business to other institutions. 1 StAR | Addressing Anti-Corruption, Money Laundering & Asset Recovery 1 2

4.5. TCSPs can fulfil an important role in ensuring that their organisations are not used as a conduit for Financial Crime such as money laundering, bribery and corruption and tax evasion, or the holding of stolen assets. 4.6. The Regulator has an important role to play within their powers in supporting other competent authorities and others to recover and repatriate criminal assets. The Regulator should require effective record keeping, monitor and enforce compliance with customer due diligence and beneficial ownership regulations, and insist on timely exchange of beneficial ownership and other relevant information. 3

Part 1 - Definitions “Client” save where the context requires otherwise, includes any person(s) who has: entered into an agreement for the provision of services by a licensed entity when carrying on trust and company business. received or may receive the benefit of services provided or arranged by the TCSP when carrying on trust and company business. Client “Client Money” means money which a TCSP holds or receives on behalf of a Client; or owes to a Client. Client Money Controller “Controller” means a Shareholder Controller and/or other influential person, including Beneficial Owner; 2 “Financial Crime” includes Money Laundering “ML” , Financing of Terrorism “FT” , and Proliferation Financing “PF” . Financial Crime “Key Person” includes a Director, Partner, Money Laundering Officer (including Money Laundering Reporting Officer or Money Laundering Compliance Officer) and Compliance Officer of a TCSP. Key Person The Standard uses the FATF definition for beneficial owner, which refers to, “... the natural person(s) who ultimately owns or controls a customer and/or the natural person on whose behalf a transaction is being conducted. It also includes those persons who exercise ultimate effective control over a legal person or arrangement.” 2 “Legal Vehicle” , save where the context requires otherwise, includes Company, Partnership, Limited Partnership, Limited Liability Partnership, Foundation, Trust and any other form of legal person or legal arrangement. Legal Vehicle 4

“Shareholder Controller” means any person: holding, directly or indirectly, 15% or more of the issued share capital of a TCSP; who is entitled to exercise or control the exercise of not less than 15% of the voting power in a general meeting of the TCSP; or who has a holding in the TCSP directly or indirectly which makes it possible to exercise significant influence over the management of the TCSP. Shareholder Controller “TCSPs” refer to those who undertake any one or more of the following activities, by way of business: acting as a Corporate or Partnership formation Agent; acting as (or arranging for another person to act as) a Director, Secretary or Official of a Company or a Partner of a Partnership or as a Foundation Official; providing administration or management of a Trust, Company, Partnership, Foundation, or for any other legal person or legal arrangement; providing registered office, business address for accommodation, correspondence for administrative address for a Company, Partnership, Foundation or for any other person; acting as a Resident Agent for the purposes of meeting requirements to hold beneficial ownership or interest information; acting as (or arranging for another person to act as) a Trustee of a Trust; acting as (or arranging for another person to act as) a Nominee Shareholder for another legal person; or acting as a Protector or an Enforcer of a Trust. TCSPs 5

1. Principles relating to the Regulator 1.1. The responsibilities of the Regulator should be clear and objectively stated. 1.2. The Regulator should be operationally independent and accountable in the exercise of its functions and powers. 1.3. The Regulator should have adequate powers, sufficient resources and the capacity to perform its functions and exercise its powers, through a risk-based approach. 1.4. The Regulator should ensure that within its organisation conflicts of interest are avoided, eliminated, disclosed or otherwise managed. 1.5. The Regulator should adopt transparent, clear and consistent regulatory processes. 1.6. The staff of the Regulator should observe the highest professional and ethical standards, including appropriate standards of confidentiality.

2. Principles for Regulation 2.1. The Regulator should have, or contribute to, a process to monitor and mitigate systemic risk, appropriate to its mandate. 2.2. The Regulator should undertake prudential and conduct supervision, including the prevention of Financial Crime, and have a process to monitor and review its supervision periodically. Part 2 - Principles for Regulation Jurisdictions should ensure that a framework of laws and regulations are in place to allow for the establishment of a regulatory framework enabling the ongoing oversight and regulation of TCSPs by a Regulator that is duly supported by the established framework. Systemic risk refers to the potential that an event, action, or series of events or actions could have a widespread adverse effect on the financial system and, in consequence, on the economy. Guidance Note on Systemic Risk 6

3. Principles for Co-operation 3.1. The Regulator should have authority to share both public and non-public information with domestic and foreign counterparts. 3.2. The Regulator should establish information sharing mechanisms that set out when and how they will share both public and non-public information with their domestic and foreign counterparts. These should cover information sharing on a timely and constructive basis at the Regulator’s own initiative and also on request. 3.3. Co-operation, where appropriate, could also include establishing colleges for supervisory cooperation and exchange of prudential supervisory information in relation to TCSPs whose operations extend to different jurisdictions. 3.4. The Regulator should adopt a pro-active approach to sharing information. 3.5. The regulatory system should allow for assistance to be provided to foreign Regulators who need to make inquiries in the discharge of their functions and exercise of their powers. Attention should be given to ensure that there is no period of time with limited or no supervisory activity being undertaken. If such a period does arise, as a result of but not limited to: limited resources, reorganisation, geopolitical events, natural disaster, public health crisis; to remain effective, attention should be given to adapting the supervisory approach to cover such events. Guidance Note on Ongoing Supervision of TCSPs 2.3. The Regulator should have, or contribute to, a process to review the perimeter of regulation regularly. 2.4. The Regulator should have powers to gather all information required to perform its functions and exercise its powers, on a risk-based approach, including those: 2.4.1. to supervise TCSPs by the use of on-site inspections; 2.4.2. to obtain information from TCSPs; and 2.4.3. to undertake thematic reviews and other offsite supervision. 2.5. The Regulator should have in place internal mechanism(s) to ensure complaint(s) against the Regulator are acknowledged and managed, in a consistent, timely, and appropriate manner. 3 3 These should be both on-notice and without notice inspections, commensurate to the seriousness of the situation. 7

4. Principles for Enforcement 4.1. The Regulator should have comprehensive inspection, investigation and supervision powers. 4.2. The Regulator should have comprehensive enforcement powers. 4.3. The regulatory system should provide for an effective and credible use of inspection, investigation, surveillance, enforcement powers and sanctions and implementation of an effective compliance programme.

