Diving in to Compliance

My weekends are spent reviewing overarching risk assessments and analysing specific risk assessments, as well as undertaking the compliance review of policies and procedures, finishing with the review of the performance of the systems and controls. I am not taking work home with me, nor am I moonlighting or taking on further roles; I am, though, a qualified Diver and a qualified Solo Diver.

Diving can be a high risk pursuit and can lead to death even at shallow depths. My joy and passion is to go deep, exploring wrecks and reefs of the Channel Islands below 30 meters or 100ft and seeing the beauty and fragility of the alien world below illuminated in beautiful colours with its abundance of life. The chances of swimming to the surface and surviving without any injury after a total gear failure or panic attack are slim at best at these depths. The choices I make are calculated, and risks are mitigated using principles similar to those that a Financial Services Business (“FSB”) would utilise.

I start every dive season off with an overarching risk assessment, looking at the risk I am prepared to take, what I want to achieve and the factors that affect me. This is not overly different to the Anti-Money Laundering and Combatting Terrorist Financing (“AML/CTF”) Business Risk Assessment for any FSB in Guernsey. My overarching risk assessment is where I look at what I want to achieve and the risks that I am prepared to take, in essence what my risk appetite is, and it does vary year to year.

For a FSB the AML/CTF Business Risk Assessment looks at the risks posed by its products and services and its customers. In my case these translate to the types of diving I want to engage in, my planning and who I dive with.  My mitigation of the risks faced would be my diving gear and its set up and my overall health to make the dive.

I then put into action a monitoring programme taking into account my overarching risk assessment. A full review of my diving gear is essential, as is my fitness; this will involve servicing gear, body and mind and reviewing them on a periodic basis. This is similar to the provision of management information to the Directors of a FSB. They require to know the state of health of their policies, procedures, systems and controls, to ensure that they are maintained and remain in good condition and fit for purpose in order to mitigate the risks their business faces. Knowing that my gear is in good condition and works is essential for whatever dive I do, while the health of my body and mind will dictate the dive that can be undertaken safely. Resources must be put to where areas of concern are noted to ensure that the potential for errors or incidents is reduced to a minimum.

Then it all comes down to the day, where I undertake a specific risk assessment of myself, the conditions, the type of dive to be undertaken and who I am diving with or if I am going solo. In a sense this is similar to the customer risk assessment that FSBs undertake for each customer, in order to identify the risk they pose to the FSB and whether the risks are acceptable.

FSBs, by appreciating the risk posed and faced by the customer, can decide whether they are prepared to engage in a business relationship with a customer. In some cases when I have dived I have been satisfied with the risk I face and have dived, but I have also been known to decide that the risks are too high or that my systems and controls are not up to the task and have declined the dive or undertaken an easier dive. I always work on the idea that it is better to be on the surface wishing you were diving than being in trouble under the water away from help and wishing you were on the surface.

Due to the higher risks I take, my systems and controls are tailored to me and include as a minimum two independent air cylinders. I implement my systems and controls by dividing my body into two halves: one side has computers connected to one cylinder and the other side has old-fashioned gauges connected to my other cylinder, the idea being that should one side fail I can rely on the other as back up. It also means I can monitor the performance of my systems and controls effectively, ensuring that any false readings or dangerous situations are detected early and evasive action taken.

The last thing I do after every dive is to review my systems and controls obtaining data from my computers, analysing this to ensure my policies and procedures remain fit for purpose.  I then assess my overarching risk assessment making changes if required. This has similarities to the quarterly and annual reviews that are done by management and Directors of a FSB to ensure that their businesses are meeting the regulatory framework and mitigating the risks that they face, in essence it’s just good corporate governance.

Things do go wrong, no matter how good your policies, procedures, systems and controls are. I have been in situations where I have had to shut down one side of my systems and controls due to sudden failure of a hose or regulator, as well as having to rely on my old-fashioned gauges, watch and mental arithmetic when my computer has failed. It does not come down to luck that I am here writing this but that my risk assessments and planning have taken these situations into account. My compliance monitoring has reduced these incidents and malfunctions to a minimum and I have put resources to the risks I face, ensuring I am suitably trained and able to deal with incidents of this nature.

FSBs that have a good corporate governance culture, a suitable compliance framework and a compliance monitoring programme that meets their needs and provides the required management information effectively have in general survived the financial crisis and have adapted to business and regulatory changes with ease. Where issues have surfaced they have been able to deal with them effectively and/or report at the earliest opportunity where required to the regulatory authorities or Financial Intelligence Unit.

