AML/CTF

Act in Haste!

Lance Barclay AML/CTF, Compliance, Corporate Governance, Fraud, Guernsey, Self Help

Both regulators in Guernsey and Jersey have issued warnings regarding Fraudsters

Compliance monkey

targeting financial firms and their Customers. Coming back from a long weekend and back log of emails, the stresses that you are under in this unprecedented time, business objectives and customer expectations, this is the perfect storm for the Fraudster to exploit. In our isolation the use of malicious and fraudulent emails (Phishing) appears to be the current tool of choice and here are some tips, key indicators and red flags that and email may be malicious or fraudulent to keep your Firm, Customers and Yourself safe.

  • Is the email out of the blue or unsolicited with a time pressure to undertake some action?

  • Is the email address of the sender the same as your Customers in your records?
  • Is the spelling correct or have letters been substituted, do you even know the sender?
  • If there are links to respond to do not click them, hover your cursor over them and check the URL. Always go to the official site rather than click a link in an email especial if it requesting that you need to do so to undertake some action.
  • If the email is requesting that you need to download a file or attached document do not do this or click on it.
  • Are there grammatical or spelling errors in the email?
  • Does the email sound like client?
  • Does the email request some personal data or business data or security details?
  • Does the sender address you by name, is this usual? If the sender is unknown to you this could be an attempt to gain confidence, remember we all have personal details on the web that are easy to find.

If you see any red flags it is time to contact your IT department or provider and get them to check the email out and validate it.

When receiving requests to make transfers to accounts or pay invoices you need to be cautious, consider the following as red flags that either the email is a phishing attempt or that your customers email account has been compromised.

  • Is the request expected, in line with the known activity and business operation of the Customer?

fraud-1-630x420-770x4332624814175215932423.jpg

  • If the email asks to call them on a phone number to confirm the transaction, use the contact details that your firm has on file and not the ones in the email.
  • Check the transfer details, are they the same as the ones you have on the file for the customer or is this a new transaction? .
  • Is the transaction inline with the normal activity and known behaviour of the client?
  • Is the invoice for services that appear odd or from an unknown party?
  • Does the email request use any links or downloads such as an invoice or software? Always go to the main website and make payment from there as the link could be malicious. Any download may contain malicious software that will endanger your firm such as ransomware or can even spy on you.

Always confirm actions with the customer, using the details your firm has of the actions that are required to be undertaken. If you have any red flags then your IT department or provider needs to be informed and the email checked out.

Also beware that you may also be subject to telephone (Vishing) or SMS (Smishing) fraud attempts that will also seek to make you undertake an action or provide personal or business details in the same manner as with Phishing.Always call the customer back on the details that your firm has and confirm with them any requested action. Rather than seeing this as a hassle customers will be impressed that you are so diligent and have good security, it will reassure them that you are the firm to be with and that you are proactive in protecting them and their data and assets. It may also alert them to the fact that they have already been hacked and can take appropriate action to minimise any loss.

Reporting of these attacks.

These attacks must be reported to the Compliance and MLRO team and onwards after assessment to the Board.The Board is accountable for the safety of the firms clients and client data and must be seen to be ensuring that it has considered the risks posed, put in place effective mitigation, appropriate systems and controls. This assessment must be reassessed after an attempted fraud and consideration of appropriate actions undertaken. Does this change the risk profile of the firm in anyway? Is there any further mitigation that can be done to protect the firm and its customers? Remember the Regulator will be looking for documentary evidence of consideration whether there has been an attack or not and certainly on their onsite visits.

Compliance and MLRO teams with the IT department or service provider need to collate the data, assess the threat and any further systems or controls that may be required to be considered by the Board and implemented. They need to consider if this is just a random attack, or whether it is targeted, is there a specific group of customers this affects? This information with any recommendation needs to be provided to the Board. Consideration must be given to the threat and may also require the of warning, training or refreshing of the firms employees to the risks and the policies, procedures and the controls that must be followed.

Fraudsters can be identified from the details that they provide to you, be it a phone number, email address or website URL. This being the case they must be reported to the Fraud or Financial Intelligence Unit as you would with a normal Suspicious Activity Report, if you are unsure give the Police or the Financial Intelligence Unit a call, they are there to assist you and help you. This also allows them to collect the data and establish if the jurisdiction, specific firms or a set of clients is being targeted, allowing them to warn industry and protect clients of the jurisdiction. Financial Intelligence Units have a wealth of good advice on there websites for the prevention and detection as well as the dealing with fraud.

In conclusion;

  • Don’t open email from unknown senders and take time to assess an email for red flags that it may contain malicious software or attachments or a fraud attempt.
  • Undertake callbacks using the customer details the firm has collated to confirm any actions.
  • Don’t undertake actions or give out personal data or business data to anyone who is unknown no matter how much they pressure you.
  • Contact your IT department, service provider and/or compliance department if you have any concerns, links or requests to download documents or software.
  • If it is found to be fraudulent or malicious report it to your compliance and MLRO departments.

Don’t be pressured by emails, phone calls, SMS’s and time pressures in to undertaking an action in haste only to repent at leisure.

De-Mystifying the High-Risk Territory

Lance Barclay AML/CTF, Compliance, Guernsey

Compliance monkeyThere is much talk these days regarding the difficulty of providing products and services to those persons who are in high risk territories.  The main gripe is that the Guernsey Regulatory Framework is stifling and strangulating licensees when it comes to high risk territories. This seems to be at odds with the presentations and assertions of the Commission about Guernsey being open for business and empowering its licensees to engage in risk to develop and grow.  What is the truth, are we being misinformed and if so by who?