5. Other Requirements on Jurisdictions 5.1. To ensure the timely development of legislation with regard to Legal Vehicles (legal persons and legal arrangements). 5.2. To develop an insolvency regime to solve the problems encountered with insolvent TCSPs. 5.3. To ensure that jurisdictions have a public official of last resort empowered as necessary to manage or liquidate a Legal Vehicle. 5.4. Jurisdictions should promote the wider and harmonious adoption of sound and prudent principles as a basis for regulatory regimes for TCSPs. This Standard on the Regulation of Trust and Corporate Service Providers seeks to achieve this. 5.5. Where jurisdictions do not regulate TCSPs, they are actively encouraged to consider introducing legislation and a regulatory framework in accordance with this Standard and promote practices to meet it. 5.6. The jurisdiction’s legislative framework should be such that in the event that a TCSP is wound up by the court or otherwise dissolved, the liquidators or any other person to whom custody of books and records has been given must retain such records for a minimum period of five years thereafter. 5.7. Jurisdictions should review their inherent powers and legislative provisions to determine their powers to administer trusts and foundations in the event that a TCSP goes into administration, receivership or liquidation. 8

Part 3 - The Standard A.1. This framework should allow for: A.1.1. the Regulator to license TCSPs that want to operate in or from within the jurisdiction; A.1.2. the Regulator, to assess, with consideration to the Regulator’s risk appetite, whether a TCSP is at the time of licensing, and remains, fit and proper over the period for which it holds a TCSP licence; A.1.3. the Regulator to assess whether the Controllers of a TCSP are at the time of licensing, and remain, fit and proper to hold those interests and/or positions; A.1.4. the Regulator to assess whether the Key Persons of a TCSP are at the time of licensing, and remain, fit and proper to hold those positions; and A.1.5. withdrawal of the relevant licence in the event that a TCSP is no longer fit and proper or is in material breach of regulatory standards. A. Licensing A.2. The Regulator should consider the ownership, structure, control and/or management of a TCSP. The ownership structure should not hinder effective supervision or facilitate regulatory arbitrage. A.3. The Regulator should require that a TCSP demonstrates a physical presence in the jurisdiction in which it is regulated. A.4. The Regulator should require that a TCSP’s affairs are conducted in a prudent and financially sound manner. A.5. The Regulator should require that a TCSP has appropriate policies, procedures and controls to ensure full compliance with the Financial Crime requirements, including the ability to accurately detail the ultimate beneficial owners of Legal Vehicles. A.6. The Regulator should require that a TCSP is and remains resourced, structured and organised appropriately so that it can manage all Legal Vehicles and assets it administers. This requirement should address policies, procedures and controls, staff capabilities and the numbers and types of appointments to Legal Vehicles which are undertaken by staff, whether in their own name or through corporate directors or other indirect appointments. 4 4 The Regulator may consider that physical presence is duly demonstrated by: those persons who represent the mind and management of the TCSP being resident in the Regulator’s jurisdiction and actively involved in the governance of the business; and having an operational place of business in the Regulator’s jurisdiction. 9

B. Corporate Governance B.1. The Regulator should require that a TCSP has embedded within it a robust corporate governance culture and framework. The Regulator should have in place an approval process for the direction and management of a TCSP which requires that: Guidance Note on Directorships In considering capacity, attention should be given to the absolute number of directorships, and the nature, scale, and complexity of each appointment. However, the Standard does not set or require a fixed numerical cap. B.1.1. the Board collectively comprises an appropriate balance of skills, knowledge and competence taking into account its members’ relevant experience such that the Board as a whole is able to discharge its duties and responsibilities effectively, and further that no individual or group of individuals can or does unduly dominate the Board’s decision making; B.1.2. where functions have been delegated by the Board, the Board clearly and comprehensively records the functions delegated and ultimate responsibility for the delegated functions remains with the Board; B.1.3. the management structure should be appropriate to the size, complexity, structure and risk profile of an individual TCSP; B.1.4. every Board should have a minimum of two individuals to direct the business; who are sufficiently independent of each other such that each would not be unduly influenced by another Board member; B.1.5. every Board should establish appropriate succession planning; B.1.6. every Board should have a business continuity/ interruption plan, to safeguard against disruption of the operations and services and to mitigate risk. The Board should review these plans periodically; B.1.7. directors should be aware of and understand their duty to understand applicable legislation, regulations, policies, rules, instructions, guidance and codes of practice to an appropriate level to enable them to discharge their responsibilities; B.1.8. Boards should comprise of individuals who are aware of and understand the Board’s collective duty to ensuring that robust arrangements for compliance with the regulatory regime are maintained; 5 5 Or any alternate body that manages a TCSP where it is not a company. 10