(Pictures by kind permission of Colin Peters)

Briefing note 002 - Trust Company Business On-Site Examination Findings from Jersey


The Jersey Financial Services Commission (“JFSC”) has recently published its 2013 on-site regulatory examination findings in respect of Fiduciary business conducted in Jersey. These findings are pertinent to any financial service business, Compliance Officer and Money Laundering Reporting Officer (“MLRO”) in ensuring that they are adhering to the Guernsey regulatory framework. I believe that key points from the examination findings are as follows:

Evaluation of Suspicious Activity Reports (“SARs”) and reporting to the Financial Intelligence Unit (“FIU”):

  • Delays in the acknowledgement of receipt of an internal SAR to the person disclosing.
  • Lack of detailed investigation by the MLRO to support the decision made.
  • Follow-up action resulting from internal reports not being undertaken or no evidence of follow-up action were noted.
  • Lack of autonomy by an MLRO and the decision to report to the FIU being made by Board rather than the MLRO.
  • Internal reports not being recorded accurately and being overlooked by the MLRO leading to late reporting to the FIU.

Corporate Governance:

  • Board discussions not being fully documented in some instances.
  • Concerns were identified in respect of the Board interaction, reporting lines and the functions of delegated risk committees of cross-divisional functions of a business.
  • Terms of reference for delegated functions of the Board not being in place.

Business Risk Assessment (“BRA”) and Strategy:

  • Lacking details of the consideration of the following areas;
    • Organisational factors;
    • Jurisdiction of customers;
    • Underlying activities of Customers, including Politically Exposed Person risk;
    • Products and services specific to the business (third parties);
    • Delivery of those products and services;
    • Outsourcing risk to other branches or third parties and;
    • Not separating its BRA assessment from that of the Manager.

Conflicts of Interest:

  • No documented consideration of potential Conflicts of Interest where multiple licences are held and products are provided to customers who are common to both licences.
  • Consideration and documentation of wider Conflicts of Interests, such as the investment into customer structures by a Director.
  • Consideration of the risk where a significant shareholder of the business introduces customers.
  • Non-Executive Directors maintaining a direct relationship with a customer.
  • Conflicting roles of Compliance Officers and the anti-money laundering function where the individuals also held a primary customer facing role.
  • Consideration of the impact of close staff relationships particularly at a senior level e.g. husband and wife.
  • Policies and procedures for declaring and monitoring were identified.

Compliance Function:

  • Inconsistent attendance at Board meetings by the Compliance Officer.
  • No separate reports in respect of Compliance and the anti-money laundering and combatting terrorist financing (“AML/CTF”) function.
  • Reports not containing the following;
    • Regulatory updates;
    • Progress of compliance monitoring;
    • Updated position on compliance registers, and;
    • Information on periodic reviews and accounting records.
  • In some cases there was a lack of documenting of matters brought to the attention of the Board.

Compliance Resourcing:

  • Backlogs in periodic review cycle.
  • Delays in compliance monitoring.
  • Not undertaking action in respect of regulatory updates.
  • Out of date policies and procedures.
  • Ongoing projects and remedial work not completed.
  • Concerns in respect of the investigation and determination of SARs.
  • Meeting the day-to-day requirements of the compliance role, where the Compliance Officer or MLRO held other roles within the business.

Compliance Monitoring:

  • Compliance Monitoring Programmes (“CMPs”) being task orientated rather than a schedule of testing of the operational procedures.
  • CMPs not being seen or approved by the Board.
  • Ineffective reporting of the progress or completion of the CMP and of the remediation of compliance findings.
  • Compliance testing of the areas of the business lacking in detail.
  • Ineffective mapping of the business to the regulatory framework.

Business Acceptance Systems and Controls:

  • Procedures not being specific regarding the prescribed due diligence required for higher risk customers and business relationships.
  • Undertaking transactions prior to the acceptance of the customer by the Business.
  • The delay of obtaining verification documents and undertaking risk rating prior to the undertaking of customer transactions.

Customer Risk Management Systems and Controls:

  • Customer risk assessments not capturing fully the risks associated with customers or as detailed by the regulatory framework.
  • Customer risk assessment not capturing the risks identified by the business in the BRA.
  • Customer risk assessments not taking into account adverse information identified on the customer.
  • Weighting scores for risks not being appropriate to elevate overall the risk to high where required.
  • Lack of guidance to assist staff in the completion of the customer risk profile.