When it comes to high risk territories licensees must be aware of the obligations in the Criminal Justice (Proceeds of Crime) (Bailiwick of Guernsey) Regulations, 2007 as amended (“the Regulations”) and the Handbook for Financial Services Businesses on countering Financial Crime and Terrorist Financing (“the Handbook”).  Regulation 5 (1) (c) states the following;

“(c) a business relationship or an occasional transaction – (i) where the customer is established or situated in a country or territory that does not apply or insufficiently applies the Financial Action Task Force Recommendations on Money Laundering, or (ii) which the financial services business considers to be a high risk relationship, taking into account any notices,”

The Handbook goes further at rule 58 where it states the following;

“is connected to any of the countries or territories listed in Part A or Part C of Instructions on Business from Sensitive Sources issued by the Commission; is designated as high risk.”

At first glance the minimum requirements are that by applying the full instructions on Business from Sensitive Sources you would have a lists of high risk jurisdictions that the Commission would be happy with in meeting the requirements of the Regulation and the Handbook. The Commission have empowered Financial Services Businesses in Guernsey to actively engage and establish their own risk appetite and as such the Instructions on Business from Sensitive resources only represents the minimum requirements.  The Handbook at section 70 goes further to recommend that a high risk factor regarding territory would also include the following;

“customers based in, or conducting business in or through, a country or territory with known higher levels of bribery and corruption, or organised crime, or involved in illegal drug production/processing/distribution, or associated with terrorism; involvement of an introducer from a country or territory which does not have an adequate AML/CFT infrastructure;”

Just by looking at Transparency International perception index this allows the potential for a greater number of territories that could be designated as high risk. There are also those territories that Guernsey has Sanction regimes on which pose an association with terrorism and as such could be deemed high risk. The question is must these territories be high risk?

The Commission have through rule 57 empowered Directors and Boards to take a proactive view of risk where a business relationship has a high risk element (that is not a high risk element specified in Regulation 5(1)(a-c) or listed at part A or Part C of the Instruction on Business from Sensitive Sources) but this element does not mean that the actual risk of the relationship is high.  A Financial Service Business where it has compelling mitigating factors that it documents, can choose a lower and more realistic risk rating. Therefore, a territory that the Financial Services Business may class as high due to internal policy or procedure or that an international body classifies as high does not necessarily make the whole relationship high risk.

Some examples of where and how rule 57 can be applied;

  • An entity that is administer and controlled in Guernsey is conducting business in a territory that is not on the Business from Sensitive Sources Instruction but has a high bribery and corruption rating, there are controls in place to mitigate associated risk of bribery and corruption risk do we have to have this as high risk? If the licensee can demonstrate compelling mitigating factors to meet rule 57 of the Handbook, it could choose to down grade the risk if its policy procedures and controls allow.

 

  • An entity that we administer and control is conducting business in a territory that is on the Business from Sensitive Sources, there are controls in place to mitigate associated risk do we have to have this as high risk? This must be rated as high risk as it falls under the Regulations and the Handbook as having to be rated as high risk.

 

  • A Beneficiary resides in a Sanctioned country which the Financial Services Business deems as high risk, do they need to be classified as such? If the licensee can demonstrate that the beneficiary and the entity that will be receiving any transaction is not subject to a Sanction notice and demonstrates the compelling mitigating factors to meet rule 57 of the Handbook, it could choose to down grade the risk if its policy procedures and controls allows.

 

  • A customer born in a higher risk country due to bribery and corruption but residing and employed in Guernsey and all funds for the business relationship have been earnt in Guernsey do they have to be high risk? Though a Licensee must obtain information on Place of Birth and Nationality under the rule 86 of the Handbook there is no requirement to risk rate on this basis and it could be discriminatory.

 

  • There are also occasions where part of a structure or an entity is registered in a higher risk jurisdiction, such as a Panamanian foundation that is controlled and administered in Guernsey. The question that must be asked is does a brass plaque in a higher risk country create a higher risk? Regarding the Regulation and the Handbook the Panamanian Foundation could be said to be based in Guernsey due to the management and control element and as such would not fall under a higher risk country element as the due diligence requirements would be undertaken by the Guernsey Fiduciary to the requirements of the Handbook and the Regulation.

 

  • The use of corporate entities registered in other higher risk jurisdictions by a Guernsey licensee for its customers, the Corporate Service Provider in the higher risk territory is only the Registered Agent for corporate entities and only undertakes the required statutory functions of the Territory are these structures require to be high risk? Though higher risk jurisdictions can be used to provide a corporate entity they may not apply the same anti-money laundering measures and countering terrorist financing measures as we are required to do in Guernsey. In these cases, it could be said that the business relationship is based and established in Guernsey as the corporate entity is controlled and administered by a Guernsey Licensee who must comply the Guernsey Regulatory Framework requirements.  Does a brass plaque really carry a risk or money laundering and terrorist financing or should we be more worried about the risk of the beneficial owners and controllers?

From this brief review of the pertinent sections of the Regulations and the Handbook, the Commission have in fact created a framework when it comes to territory that does allow for consideration of risk and not everything is or should be classified as high though some must be.  Unfortunately, it is possible that licensees themselves, through either lack of knowledge, understanding or misinterpretation of the Regulation and Handbook are creating their own frameworks that are inflexible to allow compelling mitigation to be taken in to account when it comes to risking Territory risk where permissible.  This inflexable framework would contribute to the strangulation of a Financial Services Business and the potential offering of products and services to new markets and developing countries.

