Compliance Requirements for Corporate Service Providers
KYB and KYC Verification
Client onboarding
Audit-readiness
Regulatory updates
Many compliance teams at CSPs across Malta, Cyprus, The UK, and beyond share the same daily pressure to keep everything organised accurate and ready for scrutiny. This guide walks through the core compliance requirements that apply to you as a CSP in clear practical terms so you can see exactly where your obligations sit and how to meet them without guesswork.
Understanding the Regulatory Landscape in the EU
Corporate service providers fall under the EU’s anti-money laundering and countering the financing of terrorism framework because your services make you a gatekeeper. The current rules stem from the Anti-Money Laundering Regulation known as the AMLR which is Regulation (EU) 2024/1624 and the accompanying Directive known as AMLD6 or Directive (EU) 2024/1640. These form a single harmonised rulebook that applies directly across all member states. The AMLR takes effect from 10 July 2027 while AMLD6 requires national transposition by the same date with some provisions phased earlier. Until then the obligations you follow today build directly on the foundations laid by earlier directives and continue to apply. The new package strengthens consistency so that a CSP in Ireland faces the same baseline standards as one in Lithuania. The European Commission’s overview of the AML package also provides clear context on why these rules exist to protect the financial system while supporting legitimate business.
Who Qualifies as a Corporate Service Provider
Under the AMLR a trust or company service provider is defined as any natural or legal person who by way of business supplies specific services to third parties. These services include forming companies or other legal persons acting or arranging for someone to act as a director or secretary providing a registered office or business address acting as or arranging for a trustee and acting as or arranging for a nominee shareholder. If your firm offers any of these you are an obliged entity. This classification triggers the full set of AML/CFT duties. National laws in certain member states add licensing requirements on top. For example, in Malta, CSPs must hold authorisation under the Company Service Providers Act administered by the Malta Financial Services Authority. Similar authorisation or registration rules exist in other jurisdictions with high CSP activity. Always check your local supervisor’s guidance because licensing is separate from but complementary to the AML obligations.
Core AML/CFT Obligations for CSPs
As an obliged entity you must apply a risk-based approach to every client relationship. The table below breaks down the main requirements in a straightforward way so you can see at a glance what applies and why it matters for daily operations.
Requirement | What it means for CSPs | Legal reference in AMLR |
|---|---|---|
Customer due diligence | Identify and verify the client and any beneficial owners before establishing a business relationship or carrying out occasional transactions above set thresholds | |
Beneficial ownership | Understand the ownership and control structure obtain accurate up-to-date information on natural persons who own or control 25 percent or more and verify it using reliable sources | |
Ongoing monitoring | Keep watching the relationship for changes in risk or activity and update records accordingly | |
Record-keeping | Retain all CDD documents transaction records and beneficial ownership information for at least five years after the relationship ends | |
Internal policies and risk assessment | Carry out a business-wide risk assessment maintain written policies controls and training and have them approved by senior management | |
Suspicious activity reporting | Report any suspicion of money laundering or terrorist financing promptly to the national financial intelligence unit | Relevant provisions in the AML package |
Sanctions screening | Check clients and beneficial owners against applicable financial sanctions lists at onboarding and on an ongoing basis |
These obligations are risk-based so higher-risk clients such as those with complex structures or links to high-risk third countries trigger enhanced due diligence. Lower-risk situations may allow simplified measures but you must always document your reasoning.
Also read: How to prepare for a compliance audit in 2026
Beneficial Ownership and KYB Requirements
KYB sits at the heart of your compliance work. When a client asks you to form a company or provide a registered office you must identify the natural persons who ultimately own or control it. This means collecting details on the ownership chain verifying identities against independent sources and understanding the purpose of the structure. The AMLR requires you to report any discrepancies you find in beneficial ownership registers within fourteen days. You must also keep this information accurate and up-to-date throughout the relationship. The EU’s interconnected beneficial ownership registers make this process more efficient but the responsibility to verify remains with you as the CSP.