Customer Profile:

  • Vague customer profiles not capturing the expected pattern and frequency of expected transactions.
  • Customer information held in various places rather than centrally.
  • Where the rationale for the business relationship was recorded as tax planning or mitigation, Licensees did not hold the relevant tax advice.

Politically Exposed Persons:

  • PEPs being declassified contrary to the regulatory framework.
  • Immediate family members and close associates not being designated as PEPs.

In conclusion, Licensees and the Boards must ensure that they have up to date compliance procedures, that their functions are staffed and resourced appropriately, and that suitable and sufficient management information on their compliance status is provided to them in a timely manner. The role of the MLRO is coming more into focus with Regulators, especially its assessment by the Board. The MLRO function needs to be adequately resourced with a suitable and autonomous person; it is my opinion that this role will become more of a focus of regulatory visits and evidence of its review and suitability will be required to be documented. I would always advise that a separate compliance report and MLRO report is provided to the Board to ensure that matters are easily identifiable to the Board. Conflicts of interest must be recorded and the risks assessed appropriately. The BRA must take into account the risks that customers pose to the business and also the AML/CTF risks detailed by the regulatory framework, and where they are not applicable they should be noted as such. What I believe is the most important finding to come out is ensuring customer risk assessments and profiles are detailed and maintained, ensuring that all risks are covered in the BRA. I would advise that you assess your business against these findings and, if any matters are found, that a remedial programme is put in place and signed off by the Board, ensuring appropriate timescales and reporting are in place.


Briefing Note: Jersey Financial Services Commission Onsite Examination Findings.


The Jersey Financial Services Commission (“JFSC”) conducted an onsite examination of one of its fiduciary licensees which has resulted in a public statement being issued. The findings provide an insight into the areas that our sister Island regulator is focusing on and the regulatory action they are taking in respect of their findings. I believe that the key points of the onsite examination are as follows:

Anti-Money Laundering and Combatting Financing of Terrorism (“AML/CTF”)

The key points made in respect of the examination of the area of AML/CTF noted the following areas as failures to comply with the AML/CTF regulatory requirements:

  • Out of date CDD.
  • Lack of sufficient evidencing of source of funds and source of wealth.
  • Lack of evidence to demonstrate that CDD had been sufficiently evaluated.
  • Inadequate evidence of EDD having been undertaken on High Risk customers.
  • Inadequate evidence of the review of risk assessments.
  • Providing registered office only business and the issuance of Powers of Attorney with little control of the risks and oversight expected to be applied to these products.

An investigation was also undertaken into a customer entity that had received funds that may have been connected to a fraud. The investigation found the following matters of concern:

  • Mind and management not with the Jersey appointed Directors but with the beneficial owners.
  • Lack of questioning and properly understanding the activities of the customer entity.
  • Allowing payments to be made by the Customer entity without knowing or assessing whether adequate funds would be available to complete transactions.
  • Over reliance on the ultimate beneficial owners’ instructions and not challenging the rationale for acquiring assets.
  • Receiving loans which did not have formal loan agreements and were from entities that had the same beneficial owners.
  • Failing to understand the source of funds through the customer entity.
  • Failing to consider adverse information made available to it regarding the source of funds received by the customer’s entity.
  • Receiving funds without knowledge of the remitter and paying them out the next day.
  • Failing to keep adequate books and records for the customer entity.
  • Being re-active instead of pro-active in the management of the customer entity.

Breaches of the Code of Conduct of Trust Company Business

The key points that led to breaches of the Jersey regulatory framework and principles for the conduct of Trust Company Business were as follows:

  • Failing to act with skill, care and diligence.
  • Failing to evidence in writing decisions made.
  • Failing to identify conflicts of interests.
  • Failing to ensure adequate review procedures were implemented to monitor Trust Company Business.
  • Failing to maintain adequate internal systems and controls.
  • Failing to exercise an adequate level of Corporate Governance.

These failures led to remedial action having to be implemented as follows:

  • Directors stepping down and the appointment of new local Directors and a new Non-Executive Chairperson.
  • Review in conjunction with an external resource of the processes and procedures of the business to effect changes to strengthen its systems and controls.
  • Initiation of a review process of customer files to remedy customer due diligence deficiencies.
  • Remediation programme has been put in place to rectify issues identified by the investigation.

