Prior to 18 May, reporting entities conducting customer due diligence (CDD) on trusts were required to verify source of wealth (SoW) and source of funds (SoF) by reliable and independent means, regardless of the trust's risk profile. This was a blanket requirement that applied broadly across trust customers.
The AML/CFT Amendment Bill was passed into law on 18 May 2026, and removes the default requirement to verify SoW and SoF for trusts, but only where the reporting entity is satisfied that the risks have been adequately mitigated through standard CDD.
Critical distinction: this is not a full exemption. You are still required to obtain SoW and SoF information for trusts. What has changed is the obligation to verify that information by reliable and independent means, and only where the transaction is not rated high risk.
In short: obtain, always. Verify only when the risk warrants it.
To support this change, the Individual Customer Risk Rating (ICRR) in the AMLHUB will be updated so that trusts are assigned a risk rating based on their holdings. The ratings are:
Foreign trusts are automatically deemed high risk, regardless of their holdings.
Where a trust is rated high risk, whether due to its holdings or because it is a foreign trust, enhanced customer due diligence (ECDD) applies. This includes the requirements to verify SoF.
The obligation to obtain SoW and SoF information for trusts remains in place
ECDD obligations for high-risk transactions are unchanged
Foreign trusts remain automatically high risk
Your overall CDD obligations (identifying and verifying beneficial ownership, trustees, and settlors) are not affected
✓ Update your risk assessment and compliance programme to reflect the new trust risk-rating framework
✓ Review your internal processes for obtaining (not just verifying) SoW and SoF for trust customers
✓ Confirm your team understands the distinction between obtaining and verifying. The gap between these two obligations is where compliance risk sits
✓ Keep an eye out for the AMLHUB interim appendix, which has been issued to all clients. If you are an AMLHUB client and haven’t received this, please get in touch with our team.
Our consultants work with reporting entities to apply regulatory changes to their risk assessments and compliance programmes. We do this accurately and without the guesswork.