Prevention of Discrimination (Guernsey) Ordinance, 2022

At the moment Guernsey is debating its new proposed Prevention of Discrimination (Guernsey) Ordinance, 2022, with the big talk and worry about Amendment 8 in respect of the disabled and carers.

It seems odd that our deputies would want to only include the rights, dignity and diversity of 27% of its work force?

To my mind that would be like saying that only the 27% of the big financial firms should have frameworks or be required to abide by the countering financial crime and terrorist financing (AML/CTF) framework.

We know as an industry that this approach doesn’t work, and by all financial firms adopting we have a first rate and internationally recognised industry that people outside of Guernsey want to be in. This helps us to protect and mitigate our industry against use by criminals and terrorist financiers while allowing us to prevent and detect them for the outside world. I remember at the time of implementation the same sentiment as is now with this new Discrimination Ordinance was voiced, that it would destroy the industry and ruin the Island, yet that never materialised!

The big 27% of financial firms in our industry, and many more firms, have sought to bring about change and have put in place policies for dignity, diversity and inclusion at work, realising its benefits for their business, teams and the wider society. I have been so proud to work for some of them. We should be following their lead!

We need your help – Please sign the petition to support the withdrawal of Amendment 8 to the proposed anti discrimination legislation for Guernsey as it excludes disabled people and carers from accessing the same standard of life as everyone else.


You can find all the details and reasons why to support this petition when you click on the link.
We cannot leave anyone behind – https://www.disabilityalliance.org.gg/2022/09/discrimination-legislation-amendments/

Guernsey needs a first-class framework, inclusive of the Prevention of Discrimination, to attract employees and businesses and bring that benefit to the wider society and the world.

#diversityandinclusion #WithdrawAmendment8 #diversity #respect #people #change #society #business #work

Changing Climate in Corporate Governance

International Finance Centres are known for their effective and efficient environment for undertaking cross border trade and the provision of products and services to assist and enhance business operations as well as the preserving of the generated wealth for the families and businesses that use them. Unfortunately we are still seen in the same vein as the wolves of Wall Street in a climate of greed is good and to hell with environmental impact. Is it time that this perception was changed? 

In the last decade, if not longer, there has been an undercurrent of change from beneficial owners and of businesses, whereby they have sought to be conscientious and use their wealth generated in the International Finance Centres for wider charitable purposes and causes close to their hearts inclusive of combating climate change. The same could be said about financial services businesses, though this has been for more local causes rather than world wide. Are we really utilising the innovations, products and services we have at our finger tips to their full potential to meet the environmental concerns of our clients, stakeholders and the wider world?

Regulators are also updating their regulatory frameworks to require that financial service businesses consider their impact in respect of climate change, as seen in Guernsey by the updates to the Finance sector Code of Corporate Governance. I would argue that this goes further than just making sure the office lights are turned off, recycling is undertaken and employees use more environmentally friendly forms of transport. Boards I believe should be looking at the business areas they are involved in and mitigating the effect these have on climate change world wide rather than just attending to their local footprint. This should not be in isolation, but in partnership with clients providing them with opportunities and innovations to assist them in ensuring that the impact of their business activities on the environment can also be mitigated. 

While business activities may be legal they may not be environmentally friendly, Boards of financial services businesses should look at their ethics and environmental risk appetite when engaging with clients that are in sectors that are higher risk for climate change. Where clients do engage in sectors that have a higher risk of environmental damage the Board should be aware of the issues relevant to climate change in that sector and should seek assurance that best practices and international standards are applied to mitigate that effect.  Boards should set out their environmental risk appetite and receive sufficient management information to assess the impact the financial service business has by providing products and services to these clients for their business activities. 

It is not just about the here and now impact of climate change but also the future, and not all mitigations will produce net emissions or zero impact. Protecting against the effects of climate change should be looked at with a long term view, in a similar way to how financial services businesses have provided for the preservation and enhancement of wealth over the years. This may be by allowing opportunities and investment in green technologies, the setting up of green funds, or in providing products and services that allow for the philanthropic support of education, innovation and research in understanding how to combat climate change, and providing support for the communities that are most vulnerable. This allows Boards of financial services businesses to show that they are meeting their obligations under the Finance Sector Code of Corporate Governance, and their clients are able to demonstrate that they are attending to their environmental responsibilities.

Good corporate governance assists in enhancing reputation allowing people to see that international finance centres, their stake holders and users are more than part of a greed is good culture, looking after their own self interests. It allows for clear evidence that demonstrates that they undertake their responsibilities seriously with a wider world appreciation.  Climate change may just be being felt on our shores but it is certainly knocking at our door.      

Act in Haste!

Both regulators in Guernsey and Jersey have issued warnings regarding Fraudsters targeting financial firms and their Customers. Coming back from a long weekend to a backlog of emails, with the stresses that you are under in this unprecedented time, business objectives and customer expectations, this is the perfect storm for the Fraudster to exploit. In our isolation the use of malicious and fraudulent emails (Phishing) appears to be the current tool of choice. Here are some tips, key indicators and red flags that an email may be malicious or fraudulent, to keep your Firm, Customers and Yourself safe.

  • Is the email out of the blue or unsolicited, with a time pressure to undertake some action?
  • Is the email address of the sender the same as your Customer's in your records?
  • Is the spelling correct or have letters been substituted? Do you even know the sender?
  • If there are links to respond to, do not click them; hover your cursor over them and check the URL. Always go to the official site rather than click a link in an email, especially if it is requesting that you need to do so to undertake some action.
  • If the email is requesting that you download a file or attached document, do not do this or click on it.
  • Are there grammatical or spelling errors in the email?
  • Does the email sound like the client?
  • Does the email request some personal data, business data or security details?
  • Does the sender address you by name, and is this usual? If the sender is unknown to you this could be an attempt to gain confidence; remember we all have personal details on the web that are easy to find.

If you see any red flags it is time to contact your IT department or provider and get them to check the email out and validate it.
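For the IT department or provider asked to check such an email, several of the red flags above can be tested mechanically. The following is an added example, not part of the original post: a small Python triage pass over a constructed message. The address on file, the `.example` domains, the wording lists and the 0.85 similarity threshold are all assumptions chosen for illustration.

```python
import re
from difflib import SequenceMatcher
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for the customer addresses the firm holds on file.
ADDRESSES_ON_FILE = {"jane.doe@harbour-trust.example"}
URGENCY = re.compile(r"\b(urgent|immediately|asap|today|within \d+ hours?)\b", re.I)
SENSITIVE = re.compile(r"\b(password|pin|security details|login details)\b", re.I)
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs, i.e. what 'hovering' would reveal."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def imitated_domain(domain, known_domains, threshold=0.85):
    """Return the on-file domain that `domain` closely resembles, else None."""
    for known in known_domains:
        if domain != known and SequenceMatcher(None, domain, known).ratio() >= threshold:
            return known
    return None


def triage(msg):
    """Return (flag, detail) pairs for the red flags found in an EmailMessage."""
    findings = []
    addr = parseaddr(msg.get("From", ""))[1].lower()
    if addr not in ADDRESSES_ON_FILE:
        findings.append(("sender-not-on-file", addr))
        known = {a.rpartition("@")[2] for a in ADDRESSES_ON_FILE}
        domain = addr.rpartition("@")[2]
        twin = imitated_domain(domain, known)
        if twin:  # substituted letters in the sender's domain
            findings.append(("lookalike-domain", f"{domain} imitates {twin}"))

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if URGENCY.search(f"{msg.get('Subject', '')} {text}"):
        findings.append(("time-pressure", "urgency wording in subject or body"))
    if SENSITIVE.search(text):
        findings.append(("asks-for-security-details", "credential wording in body"))

    collector = LinkCollector()
    collector.feed(text)
    for href, shown in collector.links:
        real = (urlparse(href).hostname or "").lower()
        m = DOMAIN_IN_TEXT.search(shown)
        if m and m.group(1).lower() != real:  # link text and target disagree
            findings.append(("link-text-mismatch", f"shows {m.group(1)}, goes to {real}"))

    for part in msg.iter_attachments():
        findings.append(("attachment", part.get_filename() or "unnamed"))
    return findings


def build_sample():
    """Constructed message that exhibits several red flags from the list."""
    msg = EmailMessage()
    msg["From"] = "Jane Doe <jane.doe@harbour-tru5t.example>"
    msg["Subject"] = "URGENT: invoice must be paid today"
    msg.set_content(
        "<p>Please confirm your security details at "
        '<a href="http://portal.harbour-tru5t.example/pay">'
        "https://www.harbour-trust.example/pay</a></p>",
        subtype="html",
    )
    msg.add_attachment(b"constructed placeholder", maintype="application",
                       subtype="octet-stream", filename="invoice.zip")
    return msg


if __name__ == "__main__":
    for flag, detail in triage(build_sample()):
        print(f"{flag}: {detail}")
```

A clean result only means none of these checks fired; callbacks on the details held on file remain the control that confirms a request.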

When receiving requests to make transfers to accounts or pay invoices you need to be cautious. Consider the following as red flags that either the email is a phishing attempt or that your customer's email account has been compromised.

  • Is the request expected, in line with the known activity and business operation of the Customer?

  • If the email asks to call them on a phone number to confirm the transaction, use the contact details that your firm has on file and not the ones in the email.
  • Check the transfer details: are they the same as the ones you have on file for the customer, or is this a new transaction?
  • Is the transaction in line with the normal activity and known behaviour of the client?
  • Is the invoice for services that appear odd or from an unknown party?
  • Does the email request use any links or downloads such as an invoice or software? Always go to the main website and make payment from there as the link could be malicious. Any download may contain malicious software that will endanger your firm such as ransomware or can even spy on you.

Always confirm actions with the customer, using the details your firm has of the actions that are required to be undertaken. If you have any red flags then your IT department or provider needs to be informed and the email checked out.

Also beware that you may be subject to telephone (Vishing) or SMS (Smishing) fraud attempts that will seek to make you undertake an action or provide personal or business details in the same manner as with Phishing. Always call the customer back on the details that your firm has and confirm with them any requested action. Rather than seeing this as a hassle, customers will be impressed that you are so diligent and have good security; it will reassure them that you are the firm to be with and that you are proactive in protecting them and their data and assets. It may also alert them to the fact that they have already been hacked, so that they can take appropriate action to minimise any loss.

Reporting of these attacks.

These attacks must be reported to the Compliance and MLRO team and onwards, after assessment, to the Board. The Board is accountable for the safety of the firm's clients and client data and must be seen to be ensuring that it has considered the risks posed and put in place effective mitigation and appropriate systems and controls. This assessment must be revisited after an attempted fraud, with consideration of appropriate actions to be undertaken. Does this change the risk profile of the firm in any way? Is there any further mitigation that can be done to protect the firm and its customers? Remember the Regulator will be looking for documentary evidence of consideration whether there has been an attack or not, and certainly on their onsite visits.

Compliance and MLRO teams, with the IT department or service provider, need to collate the data and assess the threat and any further systems or controls that may need to be considered by the Board and implemented. They need to consider whether this is just a random attack or whether it is targeted: is there a specific group of customers this affects? This information, with any recommendation, needs to be provided to the Board. Consideration must be given to the threat, which may also require the warning, training or refreshing of the firm's employees on the risks and the policies, procedures and controls that must be followed.

Fraudsters can be identified from the details that they provide to you, be it a phone number, email address or website URL. This being the case, they must be reported to the Fraud or Financial Intelligence Unit as you would with a normal Suspicious Activity Report. If you are unsure, give the Police or the Financial Intelligence Unit a call; they are there to assist you and help you. This also allows them to collect the data and establish if the jurisdiction, specific firms or a set of clients is being targeted, allowing them to warn industry and protect clients of the jurisdiction. Financial Intelligence Units have a wealth of good advice on their websites for the prevention and detection of fraud, as well as for dealing with it.

In conclusion:

  • Don’t open email from unknown senders and take time to assess an email for red flags that it may contain malicious software or attachments or a fraud attempt.
  • Undertake callbacks using the customer details the firm has collated to confirm any actions.
  • Don’t undertake actions or give out personal data or business data to anyone who is unknown no matter how much they pressure you.
  • Contact your IT department, service provider and/or compliance department if you have any concerns, links or requests to download documents or software.
  • If it is found to be fraudulent or malicious report it to your compliance and MLRO departments.

Don’t be pressured by emails, phone calls, SMS messages and time pressures into undertaking an action in haste only to repent at leisure.

You are Important!


Sometimes there are some things that are more important than Compliance, and that is now and it’s YOU.

We find ourselves in a reality that was unthinkable at the start of 2020 and our best laid plans for the year have disappeared in the tempest that is Covid 19. Many of us are now working from home which adds new stresses and strains that we were not prepared for, and that we are now having to deal with. As someone who has worked remotely for several years I wanted to share some tips to help you stay productive motivated and most importantly safe and well.

Firstly define your work and down time hours and try to stick to them. You need to be flexible but don’t let work take over from your need for down time and self care. Make sure that your colleagues know when you are working and when not to disturb you. Once you finish for the day turn your email off, it can wait till tomorrow and if urgent your firm will be able to contact you.

Ease yourself into your day, have a morning routine to prepare yourself for work. I take the time to make a cup of tea, have breakfast and catch up on the news, but be careful of the media overload and anxiety it can cause. I take my tea and either look or sit outside enjoying the dawn, breathing and just centring myself, sometimes with a quick yoga or Kayak session.

Make sure that you have a separate and dedicated workspace and that it doesn’t invade your personal space.

Have a plan for the day and stick to it but stay flexible and adaptive in your approach. I start by reading through emails and prioritising tasks and jobs to ensure that my plan for the day is as good as it can be. Once done I like to send an email to my colleagues letting them know I am online and can be contacted.

Make sure you schedule breaks throughout the day, I normally take 5 minute breaks every hour or so. This allows you to give your mind a break and recover and refocus. This is the same as any physical training where breaks from activity are needed to refresh the muscles and keep performance up. Your work space at home may not be conveniently designed for prolonged periods of computer work. Get up and move, stretch and get a drink or snack, lessen the strain on your body as well as your mind.

Have lunch, you need this to refuel and switch off completely, try to do this away from your work space to negate your work taking over this personal time. I often try to include an element of physical exercise outside as well as experimenting with recipes and varying my lunch from day to day. Lately I have got back into sea swimming which is energising and refreshing, but do what makes you feel good and takes your mind off work and any negativity, it is about what is good for you and what is needed to leave you refreshed and motivated.

Have an end of the day routine to ease yourself in to your personal time. Try to finish your tasks and don’t start a new task if you won’t be able to complete it by the end of the day. I finish the day by catching up on emails and notifications and start to plan for tomorrow. Let your colleagues know that you have finished for the day. Review what you did during the day, try not to be overly self critical of your performance, you can’t change what has been, focus on tomorrow and be kind to yourself.

Then turn off, put your work away and start your personal time. By all means relax with a glass of wine or beer but don’t let it take over your personal time. Alcohol is a depressant and can lead to increasing your anxieties and worries, you also need to be fresh and motivated for tomorrow. If you do find that alcohol is starting to take over your life recognise that it is, take steps to regain control over it and seek help if needed.

Working from home is all about communication and as you are not in the office or able to see visual cues you need to over communicate. Communicating with your colleagues is not just to let them know when you are online but also let them know what you are working on and towards. If you need help or think you may need help ask for it, make time to understand what your colleagues have planned and are working on, and where you may be able to assist or help. We are remote and isolated but we have never been more electronically connected, use technology to interact, have video meetings and arrange team meetings where you can all interact.

Try to engage with your colleagues as you would normally do in the office. We all have that down time when we catch up on non-work related topics such as sports or television, remember keep things positive and try to avoid gossip, adding to anxieties and toxic conversations about colleagues, you may not have the whole picture and you won’t know how they are feeling or what they are dealing with. Try to schedule these conversations and interactions for your scheduled breaks as you are still on the firm’s time and should not abuse this.

You may find that a colleague uses this time to open up to you or leans on you for support. As you would do in the office make the time to hear your colleague but let others know you are unavailable and not to be contacted. Be empathetic to your colleague, what may seem trivial to you could be their whole world, support them and let them talk.

If you have concerns about a colleague let your Human Resources department know, they have the skills, training and resources to help and assist, try not to take the problems of others on your shoulders as that will also weigh you down and add to your stresses and strains. If you don’t have a Human Resources Department speak with a senior manager about your concerns, a problem shared is a problem halved, encourage and support your colleague to seek help that is out there.

Be aware of cues that may indicate someone is struggling such as them being withdrawn or making mistakes, maybe they just don’t seem like themselves. Ask them gently if there is something you can help with, strike up the conversation with them but respect their privacy, in some cases just let them know you are there and check in on them more regularly.

If you or any one of your colleagues is struggling please know it is not a sign of weakness or failure. There are no prizes or bonuses for struggling through, you and your colleagues are part of a team and together you are strong, can accomplish amazing feats and will succeed and get through this. Please remember that we are all in this together and it is OK and normal to have a bad day, feel down, anxious or frustrated. You are amazing, be kind to yourself and your colleagues, we can weather this storm together.

Stay safe, stay well and stay home.

I would be grateful to hear or have comments from readers for their tips on working from home or dealing with the day to day stresses and strains of our new day to day normality.

In to tomorrow


With the release of the new AML/CFT framework, effective 31 March 2019, we have collected some of our early thoughts with regard to key changes, what they mean for the Financial Services Industry and what Business Leaders should be considering as they seek to enhance, revise and establish their new AML/CFT framework to meet the Guernsey requirements. What do they need to do and understand in order to walk confidently into tomorrow?
Working through the Legislation as it has been provided for approval by the States of Guernsey, there is a marked change from the current legislation. Directors and/or Partners of Specified Businesses will need to be aware of these changes and ensure that their policies, procedures and controls are designed not only to meet the new Guernsey AML/CFT Framework but also to satisfy the need to protect against the financial crime risks and safeguard their customers.

Specified Businesses- One Handbook for all
There will now only be one Handbook, with both Financial Service Businesses and Prescribed Businesses collectively known as “Specified Businesses”, and they will be required to demonstrate and evidence their compliance status and due consideration of these matters for a robust governance culture. All Specified Businesses must have an AML/CFT governance framework that allows for policies, procedures and controls to effectively and continually identify, assess, mitigate, manage, review and monitor the financial crime risks that are posed to the Specified Business from the environment, taking into account the National Risk Assessment and also the perceived or actual identified financial crime risks pertinent to its business, including but not limited to its products, services and customers, as well as the rules, instructions and guidance published by the Commission from time to time.

Business Risk Assessment
The Starting point for the governance process remains with the Business Risk assessment and whilst the requirements generally remain the same there is a broader financial crime remit rather than pure AML/CFT. The regulatory AML/CFT framework requires a Specified Business to consider the following:

  • All relevant financial crime risk factors, deciding if they apply or not to the Specified Business
  • Assessing and concluding the overall level of risk faced
  • The type and the extent of risks that are acceptable in pursuit of achieving the Specified Business’s strategic aims
  • What is an appropriate level or type of mitigation that will be applied via its policies procedures and controls

We also see the requirement for the business risk assessment to take in to account the nature, size and complexity of the business regarding the following:

  • Its customers
  • Countries and geographical regions it engages with and transacts in, or provides its products and/or services to
  • Its delivery channels

The new AML/CFT framework includes the requirement for the review and assessment of the development of new products and technologies to be considered before they are applied in the AML/CFT framework of a Specified Business. The Specified Business must have a detailed and specific Business risk assessment that provides a high-level overview of the business.

Customer Risk Assessment
The Business risk assessment flows into the Customer risk assessment which must now include the consideration of a customer to the risk appetite of the business. There must be an understanding that the combination of financial crime risk identified may itself increase the financial crime risk posed by the Customer, as well as consideration of the National Risk Assessment as it pertains to the Specified Business. The Customer Risk assessment must be specific to the activities of the Specified Business, and referenced against the following relevant risks:

  • Country
  • Product
  • Service
  • Transaction
  • Delivery channel

This assessment will assist the business to meet the Guernsey Data Protection Regulations and obtain the relevant and required customer due diligence on natural persons commensurate to the financial crime risk they pose.

Customer Due Diligence
The level of customer due diligence will be dictated by the level of the financial crime risks identified and the requirements of the Commission’s Handbook to the risk identified. The focus for the verification subjects will be in respect of beneficial ownership and those controlling the entity or structure (except for an entity listed on a recognised stock exchange or a majority owned subsidiary of such a company). What is key here is the Specified Business must have obtained sufficient and suitable identification and verification evidence and documentation to demonstrate it has obtained a good understanding of the purpose and intended nature of the business relationship or occasional transaction.

Standard Risk Business Relationships

This also brings in the requirement to undertake enhanced measures where a customer is not high risk but meets the following requirements:

  • The customer is not resident in the Bailiwick
  • The Specified Business provides private banking services
  • The Customer is a legal person or arrangement for personal asset holding purposes and where a legal person has nominee shareholders or owned by such an entity

The Specified Business must undertake measures to be able to demonstrate the management and mitigation of the identified specific risks associated with the customer, for example obtaining the source of wealth and funds for a customer who is an asset holding arrangement.

High Risk Business Relationships
Whether a Specified Business identifies that its customer is high risk through the accumulation of risk, the predetermined high risk rationale of the Specified Business, or as required by the regulation and Commission, it will need to undertake enhanced customer due diligence. High risk relationships include:

  • PEP relationship or connection,
  • Relevant connection to a high-risk geographical jurisdiction
  • Correspondent Banking Relationships

The new AML/CFT framework precludes Specified Businesses from entering into or continuing a correspondent Banking relationship, and there must be appropriate measures to ensure that it does not enter into or continue such relationships or permit its accounts to be utilised by a shell bank. Further, Specified Businesses must not set up anonymous accounts or accounts in fictitious names.
There also needs to be consideration of politically exposed persons, specifically whether they are a Foreign PEP, a Domestic PEP or an International Organisation PEP, which are new categories that need to be included and documented.
The requirements for Enhanced customer due diligence change slightly, with specific senior management approval for Foreign PEPs now required along with the need to obtain, through reasonable measures, an understanding of the source of funds and wealth of the customer and where the beneficial owner is a PEP.
Monitoring of high-risk relationships in respect of Enhanced customer due diligence needs to continue to be undertaken more frequently, whilst looking more extensively at patterns of activity or transactions. Additionally, the business will need to obtain additional information and evidence:

  • On the type, volume and values of the customers assets
  • Additional information on any other beneficial owners
  • Additional aspects of the customers’ identity
  • Obtaining additional information to understand purpose and nature of the business relationship or occasional transactions and obtaining information on the other beneficial owners’ source of wealth and funds where they are not the Customer or Political Exposed Person

Politically Exposed Persons
The change to PEP classification is that the new framework not only differentiates between different types as previously mentioned but allows the following:

  • Domestic PEPs to be treated as not being a PEP after a period of 5 years after ceasing to be entrusted with a prominent public function
  • Foreign and International Organisation PEPs to be treated as not being a PEP after a period of seven years after ceasing to be entrusted with a prominent public function

The two requirements for this are that a Specified Business:

  • Understands the Source of funds within the business relationship or occasional transaction
  • There is no reason to continue to treat the person as a PEP, with the exception where a PEP is a head of state or government or the head of an international organisation, a person with the power to direct spending of significant sums inclusive of persons who are the immediate family or maintain a close business relationship or in a position to conduct substantial transactions on behalf of such a person

With respect of high-risk jurisdictional and geographical connections the new Handbook clarifies this as requiring a relevant connection. The relevant connection is defined as follows:

  • Being either resident in the country or territory
  • Having a business address in the country or territory
  • Deriving funds from assets held directly or on behalf of the customer in the country or territory
  • Receiving income arising in the country and territory
  • Any connection that the Specified Business feels is a relevant connection to a country or territory

Simplified Due Diligence
There will be customers who require neither enhanced Customer Due Diligence nor enhanced measures. For those customers who are risk rated as low risk and in accordance with the NRA, the Specified Business can utilise the provisions for simplified due diligence as detailed in the Commission’s Handbook.

Timing of Due Diligence
There is a requirement to undertake all this risk assessment, due diligence gathering and understanding of the business relationship and the financial crime risks prior to the onboarding of the customer. There will be occasions where it will not be possible to obtain due diligence prior to the start of the relationship and the new Handbook still allows for this to happen in certain circumstances as follows:

  • That the business relationship is not high risk
  • It is to be completed as soon as practicable after the commencement of the business relationship
  • It is essential not to interrupt the normal conduct of business
  • That there are effective and appropriate policies and controls in place to manage the risks identified, such as limitation on transaction and or the type of transactions etc.

Introduced Business Relationships
The Guernsey AML/CFT framework retains the ability for business relationships and occasional transactions to be introduced by an Appendix C Business or subsidiaries of such. The Specified Business must ensure the following:

  • Requirements relating to AML/CFT will be met
  • That it will receive copies of identification data upon request

It is important to remember that customer due diligence must meet the requirements of the Guernsey AML/CFT framework, as the responsibility for meeting those requirements remains with the Specified Business.

Non-Compliance with Due Diligence Measures
There will be occasions where a customer will be non-compliant with the due diligence measures as set out by the Commission in their new Handbook. Where this is the case a proposed business relationship or occasional transaction should not be entered into, and an existing relationship must be terminated. The business must consider and document its assessment of whether a disclosure is required to be made under the Disclosure Law or the Terrorism Law.

Training
The new Guernsey AML/CFT framework retains the requirements for the Money Laundering Reporting Officer and the Nominated Officer. The MLRO and Nominated Officer will be relevant employees who receive additional and on-going training that is appropriate for their roles. The Directors and/or Partners, Money Laundering Compliance Officer and Senior Management will also be required to have additional training that is appropriate for the role they undertake in the Specified Business’s AML/CFT framework. Employees, dependent on their role within the Specified Business, must have comprehensive training on the relevant Guernsey enactments, the new Schedule and Handbook in order that they can understand and appreciate their personal obligations and responsibilities and the consequences of non-compliance with the Guernsey AML/CFT Framework.

Records
To evidence its compliance with the Guernsey AML/CFT framework, a Specified Business will need to retain records. The new Schedule makes specific reference to the following:

  • Transactional documents and risk assessments, for a period of five years from the cessation of the business relationship or the carrying out of an occasional transaction
  • Business risk assessments and the business’s policies, procedures and controls, which are required to be retained for a period of 5 years from when they ceased to be operative
  • Records relating to disclosures made to the MLRO, which must be retained for a period of five years from the cessation of the business relationship or the carrying out of an additional transaction
  • Records of any AML/CFT training carried out, for a period of five years from when the training was undertaken
  • Minutes or other documents relating to the Specified Business AML/CFT framework and compliance status

Records can be kept in any form if they are readily retrievable and can be provided promptly to auditors, Police, Financial Intelligence Services and the Commission.

Corporate Governance
A Specified Business’s AML/CFT framework needs to meet the requirements of the regulation, the specifics of the Handbook and the rules, instructions and guidance published from time to time by the Commission. The Directors and/or Partners must have in place a suitable and sufficient governance structure from which they can evidence and demonstrate that they have taken due corporate responsibility while enhancing and, where required, remediating their business. They must ensure that, as a minimum annually, they can evidence their consideration of their AML/CFT compliance framework, and that its status is discussed, assessed and, where required, enhanced to meet the size, nature and complexity of their business and the financial crime risks that are posed or advised via the National Risk Assessment. The Handbook contains the requirement for a new role of Money Laundering Compliance Officer to undertake this review of the compliance status of the Specified Business and to report to the Board for its discussion and assessment in this area, meeting the corporate governance requirements.

It is for Specified Businesses and their controllers and management to ensure that their AML/CFT framework meets the requirements set out by the Commission regarding the identification, assessment, mitigation, management, review and monitoring of the financial crime risks that are posed and pertinent to their business on an on-going basis. The devil will be in the detail of the Handbook and any other instructions and guidance published by the Commission from time to time.
All in all, this is a positive enhancement of the Guernsey AML/CFT framework to ensure that Guernsey continues to meet international standards and remains a desirable International Financial Centre, allowing Specified Businesses to provide confidence to their customers and prospective customers and move forward confidently into tomorrow, as we are already there!

Paradise Papers – Seeing the Wood for the Trees

The now infamous “Paradise Papers” contain personal data obtained from Appleby’s Bermuda office via an illegal hack. This data in part details the utilisation of International Finance Centres (IFC) by high net worth persons and corporates for tax mitigation purposes. This post makes no comment on the legality or otherwise of using such data. Nor is it a commentary about tax havens vs IFCs, the ethical considerations of society, or the freedoms for legal persons to engage in trade or invest in or through an IFC. Our focus instead is the failings that Trustees, Foundation Officials, Directors and Employees in Financial Services Businesses (FSB) must learn from in the wake of this saga. We do not purport to be tax experts and so have not commented on the validity or otherwise of any advice given, whether regarding tax or structuring. Our intention is to look at the compliance and “good business practice” considerations at the heart of good corporate governance. With offices in Guernsey and Jersey, and having experience of working in Bermuda, we believe analysis of legal and regulatory frameworks by jurisdiction offers a less valuable insight than a clear understanding of the general principles and terms of good corporate governance.

Tax Advice
In order for Trustees, Foundation Officials and Directors to fulfil their responsibility and work in the best interest of their clients they must understand and follow the professional tax advice received. They must evidence that they are compliant with this advice and periodically, depending on the type of arrangement they are administering or controlling, ensure that they have up-to-date tax advice on file. They must also evidence that these arrangements remain legal and all tax liabilities are settled when due. The following are instances where those responsible may find that they have failed to attain an appropriate standard:

• Legal arrangements over time becoming tax non-compliant;
• Legal arrangements set up with draft tax advice without the advice ever being formalised;
• Legal arrangements undertaking new activities outside the scope of the original tax advice;
• Failure to follow tax advice fully, e.g. the non-repayment of a commercial loan arrangement;
• Tax advice provided by those who are not appropriately qualified;
• Tax advice held by the client but never shown to the Trustees, Foundation Officials and Directors.

Control
To ensure tax and legal compliance the Trustees, Foundation Officials and Directors must exert control. Here again to fulfil their responsibilities they must clearly document evidence that they have overarching control of the activities of the legal arrangement. The following are instances where those responsible may find that they have failed to attain an appropriate standard:

• Beneficiaries committing the legal arrangement to a business arrangement without due consideration and approval of the Trustees, Foundation Officials and Directors in the first instance;
• Those responsible acting without due consideration;
• Those responsible committing the legal arrangement to business activities which do not accord with the arrangement’s rationale;
• Those responsible lack sufficient independence from the client;
• Those responsible are unable to evidence their control of the assets and/or activities of the arrangement.

Investments
The Paradise Papers have also raised questions regarding the suitability and legality of investments undertaken by legal entities. Trustees, Foundation Officials and Directors must ensure that the investments or business activities undertaken by the entity are in line with its intended purpose. Those responsible must also ensure that any investment or business activity is legal and does not breach any international sanctions. Though investments or business activities do not require due diligence to the same standard as beneficial ownership due diligence, sufficient research and evidence must be obtained to ensure such activity is in the best interest of, and in line with the objective of, the legal arrangement. At the same time, sufficient checks must be undertaken to ensure legal compliance and suitability with its objectives, both at initiation and on an on-going basis thereafter. The following are instances where those responsible may find that they have failed to attain an appropriate standard:

• Investing or engaging in a business relationship with legal entities related to a sanction regime or jurisdiction;
• Not undertaking sufficient due diligence to ensure that the investment or business engagement does not involve sanctioned legal persons or sanctions breaches;
• Investments or business relationships that are out of line with the entity’s purpose.

Source of Wealth and Funds
Trustees, Foundation Officials and Directors must ensure that they have sufficient understanding and evidence of their clients’ Source of Wealth and Funds (commensurate with their risk classification) to prevent and detect criminality and terrorist financing. Understanding the origin of assets and their usage assists those responsible in forming a picture of the true beneficial ownership, intention and nature of the relationship. This also allows those responsible to have sufficient transparency and enable effective reporting required by international regulatory and legal bodies.

Ethics of Doing Business
Those responsible must ensure that they have given ethical consideration to the activities of any legal arrangement. Ethical considerations must accord with the documented risk appetite and it must be understood that legal arrangements engaged in aggressive tax mitigation or higher risk industries pose a higher reputational risk to the Trustees, Foundation Officials and Directors, their business and those of the jurisdictions in which they are active. As such, these relationships must be properly understood and documented as they may be open to future challenge.

The ethics of doing business must also consider whether those responsible have sufficient knowledge, qualifications and experience. Trustees, Foundation Officials and Directors must document and evidence their consideration of whether a business relationship, either new or continuing, is within their realm of knowledge, understanding and experience. Where this is not the case they should remove themselves from responsible positions or obtain suitably experienced individuals as their replacement.

The integrity and professional actions of those responsible will ultimately be assessed by the authorities to ensure that the best interests of stakeholders have been met at all times. This responsibility includes timely reporting of non-compliance with appropriate authorities.

Compliance
While the Trustees, Foundation Officials and Directors remain responsible and accountable for both their own and the legal arrangement’s activities, a suitably resourced compliance function is required to assist and advise. Compliance must be a proactive force within an FSB rather than merely a tick box exercise. It must assist in ensuring that the business has obtained appropriate tax and legal advice as well as ensuring it is understood and followed. Those responsible must demonstrate the required control and oversight of activities undertaken for and on behalf of the legal arrangement. Findings and recommendations must be reported back to those responsible and any remediation must be tracked to ensure that the business can demonstrate compliance, integrity and appropriate levels of knowledge and understanding of the entity’s activities.

Data Security
The Paradise Papers also clearly highlight the importance of implementing suitable and sufficient data security controls to protect stakeholders. These controls are not just IT system-focussed and must include effective staff training to reduce the risk of an unintentional data leak. Data security systems and processes must be monitored, tested and kept up-to-date. It goes without saying that failure to implement an efficient and effective control environment may lead to a catastrophic loss of data with disastrous reputational consequences for all stakeholders. FSBs must also be aware of any third parties who hold data and ensure that they do so effectively and have the necessary safeguards and review processes.

Conclusion

IFCs adhere to international standards and best practice. While recent data hacks have revealed that there are practitioners out there who have not abided by these requirements, the vast majority are conscientious and highly professional.

However, the current political backdrop is unfavourable to offshore jurisdictions and we should expect greater scrutiny in our professional activities for the foreseeable future. Applying the highest standards of corporate governance is our best path to a successful future.
If you have any concerns or would like to know more please either contact myself

The Dawn of a New Era

The Commission have released a new Consultation on Revisions to the AML/CFT Framework with the purpose of bringing the Guernsey AML/CFT framework up to and in line with the Financial Action Task Force international standards issued in 2012. This new Framework will also address the recommendations made by MoneyVal in their report on Guernsey, which was published in January 2016.

These enhancements to the Guernsey Anti-Money Laundering and Combating Financing of Terrorism (“AML/CFT”) Framework will affect Guernsey Financial Services Businesses, Prescribed Businesses and the Non-Regulated Financial Services Businesses, which will all become Specified Businesses. Some of the headline changes that need to be borne in mind by the Boards, Senior Managers and Controllers of Specified Businesses are as follows:

  • There will be only one Handbook for “specified businesses”, removing the current separate Handbooks for “Financial Services Businesses” and “Prescribed Businesses”. This is done on the basis that prescribed businesses have now had sufficient time to develop and be experienced in AML and CFT requirements.
  • Business Risk Assessments (“BRAs”) must clearly distinguish between AML and CFT risks. This can still be covered in one document. The proposed Handbook clearly puts more emphasis throughout on CTF, compared to the current Handbook. BRAs must also refer to the National Risk Assessment.
  • The definition of ‘Business Relationship’ has been expanded to include giving advice. “Such a relationship does not need to involve the firm in an actual transaction; giving advice may often constitute establishing a business relationship”
  • Additional CDD (“ACDD”) is proposed for the following relationships
    – Non-resident Customer
    – Private Banking Services
    – A customer that is a legal person or a legal arrangement used for personal asset holding purposes
    – Company with nominee shareholders that issues shares in the form of bearer shares
  • There is a proposed change in the treatment of PEPs, with “domestic PEPs” and “Foreign PEPs” to be classified appropriately, the addition of International Organisation PEPs (“IOPEPs”) and, finally, a risk based approach for the treatment of PEPs with no assets in a structure.
  • The role of Money Laundering Reporting Officer (“MLRO”) is to change to Financial Crime Reporting Officer (“FCRO”), which again highlights the coverage of CFT as well as AML.
  • In addition to the FCRO, a new role of Financial Crime Compliance Officer is proposed. This role can be undertaken by the FCRO but it must be undertaken by someone independent of business development and client facing roles.
  • A revised approach to identifying beneficial ownership is proposed which extends beyond just legal ownership, instead focussing on actual ultimate ownership and control.
  • There are new rules proposed for authorised and registered Collective Investment Schemes which will define the responsibility for AML and CFT requirements which fall under the responsibility of the nominated businesses which are licensed under the Protection of Investors Law.

This consultation gives all parties the opportunity to raise any further considerations that may be of benefit and we would encourage everyone to take the time to consider how this new handbook will affect their business and industry and to make representation if any improvements could be considered.

The Boards of Specified Businesses should make themselves aware of, and be familiar at this early stage with, the high level changes to the Guernsey regulatory framework. A high level review of the Criminal Justice (Proceeds of Crime) (Bailiwick of Guernsey) (Amendment) Ordinance, 2017, Schedule 3, identifying the proposed enhancements to the Guernsey AML/CFT Framework, has been prepared to assist the Board with understanding and preparing for the changes to come.

It is important with the dawn of this new era that all Specified Businesses consider this Consultation fully and make representations as may be necessary to the Commission. Specified Businesses must ensure that their business and respective industry and the Guernsey Financial Services industry as a whole continue to have an effective and workable AML/CFT regime going forward which serves to maintain and promote itself as one of the best International Financial Centres in the world and a place to do business.

De-Mystifying the High-Risk Territory

There is much talk these days regarding the difficulty of providing products and services to those persons who are in high risk territories. The main gripe is that the Guernsey Regulatory Framework is stifling and strangulating licensees when it comes to high risk territories. This seems to be at odds with the presentations and assertions of the Commission about Guernsey being open for business and empowering its licensees to engage in risk to develop and grow. What is the truth? Are we being misinformed and, if so, by whom?

When it comes to high risk territories, licensees must be aware of the obligations in the Criminal Justice (Proceeds of Crime) (Bailiwick of Guernsey) Regulations, 2007 as amended (“the Regulations”) and the Handbook for Financial Services Businesses on Countering Financial Crime and Terrorist Financing (“the Handbook”). Regulation 5 (1) (c) states the following:

“(c) a business relationship or an occasional transaction – (i) where the customer is established or situated in a country or territory that does not apply or insufficiently applies the Financial Action Task Force Recommendations on Money Laundering, or (ii) which the financial services business considers to be a high risk relationship, taking into account any notices,”

The Handbook goes further at rule 58 where it states the following:

“is connected to any of the countries or territories listed in Part A or Part C of Instructions on Business from Sensitive Sources issued by the Commission; is designated as high risk.”

At first glance the minimum requirement is that, by applying the full Instructions on Business from Sensitive Sources, you would have a list of high risk jurisdictions that the Commission would be happy with in meeting the requirements of the Regulation and the Handbook. The Commission have empowered Financial Services Businesses in Guernsey to actively engage and establish their own risk appetite and, as such, the Instructions on Business from Sensitive Sources only represent the minimum requirements. The Handbook at section 70 goes further to recommend that a high risk factor regarding territory would also include the following:

“customers based in, or conducting business in or through, a country or territory with known higher levels of bribery and corruption, or organised crime, or involved in illegal drug production/processing/distribution, or associated with terrorism; involvement of an introducer from a country or territory which does not have an adequate AML/CFT infrastructure;”

Looking at the Transparency International perception index alone suggests a greater number of territories that could be designated as high risk. There are also those territories on which Guernsey has Sanction regimes, which pose an association with terrorism and as such could be deemed high risk. The question is: must these territories be high risk?

The Commission have, through rule 57, empowered Directors and Boards to take a proactive view of risk where a business relationship has a high risk element (that is not a high risk element specified in Regulation 5(1)(a-c) or listed at Part A or Part C of the Instruction on Business from Sensitive Sources) but this element does not mean that the actual risk of the relationship is high. A Financial Services Business that has compelling mitigating factors, which it documents, can choose a lower and more realistic risk rating. Therefore, a territory that the Financial Services Business may class as high due to internal policy or procedure, or that an international body classifies as high, does not necessarily make the whole relationship high risk.

Some examples of where and how rule 57 can be applied:

  • An entity that is administered and controlled in Guernsey is conducting business in a territory that is not on the Business from Sensitive Sources Instruction but has a high bribery and corruption rating, and there are controls in place to mitigate the associated bribery and corruption risk. Does this have to be rated as high risk? If the licensee can demonstrate compelling mitigating factors to meet rule 57 of the Handbook, it could choose to downgrade the risk if its policies, procedures and controls allow.

  • An entity that we administer and control is conducting business in a territory that is on the Business from Sensitive Sources Instruction, and there are controls in place to mitigate the associated risk. Does this have to be rated as high risk? This must be rated as high risk, as the Regulations and the Handbook require it to be rated as such.

  • A beneficiary resides in a sanctioned country which the Financial Services Business deems as high risk. Do they need to be classified as such? If the licensee can demonstrate that the beneficiary and the entity that will be receiving any transaction are not subject to a Sanction notice, and can demonstrate the compelling mitigating factors to meet rule 57 of the Handbook, it could choose to downgrade the risk if its policies, procedures and controls allow.

  • A customer was born in a country that is higher risk due to bribery and corruption but resides and is employed in Guernsey, and all funds for the business relationship have been earned in Guernsey. Do they have to be high risk? Though a licensee must obtain information on place of birth and nationality under rule 86 of the Handbook, there is no requirement to risk rate on this basis and it could be discriminatory.

  • There are also occasions where part of a structure or an entity is registered in a higher risk jurisdiction, such as a Panamanian foundation that is controlled and administered in Guernsey. The question that must be asked is: does a brass plaque in a higher risk country create a higher risk? Regarding the Regulation and the Handbook, the Panamanian foundation could be said to be based in Guernsey due to the management and control element and as such would not fall under a higher risk country element, as the due diligence requirements would be undertaken by the Guernsey Fiduciary to the requirements of the Handbook and the Regulation.

  • A Guernsey licensee uses corporate entities registered in other higher risk jurisdictions for its customers, where the Corporate Service Provider in the higher risk territory is only the Registered Agent for the corporate entities and only undertakes the required statutory functions of the territory. Are these structures required to be high risk? Though higher risk jurisdictions can be used to provide a corporate entity, they may not apply the same anti-money laundering and countering terrorist financing measures as we are required to apply in Guernsey. In these cases, it could be said that the business relationship is based and established in Guernsey, as the corporate entity is controlled and administered by a Guernsey licensee who must comply with the Guernsey Regulatory Framework requirements. Does a brass plaque really carry a risk of money laundering and terrorist financing, or should we be more worried about the risk of the beneficial owners and controllers?

From this brief review of the pertinent sections of the Regulations and the Handbook, the Commission have in fact created a framework for territory that does allow for consideration of risk: not everything is or should be classified as high, though some must be. Unfortunately, it is possible that licensees themselves, through lack of knowledge, lack of understanding or misinterpretation of the Regulation and Handbook, are creating their own frameworks that are too inflexible to allow compelling mitigation to be taken into account when assessing territory risk where permissible. This inflexible framework would contribute to the strangulation of a Financial Services Business and the potential offering of products and services to new markets and developing countries.

Remember the Commission are there to use enforcement action on those who fall below minimum requirements and/or do not apply their own policies and procedures. There are countless other examples where rule 57 of the Handbook can be utilised so please contact me if you are interested in further clarification.

Reflections of 2016

As the sun gets lower, the evenings longer and we get closer to the end of a year I cannot help but think what a year it has been and begin to reflect. For me personally it has been a year that has been full of hard work, assistance and resolution of problems and all this led me to the beautiful Island of Bermuda to undertake a contract for a client. Not only a fantastic opportunity to showcase my skills and knowledge but a joy to work for some fantastic people and meet old and new friends as well as to experience another regulatory culture. While I would rather be pondering the last year and this post from a pool in Bermuda instead of next to a fire on a brisk cold day, Guernsey still very much holds my heart, though Bermuda is a close second.

In looking to the challenges of the future and what the next year may hold for us, it is time to reflect on the past year, the regulatory framework and what is needed to ensure that our business moves forward, prospers and continues to uphold the regulatory standards and meet future challenges, and there is no better way to do this than to look back over the last year.

There have unfortunately been instances where the Guernsey Financial Services Commission (GFSC) has had to take enforcement action in 2016, never an easy decision but essential in today’s world to assist in the safeguarding and continual success of our international reputation and prosperity.  I do not think it is right to dissect these cases as these are disclosed on the GFSC website but rather look at what lessons can be learnt to avoid a repeat to our businesses and to protect the Directors and Stakeholders.

Risk, Identification and Verification

Most of these incidents reported by the Commission are in respect of Anti-Money Laundering and Counter Terrorist Financing (AML/CTF) within businesses.  That is not to say that all these incidents related to actual financial crime but rather that businesses were not meeting the standards and expectation imposed by our regulatory framework to ensure that verification documentation mitigated the risk of the Island being utilised by criminals.

The identification and verification of customers and controllers to a business relationship is a continuing matter that is reported by the GFSC. In many cases businesses’ application of a “risk based approach” had failed to ensure that the due diligence and enhanced due diligence for customers and required parties to a business relationship or occasional transaction had been obtained and met the standards required by the regulatory framework, inclusive of rules and guidance issued by the GFSC for certification and the suitability of certifiers. It must be remembered that wherever you are licensed you must meet that jurisdiction’s regulatory requirements as a minimum!

Monitoring and Sanctions

Periodic monitoring of customers was another area where businesses struggled. It was found in some cases that this monitoring was not undertaken or, if undertaken, did not meet the regulatory requirements. It was found that risk assessments were inadequate and not reviewed as required by a business’s policy and procedures to meet the obligations of the GFSC, especially where customers had been assessed as high risk. The review of the rationale for the business relationship and transactions undertaken was found to be missing or inadequate, leading to the GFSC questioning whether appropriate and effective policies and procedures were in place, inclusive of suspicious activity reporting.

The review of customers to Sanction lists was also noted as an area of concern. While this may be undertaken at the start of a relationship and periodically is it suitable just to wait for these trigger events?  Is the review of transactions subject to sanction screening to ensure that sanctioned legal persons or those entities that they control are not financed? It may be that the GFSC believe terrorist financing to be a low risk to the Bailiwick but this will do nothing to deter terrorist financiers if they find a gap in our defences.  A definite area I think the GFSC will look to assess when conducting on-site examinations and through thematic reviews in 2017, so be warned!

Corporate Governance

Corporate Governance has also come to the forefront not only in the AML/CTF area but also in more prudential assessments of a business. In all cases enforced by the GFSC the findings go back to the corporate governance requirements of the regulatory framework, with the accusation that directors failed to act to ensure that the business could meet the Guernsey regulatory requirements. The GFSC also in some cases questioned the independence and integrity of directors due to the regulatory failings identified. Not only will this area come more to the forefront with shareholder activists and the spotlight of international bodies, but also from the GFSC, to ensure that Directors are suitable and are safeguarding Stakeholders and the business.

With the Guernsey regulatory framework changing to meet evolving international requirements, it is difficult for any Director to ensure that their Business remains compliant. Businesses in this ever-changing environment are at risk of falling behind the times. While only minor infringements of the regulatory framework may be the result, if these infringements are many, systemic and material they may require to be reported to the GFSC. By the Board bringing these issues to the GFSC, in some cases, remediation without the threat of enforcement can be undertaken; it is after all in the GFSC’s interest that businesses remediate and enhance themselves to meet the regulatory framework. It is best to be able to show and have evidence that the Board have discussed the issues affecting the business and the action to be undertaken rather than hearsay in any regulatory inquiry!

Reflections

So, reflect on this year, look at the enforcement cases to ensure that you do not fall foul of history, and review your business plans and business assessments to make sure you have the policies and procedures in place to meet the regulatory framework and the requirements of the Business. Review the Compliance function: is it suitable and sufficient? Consider its independence and whether there needs to be independent oversight or outside assistance. Does the compliance monitoring facilitate the management information that is required for Directors to undertake their duties and safeguard the business and stakeholders? Look outside of your own regulatory regime to other sectors, as if something is happening in one there is a good chance that those developments will feed into your own sector’s regulatory requirements. Look outside to other jurisdictions, as developments there may impact on the regulatory framework where you are.

If you have a last Board meeting of 2016 or even an early 2017 Board meeting set the agenda to reflect on 2016 ensuring that history does not repeat itself. If you do find that you are not in compliance, please ensure that you have the issues and remediation documented whether you consider it material or not to report to the GFSC.

Instruction 01/2016

The Commission has released its latest Business from Sensitive Sources Instruction, No. 01/2016 (“the Instruction”), for Financial Services Businesses and Prescribed Businesses, replacing the previous Instruction 04/2015 that was issued back in November 2015. The upshot is that Myanmar, Lao PDR and Vanuatu are now included in Part B of the Instruction, which lists countries and territories with improving global AML/CTF compliance, while Algeria, Angola and Panama have been removed altogether from the Instruction. For Financial Services Businesses and Prescribed Businesses, it would appear that they can now apply a risk-based approach to relationships or transactions through or from Myanmar, Lao PDR and Vanuatu, and as much is said in the Commission's statement on its Instruction, but is that really the case?

A quick look at Chapter 3 of the Handbook shows that rule 58 sets out the Commission's requirements for designating high risk Business Relationships or Occasional Transactions. The relevant characteristics are those identified in section 1 (a) to (c) of Regulation 5 of the Criminal Justice (Proceeds of Crime) (Bailiwick of Guernsey) Regulations, 2007, as amended (“the Regulations”), and also those connected with Part A or Part C of the Business from Sensitive Sources Instruction issued by the Commission. At first glance it would therefore appear that Business Relationships or Occasional Transactions with Myanmar, Lao PDR and Vanuatu do not necessarily need to be high risk, as they are on Part B of the Instruction.

What is important to realise is that section 5 (1) (c) (i) of the Regulations states that customers established in or situated in a country or territory that does not apply or insufficiently applies the Financial Action Task Force (“FATF”) recommendations on Money Laundering must be designated as high risk. As Part B of the Instruction relates to countries or territories that are improving but not meeting the FATF requirements on Money Laundering, it would indicate to me that Myanmar, Lao PDR and Vanuatu still need to be designated as high risk in order that a Financial Services Business or a Prescribed Business can meet its obligations under the Regulations.

If this is not confusing enough for any Director, Compliance/Risk Officer or Money Laundering Reporting Officer, please also be aware of your banking arrangements and relationships. Though this Instruction on the face of things allows you to apply a risk-based approach, which may or may not be in line with the requirements of the Regulations, your Bankers may not deem these jurisdictions to be anything other than high risk. You may have decided as a business to apply a risk-based approach, but if this is not in line with your Bankers you may find yourself in bother.

The only advice I can give is to make sure that your risk designation of a client meets the requirements of the Regulations and those of your Bankers.