B.2. The Board retains ultimate responsibility for the compliance function, and should ensure: B.2.1. that it approves and regularly reviews a compliance policy and establishes a defined and resourced compliance function; B.2.2. there is periodic verification of adherence with established applicable standards and all regulatory and other legal requirements; B.2.3. that necessary remedial actions to rectify any shortcomings in the TCSPs operations are taken promptly; B.2.4. that there are regular reports on the performance and effectiveness of the TCSP’s compliance function; B.2.5. that regulatory breach logs are maintained and available for inspection by the Regulator upon request; and B.2.6. that regulatory breaches are notified to the Regulator, as required. B.3. In assessing the quality and strength of the Board of a TCSP, the Regulator should have the power to require the amendment of the composition and size of the Board. B.4. The Regulator shall not permit a corporate director to be on the Board of a TCSP. B.1.9. Boards should establish, implement, document and maintain an effective conflicts of interest policy for both the Board and the TCSP, which sets out the standards of expected behaviour including, amongst other matters, the treatment of any non-compliance with the policy; B.1.10. Boards should ensure that they formulate and implement a suitable risk framework for the TCSP, including the production of a statement of risk appetite so that the types of business the firm is prepared to take on and risk tolerance are clear; B.1.11. Boards should undertake a periodic self-assessment of their effectiveness. 11

6 Both the existence of debt and options can give the holder effective control. C.1.1. The Regulator should ensure that: C.4. Financial Soundness C.4.1. If the TCSP is part of a group, the Regulator should assess the financial strength of the group insofar as it may impact the TCSP. Accordingly, the Regulator may require copies of the parent company financial statements and other relevant information to be submitted to it. C.4.2. The Regulator should assess the solvency of Controllers and the impact on the TCSP where any Controller has been or is likely to be declared bankrupt or insolvent or has been the subject of a money judgement. C.4.3. The Regulator should require that Controllers demonstrate clearly their sources of wealth and source of funds. C. Controllers of TCSPs C.1. Fit and Proper Standards C.1.2. The Regulator should require the TCSP to demonstrate that it has the controls to mitigate and manage any such risks arising, where a Controller is connected with a jurisdiction that is assessed as higher risk. C.2. Integrity C.2.1. The Regulator should require that any Controller acts with integrity at all times. C.3. Competence C.3.1. Controllers who exert an influence over the day to day affairs of a TCSP should be competent. C.1.1.1. the Controllers of a TCSP must be, and must remain, fit and proper; C.1.1.2. it understands the relationship created by any debt, option, equity or beneficial interest holding in the TCSP which would make the holder of that interest a shareholder controller; C.1.1.3. the appointment of, or change in, a Controller may only take place after the Regulator has been notified and has positively confirmed its approval of, or no objection to, the appointment via a separate vetting process. C.1.1.4. where a Controller exercises a Key Person function within the TCSP, they undergo a separate approval process specific to that role; and C.1.1.5. it has powers to refuse approval and remove existing Controllers. 6 12

7Care should be taken to ensure that Controllers do not exert undue influence on the Board of a TCSP to act against the best interest of the TCSP especially where it would place it in breach of its licence. C.5. Conflicts of Interest C.5.1. The Regulator should assess whether Controllers of TCSPs have any existing or potential conflicts of interest and should any conflicts exist, the Regulator should ensure that these are addressed appropriately. 7 13

D. Individuals – Key Persons and Other Employees D.1.1. The Regulator should assess the fit and proper standards and ensure that the appointment of, or change in, a Key Person may only take place after the Regulator has been notified and has positively confirmed its approval of, or no objection to, the appointment via a separate vetting process. The Regulator should require that all Key Persons of a TCSP are fit and proper for their roles on an ongoing basis. D.1.2. The Regulator should have the power to refuse approval to and remove a person from a Key Person role. D.1.3. In making a fit and proper determination, the Regulator should consider integrity, competence and financial soundness. D.1.4. Prior to the appointment of a Key Person, the Regulator should assess the outcome of the following checks in respect of the proposed Key Person: D.1. Key Persons D.1.4.1. criminal records; D.1.4.2. regulatory sanctions; D.1.4.3. professional reprimands; D.1.4.4. other formal censure, discipline or public criticism; D.1.4.5. refusal of the right to carry on a trade, business or profession for which a specific licence, registration or other authority is required; D.1.4.6. refusal of entry to a trade organisation that imposes a fit and proper test (where applicable); D.1.4.7. declaration of bankruptcy (or similar); D.1.4.8. civil action; D.1.4.9. whether the person is subject to any investigation personally or in relation to any associated corporation; D.1.4.10. professional or other relevant qualifications; and D.1.4.11. knowledge and/or experience relevant to the business concerned. 14

D.2.2. The Regulator should require TCSPs to have procedures in place to control recruitment practices in regard to all individuals including Key Persons. The Regulator should require the TCSP to, prior to hiring an employee, give due consideration to an applicant’s: D.2.2.1. criminal records; D.2.2.2. regulatory censure; D.2.2.3. professional reprimands; and D.2.2.4. other formal censure, discipline or public criticism. D.3.1. The Regulator should require that a TCSP establishes and implements policies and procedures that require its employees, including Key Persons, to undertake an annual programme of training and professional development. D.3. Training and Development D.2.1. The Regulator should require a TCSP to implement controls in respect of the recruitment and ongoing assessment of all employees including Key Persons. The Regulator should require that the TCSP: D.2. Other Employees D.2.1.1. has recruitment procedures to ensure it employs employees who are competent to perform their roles; D.2.1.2. appropriately supervises its employees; D.2.1.3. regularly reviews the competence of its employees, and that the level of competence is appropriate to the nature and size of the business; and D.2.1.4. ensures all employees remain competent for the role they undertake by undertaking appropriate training or professional development. 15