In conclusion, I believe that a robust compliance function and a compliance monitoring programme encompassing the regulatory framework would have alerted the business to its deficiencies and assisted in the evidencing of areas of concern that required remedial action that were subsequently identified by the JFSC. I recommend that the points raised are taken into account in any Financial Regulated or Registered Business and assessed against its current compliance framework. If you do find that you have issues of concern or that you cannot adequately evidence compliance to the regulatory framework, my advice is to form a remediation plan and inform the Commission as soon as practical. A problem shared is a problem halved. I cannot give any guarantees that you will not face regulatory sanction, but being open and honest has the potential to reduce or negate the use of regulatory sanctions, as William Mason, Director General, mentioned in his December 2013 address to the Industry. If the regulator in our sister Island is looking at these areas I believe that the Guernsey Commission will also be.

Is Client Due Diligence there to stop Criminals and Criminality?

Over the last few years of training people in the weird and wonderful world of AML/CTF I have noticed that people have become despondent with the subject. I will be the first to admit that it can be a pretty dry subject if not put across well. One of the areas of despondency that Licensees and their employees have with AML/CTF comes from the task of collecting Client Due Diligence (“CDD”). Will the collation of CDD actually stop criminals utilising the Bailiwick? Does this process have any effect on stopping criminality? With some Licensees believing that this burdensome exercise acts as a detriment to business, is this really the case or a misunderstanding?

Stopping criminality and criminals using the Bailiwick by obtaining a passport and utility bill is improbable. It is very unlikely that on production of these documents that they will inform you that they are a criminal and will be using your services and products for their criminality (I have only ever had one unsuccessful drug importer inform me what he was up to when stopped, but that’s another story). These documents are provided to criminals by Government agencies and Utility firms, legitimately, as it is the criminal’s human right after all to be able to live and travel and many do have legitimate incomes. Criminals will sometimes use fraudulent documents which I’m afraid are prevalent in today’s society. Fraudulent documents are cheap and easy to obtain and in today’s world of computer technology easy to produce to a very good standard, just look at the print quality of documents that you produce in your office on a day-to-day basis! Criminals have access to the same if not better technology. Criminals in my experience are only different from ourselves through their moral and ethical values. Ethical and moral values change throughout a person’s life due to the situations they find themselves in and therefore a legitimate customer at the start of a business relationship may change into a criminal. Unfortunately a passport or utility bill will not tell you if your customer will become a criminal at a later stage.

We are an International Finance Centre respected worldwide for our professionalism and the quality of our products and services and this will naturally be attractive to our customers and potential customers as well as criminals.  Our regulatory framework requires us to identify and verify our customers by obtaining CDD and in my opinion this is not only for us to know our clients and undertake checks to identify any adverse information on them but it also assists Regulators and Law Enforcement Agencies in preventing and detecting criminality and identifying the perpetrators.  By obtaining the required level of CDD when international requests for assistance in investigations are received by either our Regulator or Law Enforcement Agency, it will allow a licensee to react effectively and efficiently, searching their client database to establish if there is any connection or potential connection.

Our Law Enforcement Agency and the Regulator receive requests for assistance from overseas agencies and from my experience the requests are not always the most detailed or extensive and sometimes not totally accurate, this is not the fault of the overseas agency as they are only as good as the intelligence they receive from their sources.  From my time in the Financial Intelligence Service it has never ceased to amaze me that with a little information provided to our Licensees they are able to quickly identify if there is a connection or a potential connection to an enquiry, this is a credit to the professionalism of their employees and commitment in not allowing criminals to prosper.

In one case I dealt with the request for assistance was received from an overseas Law Enforcement Agency who could only provide the suspected person’s name which was very common and a potential address. Not expecting a lot I was surprised to get a phone call from a local financial institution that had a possible match on the suspected person. Relaying this information back to the overseas Law Enforcement Agency their amazement was evident. With a bit more investigative work and liaising between the parties involved it transpired that the local financial institution did have the person the overseas Law Enforcement Agency believed to be involved in criminality, an exercise made easier due to the financial institution having obtained the required CDD which also led to further details being discovered.

I have also been told on occasions by overseas agencies that they always like dealing with the Bailiwick as they are able to establish quickly if there is a connection to their suspect.   This greatly assists them in directing and managing their case and also any potential prosecution. Something positive for all stakeholders in our financial industry to take away with them!