Remember the Commission are there to use enforcement action on those who fall below minimum requirements and/or do not apply their own policies and procedures. There are countless other examples where rule 57 of the Handbook can be utilised so please contact me if you are interested in further clarification.Compliance monkey

Reflections of 2016

Lance Barclay AML/CTF, Compliance, Compliance Monitoring, Corporate Governance, Due diligence, Guernsey , , ,

Compliance monkeyAs the sun gets lower, the evenings longer and we get closer to the end of a year I cannot help but think what a year it has been and begin to reflect.  For me personally it has been a year that has been full of hard work, assistance and resolution of problems and all this led me to the beautiful Island of Bermuda to undertake a contract for a client.  Not only a fantastic opportunity to show case my skills and knowledge but a joy to work for some fantastic people and meet old and new friends as well as to experience another regulatory culture. While I would rather be pondering the last year and this post from a pool in Bermuda instead of next to a fire on a brisk cold day, Guernsey still very much holds my heart, though Bermuda is a close second.

In looking to the challenges of the future and what the next year may hold for us is it time to reflect on the past year, the regulatory framework and what is needed to ensure that our business moves forward, prospers and continues to uphold the regulatory standards and meet future challenges, and there is no better way to do this than look back over the last year.

There have unfortunately been instances where the Guernsey Financial Services Commission (GFSC) has had to take enforcement action in 2016, never an easy decision but essential in today’s world to assist in the safeguarding and continual success of our international reputation and prosperity.  I do not think it is right to dissect these cases as these are disclosed on the GFSC website but rather look at what lessons can be learnt to avoid a repeat to our businesses and to protect the Directors and Stakeholders.

Risk, Identification and Verification

Most of these incidents reported by the Commission are in respect of Anti-Money Laundering and Counter Terrorist Financing (AML/CTF) within businesses.  That is not to say that all these incidents related to actual financial crime but rather that businesses were not meeting the standards and expectation imposed by our regulatory framework to ensure that verification documentation mitigated the risk of the Island being utilised by criminals.

The identification and verification of customers and controllers to a business relationship is a continuing matter that is reported by the GFSC.  In many cases business’s application of a “risk based approach” had failed to ensure that the due diligence and enhanced due diligence for customers and required parties to a business relationship or occasional transaction, had been obtained and met the standards required by the regulatory framework, inclusive of rules and guidance issued by the GFSC for certification and the suitability of certifiers. It must be remembered that wherever you are licensed you must meet that jurisdictions regulatory requirements as a minimum!

Monitoring and Sanctions

Periodic monitoring of customers was another area where businesses struggled.  It was found in some cases that this monitoring was not undertaken or if undertaken did not meet the regulatory requirements. It was found that risk assessments were inadequate and not reviewed as required by a business’s policy and procedures to meet the obligations of the GFSC, especially where customers had been assessed as high risk.  The review of the rationale for the business relationship and transactions undertaken was found to missing or inadequate, leading to the GFSC questioning whether appropriate and effective policies and procedures were in place inclusive of suspicious activity reporting.

The review of customers to Sanction lists was also noted as an area of concern. While this may be undertaken at the start of a relationship and periodically is it suitable just to wait for these trigger events?  Is the review of transactions subject to sanction screening to ensure that sanctioned legal persons or those entities that they control are not financed? It may be that the GFSC believe terrorist financing to be a low risk to the Bailiwick but this will do nothing to deter terrorist financiers if they find a gap in our defences.  A definite area I think the GFSC will look to assess when conducting on-site examinations and through thematic reviews in 2017, so be warned!

Corporate Governance

Corporate Governance has also come to the forefront not only in the AML/CTF area but also in more prudential assessments of a business.  In all cases enforced by the GFSC the findings go back to the corporate governance requirements of the regulatory framework with the accusation that directors failed to ensure that they acted to ensure that the business could meet the Guernsey regulatory requirements.  THE GFSC also in some cases questioned the independence and integrity of directors due to the regulatory failings identified.  Not only will this area come more to forefront with shareholder activist and the spotlight of international bodies but also from the GFSC to ensure that Directors are suitable and safeguarding Stakeholders and the business.

With the Guernsey regulatory framework changing to meet the international requirements which are evolving it is difficult for any Director to ensure that their Business remains compliant.  Businesses in this ever-changing environment are at risk of falling behind the times.  While only minor infringements of the regulatory framework may be the result, if these infringements are many, systemic and material they may require to be reported to the GFSC.  By the Board bringing these issues to the GFSC, in some cases, remediation without the threat of enforcement can be undertaken, it is after all in the GFSC interest that businesses remediate and enhance themselves to meet the regulatory framework.  It is best to be able to show and have evidence that the Board have discussed the issues affecting the business and the action to be undertaken rather than hearsay in any regulatory inquiry!

Reflections

So, reflect on this year, look at the enforcement cases to ensure that you do not fall foul of history, review your business plans and business assessments to make sure you have the policies and procedures in place to meet the regulatory framework and the requirements of the Business.  Review the Compliance function is it suitable and sufficient? Consider its independence or whether there needs to be independent oversight or outside assistance?  Does the compliance monitoring facilitate management information that is required for Directors to undertake their duties and safeguard the business and stakeholders?  Look outside of your own regulatory regime to other sectors as if something is happening in one there is a good chance that those developments will feed in to your own sector’s regulatory requirements.  Look outside to other jurisdictions as developments there may impact on the regulatory framework where you are.

If you have a last Board meeting of 2016 or even an early 2017 Board meeting set the agenda to reflect on 2016 ensuring that history does not repeat itself. If you do find that you are not in compliance, please ensure that you have the issues and remediation documented whether you consider it material or not to report to the GFSC.

Instruction 01/2016

Lance Barclay AML/CTF, Compliance, Corporate Governance, Due diligence, Guernsey

Compliance monkeyThe Commission have released their latest Business from Sensitive Sources Instruction, no 01/2016 (“the Instruction”) for Financial Services Businesses and Prescribed Businesses replacing the previous instruction 04/2015 that was issued back in November 2015.  The upshot is that Myanmar, Loa PDR and Vanuatu are now included in Part B of the Instruction which lists countries and territories with improving Global AML/CTF Compliance, while Algeria, Angola and Panama have been removed altogether from the Instruction. For Financial Services Businesses and Prescribed Businesses, it would appear to be that they can now apply a risked based approach to relationships or transaction through or from Myanmar, Loa PDR and Vanuatu, and as much is said in the Commission’s statement on their Instruction, but is that really the case?