E. Control over Legal Vehicles E.1.1. The Regulator should require that TCSPs have adequate written policies and procedures to ensure the professional performance of their duties. E.1.2. The Regulator should ensure that in order to meet the requirements and obligations under the FATF Recommendations relating to Financial Crime risks that in respect of any Legal Vehicle which a TCSP may incorporate, create, administer, manage or provide services to, the TCSP: E.1. Professional Duties E.1.2.1. documents, verifies and keeps updated the beneficial ownership of those Legal Vehicles as a component of its policies, procedures and controls on a customer's due diligence; E.1.2.2. knows the beneficial ownership of the source of funds being vested in those Legal Vehicles; E.1.2.3. has policies and procedures to ensure that full documentation is held evidencing the nature of business to be engaged in, as well as the powers of any Legal Vehicle; and E.1.2.4. has policies and procedures to establish, access in a timely manner and retain documentation of beneficial ownership information for all Legal Vehicles. E.1.3 The Regulator should also require that TCSPs: 8 The Standard uses the FATF definition for beneficial owner, which refers to, “...the natural person(s) who ultimately owns or controls a customer and/or the natural person on whose behalf a transaction is being conducted. It also includes those persons who exercise ultimate effective control over a legal person or arrangement.” E.1.3.1. have a robust system in place to establish beneficial ownership information in accordance with the FATF Recommendations; E.1.3.2. document the rationale for the establishment of any Legal Vehicle; E.1.3.3. undertake a risk-based approach to the establishment of and monitoring of a complex structure and that they hold adequate, accurate and timely information on the rationale for its use; E.1.3.4. undertake enhanced due diligence in accordance with the FATF Recommendations; E.1.3.5. ensure there is adequate, accurate and current information on the ultimate beneficial ownership and control of Legal Vehicles that can be obtained or accessed in a timely fashion by competent authorities; and E.1.3.6. retain accurate evidence of all decisions made in the course of acting as a director or other controlling party of a Legal Vehicle. 8 16

E.2.1. This Standard is not intended to interfere with trust law; trust law is the responsibility of the Courts. It is the responsibility of the TCSP to ensure that, in carrying out its duties as a trustee, fiduciary and/or administrator it fully complies with that law in all aspects of safeguarding the assets of the trusts and acts in accordance with the trust deed and always in the best interests of beneficiaries. E.2.2. The Regulator should require TCSPs to establish and document clear policies and procedures that ensure: E.2. Legal Vehicle Assets E.2.2.1. they act with professional skill care and diligence with regard to the administration of Legal Vehicle assets; E.2.2.2. there is a segregation of Legal Vehicle assets from those of the TCSP; and E.2.2.3. there is a recording and monitoring of any receipt or movement of assets of a Legal Vehicle administered by a TCSP. 9 FATF Recommendation 17 permits the reliance on third parties. 9 17 E.1.4. The Regulator should require that TCSPs remain responsible for obtaining and documenting beneficial ownership information, even where reliance is placed on a third party. E.1.5. Where TCSPs place reliance on third parties, the TCSP should ensure that contractual agreements with all third parties are sufficiently robust to ensure that they can fulfil the requirements set out above. E.1.6. Where TCSPs rely on third parties, the Regulator should require TCSPs to test the ability of all third parties to provide adequate beneficial ownership information upon request by the TCSP and without delay, which should also be supported by a contractual agreement. E.1.7. In cases where a TCSP cannot obtain beneficial ownership information from a third party, the Regulator should require such relationships should be terminated.

E.3. Client Money Rules E.3.1. The Regulator should put in place rules for the administering of and holding of Client monies which at a minimum address: E.3.1.1. segregation of the Client monies from the monies of the TCSP; E.3.1.2. the requirement to hold Client monies in clearly separate and distinct accounts from any accounts of the TCSP’s own monies; E.3.1.3. the disclosure to Clients of the terms upon which Client money is held; E.3.1.4. the requirement for Client money accounts to be reconciled promptly by the TCSP; E.3.1.5. the requirement for the payment away of Client monies to be subject to a dual signature regime; and E.3.1.6. the establishment of policies, procedures and controls to prevent the inappropriate use of Client monies for the settlement of TCSP fees and disbursements. E.3.2. The Regulator should require a TCSP to implement an independent, competent, appropriately qualified, review of the controls over Client money, on a risk-based approach. Guidance Note on Client Money

1. The Standard is aiming to achieve an independent, competent, appropriately qualified, verification of the controls over client money because loss or misuse of client money is a material risk to clients and to regulatory objectives.
2. The review can be internal or external. Either way, attention should be given to ensure both the competence and independence of the review. Where an internal party performs such a review they must be operationally independent from the individuals or functions responsible for the operation of the controls under review.
3. Whilst a risk-based approach applies to the scope and frequency of the review, the expectation is that a review should be carried out at least annually.
4. The independent, competent, appropriately qualified, review should pay particular regard to the controls that prevent Loss, Misuse and Misappropriation of client money. 18