We can safely say that the CDD documents we obtain will not stop criminals utilising the Bailiwick but as you can see they do act as a deterrent.  These documents won’t stop criminality but they will assist in the fight to detect and identify effectively and efficiently suspected criminals when we receive requests from our Law Enforcement Agency or Regulators. The assistance we give to the international community allows the Bailiwick to hold its head up high while discrediting the view held by some out there that we are a safe haven for criminals and their ill-gotten gains, and we do have our supporters out there.

Explaining my view on the necessity to collate these documents, Licensees and their employees are able to understand the vital importance that they and these documents play in deterring criminals and assisting the international community in the prevention and detection of crime. I hope I have removed the perception that the CDD collation exercise is worthless and burdensome to a business, while demonstrating that it is a worthwhile and a necessary part of doing business in a moral and ethical way. It is interesting to note the recent developments in the on-shore world to pass regulations in respect of identifying ultimate beneficial owners, something we have had in our regulatory framework and have been undertaking for a very long time!

Are we guilty of stopping investment in the developing world?

One of the questions that I am asked when undertaking Anti-Money Laundering and Combating Terrorist Financing (“AML/CTF”) training is “should we just stop dealing with areas and customers that have a higher risk of money laundering and terrorist financing”? Why is it that people believe that Licensees and Guernsey must stop any business that may have a higher risk of money laundering and terrorist financing? Has this led to a paranoia within our financial industry and could this be leading our industry to be potentially uncompetitive and lacking the entrepreneurial spirit that directors, management and compliance officers should aspire to? Most importantly, is our paranoia stopping us from providing investment into the developing world and allowing these people to remain in poverty?

The laws, regulations, codes, rules and guidance (“the Framework”) as published by the Guernsey Financial Services Commission (“Commission”) require that licensees have suitable and sufficient policies, procedures and controls for the products and services provided to customers in order to protect the Licensee and the Bailiwick of Guernsey from being susceptible to money launderers and terrorist financiers. Licensees must not avoid their responsibilities or manipulate the framework, but ensure that at all times they conduct their business within the Framework. The Commission does not prohibit engagement with higher risk clients or Licensees and their customers being engaged in sensitive activities that are of a higher risk of money laundering or terrorist financing, only that licensees mitigate the risks suitably and demonstrably.

The policies, procedures and controls of a Licensee must meet the minimum requirements of the Framework, though there is nothing stopping a licensee from exceeding these requirements. The Framework is merely requiring Licensees and their employees to be able to identify and verify their customers, understand the reason and rationale of their customer in order that they can assess whether the use of the product or service is reasonable. The Framework also ensures that the minimum required information on a customer is obtained and can be provided by the licensee expediently to Regulators or Law Enforcement if required.

The Licensee must assess its customers not on prejudice or paranoia but on a risk based approach at the start and during the business relationship, ensuring that they have sufficient knowledge and information on their client as required by their risk based approach and the Framework. Just because a customer is a higher risk of money laundering and terrorist financing does not necessarily mean that they are a criminal, just that the activities or the jurisdiction amongst other things may make the customer or their activities more susceptible to money laundering and terrorist financing and that more frequent monitoring is required to be undertaken.

There are many opportunities in the developing world that will not only allow our customers to prosper but also the people of these jurisdictions to also prosper and be able to move themselves out of poverty. Telecommunications, mining, agriculture and cash machines are some of the business propositions that I have seen being presented to licensees by their customers only to be met by the paranoia that these may expose the licensee to money laundering or terrorist financing and must be avoided or declined.

Should the question that licensees ask when they take on customers or provide products or services to a client relate to the Licensee’s knowledge and experience of the customer’s activity, and whether the policies, procedures and controls of the licensee are suitable and sufficient for this type of activity? If the answer is no, can the Licensee enhance their knowledge or policies, procedures and controls or oversight of the customer’s activity to become comfortable in undertaking the engagement?

By acting in paranoia it is the Licensee and their employees not the Commission or the Framework that is letting customers down and the people of these developing countries. In some ways it could be argued that we are allowing money laundering and terrorist financing to prosper by not engaging with the development of legitimate business and opportunities in these developing countries.

We can never eradicate money laundering and terrorist financing, but by ensuring that a Licensee’s policies, procedures and controls meet the requirements of the Framework I believe that they can engage with customers and activities that will provide a benefit to people in developing countries and enhance the living conditions and education for all. Would it not benefit these countries and people if by applying our high standards that money laundering and terrorist financing in all guises could be reduced?