A quick look at Chapter 3 of the Handbook and rule 58 sets out the Commissions requirement for designating high risk Business Relationships or Occasional Transactions.  These characteristics are those identified in section 1 (a) to (c) of Regulation 5 of the Criminal Justice (Proceeds of Crime) (Bailiwick of Guernsey) Regulations, 2007, as amended (“the Regulations”) and also those connected with Parts A or Part C of the Business from Sensitive Sources issued by the Commission. At first glance it would therefore appear that Business Relationships or Occasional Transactions with Myanmar, Loa PDR and Vanuatu do not necessarily need to be high risk as they are on Part B of the instruction.

What is important to realise is that section 5 (1) (c) (i) of the Regulation states that customers established in or situated in a country or territory that does not apply or insufficiently applies the Financial Action Task Force (“FATF”) recommendations on Money Laundering must be designated as high risk.  As part B of the Instruction relates to countries or territories who are improving but not meeting the FATF requirements on Money Laundering it would indicate to me that Myanmar, Loa PDR and Vanuatu, still require to designated as high risk in order that a Financial Service Business or a Prescribe Business can meet their obligations under the RegulationTO13-3s.

If this is not confusing enough for any Director, Compliance/ Risk Officer or Money Laundering Reporting Officer, please also be aware of your banking arrangements and relationships.  Though this Instruction on the face of things allows you to apply a risk based approach which may or may not be in line with the requirements of the Regulations, your Bankers may not deem these jurisdictions to be anything other than high risk.  You may have decided as a business to apply a risk based approach but if this is not in line with your Bankers you may find yourself in bother.

The only advice I can give is make sure that your risk designation of a client meets the requirements of the regulations and that of your Bankers.

The Sum of All the Parts

Lance Barclay AML/CTF, Compliance, Due diligence, Guernsey , , , , , ,

Compliance monkeyThe Guernsey Anti-Money Laundering and Countering Terrorist Financing (“AML/CTF”) framework has continually developed to take in to account good practice, external pressures, requests and recommendations of onshore governments, quangos and international organisations  to ensure that financial crime in all its guises is effectively tackled. The Commission have sought to and I would say that they have largely achieved a cohesive framework that effectively mitigates against the use by criminals of Guernsey as an international finance centre while not over burdening the Financial Service Business operating here.

This cohesive framework has been achieved over the course of the years by open dialogue with local industry bodies, licensees and working effectively and productively with those outside of Guernsey to achieve a proportionate approach for  the products and services that are provided to clients wishing to utilise the jurisdiction. Most notably in 2013 the AML/CTF framework in Guernsey changed extensively and this resulted in general insurance products being removed, but did it remove all the products and services that can classified as General Insurance?

With regard to the Insurance sector in Guernsey, a legal entity can be licensed for general business or for long-term business. Long term business is defined in the Insurance Business (Bailiwick of Guernsey) Law, 2002 as contracts on human life, human longevity, marriage and birth, linked long-term, permanent health, capital redemption, pension fund management and credit life assurance. Due to the nature and the requirements of some clients, an insurance licensee with a general business categorisation may want to offer some of these products to their clients to supplement the range of products and services they currently or can offer their clients, but without the need to be licensed for long-term business.  Section 2(4) of the Insurance Business (Bailiwick of Guernsey) Law, 2002 does allow for an Insurance licensee to elect that a contract for a term of not more than 18 months that may be regarded as a long-term business contract and can be deemed to be general business.

This would appear to allow a general insurer to fit such products into their licence requirements e.g. general insurance, without the requirements to adhere to the Guernsey AML/CTF framework as per the changes that were made to the Commission’s AML/CTF Handbook (” Commission’s Handbook”), in 2013.  It should be noted that the treatment of these products, though allowed to be done in certain circumstances by an Insurance licensee does not change the definition of those products in the Insurance Business (Bailiwick of Guernsey) Law, 2002.

In the Criminal Justice (Proceeds of Crime) (Bailiwick of Guernsey) Regulations, 2007 at schedule 1 it states that a Financial Services Businesses for the purposes of the Regulations are detailed in part 1 of the schedule, except where they are incidental or are other activities as listed at Part 2 of the Schedule. Part 1 of the schedule includes the carrying on of “Long Term Business as defined by the Insurance Business (Bailiwick of Guernsey) Law, 2002 as being a Financial Services Business for the purposes of the Regulation and the Commission’s Handbook, it does not include any change in the treatment of an Insurance product by an Insurance Licensee. The Commission’s Handbook at section 4.8 specifically deals with the treatment of life or other investment linked insurance policies and as such these appear to directly fall in to the Guernsey AML/CTF regime. Effectively this is saying that if a product falls under the long-term definition stated in the Insurance Business (Bailiwick of Guernsey) Law, 2002 though a Licensee it may regard it as being General business they remain subject to the AML/CTF Regulations. Thus a licensee must adhere to the requirements of the Commission’s Handbook and AML/CTF framework when dealing with such products.

The sum of all these parts would indicate that an Insurance licensee effecting or carrying out life or other long-term products regardless of how a Licensee may be able to classify these products as general business under the Insurance Business (Bailiwick of Guernsey) Law, 2002, they would still fall under the AML/CTF regulations and Commission’s Handbook by way of the requirements of the Criminal Justice (Proceeds of Crime) (Bailiwick of Guernsey) Regulations, 2007 held at schedule 1. An Insurance Licensee regardless of how it treats such products under its licence would be required to have in place an effective AML/CTF framework.  A licensee must be able to evidence the suitability of its AML/CTF framework and compliance with the AML/CTF requirements pertaining to its business to the Commission.

