With the release of the new AML/CFT framework, effective 31 March 2019, we have collected some of our early thoughts on the key changes, what they mean for the financial services industry, and what business leaders should be considering as they seek to enhance, revise and establish their new AML/CFT framework to meet the Guernsey requirements. What do they need to do and understand in order to walk confidently into tomorrow?
Working through the legislation as it has been provided for approval by the States of Guernsey, there is a marked change from the current legislation. Directors and/or Partners of Specified Businesses will need to be aware of these changes and ensure that their policies, procedures and controls are designed not only to meet the new Guernsey AML/CFT framework but also to protect against financial crime risks and safeguard their customers.
Specified Businesses - One Handbook for all
There will now be only one Handbook, with Financial Service Businesses and Prescribed Businesses collectively known as “Specified Businesses”. They will be required to demonstrate and evidence their compliance status and their due consideration of these matters as part of a robust governance culture. All Specified Businesses must have an AML/CFT governance framework whose policies, procedures and controls effectively and continually identify, assess, mitigate, manage, review and monitor the financial crime risks posed to the Specified Business by its environment. This must take into account the National Risk Assessment and the perceived or actual financial crime risks pertinent to its business, including but not limited to its products, services and customers, as well as the rules, instructions and guidance published by the Commission from time to time.
Business Risk Assessment
The starting point for the governance process remains the business risk assessment. Whilst the requirements generally remain the same, there is a broader financial crime remit rather than pure AML/CFT. The regulatory AML/CFT framework requires a Specified Business to consider the following:
- All relevant financial crime risk factors, deciding if they apply or not to the Specified Business
- Assessing and concluding the overall level of risk faced
- The type and the extent of risks that are acceptable in pursuit of achieving the Specified Business’s strategic aims
- What is an appropriate level or type of mitigation that will be applied via its policies, procedures and controls
We also see the requirement for the business risk assessment to take into account the nature, size and complexity of the business regarding the following:
- Its customers
- Countries and geographical regions it engages with and transacts in, or provides its products and/or services to
- Its delivery channels
The new AML/CFT framework includes the requirement for the review and assessment of the development of new products and technologies to be considered before they are applied in the AML/CFT framework of a Specified Business. The Specified Business must have a detailed and specific business risk assessment that provides a high-level overview of the business.
Customer Risk Assessment
The business risk assessment flows into the customer risk assessment, which must now include consideration of the customer in relation to the risk appetite of the business. There must be an understanding that the combination of financial crime risks identified may itself increase the financial crime risk posed by the customer, as well as consideration of the National Risk Assessment as it pertains to the Specified Business. The customer risk assessment must be specific to the activities of the Specified Business, and referenced against the following relevant risks:
- Delivery channel
This assessment will assist the business to meet the Guernsey Data Protection Regulations and obtain the relevant and required customer due diligence on natural persons commensurate with the financial crime risk they pose.
Customer Due Diligence
The level of customer due diligence will be dictated by the level of the financial crime risks identified and the requirements of the Commission’s Handbook for the risk identified. The focus for the verification subjects will be on beneficial ownership and those controlling the entity or structure (except for an entity listed on a recognised stock exchange or a majority-owned subsidiary of such a company). What is key here is that the Specified Business must have obtained sufficient and suitable identification and verification evidence and documentation to demonstrate it has a good understanding of the purpose and intended nature of the business relationship or occasional transaction.
Standard Risk Business Relationships
This also brings in the requirement to undertake enhanced measures where a customer is not high risk but meets the following requirements:
- The customer is not resident in the Bailiwick
- The Specified Business provides private banking services
- The customer is a legal person or arrangement for personal asset holding purposes and where a legal person has nominee shareholders or is owned by such an entity
The Specified Business must undertake measures to be able to demonstrate the management and mitigation of the identified specific risks associated with the customer, for example obtaining the source of wealth and funds for a customer who is an asset holding arrangement.
High Risk Business Relationships
Whether a Specified Business identifies its customer as high risk through the accumulation of risk, the predetermined high-risk rationale of the Specified Business, or as required by the regulation and the Commission, it will need to undertake enhanced customer due diligence. High-risk relationships include:
- PEP relationship or connection
- Relevant connection to a high-risk geographical jurisdiction
- Correspondent Banking Relationships
The new AML/CFT framework precludes Specified Businesses from entering into or continuing a correspondent banking relationship, and there must be appropriate measures to ensure that a Specified Business does not enter into or continue such relationships or permit its accounts to be utilised by a shell bank. Further, Specified Businesses must not set up anonymous accounts or accounts in fictitious names.
There also needs to be consideration of politically exposed persons, specifically whether they are a foreign PEP, a domestic PEP or an international organisation PEP, which are new categories that need to be included and documented.
The requirements for enhanced customer due diligence change slightly, with specific senior management approval for foreign PEPs now required, along with the need to obtain, through reasonable measures, an understanding of the source of funds and wealth of the customer and where the beneficial owner is a PEP.
