Paradise Papers – Seeing the Wood for the Trees

logoThe now infamous “Paradise Papers” contain personal data obtained from Appleby’s Bermuda office via an illegal hack. This data in part details the utilisation of International Finance Centres (IFC), by high net worth persons and corporates, for tax mitigation purposes. This post makes no comment on the legality or otherwise of using such data. Nor, is it a commentary about tax havens vs IFCs, the ethical considerations of society, and the freedoms for legal persons to engage in trade or invest in or through an IFC. Our focus instead is the failings that Trustees, Foundation Officials, Directors and Employees in Financial Services Businesses (FSB) must learn from in the wake of this saga. We do not purport to be a tax experts and so have not commented on the validity or otherwise of any advice given whether regarding tax or structuring. Our intention is to look at the compliance and “good business practice” considerations at the heart of good corporate governance. With offices in Guernsey, Jersey and having experience of  working in Bermuda we believe analysis of legal and regulatory frameworks by jurisdiction offers a less valuable insight than a clear understanding of the general principles and terms of good corporate governance.

 
Tax Advice
In order for Trustees, Foundation Officials and Directors to fulfil their responsibility and work in the best interest of their clients they must understand and follow the professional tax advice received. They must evidence that they are compliant with this advice and periodically, depending on the type of arrangement they are administering or controlling, ensure that they have up-to-date tax advice on file. They must also evidence that these arrangements remain legal and all tax liabilities are settled when due. The following are instances where those responsible may find that they have failed to attain an appropriate standard:

• Legal arrangements over time becoming tax non-compliant;
• Legal arrangements set up with draft tax advice without the advice ever being formalised;
• Legal arrangements undertaking new activities outside the scope of the original tax advice;
• Failure to follow tax advice fully, e.g. the non-repayment of a commercial loan arrangement;
• Tax advice provided by those who are not appropriately qualified;
• Tax advice held by the client but never shown to the Trustees, Foundation Officials and Directors.

Control
To ensure tax and legal compliance the Trustees, Foundation Officials and Directors must exert control. Here again to fulfil their responsibilities they must clearly document evidence that they have overarching control of the activities of the legal arrangement. The following are instances where those responsible may find that they have failed to attain an appropriate standard:

• Beneficiaries committing the legal arrangement to a business arrangement without due consideration and approval of the Trustees, Foundation Officials and Directors in the first instance;
• Those responsible acting without due consideration;
• Those responsible committing the legal arrangement to business activities which do not accord with the arrangement’s rationale;
• Those responsible lack sufficient independence from the client;
• Those responsible are unable to evidence their control of the assets and/or activities of the arrangement.

Investments
The Paradise Papers have also raised questions regarding the suitability and legality of investments undertaken by legal entities. Trustees, Foundation Officials and Directors must ensure that the investments or business activities undertaken by the entity are in line with its intended purpose. Those responsible must also ensure the legality of any investment or business activity does not breach any international sanctions. Though investments or business activities do not require due diligence to the same standard of beneficial ownership due diligence, sufficient research and evidence must be attained to ensure such activity is in the best interest and in line with the objective of the legal arrangement. At the same time sufficient checks must be undertaken to ensure legal compliance and suitability with its objectives both at initiation and on an on-going basis thereafter. The following are instances where those responsible may find that they have failed to attain an appropriate standard:

• Investing or engaging in a business relationship with legal entities related to a sanction regime or jurisdiction;
• Not undertaking sufficient due diligence to ensure that the investment or business engagement does not involve sanctioned legal persons or sanctions breaches;
• Investing or business relationships that are out of line with the entity’s purpose.

Source of Wealth and Funds
Trustees, Foundation Officials and Directors must ensure that they have sufficient understanding and evidence of their clients’ Source of Wealth and Funds (commensurate with their risk classification) to prevent and detect criminality and terrorist financing. Understanding the origin of assets and their usage assists those responsible in forming a picture of the true beneficial ownership, intention and nature of the relationship. This also allows those responsible to have sufficient transparency and enable effective reporting required by international regulatory and legal bodies.

