Share this content
Hacker spying on your data

HMRC trusts register could pose risk of identity theft

7th Jun 2017
Share this content

A new online trusts register from HMRC set to debut this month poses an unanticipated risk – identity fraud – according to a report from the Information Commissioner’s Office (ICO). The report also highlights significant data protection issues.

Two-way pull

The problem arises from the two-way pull of money laundering requirements on the one hand, and data protection issues on the other.


The new trusts register is HMRC’s way forward for trustees and agents to register and update records online.

The site lists the usual range of potential benefits. Say goodbye to problems like losing forms in the post; take on board the advantage of seeing questions relevant only to your trust or estate, and the ability to print a copy of the summary page.


HMRC’s confidence in the new trust registration service is such that it has asked its customers to delay notifying it of a new trust or complex estate until the new service becomes operational.

According to the Revenue, this is because the new online system will “provide a more efficient service in providing trustees and personal representatives with a UTR for the Trust/Estate and will remove the need for HMRC to contact customers for missing information.”


All trusts with a UK tax consequence will need to register, with trustees confirming that information is up to date, and guaranteeing their obligations under the Fourth Money Laundering Directive (4MLD) are complied with.

Roll out

The service is being rolled out so that initially lead and corporate trustees and lead and individual personal representatives get access to the system this month. 

Money laundering

HMRC’s role as the registry authority for trust and company service providers not registered by HMRC itself or by the Financial Conduct Authority (FCA) is part and parcel of stringent new money laundering regulations.

The 2017 regulations, transposing 4MLD into UK law, have been the subject of considerable consultation.

Back in March, the Treasury stated the overall objectives – ensuring that the UK’s anti-money laundering and counter terrorist financing regime is “up to date, effective and proportionate.”

The draft regulations have impact in enhanced due diligence (EDD), where for example, a client is a Politically Exposed Person (PEP), a family member or close associate of a PEP.


Enter HMRC and the trusts register. The information to be held ‘to implement the requirements’ of 4MLD is extensive.

The register aims to include details of trust assets, identity of settlors, trustees, protectors and persons exercising effective control over the trust, the beneficiaries or class of beneficiaries.

Names, dates of birth, national insurance numbers of UK residents, addresses and passport or ID numbers for non UK residents in default of a national insurance number, will be required.


HMRC states that once registered, “the details will be stored and future processes will be quick, easy and completely paperless.”


But, as one Hamlet, Prince of Denmark, put it, there we have the rub.

If made public, the information commissioner concludes “the data included in the register {of beneficial ownership information for express trusts with tax consequences} would alone, or in combination with other available data, pose a real risk of identity theft.”


The commissioner finds a degree of ‘comfort’ in the fact that at present inspection of the register is open only to UK law enforcement authorities, and disclosure of information therein is only to be made to EEA competent money laundering authorities.


However, the ICO also notes with concern that there have been suggestions that full public access to registers of trust beneficial ownership should be allowed.

It flags up the need to consider data protection and the right to privacy here, calling for public consultation should any such amendments to 4MLD go ahead.

Data protection

The ICO also highlights the fact that for anti-money laundering purposes, PEPs will be identified from information given to the Electoral Commission for the purpose of party registration.

This constitutes an ‘additional use’ of the information.

“As Principle 1 of the DPA makes clear, organisations must be transparent about how they intend to use individuals’ data and give those individuals privacy notices when collecting their personal data,” the ICO points out.

It also notes that the EDD measures for family members and close associates of PEPs are likely to come as a bolt from the blue.

“Many of these individuals will have no expectation that they will now be captured by the PEP regime and therefore subject to EDD,” it states.

Left hand … right hand

With over 6,000 data security breaches at HMRC in 2014-15, according to the September 2016 National Audit Office report, AccountingWEB readers may like to ponder the wisdom of HMRC’s holding significantly enhanced levels of sensitive personal data on the trusts register.

And also, perhaps, whether left hand, in charge of money laundering regulations, knows what right hand, in charge of data protection, is doing.


Replies (7)

Please login or register to join the discussion.

By partner55
08th Jun 2017 14:45

Sorry, but what does EDD and PEP stand for in the sentence:
Many of these individuals will have no expectation that they will now be captured by the PEP regime and therefore subject to EDD.

Thanks (0)
Replying to partner55:
Tom Herbert
By Tom Herbert
08th Jun 2017 14:59

EDD = enhanced due diligence
PEP = Politically Exposed Person

It is flagged earlier in the article, but apologies if the sentence was unclear.

All the best,


Thanks (0)
By chatman
12th Jun 2017 10:08

Can't public inspection be allowed to those part of the register that don't allow identity theft?

Thanks (0)
Replying to chatman:
By Smokoe Joe
12th Jun 2017 10:18

Surely a trust is a private arrangement and only the authorities need access!

Thanks (0)
Replying to Smokoe Joe:
By jonahwhale
12th Jun 2017 11:06

Does this affect beneficial owners of a Residents Management Limited Company which holds Freehold of the Registered Title to Property held in Trust for Housing Associations who are the Transferors who are exempt charities

Thanks (0)
By AndrewV12
14th Jun 2017 12:16

Extract above
'With over 6,000 data security breaches at HMRC in 2014-15,'

I suppose its only a matter of time before our on-line accounts are breached.

Thanks (0)
By pauljohnston
20th Dec 2017 10:46

"I suppose its only a matter of time before our on-line accounts are breached.

According to a specialised I recently spoke with - we should all accept that our data will be breached, unintentially or by hack. We should therefore make sure that we make sure that passwords etc are held in an unhackable form or on paper only!!

Thanks (0)