F.3.1.1. ensure that, where appropriate, there is a full understanding of the duties arising under the laws relevant to the administration and affairs of Clients for which they are acting in the jurisdictions in which they are carrying on business and in which the assets being managed are held; F.3.1.2. ensure that all decisions taken or transactions entered into by or on behalf of Clients are actioned in a timely manner appropriately authorised and handled by persons with an appropriate level of knowledge, experience and status; F.3.1.3. ensure that all reasonable steps are taken to ensure that it obtains sufficient information about the Client in order to exercise a relevant discretion or other power in a proper manner and that such discretion or power is only exercised for a proper purpose; F.3.1.4. inform the Client in writing of the agreed terms between the CSP and the Client, including the instructions received and the capacity and scope of discretion, if any, within which the CSP will act for the Client; and F. Conduct F.1.1. The Regulator should require that a TCSP acts with integrity and fair dealing in the conduct of its business. F.1. Integrity F.2.1. The Regulator should require that a TCSP’s policies and procedures reflect its duty to Clients over the referrers of those Clients and maintain the highest standards of ethical behaviour in order to avoid conflicts of interest so as to always act in the best interests of the Client. F.2.2. The Regulator should require that a TCSP has clearly established policies and documented procedures to either avoid any conflict of interest arising or, where a conflict arises, to keep adequate records of such conflicts and ensure fair treatment to its Clients by disclosure of the conflict, internal rules of confidentiality, declining to act, or otherwise. F.2. Conflicts of Interest F.3. Interaction with Clients F.3.1. The Regulator should require that TCSPs adopt and maintain prudent standards in its interactions with Clients, and further require that, inter alia, a TCSP should: 19

Guidance Note on TSP Terms of Business Where a TCSP is both the service provider and the trustee, it is considered best practice for the TSP to circulate its terms of business with the trust accounts to whoever is entitled to receive copies of those accounts in order to ensure that anyone with an interest in the accounts is aware of the terms on which the TSP is providing services. The provision of a fees schedule, referenced from the client agreement and/or the terms of business, is one method of complying with section F.3.1.4. F.3.1.5. establish and maintain policies, procedures and controls to monitor and ensure it always has the requisite capacity and resources to provide the services agreed with its Clients. F.4. Advertising and Communication F.4.1. The Regulator should require that a TCSP adopts advertising and communication practices that: F.4.1.1. do not violate local and international laws; F.4.1.2. do not violate standards of prudence and fairness; F.4.1.3. are clear and ethical; F.4.1.4. do not contain any element that is in breach of laws or promotes the breach of other legislation; and F.4.1.5. as far as possible, do not place the jurisdiction at risk of being brought into disrepute. F.5. Terms of Business F.5.1. The Regulator should require a TCSP to enter into written terms of business with Clients for whom the TCSP has agreed to act. The terms should provide: F.5.1.1. a description of the services to be provided; F.5.1.2. the fees to be charged and the basis of the calculation of those fees; F.5.1.3. any exit fee and the basis upon which it is calculated; F.5.1.4. the means by which complaints about the TCSP’s services can be made; and F.5.1.5. that termination of a relationship be on reasonable notice, unless a good reason can be given. 20

F.6. Complaints Handling F.6.1. The Regulator should require that a TCSP: F.6.1.1. has an effective documented complaints handling mechanism which is fair and timely; and F.6.1.2. has a complaints log, which is maintained and available for inspection by the Regulator upon request. 21

G. Prudential G.1. Capital and Liquidity Requirements of a TCSP G.1.1. The Regulator should undertake an analysis of the capital and liquidity of a TCSP, based on an analysis of financial information. G.1.2. The Regulator should implement regulatory capital and liquidity requirements that: G.1.2.1. set out minimum standards of net assets and liquidity that TCSPs must maintain, in order to remain financially resilient and reduce the risk of failure; G.1.2.2. set out minimum standards of surplus liquid assets to be retained in the business, sufficient to meet the TCSP’s expenditure for a specific period in the event of the need to have an orderly wind up of the TCSP; and G.1.2.3. require TCSPs to notify the Regulator when they fall below the minimum capital and/or liquidity requirements established by the Regulator. G.1.3. The Regulator should: G.1.3.1. consider whether to apply restrictions on what assets may be included in regulatory capital and liquidity requirements. Guidance Note on Minimum Net Assets In determining net assets for the purpose of satisfying minimum net assets requirements, the following amounts should generally be deducted, as they do not represent capital available to the TCSP: Investments in Subsidiaries Investments in Associates Intangibles Related party balances, unless in the ordinary course of business 22

G.1.3.2. take into account any deductible claims payable for any insurance policies in force. G.1.3.3. support prudential regulation by allowing peer group comparison; and G.1.3.4. define a mechanism for intervention, including triggers, where a TCSP is at risk of falling below acceptable minimums. G.1.4. The Regulator may choose exceptionally to grant a modification to the capital and liquidity requirement to reflect particular circumstances. Where a modification is granted, the Regulator may apply additional requirements to compensate for any increased risk. G.2. Maintenance of Adequate Accounting and other Records of a TCSP G.2.1. The Regulator should require a TCSP to produce and retain financial records that accurately reflect its affairs. Such records must be available to the Regulator immediately upon request. G.2.2. The Regulator should implement rules wherein a TCSP should retain sufficient accounting and financial data with regard to any financial transaction in which it played a part, to ensure the preservation of an audit trail for a minimum period of five years. G.2.3. The Regulator should implement controls to require a TCSP to maintain accounting records in a manner that is accessible and promotes inspection by the Regulator. G.3. Requirement to have Accounts Audited G.3.1. The Regulator should require that a TCSP prepares financial statements in accordance with the accounting standards applicable in its home jurisdiction. Furthermore, where proportional to the risk presented by the TCSP and considering the nature of its business, these financial statements should be subject to external audit. G.3.2. A time limit for the provision of audited financial statements to the Regulator should be enforced. G.3.3. A copy of the Auditor’s management letter and the management response should be presented to the Regulator. G.3.4. A TCSP should be required to notify the Regulator on a timely basis of any decision by its Auditor to qualify its audit report or to raise an emphasis of matter. G.3.5. The Regulator should require the Auditor to be suitably qualified to undertake the audit. G.3.6. The Regulator should be empowered to refuse a proposed Auditor and to remove Auditors. 23