 
Ethics of Doing Business
Those responsible must ensure that they have given ethical consideration to the activities of any legal arrangement. Ethical considerations must accord with the documented risk appetite and it must be understood that legal arrangements engaged in aggressive tax mitigation or higher risk industries pose a higher reputational risk to the Trustees, Foundation Officials and Directors, their business and those of the jurisdictions in which they are active. As such, these relationships must be properly understood and documented as they may be open to future challenge.

 
The ethics of doing business must also consider whether sufficient knowledge, qualifications and experience are inherent in those responsible. Trustees, Foundation Officials and Directors must document and evidence their consideration of whether a business relation, either new or continuing is within their realm of knowledge, understanding and experience. Where this is not the case they should remove themselves from responsible positions or obtain suitably experienced individuals as their replacement.

 
The integrity and professional actions of those responsible will ultimately be assessed by the authorities to ensure that the best interests of stakeholders have been met at all times. This responsibility includes timely reporting of non-compliance with appropriate authorities.

 
Compliance
While the Trustees, Foundation Officials and Directors remain responsible and accountable for both and their own and the legal arrangements activities, a suitably resourced compliance function is required to assist and advise. Compliance must be a proactive force within a FSB rather than merely a tick box exercise. It must assist in ensuring that the business has attained appropriate tax and legal advice as well as ensuring it is understood and followed. Those responsible must demonstrate the required control and oversight of activities undertaken for and on behalf of the legal arrangement. Findings and recommendations must be reported back to those responsible and any remediation must be tracked to ensure that the business can demonstrate compliance, integrity and appropriate levels of knowledge and understanding of the entity’s activities.

 
Data Security
The Paradise Papers also clearly highlight the importance of implementing suitable and sufficient data security controls to protect stakeholders. These controls are not just IT system-focussed and must include effective staff training to reduce the risk of an unintentional data leak. Data security systems and processes must be monitored, tested and kept up-to-date. It goes without saying that failure to implement an efficient and effective control environment may lead to a catastrophic loss of data with disastrous reputational consequences for all stakeholders. FSB’s must also be aware and ensure that any 3rd parties who hold data do so effectively and have the necessary safeguards and review processes.

 
Conclusion
Compliance monkeyIFCs adhere to international standards and best practice. While recent data hacks have revealed that there are practitioners out there who have not abided by these requirements, the vast majority are conscientious and highly professional.

However, the current political backdrop is unfavourable to offshore jurisdictions and we should expect greater scrutiny in our professional activities for the foreseeable future. Applying the highest standards of corporate governance is our best path to a successful future.
If you have any concerns or would like to know more please either contact myself or Redwood Offshore

logo

 

Advertisements

Reflections of 2016

Compliance monkeyAs the sun gets lower, the evenings longer and we get closer to the end of a year I cannot help but think what a year it has been and begin to reflect.  For me personally it has been a year that has been full of hard work, assistance and resolution of problems and all this led me to the beautiful Island of Bermuda to undertake a contract for a client.  Not only a fantastic opportunity to show case my skills and knowledge but a joy to work for some fantastic people and meet old and new friends as well as to experience another regulatory culture. While I would rather be pondering the last year and this post from a pool in Bermuda instead of next to a fire on a brisk cold day, Guernsey still very much holds my heart, though Bermuda is a close second.

In looking to the challenges of the future and what the next year may hold for us is it time to reflect on the past year, the regulatory framework and what is needed to ensure that our business moves forward, prospers and continues to uphold the regulatory standards and meet future challenges, and there is no better way to do this than look back over the last year.

There have unfortunately been instances where the Guernsey Financial Services Commission (GFSC) has had to take enforcement action in 2016, never an easy decision but essential in today’s world to assist in the safeguarding and continual success of our international reputation and prosperity.  I do not think it is right to dissect these cases as these are disclosed on the GFSC website but rather look at what lessons can be learnt to avoid a repeat to our businesses and to protect the Directors and Stakeholders.

Risk, Identification and Verification

Most of these incidents reported by the Commission are in respect of Anti-Money Laundering and Counter Terrorist Financing (AML/CTF) within businesses.  That is not to say that all these incidents related to actual financial crime but rather that businesses were not meeting the standards and expectation imposed by our regulatory framework to ensure that verification documentation mitigated the risk of the Island being utilised by criminals.