Monitoring of high-risk relationships in respect of enhanced customer due diligence needs to continue to be undertaken more frequently, while looking more extensively at patterns of activity or transactions. Additionally, the business will need to obtain additional information and evidence:
- On the type, volume and values of the customer’s assets
- Additional information on any other beneficial owners
- Additional aspects of the customer’s identity
- Obtaining additional information to understand the purpose and nature of the business relationship or occasional transactions, and obtaining information on the other beneficial owners’ source of wealth and funds where they are not the customer or Politically Exposed Person
Politically Exposed Persons
The change to PEP classification is that the new framework not only differentiates between different types as previously mentioned but allows the following:
- Domestic PEPs to be treated as not being a PEP after a period of 5 years after ceasing to be entrusted with a prominent public function
- Foreign and International Organisation PEPs to be treated as not being a PEP after a period of seven years after ceasing to be entrusted with a prominent public function
The two requirements for this are that a Specified Business:
- Understands the Source of funds within the business relationship or occasional transaction
- Has no reason to continue to treat the person as a PEP, with the exception of where a PEP is a head of state or government or the head of an international organisation, or a person with the power to direct spending of significant sums, inclusive of persons who are the immediate family of, maintain a close business relationship with, or are in a position to conduct substantial transactions on behalf of such a person
With respect to high-risk jurisdictional and geographical connections, the new Handbook clarifies this as requiring a relevant connection. The relevant connection is defined as follows:
- Being either resident in the country or territory
- Having a business address in the country or territory
- Deriving funds from assets held directly or on behalf of the customer in the country or territory
- Receiving income arising in the country and territory
- Any connection that the Specified Business feels is a relevant connection to a country or territory
Simplified Due Diligence
There will be customers who require neither enhanced customer due diligence nor enhanced measures. For those customers who are risk rated as low risk, and in accordance with the NRA, the Specified Business can utilise the provisions for simplified due diligence as detailed in the Commission’s Handbook.
Timing of Due Diligence
There is a requirement to undertake all this risk assessment, due diligence gathering and understanding of the business relationship and the financial crime risks prior to the onboarding of the customer. There will be occasions where it will not be possible to obtain due diligence prior to the start of the relationship and the new Handbook still allows for this to happen in certain circumstances as follows:
- That the business relationship is not high risk
- It is to be completed as soon as practicable after the commencement of the business relationship
- It is essential not to interrupt the normal conduct of business
- That there are effective and appropriate policies and controls in place to manage the risks identified, such as limitations on transactions and/or the type of transactions
Introduced Business Relationships
The Guernsey AML/CFT framework retains the ability for business relationships and occasional transactions to be introduced by an Appendix C Business or subsidiaries of such. The Specified Business must ensure the following:
- Requirements relating to AML/CFT will be met
- That it will receive copies of identification data upon request
It is important to remember that customer due diligence must meet the requirements of the Guernsey AML/CFT framework, as the responsibility for meeting those requirements remains with the Specified Business.
Non-Compliance with Due Diligence Measures
There will be occasions where a customer will be non-compliant with the due diligence measures as set out by the Commission in its new Handbook. Where this is the case, a proposed business relationship or occasional transaction should not be entered into, and an existing relationship must be terminated. The business must consider and document its assessment of whether a disclosure is required to be made under the Disclosure Law or the Terrorism Law.
The new Guernsey AML/CFT framework retains the requirements for the Money Laundering Reporting Officer and the Nominated Officer. The MLRO and Nominated Officer will be relevant employees to receive additional and ongoing training that is appropriate for their roles. The Directors and/or Partners, Money Laundering Compliance Officer and Senior Management will also be required to have additional training that is appropriate for the role they undertake in the Specified Business’s AML/CFT framework. Employees, depending on their role within the Specified Business, must have comprehensive training on the relevant Guernsey enactments, the new Schedule and the Handbook so that they can understand and appreciate their personal obligations and responsibilities and the consequences of non-compliance with the Guernsey AML/CFT framework.
A Specified Business, in evidencing its compliance with the Guernsey AML/CFT framework, will need to retain records. The new Schedule makes specific reference to the following:
- Transactional documents and risk assessments, for a period of five years from the cessation of the business relationship or the carrying out of an occasional transaction
- Business risk assessments and its policies, procedures and controls, which are required to be retained for a period of 5 years from when they ceased to be operative
- Records relating to disclosures made to the MLRO must be retained for a period of five years from the cessation of the business relationship or the carrying out of an additional transaction
- Any AML/CFT training carried out, for a period of five years from when the training was undertaken
- Minutes or other documents relating to the Specified Business AML/CFT framework and compliance status
Records can be kept in any form if they are readily retrievable and can be provided promptly to auditors, Police, Financial Intelligence Services and the Commission.
A Specified Business’s AML/CFT framework needs to meet the requirements of the regulation, the specifics of the Handbook and the rules, instructions and guidance published from time to time by the Commission. The Directors and/or Partners must have in place a suitable and sufficient governance structure from which they can evidence and demonstrate that they have taken due corporate responsibility while enhancing and, where required, remediating their business. They must ensure that, as a minimum annually, they can evidence their consideration of their AML/CFT compliance framework, and that its status is discussed, assessed and, where required, enhanced to meet the size, nature and complexity of their business and the financial crime risks that are posed or advised via the National Risk Assessment. The Handbook contains the requirement for a new role of Money Laundering Compliance Officer to undertake this review of the compliance status of the Specified Business and to report to the Board for its discussion and assessment in this area, meeting the corporate governance requirements.
It is for Specified Businesses and their controllers and management to ensure that their AML/CFT framework meets the requirements set out by the Commission regarding the identification, assessment, mitigation, management, review and monitoring of the financial crime risks that are posed and pertinent to their business on an ongoing basis. The devil will be in the detail of the Handbook and any other instructions and guidance published by the Commission from time to time.
All in all, this is a positive enhancement of the Guernsey AML/CFT framework to ensure that Guernsey continues to meet international standards and remains a desirable International Financial Centre, allowing Specified Businesses to provide confidence to their customers and prospective customers and move forward confidently into tomorrow, as we are already there!