An Insurance licensee must ensure that at all times they meet the requirements for the minimum criteria for licensing, schedule 4 of the Insurance Business (Bailiwick of Guernsey) Law, 2002. This includes a requirement to meet and adhere to any rules, codes, guidance, principles and instructions issued from time to time under any other enactment as may be applicable to the business, and this would also be inclusive of the Guernsey AML/CTF framework.

Missing the Elephant in the room.

Lance Barclay AML/CTF, Due diligence , ,

These last few weeks I have been thinking back to myCompliance monkey time in Law Enforcement. Those of you who can remember back that far probably have an image of a young surfer dude who turned up in the most scruffiest uniform, collar half in half out, requiring either a haircut or beard trim, usually both and never mind the lack of tie!

Those who worked with me will probably remember a person who worked manically yet methodically, questioning everything, discussing and testing theories before providing a list of potential targets for Officers to stop and check out. I am very proud to have been one of the highest seizing drugs Officers during my time, but all this could not have been done without the above, the support of my senior officers (and at times I pushed them to the limits) and the Law Enforcement Officers and teams I worked with, who looked at the whole.

In recent weeks there has been a lot of international interest in the offshore world regarding tax avoidance and tax evasion as well as financial crime, which has included revelations of HSBC in Switzerland. This post is not about HSBC, what is or isn’t tax evasion or even the ethics behind tax avoidance or financial crime, but I hope to try to provide some advice where the due diligence process fails. I have previously written about how due diligence is only part of the solution. As a past Customs and Immigration Officer and now as a compliance manager and consultant these documents are essential in identifying and verifying the target/ client but this is by no means the be all or end all.

It is all about the analysis of information in front of us, checking these details and asking the questions not our pre-conceived ideas or prejudices. Do we ask the question of why our clients invest offshore or set up dynastic structures or entrepreneurial structures offshore, do we understand and test and document, this rationale and reason and do the transactions make sense and fit the profile?

As a Law Enforcement Officer I would start by building a picture of travellers, and ask myself if the analysis I had in front of me made sense. Were there any comparisons to known smuggling and people trafficking profiles? Then I would seek out the experience of my peers, asking questions and gaining in-sights, understanding and clarifying what I had in front of me. This is no different from a Financial Services Business, where you are obtaining identification details, verifying these with documentation, researching through the various open-source intelligence databases for known facts, asking questions regarding the rationale. Seeking supporting evidence e.g. tax/ legal rationale and advice for the creation of a structure, its suitability and comparing the client and business relationship to known criminal profiles.

Having assisted licensees when they have been subjected to on-site visits by the Commission the main observation is, to a greater or lesser extent, that the requirements of the Regulations and the Handbook have been met. Some licensees have gone for just meeting the required standards others are far in excess of what is required by the regulations, but all generally pass with only the criticism of lack of former names or certification not meeting the expectations of the Commission. The real bug bear for the Commission is the lack of or insufficient periodic review. Yes we screen for sanctions, yes we check the appropriateness of our due diligence and we risk assess to what we see in our verification documents and from our refreshed our database checks but is this enough? Well unfortunately no it’s not and we are missing the Elephant in the room.

We spend alot of time getting the tax/ legal advice, the rationale of the relationship and the expected transactions at the start of the on-boarding process but we seldom question these areas again in the course of the business relationship. Tax advice is valid when it is given and after that it is outdated and what was legal tax mitigation can become tax evasion, transactions vary due to life circumstances including financial crime, entrepreneurial relationships change due to economic reasons and taking advantage of situations, some which can be financial crime. The information is in front of our eyes yet we fail to look at it, react to it, analysis it and document these changes or question the rationale.

Being miles above and beyond regulation may serve little purpose apart from to annoy clients and make the offshore world difficult to invest in and access for those with legitimate reasons and rationales. You may think it looks good to a Regulator to be gold platted but that is not the case as they are only looking at compliance with the regulatory requirements. The information to detect financial crime in all its guises is in front of us, the transactions, the file notes of meetings and the tax advice or legal advice. All this allows us to analyse the client to ensure that what we have fits in to our knowledge and understanding of the them and that what we have is legal and remains legal. This though is the Elephant in the room we seldom look at and where Regulators will not look kindly on when they find it lacking, regardless of how high above the required due diligence standards you are!

In all these Financial crime and Tax evasion cases if the advice had been looked at, the transactions and rationale been reviewed in detail would things have been different? It is not OK to say things were different back in the day, it does not absolve you or anyone from financial crime or being complicit in it.

If the only thing you take from this is to look at the whole picture, analyse all the information and rationale of a client, ask any questions you can’t fathom out, and obtain answers and document your full review, this post will have been worth it.

Don’t change for the sake of change!

Lance Barclay AML/CTF, Compliance Monitoring, Corporate Governance , ,

It has been an interesting few weeks with lots of nervous Directors concerned with their compliance functions and wondering what to do in light of the recent Commission’s findings and fines that have been publically issued. What must be remembered is that the Directors are responsible for the compliance function and framework (Chapter 2 of the Commission’s Handbook’s) of their business and not the consultants they may employ.  So what needs to be done?

Don’t Panic! There really is little point in panicking and it will only tend to make things worse. Panicking only creates more fears, which may not be justified in some cases, fear then leads to aggression and that only leads to breakdown in communication. The key in gaining an understanding of what has happened and where your business may sit in the regulatory framework will be down to communication with your compliance provider.

Review your compliance framework. Are you satisfied that you have all the evidence to support the previous findings of your compliance function provided by your consultants? Does their review go far enough and look at all the areas of the regulation that pertains to your business? Are they evidencing their findings suitably to back up their conclusions? At the end of the day your compliance framework is your responsibility and you need to evidence that you are satisfied with it, those that undertake the review role and that you have oversight to control it.