Record-Keeping and Audit Readiness
Regulators expect your files to tell a complete story. Every piece of due diligence every update to beneficial ownership information and every decision you make must be stored securely and retrievable within days not weeks. The five-year retention period starts from the end of the business relationship or the last transaction. In practice this means moving away from scattered emails and spreadsheets toward a single organised system that shows exactly what you knew when you knew it and what steps you took. This is where audit readiness becomes your daily reality rather than a once-a-year scramble.
Risk Management and Internal Controls
You must maintain an up-to-date risk assessment that reflects your specific exposure as a CSP. Factors such as the types of clients you serve their jurisdictions and the services you provide all feed into this assessment. Your internal policies must cover how you train staff how you handle conflicts of interest and how you escalate issues. Senior management must approve these policies and you must review them regularly. The AMLA which began operations in January 2026 issues guidelines to help obliged entities like CSPs apply these rules consistently across the EU.
Supervisory Oversight and Penalties
National supervisors such as the MFSA in Malta or CySEC in Cyprus oversee CSP compliance and can conduct on-site and off-site inspections. Non-compliance can result in significant fines remedial orders or in serious cases suspension of your licence. The AMLD6 strengthens supervisory powers and harmonises enforcement standards so penalties are more consistent across member states. The focus is on proportionate yet effective supervision that protects the system without stifling legitimate business.
Preparing for the New AML Package
Even though full application of the AMLR and AMLD6 is set for 10 July 2027 many CSPs are already aligning their processes. The single rulebook reduces the patchwork of national differences and introduces clearer standards for customer due diligence outsourcing and third-country risks. If your firm operates across borders this harmonisation will simplify life considerably. Start by mapping your current procedures against the forthcoming requirements and consider a gap analysis now so the transition feels manageable rather than overwhelming.
About SpeedyDD
At SpeedyDD, our mission is to help complex and regulated businesses stay ahead of their compliance obligations and maintain genuine audit-readiness. We know that for fintechs in Europe, the regulatory environment is not getting simpler. The establishment of AMLA, the coming AMLR framework, and tightening enforcement all mean that robust KYB onboarding is not just about avoiding fines. It is about building the kind of compliant, trustworthy business that can grow sustainably.
SpeedyDD is a cloud-based platform that automates the most painful parts of KYB and CDD workflows, from automated document collection and real-time PEP and sanctions screening to tailored risk profiling and centralised audit documentation. We built it specifically for compliance teams who need to do more with less, without ever compromising on the standards that regulators and partners expect.
If you are a fintech company navigating EU compliance requirements and want to explore how SpeedyDD can support your onboarding and due diligence processes, we would love to speak with you.
FAQs
How do KYB requirements differ for CSPs compared with payment service providers? CSPs focus heavily on beneficial ownership verification for company structures while PSPs place more emphasis on transaction monitoring. Both are obliged entities but the nature of your services shapes the exact risk profile you assess.
What changes when a CSP also offers trust services? Trust services bring additional obligations around identifying settlors beneficiaries and protectors. The same CDD and record-keeping rules apply but the ownership structure of an express trust requires specific documentation under the AMLR.
Do CSPs need separate authorisation in every EU member state? No. Licensing is a national matter so a CSP authorised in one member state may still need to notify or register when providing cross-border services. Always check the relevant national authority’s website for guidance.
How does the AMLA affect day-to-day compliance for CSPs? AMLA coordinates supervision issues guidelines and directly oversees certain high-risk entities. For most CSPs the impact will be felt through more consistent EU-wide standards and clearer supervisory expectations.
What happens if beneficial ownership information is incomplete? You cannot establish or continue the business relationship until you have taken reasonable steps to verify it. In practice this often means pausing onboarding or seeking further documentation from the client.
Are there specific rules for CSPs dealing with crypto-asset clients? Crypto-asset service providers are separately obliged entities but if you provide company formation services to a CASP you apply standard CDD to that client relationship. The Travel Rule obligations sit with the CASP itself.
How long must CSPs retain client files after a relationship ends? Five years is the standard minimum under the AMLR although competent authorities can request longer retention in specific cases. You must delete or anonymise data once the period expires unless other legal obligations apply.