G.3.7. The Regulatory framework should include provisions for gateways between the Regulator and the Auditor. These should include an obligation for the Auditor to report to the Regulator on significant breaches of regulatory requirements by the TCSP, and protection from civil liability for an Auditor in respect of any such information supplied to the Regulator. G.3.8. The Regulatory framework should enable the Regulator to require copies of financial records, including audited financial statements of parent and ultimate parents’ entities, particularly where the TCSP is dependent on support from its parent or group, or otherwise has significant financial exposure to the parent or group. G.4. Insurance G.4.1. The Regulator should require a TCSP to maintain Professional Indemnity Insurance (“PII”) cover which is commensurate with the size and nature of its business. G.4.2. The Regulator should require notification to itself and insurers concerned of any material potential claim on a timely basis. G.4.3. The Regulator should give consideration to imposing requirements for the TCSP to have in place run-off PII where a licence is surrendered or revoked. G.5. Liquidations and Receiverships G.5.1. The Regulator should have the power to apply to the Court or pursuant to its own powers, to appoint a Manager, Administrator, Receiver or Liquidator (“insolvency practitioner”) to a TCSP. G.5.2. The regulatory framework should establish whether insolvency practitioners: G.5.2.1. are required to be licensed; G.5.2.2. are subject to rules or regulations of the Regulator; G.5.2.3. are subject to other regulatory powers; and G.5.2.4. can be required to submit reports to the Regulator. Guidance Note on an Insolvent TCSP Section G.5.2. should be interpreted as a plan/regulatory framework that Regulators have prepared in the event of a TCSP becoming insolvent (and there is an insolvency practitioner being appointed to a TCSP). 24

H.1. Record Keeping Requirements H.1.1. The Regulator should ensure that it has the statutory power to access the records of a TCSP, and to take copies of such records to undertake its regulatory functions. H.1.2. The Regulator should require that TCSPs have in place robust record keeping policies and procedures that deliver effective information and document management systems. The Regulator should require that a TCSP: H. Administration H.1.2.1. maintains all records so that they are accessible and up-to-date at all times as far as is reasonable; H.1.2.2. arranges files and indexes all records so as to permit prompt access to any particular record; H.1.2.3. records information in such a way as to enable a particular transaction to be identified at any time and traced through the accounting systems of the TCSP, in particular in such manner as to enable early identification of balances and of the particular items which make up those balances; H.1.2.4. ensures any records it maintains in an electronic format are stored in such a way as to be and remain admissible in evidence before a relevant Court; H.1.2.5. maintains adequate policies and procedures for the maintenance, security, privacy and preservation of records, working papers and documents of title belonging to the TCSP and/or its Clients or others so that they are admissible before a relevant Court and reasonably safeguarded against loss, unauthorised access, alteration or destruction; and H.1.2.6. maintains adequate records identifying relevant financial transactions following the closing of an account, the end of a transaction or the cessation of the business relationship for a minimum period of five years from the last of these events; or for as long as the law requires. H.2. Accounting Requirements for Legal Vehicles administered by TCSPs H.2.1. The Regulator should require that a TCSP with responsibility for maintaining accounting records of a Legal Vehicle does so with sufficient particularity to show and explain the transactions and commitments (whether effected on its own behalf or on behalf of others). 25

H.3. Outsourcing of Key Functions H.3.1. The Regulator should define the functions of a TCSP which should not be outsourced, giving careful consideration to ensure that a TCSP does not delegate so many of its functions as would leave an inadequate presence in the jurisdiction. H.3.2. Outsourcing must not hamper supervision of a TCSP by the Regulator. The terms of the outsourcing agreement must include a contractual requirement for the provider of the outsourcing services to give the Regulator the right to direct access to material which it holds in relation to the business of a TCSP. H.3.3. In any instance of proposed outsourcing, the Regulator should require a TCSP to: H.3.3.1. assess the risk of the proposal; H.3.3.2. document the capability and suitability of the proposed provider of the outsourced services; H.3.3.3. establish a clear responsibility within the TCSP for monitoring the conduct of the outsourced services, and for reporting to the Board; H.3.3.4. consider the risks which could arise from the failure of the provider of outsourced services or other breakdown in the provision of services; and H.3.3.5. have in place a contingency plan in case of the failure of the provider of outsourced services or other breakdown in the provision of services. H.3.4. The Regulator should require that: H.3.4.1. a TCSP notify it before outsourcing functions which are relevant to its management, compliance or the delivery of TCSP services; H.3.4.2. there is an outsourcing agreement in writing between a TCSP and the provider of the outsourcing services; H.3.4.3. if the outsourcing is of a regulated activity, then the provider of the outsourcing services should normally itself be regulated; and H.3.4.4. there is no sub-outsourcing without the explicit approval of the Regulator. This should generally include the power to conduct an on-site visit. 10 26