I have previously had licensees who would sit down with me during the year and go through my monitoring programme and how they correlated to the reports I was providing them. The positive was that it gave them comfort and evidenced to the Commission that they had true oversight and control of their compliance framework.

Communicate clearly and calmly. This is important, the oversight review you have done will provide you with questions that you need to have satisfied.  In light of the recent Commission actions and public statement released, you will also need to know the facts of what happened and why it happened as you need to assess if you could find yourself in the same situation of being incorrectly reported to on the regulatory requirements.

Even if your provider was not concerned in the recent Commission’s action you need to ensure that they would not put your business in jeopardy. It is important that from your review you can put any queries or concerns across in a calm manner. Your consultants may be defensive but the discussion needs to be open and honest so you can establish the facts. It is vital that your consultants and/or their management have the ability to constructively deal and satisfy any questions or concerns you may have.

Potential areas to discuss and obtain evidence on. Are you satisfied with the work that has been and continues being undertaken? Do you need to increase the time that the consultants provide to your business? Is the compliance monitoring utilised to assess your business suitable? Do the reports provided to you evidence the review that has been undertaken and do they cover the requirements of the regulatory framework? Are you getting the service that you require and want, remember you are the customer here!

Are the consultants suitably qualified or knowledgeable in the areas pertaining to your business, and have you got the evidence? It is always best to assume that you need enough information to satisfy yourself as you would for any of your employees. Your compliance consultants will be able to provide you with evidence of the consultant’s qualifications and suitability.  I was always more than happy to provide my certificates to licensees as I am very proud of what I have achieved!

Review, assess, conclude and evidence. Once you have the responses to your queries and concerns, you will be in a situation where you can review and assess where your current framework is and where it is going. You may be satisfied that everything is suitable or your compliance consultants are making changes to bring their game up for you and are able to service your requirements appropriately going forward. You may find that it’s time to bring your compliance function in-house wholly or partially, or if you remain unsatisfied you have the option to move to another provider, but do your due diligence.

What is vitally important in your conclusion is that you evidence all of the findings. The Commission will be asking you the questions about your compliance framework, how you monitor and mitigate the risks and are able to ensure oversight. You will be held accountable by the Commission so you need to have the answers and evidence. It’s just good Corporate Governance at the end of the day.

I was approached earlier this week by a Licensee who had just been visited by the Commission. The Commission was impressed that AML/CTF was discussed and documented at their meetings and how this evidenced the oversight and responsibility the Licensee took. One happy Licensee always means one happy Compliance monkey. This shows the power of good minutes and how the Commission view the importance of them in the evidencing of the oversight of the compliance function taken by Licensees.

At the end of the day you do not want to be jumping from the frying pan into the fire. People make mistakes it is whether they can learn from them.  Whatever conclusion you come to will allow you to make the best decision for your business, just make sure that it is clearly evidenced. Don’t change just for change sake!

Diving in to Compliance

Lance Barclay AML/CTF, Business Risk Assessment, Compliance Monitoring, Corporate Governance , , , , , ,

Entering the waterMy weekends are spent reviewing overarching risk assessments and analysing specific risk assessments as well as undertaking the compliance review of policies and procedures, finishing with the review of performance of the systems and controls.  I am not taking work home with me nor am I moon-lighting or taking on further roles, I am though a qualified Diver and a qualified Solo Diver.

Diving can be a high risk pursuit and can lead to death even at shallow depths. My joy and passion is to go deep, exploring wrecks and reefs of the Channel Islands below 30 meters or 100ft and seeing the beauty and fragility of the alien world below illuminated in beautiful colours with its abundance of life.  The chance of swimming to the surface and surviving without any injury after a total gear failure or panic attack are slim at best, at these depths. The choices I make are calculated and risks are mitigated using similar principles that a Financial Services Business (“FSB”) would utilise.

I start every dive season off with an overarching risk assessment, looking at the risk I am prepared to take, what I want to achieve and the factors affect me. This is not overly different to the Anti-Money Laundering and Combatting Terrorist Financing (“AML/CTF”) Business Risk Assessment for any FSB in Guernsey.  My overarching risk assessment is where I look at what I want to achieve and the risks that I am prepared to take in essence what my risk appetite is, and it does vary year to year.

For a FSB the AML/CTF Business Risk Assessment looks at the risks posed by its products and services and its customers. In my case these translate to the types of diving I want to engage in, my planning and who I dive with.  My mitigation of the risks faced would be my diving gear and its set up and my overall health to make the dive.

I then put into action a monitoring programme taking into account my overarching risk assessment.  A full review of my diving gear is essential as is my fitness, this will involve servicing both gear, body and mind and reviewing them on a periodic basis.  This is similar to the provision of management information to the Directors of a FSB. They require to know the state of health of their policies, procedures, systems and controls, to ensure that they are maintained and remain in good condition and fit for purpose in order to mitigate the risks their business face. Knowing that my gear is in good condition and works is essential for whatever dive I do while the health of my body and mind will dictate the dive that can be undertaken safely. Resources must be put to where areas of concern are noted to ensure that the potential for errors or incidents are reduced to a minimum.

drift drivingThen it all comes down to the day, where I undertake a specific risk assessment of myself, the conditions, the type of dive to be undertaken and who I am diving with or if I am going solo. In a sense this is similar to the customer risk assessment that FSB’s undertake for each customer, in order to identify the risk they pose to the FSB and whether the risks are acceptable.

FSB’s by appreciating the risk posed and faced by the customer can decide whether they are prepared to engage in a business relationship with a customer.  In some cases when I have dived I have been satisfied with the risk I face and have dived but I have also be known to decide that the risks are too high or that my systems and controls are not up to the task and have declined the dive or undertaken an easier dive.  I always work on the idea that it is better to be on the surface wishing you were diving then being in trouble under the water away from help and wishing you were on the surface.

