CSP Due Diligence

CSP Due Diligence

CSP, short for Corporate Service Provider and also known by other terms such as OSP (Offshore Service Provider), RA (Registered Agent), offshore agent, and a plethora of other terms that all mean more or less the same thing: someone (usually a company) that you turn to for services pertaining to forming an offshore company and opening an offshore bank account.

In the past I have written reviews about specific CSPs. Too many thought I was writing them as recommendations when the my real intent was simply to show how to perform basic due diligence on some popular service providers.

How can you tell if a CSP is reliable and trustworthy?

The hard truth is that you can’t, until after the fact.

However, there are a lot of things you can do to mitigate the risks of going with a bad CSP.

The risks of appointing a bad CSP

Let’s start here.

A bad CSP can be anywhere from just slow to respond to downright fraudulent and criminal.

If you work with a CSP that takes a long time to answer emails, that’s going to be frustrating and can cause problems if you need them to act quickly on something. I have also seen sloppy CSPs fail to renew companies in a time, which can cause all sorts of problems. Worst case is your company expires, but that’s fortunately quite rare in most jurisdiction. Many give ample time to renew but hit you with a penalty.

However, if you work with a fraudulent or criminal CSP, you may end up receiving fake corporate documents for a company formed in a jurisdiction where you cannot easily verify the authenticity of the documents, paying for no services being rendered at all, or having your identity stolen. You usually end up sending your CSP a copy of your passport (often certified) and other sensitive personal and financial data, which in the wrong hands can cause a lot of damage.

You only have one identity, so guard it carefully.

Performing Due Diligence

There are a lot of things you can look at to help reduce the risk of working with a fraudulent or bad CSP.

In this article, I will go through the following:

  • Website basics
  • Company information
  • Licensing status
  • Memberships
  • Reputation
  • Sanity

Now, as much as I wish all good CSPs tick all the boxes and bad ones don’t, the reality is more nuanced. Some things should be instant deal breakers. For everything else, consider the overall impression and results.

Website basics

This website – STREBER Weekly – fulfills a number of criteria which should speak strongly against doing business with me if this were a commercial website.

Although I am using HTTPS (secure/encrypted web traffic), a closer look will reveal that I’m just using an SSL certificate issued by Cloudflare, which is a content delivery network I use. You can’t be sure that the information between Cloudflare and the actual web server is secure. I think this is perfectly acceptable since there is no sensitive personal data being transmitted over STREBER Weekly (unless maybe you post something about yourself or interact with someone/a CSP via private messages on the forum, in which case consider this a notice).

Furthermore, the domain “streber.st” has the following whois information:

Administrative Contact Information
Owner: Whois privacy protection service
Contact: Whois privacy protection service
Address: Parkgatan 6
City: Borlange
Country: SE
Email: [email protected]
Technical Contact Information
Owner: Whois privacy protection service
Contact: Whois privacy protection service
Address: Parkgatan 6
City: Borlange
Country: SE
Email: [email protected]
Billing Contact Information
Owner: Whois privacy protection service
Contact: Whois privacy protection service
Address: Parkgatan 6
City: Borlange
Country: SE
Email: [email protected]

Private whois is a very bad sign when dealing with any business. It means they are hiding something and for some reason. Some use the excuse that they hide all details to prevent spam. Spam filters are good enough nowadays that an inbox used for public data like domain whois should be able to survive. Spam by phone can be annoying, which is why many opt for a VoIP number instead that goes straight to a voice mail.

In the whois, look for age when the domain was created.

Also be wary of free templates. These aren’t bad in and of themselves but it takes a lot less effort to custom build or at least pay for a premium template than to just throw something quickly using WordPress and a free template. You can use something like Builtwith.com to help you investigate this.

Any respectable online business will have its own domain name and not operate under any free subdomain URL.

Look up the CSP’s domain in Archive.org and Archive.fo to see if it has been used for anything else in the past. A shady way to make a website appear older and thereby more established and reputable, is to buy a domain that someone else was using previously. This is problematic in that cyber-squatters often registered lots of valuable domain name hoping to sell them for a big profit in the future.

Company Information

You’ll want to ensure that the CSP you are entrusting to form and in varying degrees maintain and manage your company, including sending your sensitive personal information, is in fact a legitimate business.

This method isn’t foolproof, but you should ensure that the CSP clearly states the name and address of the company or companies rendering you the services. Any additional data points, such as company registration number, telephone number, licensing statuses, organization memberships, and lists of actual human beings on the board of directors and/or staff are helpful.

As far as possible, validate these data points against reputable sources of information.

Try to corroborate the details with the Register of Companies in the relevant jurisdiction. This isn’t always possible, especially if your CSP is an offshore company incorporated in a secretive jurisdiction. Generally speaking, a CSP incorporated these types of jurisdictions should be considered to be at an immediate, inherent reputational disadvantage, whose sole remedy is to be a licensed company listed on the relevant authority’s website. I’ll get back to licensing later.

Attempt to establish whether your CSP is using a real office address and not just some registered address service or virtual office. It’s normal for companies to have multiple addresses, of which one is simply the registered address belonging to another financial services provider or accounting firm, and the other being their actual physical offices. Ensure neither is just a virtual office solution. Shared buildings are perfectly normal, but if you look up the address and find virtual office services, exercise additional caution. This also goes for phone number.