H.4. Data Security H.4.1. The Regulator should require that data (whether in a physical or digital format) is held in a secure manner. This should include reasonable steps to ensure: H.4.1.1. security against theft or unauthorised access; H.4.1.2. security against loss or destruction; H.4.1.3. compliance with the statutory requirements which apply to the TCSP; and H.4.1.4. suitable backup and disaster recovery arrangements. H.4.2. The Regulator should require that a TCSP notify the Regulator of any material cybersecurity events, without undue delay. H.3.5. The Regulator should require a TCSP which maintains its accounting records of Legal Vehicles and other records with a provider of outsourced services (whether or not in a location outside the jurisdiction), to ensure that: H.3.5.1. the records are kept secure and pose no operational risk; H.3.5.2. the records are maintained so as to be readily accessible; H.3.5.3. all regulatory and confidentiality laws are complied with; and H.3.5.4. the Regulator has ready and reasonable access to the records at all times. 27

The Regulator may consider a cybersecurity event to be material when it results in unauthorised access to, disruption or misuse of the electronic systems or information stored on such systems of a TCSP, including any breach of security leading to the loss or unlawful destruction or unauthorised disclosure of or access to such systems or information, including where: a) the cybersecurity event has the likelihood of adversely impacting clients; b) the TCSP has reached a view that there is a likelihood that loss of its system availability will have an adverse impact on its business; c) the TCSP has reached a view that there is a likelihood that the integrity of its information or data has been compromised; d) the TCSP has become aware that there is a likelihood that there has been unauthorised access to its information systems, whereby such would have an adverse impact on its business; or e) the event has occurred for which a notice is required to be provided to a regulatory body or government agency. Guidance Note on Cybersecurity H.5. Data Protection H.5.1. The data protection principles framework for holding data about individuals varies slightly between jurisdictions, but the principles can be summarised as below. Personal data must be: H.5.1.1. used fairly and lawfully; H.5.1.2. used for specific and lawful purposes, in a manner that is compatible with those purposes; H.5.1.3. adequate, relevant and not excessive; H.5.1.4. accurate and where necessary kept up to date; H.5.1.5. kept for no longer than necessary; H.5.1.6. used in accordance with the rights of individuals; and H.5.1.7. kept secure to avoid unauthorised or unlawful use, accidental loss, or damage. 28

H.5.2.1. not transfer data to another jurisdiction unless that jurisdiction subscribes to the above principles or an agreement exists between the TCSP and transferee providing an equivalent level of protection; H.5.2.2. document the capability and suitability of the proposed provider of outsourced services; H.5.2.3. establish a clear responsibility within the TCSP for monitoring the conduct of the outsourced services, and for reporting to the Board; H.5.2.4. consider the risks which could arise from the failure of the provider of outsourced services or other breakdown in the provision of services; and H.5.2.5. have in place a contingency plan in case of the failure of the provider of outsourced services or other breakdown in the provision of services. H.5.2. The Regulator should require a TCSP to follow the above data protection principles and to: 29

I.1.3.1. identify, assess, and understand the Financial Crime risks for their jurisdiction and the TCSP sector, and apply resources aimed at ensuring those risks are mitigated effectively; I.1.3.2. identify, assess and document a Financial Crime risk assessment relevant to their business, based on their business plans and risk profiles (for example, customer base, markets, distribution channels and products and services offered), whilst having regard to findings in the jurisdiction’s National Risk Assessments; I.1.3.3. ensure that measures to prevent or mitigate Financial Crime are commensurate with the risks identified; and I.1.3.4. implement a suitable combatting Financial Crime programme with effective oversight over the Legal Vehicles for which they act. The programme should include the implementation of adequate controls to mitigate any identified Financial Crime risks. I.1.3.5. implement effective policies, procedures and controls to ensure the prompt reporting to the financial intelligence unit (FIU) of suspicious activity. I. Financial Crime and International Sanctions I.1. Financial Crime Policies, Procedures and Controls I.1.1. The Regulator should require TCSPs to have policies, procedures and controls to ensure that their business is protected from the threats of Financial Crime. I.1.2. The Regulator should require TCSPs to have policies, procedures and controls to ensure that they and entities that they control and administer do not become engaged directly or indirectly in Financial Crime. I.1.3. The Regulator should require that TCSPs assess risks and apply a risk-based approach to discharging their combatting Financial Crime obligations. The Regulator should require TCSPs to: I.2. National Co-operation and Co-ordination I.2.1. The Regulator should ensure that it has legal authority and effective mechanisms in place which enable it to co-operate, and, where appropriate, co-ordinate domestically with policy-makers, the FIU, targeted financial sanctions authorities, law enforcement authorities, Regulators and other relevant competent authorities concerning the development and implementation of policies and activities to combat Financial Crime. 30