Due to the higher risks I take my systems and controls are tailored to me and include as a minimum two independent air cylinders.  I implement my systems and controls by dividing my body in to two halves, one side has computers connected to one cylinder and the other side has old-fashioned gauges connect to my other cylinder, the idea being that should one side fail I can rely on the other as back up.  It also means I can monitor the performance of my systems and controls effectively ensuring that any false readings or dangerous situations are detected early and evasive action taken.

The last thing I do after every dive is to review my systems and controls obtaining data from my computers, analysing this to ensure my policies and procedures remain fit for purpose.  I then assess my overarching risk assessment making changes if required. This has similarities to the quarterly and annual reviews that are done by management and Directors of a FSB to ensure that their businesses are meeting the regulatory framework and mitigating the risks that they face, in essence it’s just good corporate governance.

Diver OKThings do go wrong and no matter how good your policies, procedures, systems and controls are.  I have been in situations where I have had to shut down one side of my systems and controls due to sudden failure of a hose or regulator as well as having to rely on my old-fashioned gauges, watch and mental arithmetic when my computer has failed. It does not come down to luck that I am here writing this but that my risk assessments and planning have taken these situations into account.  My compliance monitoring has reduced these incidents and malfunctions to a minimum and I have put resources to the risks I face ensuring I am suitable trained and able to deal with incidents of this nature.

FSB’s that have a good corporate governance culture, a suitable compliance framework and a compliance monitoring programme that meets their needs and provides the required management information effectively, have in general survived the financial crisis and have adapted to business and regulatory changes with ease.  Where issues have surfaced they have been able to deal with them effectively and/or report at the earliest opportunity where required to the regulatory authorities or Financial Intelligence Unit.

(Pictures by kind permission of Colin Peters)

Briefing note 002- Trust Company Business On-Site Examination Findings from Jersey

Lance Barclay AML/CTF, Business Risk Assessment, Compliance Monitoring, Corporate Governance , , , , , ,

Image

The Jersey Financial Services Commission (“JFSC”) has recently published its 2013 on-site regulatory examination findings in respect of Fiduciary business conducted in Jersey. These findings are pertinent to any financial service business, Compliance Officer and Money Laundering Reporting Officer (“MLRO”) in ensuring that they are adhering to the Guernsey regulatory framework. I believe that key points from the examination findings are as follows:

Evaluation of Suspicious Activity Report’s (“SAR’s”) and reporting to the Financial Intelligence Unit (“FIU”):

  • Delays in the acknowledgement of receipt of an internal SAR to the person disclosing.
  • Lack of detailed investigation by the MLRO to support the decision made.
  • Follow-up action resulting from internal reports not being undertaken or no evidence of follow-up action were noted.
  • Lack of autonomy by an MLRO and the decision to report to the FIU being made by Board rather than the MLRO.
  • Internal reports not being recorded accurately and being overlooked by the MLRO leading to late reporting to the FIU.

Corporate Governance:

  • Board discussions not being fully documented in some instances.
  • Concerns were identified in respect of the Board interaction, reporting lines and the functions of delegated risk committees of cross-divisional functions of a business.
  • Term’s of reference for delegated functions of the Board not being in place.

Business Risk Assessment (”BRA”) and Strategy:

  • Lacking details of the consideration of the following areas;
    • Organisational factors;
    • Jurisdiction of customers;
    • Underlying activities of Customers, including Politically Exposed Person risk;
    • Products and services specific to the business (third parties);
    • Delivery of those products and services;
    • Outsourcing risk to other branches or third parties and;
    • Not separating its BRA assessment from that of the Manager.

Conflicts of Interest:

  • No documented consideration of potential Conflicts of Interest where multiple licences are held and products are provided to customers who are common to both licenses.
  • Consideration and documentation of wider Conflicts of Interests, such as the investment in to customer structures by a Director.
  • Consideration of the risk where a significant shareholder of the business introduces customers.
  • Non-Executive Directors maintaining a direct relationship with a customer.
  • Conflicting roles of Compliance Officers the anti-money laundering function where the individuals also held a primary customer facing role.
  • Consideration of the impact of close staff relationships particularly at a senior level e.g. husband and wife.
  • Policies and procedures for declaring and monitoring were identified.

Compliance Function:

  • Inconsistent attendance at Board meetings by the Compliance Officer.
  • No separate reports in respect of Compliance and the anti-money laundering and combatting terrorist financing (“AML/CTF”) function.
  • Reports not containing the following;
    • Regulatory updates;
    • Progress of compliance monitoring;
    • Updated position on compliance registers, and;
    • Information on periodic reviews and accounting records.
  • In some cases there was a lack of documenting of matters brought to the attention of the Board.

Compliance Resourcing:

  • Back logs in periodic review cycle.
  • Delays in compliance monitoring
  • Not undertaking action in respect of regulatory updates.
  • Out of date policies and procedures
  • Ongoing projects and remedial work not completed.
  • Concerns in respect of the investigation and determination of SAR’s.
  • Meeting the day-to-day requirements of the compliance role, where the Compliance Officer or MLRO held other roles within the business.

Compliance Monitoring:

  • Compliance Monitoring Programme’s (“CMP’s”) task orientated rather than a schedule of testing of the operational procedures.
  • CMP’s not being seen or approved by the Board.
  • Ineffective reporting of the progress or completion of the CMP and of the remediation of compliance findings.
  • Compliance testing of the areas of the business lacking in detail.
  • Ineffective mapping of the business to the regulatory framework.

