Compliance

Reflections of 2016

Sara Barclay AML/CTF, Compliance, Compliance Monitoring, Corporate Governance, Due diligence, Guernsey , , ,

Compliance monkeyAs the sun gets lower, the evenings longer and we get closer to the end of a year I cannot help but think what a year it has been and begin to reflect.  For me personally it has been a year that has been full of hard work, assistance and resolution of problems and all this led me to the beautiful Island of Bermuda to undertake a contract for a client.  Not only a fantastic opportunity to show case my skills and knowledge but a joy to work for some fantastic people and meet old and new friends as well as to experience another regulatory culture. While I would rather be pondering the last year and this post from a pool in Bermuda instead of next to a fire on a brisk cold day, Guernsey still very much holds my heart, though Bermuda is a close second.

In looking to the challenges of the future and what the next year may hold for us is it time to reflect on the past year, the regulatory framework and what is needed to ensure that our business moves forward, prospers and continues to uphold the regulatory standards and meet future challenges, and there is no better way to do this than look back over the last year.

There have unfortunately been instances where the Guernsey Financial Services Commission (GFSC) has had to take enforcement action in 2016, never an easy decision but essential in today’s world to assist in the safeguarding and continual success of our international reputation and prosperity.  I do not think it is right to dissect these cases as these are disclosed on the GFSC website but rather look at what lessons can be learnt to avoid a repeat to our businesses and to protect the Directors and Stakeholders.

Risk, Identification and Verification

Most of these incidents reported by the Commission are in respect of Anti-Money Laundering and Counter Terrorist Financing (AML/CTF) within businesses.  That is not to say that all these incidents related to actual financial crime but rather that businesses were not meeting the standards and expectation imposed by our regulatory framework to ensure that verification documentation mitigated the risk of the Island being utilised by criminals.

The identification and verification of customers and controllers to a business relationship is a continuing matter that is reported by the GFSC.  In many cases business’s application of a “risk based approach” had failed to ensure that the due diligence and enhanced due diligence for customers and required parties to a business relationship or occasional transaction, had been obtained and met the standards required by the regulatory framework, inclusive of rules and guidance issued by the GFSC for certification and the suitability of certifiers. It must be remembered that wherever you are licensed you must meet that jurisdictions regulatory requirements as a minimum!

Monitoring and Sanctions

Periodic monitoring of customers was another area where businesses struggled.  It was found in some cases that this monitoring was not undertaken or if undertaken did not meet the regulatory requirements. It was found that risk assessments were inadequate and not reviewed as required by a business’s policy and procedures to meet the obligations of the GFSC, especially where customers had been assessed as high risk.  The review of the rationale for the business relationship and transactions undertaken was found to missing or inadequate, leading to the GFSC questioning whether appropriate and effective policies and procedures were in place inclusive of suspicious activity reporting.

The review of customers to Sanction lists was also noted as an area of concern. While this may be undertaken at the start of a relationship and periodically is it suitable just to wait for these trigger events?  Is the review of transactions subject to sanction screening to ensure that sanctioned legal persons or those entities that they control are not financed? It may be that the GFSC believe terrorist financing to be a low risk to the Bailiwick but this will do nothing to deter terrorist financiers if they find a gap in our defences.  A definite area I think the GFSC will look to assess when conducting on-site examinations and through thematic reviews in 2017, so be warned!

Corporate Governance

Corporate Governance has also come to the forefront not only in the AML/CTF area but also in more prudential assessments of a business.  In all cases enforced by the GFSC the findings go back to the corporate governance requirements of the regulatory framework with the accusation that directors failed to ensure that they acted to ensure that the business could meet the Guernsey regulatory requirements.  THE GFSC also in some cases questioned the independence and integrity of directors due to the regulatory failings identified.  Not only will this area come more to forefront with shareholder activist and the spotlight of international bodies but also from the GFSC to ensure that Directors are suitable and safeguarding Stakeholders and the business.

With the Guernsey regulatory framework changing to meet the international requirements which are evolving it is difficult for any Director to ensure that their Business remains compliant.  Businesses in this ever-changing environment are at risk of falling behind the times.  While only minor infringements of the regulatory framework may be the result, if these infringements are many, systemic and material they may require to be reported to the GFSC.  By the Board bringing these issues to the GFSC, in some cases, remediation without the threat of enforcement can be undertaken, it is after all in the GFSC interest that businesses remediate and enhance themselves to meet the regulatory framework.  It is best to be able to show and have evidence that the Board have discussed the issues affecting the business and the action to be undertaken rather than hearsay in any regulatory inquiry!