Licensing Status

IBC jurisdictions and many other international financial services centers have specific authorities that license companies to be Trust Companies, Management Companies, Corporate Service Providers, Registered Agents, and other similar terms.

Wikipedia has a pretty complete list: List of financial regulatory authorities by country. Others can be found through your favourite search engine. Except in the case of Nauru, Comoros, and other worst-of-the-worst jurisdictions where the governments are failing to secure a reputable establishment online. Stay away from these jurisdictions, unless you’re really sure about what you’re doing and/or don’t mind getting defrauded.

On these financial service authorities’ websites, you can usually find lists of licensed companies. If you are forming an IBC and your CSP is not on any of these lists, you are working with a re-seller. Here, I will defer to an earlier article I wrote called Things You May Not Know About Your OSP. The gist of it is that most of them are unlicensed, barely-competent resellers, especially the ones that are desperately sending you PMs on forums and blogs.

That’s not to say that a licenses CSP is guaranteed to be better. It’s just a whole lot more likely given that they have had to submit significant documentation to prove their competences and compliance procedures, as well as some fairly significant sum of money, to the government in return for a license.


If the company claims to be a member of an organization, attempt to establish whether this organization exists and whether it is reputable. This can be done by looking for academic or government publications citing the organization repeatedly and in different contexts, as these often have a far stronger interest in source fact checking than blogs and most news outlets.

Most of these organizations list their members on their websites, so be sure to check that out. It doesn’t always take a lot of effort to become a member of some of these organization, but straight up lying about it is an immediate red flag.


This one is especially tricky, given the sensitivity and confidentiality surrounding the services offered by a CSP. Someone with a sound asset protection structure and online business held securely and confidentially through a series of offshore companies, is very unlikely to write about it on their Facebook wall or post about it on LinkedIn. It’s very, very difficult to find objective reviews of CSPs.

One thing to look for is whether a CSP is mentioned frequently and by different people in a positive or mostly-positive manner. Be skeptical and cautious, though.

Behind the curtain

There have been Wizards of Oz in this industry for as long as the industry as been around, but it’s becoming easier and easier to put together a reputable façade. Selling offshore services by pushing secrecy and ease-of-doing-anything has become outmoded, which rogue CSPs are getting to.

Your job is to pay attention to the man behind the curtain. What and who is your CSP really behind the fancy WordPress theme website?

My point here is to not be swayed to someone simply because of how much knowledge they tout and how compliant they are.


Is it too good to be true? Then one of two things is happening:

  • Fraud.
  • You need to spend more time researching. If you keep coming back to a CSP being too good to be true, move on to the next one on your list.

Cost is perhaps the biggest factor here. If one CSP is significantly cheaper than others for a specific jurisdiction, look up the actual government fees for incorporation (typically easily available on most IBC jurisdiction’s financial services authorities’ websites) and calculate what margin, if any, they are leaving for themselves.

Embed from Getty Images

Common Red Flags

In addition to the sanity checks described above, there are a couple of red flags to watch out for. I’m not saying that these are immediate deal breakers, but exercise extra caution if you come across these.

Offering a lot of Jurisdiction

This is a common technique to make the CSP appear more well-established than it actually is or simply draw in as many would-be clients as possible. If it isn’t an outright fraud, it means the CSP has way more partnerships with other CSPs than it can reasonably manage and you run a high risk of getting lost between the layers upon layers of middle-men, all of which are sitting on copies of your sensitive personal information.

This red flag is especially bright and large if the range of jurisdictions doesn’t make sense.

There are a few CSPs that have a wide reach. These are typically old CSPs that have been in the industry for decades.

Offering outdated Jurisdictions

Jurisdictions come and – more commonly – jurisdictions go. The reputational and political disadvantages of operating an IBC regime aren’t always worth the revenue source, especially if you’re not incorporating more than at least 1,000 IBCs per year.

For that, and other reasons, jurisdictions such as Nauru, Niue, and Brunei are no longer operating IBC regimes.

The offshore regime claimed to have existed in The Gambia has been officially declared a fraud.

Be careful of CSPs that offer services in these jurisdictions. It’s either a pure scam or the CSP is dreadfully outdated and failing to keep up with the times.

Offering a lot of Banks

This red flag is especially important if the banks they are offering are well-established banks in reputable jurisdictions.

Anyone with a half-decent CV and business plan can partner up with shoe-box banks in the Caribbean, easily raking up 20+ banks they work with. That’s not as much of a red flag.

Banks are picky and are getting pickier by the day. Watch our for any sort of guarantees for account opening. Some CSPs do money-back guarantees if your application is declined, which is fair but make sure you read the fineprints.

Offering outdated Banks

Like or not, but FBME, BPA, and ABLV are dead. If anyone is offering bank services there, they are either defrauding you or can’t even make the effort of updating their websites and brochures, which in and of itself is sloppy.


The old saying You get what you pay for holds true even in this industry, but that doesn’t necessarily mean that expensive is best.

While you’re almost guaranteed to get terrible (if any) service if you’re paying at-cost or tiny margin on top of the government fees for forming your IBC, you might not have any need for the additional competences, services, and skills that may be available if you go for a premium corporate service provider.

1 Comment on "CSP Due Diligence"

  1. 100% agree with the conclusion. This should be offshore 101. These days is plenty of improvised “sunday offshore providers”

Leave a comment

Skip to toolbar