Business Acceptance Systems and Controls:

  • Procedures not being specific regarding the prescribed due diligence required for higher risk customers and business relationships.
  • Undertaking transactions prior to the acceptance of the customer by the Business.
  • The delay of obtaining verification documents and undertaking risk rating prior to the undertaking of customer transactions.

Customer Risk Management Systems and Controls:

  • Customer risk assessments not capturing fully the risks associated with customers or as detailed by the regulatory framework.
  • Customer risk assessment not capturing the risks identified by the business in the BRA.
  • Customer risk assessments not taking into account adverse information identified on the customer.
  • Weighting scores for risks not being appropriate to elevate overall the risk to high where required.
  • Lack of guidance to assist staff in the completion of the customer risk profile.

Customer Profile

  • Vague customer profiles not capturing the expected pattern and frequency of expected transactions.
  • Customer information held in various places rather than centrally.
  • Where the rationale for the business relationship was recorded as tax planning or mitigation, Licensee’s did not hold the relevant tax advice.

Politically Exposed Persons:

  • PEP’s being declassified contrary to the regulatory framework.
  • Immediate family members and close associates not being designated as PEP’s

In conclusion Licensees and the Boards must ensure that they have up to date compliance procedures, their functions are staffed and resourced appropriately and ensuring that they have suitable and sufficient management information for their compliance status being provided in a timely manner to them.  The role of the MLRO is coming more into focus with Regulators especially its assessment by the Board.  The MLRO function needs to be adequately resourced with a suitable and autonomous person, it is my opinion that this role will become more of a focus of regulatory visits and evidence of its review and suitability will required to be documented.  I would always advise that a separate compliance report and MLRO report is provided to the Board to ensure that matters are easily identifiable to the Board.  Conflicts of interest must be recorded and the risks assessed appropriately.   The BRA must take into account the risks that customers pose to the business and also the AML/CTF risks detailed by the regulatory framework and where they are not applicable they should be noted as such. What I believe is the most important finding to come out is, ensuring customer risk assessments and profiles are detailed and maintained ensuring that all risks are covered in the BRA.  I would advise that you assess your business to these findings and if any matters are found a remedial programme is put in place and signed off by the Board ensuring appropriate timescales and reporting is in place.

.

Briefing Note: Jersey Financial Services Commission Onsite Examination Findings.

Lance Barclay AML/CTF, Compliance Monitoring, Corporate Governance , , ,

Compliance monkey

The Jersey Financial Services Commission (“JFSC”) conducted an onsite examination of one of its fiduciary licensee’s which has resulted in a public statement being issued. The findings provide an insight in to the areas that our sister Island regulator is focusing on and the regulatory action they are taking in respect of their findings. I believe that the key points of the onsite examination are as follows;

Anti-Money Laundering and Combatting Financing of Terrorism (“AML/CTF”)

The key points made in respect of the examination of the area of AML/CFT noted the following areas as failure to comply with the AML/CFT regulatory requirements:

  • Out of date CDD.
  • Lack of sufficient evidencing of source of funds and source of wealth.
  • Lack of evidence to demonstrate that CDD had been sufficiently evaluated.
  • Inadequate evidence of EDD having been undertaken on High Risk customers
  • Inadequate evidence of the review of risk assessments.
  • Providing registered office only business and the issuance of Powers of Attorney with little control of the risks and oversight expected to be applied to these products.

 

An investigation was also undertaken into a customer entity that had received funds that may have been connected to a fraud. The investigation found the following matters of concern:

  • Mind and management not with the Jersey appointed Directors but with the beneficial owners.
  • Lack of questioning and properly understanding the activities of the customer entity.
  • Allowing payments to be made by the Customer entity without knowing or assessing whether adequate funds would be available to complete transactions.
  • Over reliance on the ultimate beneficial owners instructions and did not challenge the rationale for acquiring assets.
  • Receiving loans which did not have formal loan agreements and were from entities that had the same beneficial owners.
  • Failing to understand the source of funds through the customer entity.
  • Failing to consider adverse information made available to it regarding the source of funds received by the customer’s entity.
  • Receiving funds without knowledge of the remitter and paying them out the next day.
  • Failing to keep adequate books and records for the customer entity
  • Being re-active instead of pro-active in the management of the customer entity.

 

Breaches of the Code of Conduct of Trust Company Business

The key points that led to breaches of the Jersey regulatory framework and principles for the conduct of Trust Company Business were as follows:

  • Failing to act with skill, care and diligence.
  • Failing to evidence in writing decisions made.
  • Failing to identify conflicts of interests.
  • Failing to ensure adequate review procedures were implemented to monitor Trust Company Business.
  • Failing to maintain adequate internal systems and controls.
  • Failing to exercise an adequate level of Corporate Governance.

These failures led to remedial action having to be implemented as follows:

  • Directors stepping down and the appointment of new local Directors and a new Non-Executive Chairperson.
  • Review in conjunction with an external resource of the processes and procedures of the business to effect changes to strengthen its systems and controls.
  • Initiation of a review process of customer files to remedy customer due diligence deficiencies.
  • Remediation programme has been put in place to rectify issues identified by the investigation.

In conclusion I believe that a robust compliance function and a compliance monitoring programme encompassing the regulatory framework would have alerted the business to its deficiencies and assisted in the evidencing of areas of concern that required remedial action that were subsequently identified by the JFSC .  I recommend that the points raised are taken in to account in any Financial Regulated or Registered Business and assessed against its current compliance framework. If you do find that you have issues of concern or that you cannot adequately evidence compliance to the regulatory framework my advice is to form a remediation plan and inform the Commission as soon as practical. A problem shared is a problem halved, I cannot give any guarantees that you will not face regulatory sanction but being open and honest has the potential to reduce or negate the use of regulatory sanctions, as William Mason Director General, mentioned in his December 2013 address to the Industry.  If the regulator in our sister Island is looking at these areas I believe that the Guernsey Commission will also be.