Reflections

So, reflect on this year, look at the enforcement cases to ensure that you do not fall foul of history, review your business plans and business assessments to make sure you have the policies and procedures in place to meet the regulatory framework and the requirements of the Business.  Review the Compliance function is it suitable and sufficient? Consider its independence or whether there needs to be independent oversight or outside assistance?  Does the compliance monitoring facilitate management information that is required for Directors to undertake their duties and safeguard the business and stakeholders?  Look outside of your own regulatory regime to other sectors as if something is happening in one there is a good chance that those developments will feed in to your own sector’s regulatory requirements.  Look outside to other jurisdictions as developments there may impact on the regulatory framework where you are.

If you have a last Board meeting of 2016 or even an early 2017 Board meeting set the agenda to reflect on 2016 ensuring that history does not repeat itself. If you do find that you are not in compliance, please ensure that you have the issues and remediation documented whether you consider it material or not to report to the GFSC.

Dear Board, don’t engage me to undertake your outsource compliance requirements until you have read this!

Sara Barclay Compliance, Corporate Governance, Guernsey , , , , , , , , ,

Compliance monkeyGuernsey has an amazing regulatory framework which has become quite a selling point with financial service businesses offering their products and services and those financial service businesses wanting to come and have operations here. Some will utilise outsource compliance professionals to assist them with the cost of set up, on-going costs,  ensuring their business can have knowledgeable and professional persons on-board while it establishes and grows its presence and offerings. Even established firms may need extra compliance support in their business to be able to ensure that they can at all times remain compliant with the Guernsey regulatory framework or ensure that remediation is appropriate and effective.

In the last year the use of outsource compliance professionals has come to the forefront of the regulatory radar, instances of their failure having been identified as contributing to businesses failing to adhere to the regulatory framework. There have been numerous communications from the Commission to the industry on the issues surrounding the requirements for utilising an outsourced compliance professional and failures where this has not been met, showing that the Commission are treating this seriously.

At the end of the day the responsibility for compliance to the regulatory framework is laid firmly at the feet of the Board and they are the first point of call when failings or regulatory deficiencies are identified by the Commission. The need to ensure a Licensee is meeting the regulatory requirements forms at the most basic level with the minimum criteria of licensing as well as being mentioned throughout the regulations, codes instructions, and guidance issued by the Commission.

So what needs to be considered by Boards? Here are some questions to be asked but at all times refer to the legislation regulations, rules,instruction and codes that pertain to your business and licence.

Prior to any engagement consider these points.

You wouldn’t employ anyone to undertake the role in a full-time capacity so why would you chose anyone to do your outsource function?

Prior to any engagement do your due diligence on the outsource company/ person, the person who will be your appointed compliance representative and the people who will be doing the work. At the very minimum the person who will be undertaking the work needs to be suitably qualified and knowledgeable of the area your business operates in and the regulatory rules that pertain to your licence.  You will need to ensure that you can evidence that they have been appropriately screened as you will be expected to have been as diligent with your provider as with your own staff!

You wouldn’t employ anyone who doesn’t have the time for your business?

Prior to any engagement you need to work out how much time will be required. This will change from the role that compliance professional will undertake, as an example an outsourced MLRO will have different time requirements to a compliance professional assisting with licensing.

When you actually look at it, if you have a compliance professional for two hours a week it would take them eighteen weeks to achieve one thirty-six hour working week in your business! Obviously cost is a major factor in this assessment and knowledge and experience never come cheap. The time any compliance professional spends on your business must be commensurate to the size, complexity and nature of your business and the role undertaken.

You need to be aware that a compliance professional will also be working for other firms, there is obviously a risk regarding resources. If their clients require more time or the outsource provider or person undertaking the role has issues with resources will you be affected? You need to ensure that there are controls in place or a plan B to mitigate these risk.

You wouldn’t have any old agreement?

You need to ensure that the outsource agreement meets the requirement of the Guernsey regulatory framework and is legally binding. The Board cannot discharge its responsibilities only delegate the work, it is often a good idea to have a Guernsey Advocate firm look over any agreement, especially if the Board are not familiar with Guernsey Law or this area.

During any engagement consider these points.

You wouldn’t want to be assessed by any old criteria, what criteria is the business or business area being assessed to?

Again this depends on the role you are utilising the outsourced compliance professional for, but you need to know how they are monitoring you and to what standard.  The Board must make sure that it can evidence and satisfy itself and the Commission that the Guernsey regulatory framework requirements have been met.

You wouldn’t want any report, do the reports provided give the full picture of the work being undertaken?

The reports that are provided to the Board must be meaningful and contain accurate management information. This allow the Board to see the whole picture of their business or the area that the outsourced provided has been contracted to service and assess the level of compliance to the regulatory framework. If areas or remediation work have been identified are the Board kept appropriately up to date?

You wouldn’t want to keep on anyone who isn’t performing, is the outsource provider performing to the required standards?

Throughout any engagement the Board must consistently monitor and evidence its monitoring of the outsource provider and/or those undertaking the work for the Licensee. Is the Board satisfied with the work undertaken, is the monitoring of the business meeting the requirements of the Guernsey regulatory framework, has the business changed in its complexity, nature or size and is the person doing the role still suitable?