I.3.1. The Regulator should ensure that TCSPs are subject to regulation and supervision and have policies, procedures and controls which effectively implement the FATF Recommendations by undertaking on-site inspections. The Regulator should: I.3. Regulation and Supervision I.3.1.1. require that TCSPs be licensed or registered and adequately regulated, and subject to supervision or monitoring for the purposes of combatting Financial Crime, having regard to the risk of Financial Crime in the trust company business sector. This requirement is in addition to the requirement for the TCSP to be licensed to conduct trust and company business as provided for in Section A; I.3.1.2. have adequate powers to supervise or monitor, and ensure compliance by, TCSPs with regard to combatting Financial Crime; I.3.1.3. require that TCSPs provide an explanation of any recorded information or state where it may be found; I.3.1.4. verify the TCSPs’ compliance with combatting Financial Crime requirements by undertaking regular onsite inspections, whilst maintaining a risk-based approach; I.3.1.5. be authorised to compel production of any information from TCSPs that is relevant to monitoring such compliance; I.3.1.6. have the legal powers and internal procedures to impose sanctions on TCSPs for failing to comply with the Financial Crime regulatory framework established by the Regulator or failing to provide information requested by the Regulator; and I.3.1.7. have the ability, supported by legislation, to impose a range of disciplinary and financial sanctions, including the power to remove an individual from a Key Person role and the power to withdraw, revoke, restrict or suspend the financial institution’s licence, where applicable and to issue directions to TCSPs. I.4. Bribery and Corruption I.4.1. The Regulator should require TCSPs to have systems and policies, procedures and controls in place to ensure that they or entities that they control and administer do not become engaged directly or indirectly in bribery or corruption. I.4.2. The Regulator should prohibit TCSPs from: I.4.2.1. soliciting, receiving or accepting bribes or gifts, inducements, rewards or advantage that is likely to conflict with the TCSPs’ duty to any Client, to facilitate breach of the regulatory framework or to facilitate the commission of an offence under any law applicable to the TCSPs or to the person offering the bribe, gift, inducement, reward or advantage; 31

I.4.2.2. being involved or offering services to corrupt entities or individuals. In this context “entities” includes any entity, whether incorporated or not offering, promising or giving a bribe, gift, inducement or other benefit to a public official as consideration for co-operation, assistance, exercise of influence or act of omission in connection with any transaction or business relating to a governmental matter or a claim, advantage, approval or exemption that the government is entitled to bestow, whether or not the public official is willing or able to render such assistance; and I.4.2.3. directly or indirectly, offering, promising, giving, or demanding a bribe or other undue advantage to obtain or retain business, to facilitate a breach of any law or other improper advantage. I.5. Policies, Procedures and Controls I.5.1 The Regulator should require that TCSPs promote employee awareness of Financial Crime Risk and compliance with its policies, procedures and controls. I.6.2.1. have adequate procedures to identify their obligations and comply with national laws on financial sanctions. Implementation should include the development of proportionate and adequate systems, internal controls and processes to satisfy relevant sanctions requirements and manage overlapping sanctions regimes. Such controls should ensure that designated persons are identified promptly after the designation comes into effect, and the assets are subsequently frozen; I.6.2.2. ensure that their policies and procedures on sanctions legislation are compliant and being applied in practice. Adequate resources must be allocated to monitoring sanctions compliance. Regular risk assessments and combatting Financial Crime audits are recommended to help assess the effectiveness of the policies and procedures; I.6.2.3. ensure that their staff possess the appropriate knowledge, competencies, awareness and understanding of relevant sanctions regimes, especially staff charged with developing and implementing systems of compliance and policies, procedures and controls; and I.6.2.4. inform the relevant competent authorities forthwith where they know or suspect a Client or a person with whom the TCSP has or has had business is affected by a relevant sanction. I.6.1. The Regulator should monitor the readiness of TCSPs to comply with sanctions regimes. Testing regulatory compliance with the sanctions regimes should form part of their on-site and off-site supervision. I.6.2. The Regulator should require that TCSPs: I.6. International Sanctions 11 “Sanctions” within I.6. refers to “targeted financial sanctions” in relation to terrorism and proliferation financing as required under Recommendation 6 and 7 of the Financial Action Task Force Standards. 11 32

J.1. Information Sharing J.1.1. The Regulator should have the legal authority and sufficient resources to obtain and share both public and non-public information with domestic and foreign counterparts without the approval of another body or government department. The existence of a Memorandum of Understanding (“MOU”) should not be a pre-requisite to exchanging information. J.1.2. The regulatory system should allow for assistance to be provided to foreign Regulators who make enquiries in the discharge of their supervisory functions and exercise of their powers, including for purposes of day-to-day supervision, investigations and inquiries and enforcement. Information sharing mechanisms and procedures should extend to sharing information both in the context of regular supervision and in other conditions, including crisis situations. J.1.3. Requested Regulators may impose conditions on the use of the information by the requesting Regulator, including limiting the use of the information by the requesting authority. J.1.4. The Regulator should have the legal authority to enter into information sharing mechanisms, including MOUs, with other Regulators and competent authorities. J.1.5. The mechanisms established by a Regulator to share information should cover information sharing on a timely and constructive basis at the Regulator’s own initiative and also on request. J.1.6. The Regulator that receives information from another Regulator should have measures to ensure that the information is kept confidential, used only for supervisory purposes and is not disclosed to any third party without the other Regulator’s prior approval. J.1.7. Information sharing mechanisms should, where appropriate, include establishing and proactively participating in colleges for supervisory co-operation and exchange of prudential supervisory information in relation to TCSPs whose operations extend to different jurisdictions. J.1.8. The Regulator should adopt a proactive approach to sharing information in a coordinated, timely and effective way during each stage of the regulatory relationship pertaining to a TCSP. The Regulator should inform any other Regulator concerned with a TCSP as soon as possible when taking any action that might reasonably be considered to affect that TCSP. J. Co-Operation 33

2. Other Forms of Co-Operation J.2.1. The Regulator should have the legal ability to provide assistance to foreign Regulators upon request. J.2.2. The Regulator should have the legal authority to allow a foreign counterpart to conduct an on-site inspection of a TCSP operating in the Regulator’s jurisdiction that is also regulated by the foreign counterpart. J.2.3. The Regulator should have mechanisms to collaborate with each other and other competent authorities in exercising their functions in the case of suspected or actual criminal activities by a TCSP. John Aspden Chairman of Group of International Finance Centre Supervisors