Being the holiday season its time to sit back relax and take stock of all that has happened in 2013. Time for any Compliance professional to take stock of the year and to review the key business documents of a licensee and assess if they remain fit for purpose or need to be enhanced.
One such document that requires to be reviewed at least annually is the Business Risk Assessment (BRA) to ensure it is fit for the regulatory framework and the Licensee. The BRA though is a document that licensees struggle with and the Guernsey Financial Services Commission (Commission) constantly find as deficient. What lessons can we learn that will allow our 2014 BRA’s to be fit for the licensee and for the rules and regulations?
Essentially the BRA is a high level overarching document that the Board of a licensee must have in place. It evidences what the business is about, identifies the risks associated with its products and services, clients and the jurisdictions that it undertakes business in or through. The Commission have commented on how these documents tend to fall short of the mark, being generic, over simplified and not representative of the licensee.
Whenever I re-draft or assist a licensee with a BRA I take the approach of creating a document that tells the story of the licensee ensuring that it flows into the policies, procedures and forms. I use the BRA to create the framework from which the licensee’s policies and the procedures enlarge upon and stipulate the full requirements of the licensee requirements and the regulatory framework.
My BRA’s look at what the licensee business plan is, the Money Laundering, Bribery and Corruption and Terrorist Financing (ML/BC/TF) risks that the business is exposed to from following its business plan. I then look at how the licensee will mitigate the risks by the implementation of its policies, periodic reviews and training. How it will differentiate its high risk’s from its low risk’s to ensure that a risk based approach can be applied successfully and cost effectively. My BRA’s look at how the Board will be kept informed of the ML/BC/TF risks and what their responsibilities are, from ensuring policies and staff are sufficient to how they will review the existing and new business.
Licensees often complain that I am stating the obvious in my BRA’s, that the BRA will not stop a criminal or terrorist and so add little to no value to a business. The BRA is not about stopping criminals but assisting in their identification and prevention of a licensee being an unwitting conduit for them, criminals will always seek to abuse the financial system to their own ends. Unfortunately though licensees will be unknowingly utilised by criminals and they, their clients and insurers may suffer reputation loss and in the worst cases material loss. A licensee can never negate these risks in all cases, though the BRA does allow a business to protect itself, and so adds value.
We live in a contentious and litigious society, it is now not the case that a crime has to have been committed, but has a licensee done enough to reduce the possibility of a crime occurring or to protect against being a conduit in a crime as required by the regulatory framework. The Commission whether on a regulatory visit or dare I say it, when things have gone wrong and Lawyers and Advocates are involved they will review the BRA intently to assess if a licensee has acted recklessly by not assessing or identifying the risks posed by their business. It goes without saying that a licensee who has considered in-depth the risks posed by the business activities and the preventative measures that they have employed (stating the obvious) is going to be treated more sympathetically than a business who did not evidence their consideration of the risks that they faced.
There have been numerous regulatory cases over the last few years that were not about ML/BC/TF having occurred but that licensee’s did not have suitable and sufficient policies or information at hand for the Board or the MLRO to consider and mitigate the risks posed and inherent in their business. If you need help in assessing or redrafting your BRA the Commission has guidance on what they deem are the minimum requirements. You can ask Consultants to review your BRA and provide suggestions if required. You can simply ask around your fellow peers to see if they can assist or provide guidance.
It must be remembered that the Board of a licensee must take full responsibility and can’t contract out of their responsibility for having a suitable BRA. The Board and the MLRO must ensure that the BRA is fit for purpose and identifies and mitigates the risks while evidencing the preventative measures, and most importantly meets the regulatory requirements. The Compliance professional is only there to suggest what they believe is suitable in how the Licensee has evidence the consideration of the risks that it faces.
Over the course of 2013 a licensee’s business, the risks posed by clients, products and services it offers inclusive of the jurisdiction that they are associated with or their clients are associated with will have changed. Now is the perfect time to take stock of the current status of the licensee, its future intentions and go forward in to 2014 with the risk duly considered and mitigated.
Merry Christmas one and all.