The most important aspect to any outsource relationship is that you have the right person/firm, they add something to your business, provide you with the accurate management information, they get on with you and are honest to you regarding their business and yours. By hopefully considering and evidencing these requirements a Board will be able to show that they have acted to ensure that their business meets the requirements of the Guernsey regulatory framework. In the unfortunate case where things have not worked out the Board will be able to evidence that they were aware of the issues at the earliest opportunity and have acted to mitigate any non-compliance and remediate the situation.

The Sum of All the Parts

Sara Barclay AML/CTF, Compliance, Due diligence, Guernsey , , , , , ,

Compliance monkeyThe Guernsey Anti-Money Laundering and Countering Terrorist Financing (“AML/CTF”) framework has continually developed to take in to account good practice, external pressures, requests and recommendations of onshore governments, quangos and international organisations  to ensure that financial crime in all its guises is effectively tackled. The Commission have sought to and I would say that they have largely achieved a cohesive framework that effectively mitigates against the use by criminals of Guernsey as an international finance centre while not over burdening the Financial Service Business operating here.

This cohesive framework has been achieved over the course of the years by open dialogue with local industry bodies, licensees and working effectively and productively with those outside of Guernsey to achieve a proportionate approach for  the products and services that are provided to clients wishing to utilise the jurisdiction. Most notably in 2013 the AML/CTF framework in Guernsey changed extensively and this resulted in general insurance products being removed, but did it remove all the products and services that can classified as General Insurance?

With regard to the Insurance sector in Guernsey, a legal entity can be licensed for general business or for long-term business. Long term business is defined in the Insurance Business (Bailiwick of Guernsey) Law, 2002 as contracts on human life, human longevity, marriage and birth, linked long-term, permanent health, capital redemption, pension fund management and credit life assurance. Due to the nature and the requirements of some clients, an insurance licensee with a general business categorisation may want to offer some of these products to their clients to supplement the range of products and services they currently or can offer their clients, but without the need to be licensed for long-term business.  Section 2(4) of the Insurance Business (Bailiwick of Guernsey) Law, 2002 does allow for an Insurance licensee to elect that a contract for a term of not more than 18 months that may be regarded as a long-term business contract and can be deemed to be general business.

This would appear to allow a general insurer to fit such products into their licence requirements e.g. general insurance, without the requirements to adhere to the Guernsey AML/CTF framework as per the changes that were made to the Commission’s AML/CTF Handbook (” Commission’s Handbook”), in 2013.  It should be noted that the treatment of these products, though allowed to be done in certain circumstances by an Insurance licensee does not change the definition of those products in the Insurance Business (Bailiwick of Guernsey) Law, 2002.

In the Criminal Justice (Proceeds of Crime) (Bailiwick of Guernsey) Regulations, 2007 at schedule 1 it states that a Financial Services Businesses for the purposes of the Regulations are detailed in part 1 of the schedule, except where they are incidental or are other activities as listed at Part 2 of the Schedule. Part 1 of the schedule includes the carrying on of “Long Term Business as defined by the Insurance Business (Bailiwick of Guernsey) Law, 2002 as being a Financial Services Business for the purposes of the Regulation and the Commission’s Handbook, it does not include any change in the treatment of an Insurance product by an Insurance Licensee. The Commission’s Handbook at section 4.8 specifically deals with the treatment of life or other investment linked insurance policies and as such these appear to directly fall in to the Guernsey AML/CTF regime. Effectively this is saying that if a product falls under the long-term definition stated in the Insurance Business (Bailiwick of Guernsey) Law, 2002 though a Licensee it may regard it as being General business they remain subject to the AML/CTF Regulations. Thus a licensee must adhere to the requirements of the Commission’s Handbook and AML/CTF framework when dealing with such products.

The sum of all these parts would indicate that an Insurance licensee effecting or carrying out life or other long-term products regardless of how a Licensee may be able to classify these products as general business under the Insurance Business (Bailiwick of Guernsey) Law, 2002, they would still fall under the AML/CTF regulations and Commission’s Handbook by way of the requirements of the Criminal Justice (Proceeds of Crime) (Bailiwick of Guernsey) Regulations, 2007 held at schedule 1. An Insurance Licensee regardless of how it treats such products under its licence would be required to have in place an effective AML/CTF framework.  A licensee must be able to evidence the suitability of its AML/CTF framework and compliance with the AML/CTF requirements pertaining to its business to the Commission.

An Insurance licensee must ensure that at all times they meet the requirements for the minimum criteria for licensing, schedule 4 of the Insurance Business (Bailiwick of Guernsey) Law, 2002. This includes a requirement to meet and adhere to any rules, codes, guidance, principles and instructions issued from time to time under any other enactment as may be applicable to the business, and this would also be inclusive of the Guernsey AML/CTF framework.