The identification and verification of customers and controllers to a business relationship is a continuing matter that is reported by the GFSC.  In many cases business’s application of a “risk based approach” had failed to ensure that the due diligence and enhanced due diligence for customers and required parties to a business relationship or occasional transaction, had been obtained and met the standards required by the regulatory framework, inclusive of rules and guidance issued by the GFSC for certification and the suitability of certifiers. It must be remembered that wherever you are licensed you must meet that jurisdictions regulatory requirements as a minimum!

Monitoring and Sanctions

Periodic monitoring of customers was another area where businesses struggled.  It was found in some cases that this monitoring was not undertaken or if undertaken did not meet the regulatory requirements. It was found that risk assessments were inadequate and not reviewed as required by a business’s policy and procedures to meet the obligations of the GFSC, especially where customers had been assessed as high risk.  The review of the rationale for the business relationship and transactions undertaken was found to missing or inadequate, leading to the GFSC questioning whether appropriate and effective policies and procedures were in place inclusive of suspicious activity reporting.

The review of customers to Sanction lists was also noted as an area of concern. While this may be undertaken at the start of a relationship and periodically is it suitable just to wait for these trigger events?  Is the review of transactions subject to sanction screening to ensure that sanctioned legal persons or those entities that they control are not financed? It may be that the GFSC believe terrorist financing to be a low risk to the Bailiwick but this will do nothing to deter terrorist financiers if they find a gap in our defences.  A definite area I think the GFSC will look to assess when conducting on-site examinations and through thematic reviews in 2017, so be warned!

Corporate Governance

Corporate Governance has also come to the forefront not only in the AML/CTF area but also in more prudential assessments of a business.  In all cases enforced by the GFSC the findings go back to the corporate governance requirements of the regulatory framework with the accusation that directors failed to ensure that they acted to ensure that the business could meet the Guernsey regulatory requirements.  THE GFSC also in some cases questioned the independence and integrity of directors due to the regulatory failings identified.  Not only will this area come more to forefront with shareholder activist and the spotlight of international bodies but also from the GFSC to ensure that Directors are suitable and safeguarding Stakeholders and the business.

With the Guernsey regulatory framework changing to meet the international requirements which are evolving it is difficult for any Director to ensure that their Business remains compliant.  Businesses in this ever-changing environment are at risk of falling behind the times.  While only minor infringements of the regulatory framework may be the result, if these infringements are many, systemic and material they may require to be reported to the GFSC.  By the Board bringing these issues to the GFSC, in some cases, remediation without the threat of enforcement can be undertaken, it is after all in the GFSC interest that businesses remediate and enhance themselves to meet the regulatory framework.  It is best to be able to show and have evidence that the Board have discussed the issues affecting the business and the action to be undertaken rather than hearsay in any regulatory inquiry!

Reflections

So, reflect on this year, look at the enforcement cases to ensure that you do not fall foul of history, review your business plans and business assessments to make sure you have the policies and procedures in place to meet the regulatory framework and the requirements of the Business.  Review the Compliance function is it suitable and sufficient? Consider its independence or whether there needs to be independent oversight or outside assistance?  Does the compliance monitoring facilitate management information that is required for Directors to undertake their duties and safeguard the business and stakeholders?  Look outside of your own regulatory regime to other sectors as if something is happening in one there is a good chance that those developments will feed in to your own sector’s regulatory requirements.  Look outside to other jurisdictions as developments there may impact on the regulatory framework where you are.

If you have a last Board meeting of 2016 or even an early 2017 Board meeting set the agenda to reflect on 2016 ensuring that history does not repeat itself. If you do find that you are not in compliance, please ensure that you have the issues and remediation documented whether you consider it material or not to report to the GFSC.

Instruction 01/2016

Compliance monkeyThe Commission have released their latest Business from Sensitive Sources Instruction, no 01/2016 (“the Instruction”) for Financial Services Businesses and Prescribed Businesses replacing the previous instruction 04/2015 that was issued back in November 2015.  The upshot is that Myanmar, Loa PDR and Vanuatu are now included in Part B of the Instruction which lists countries and territories with improving Global AML/CTF Compliance, while Algeria, Angola and Panama have been removed altogether from the Instruction. For Financial Services Businesses and Prescribed Businesses, it would appear to be that they can now apply a risked based approach to relationships or transaction through or from Myanmar, Loa PDR and Vanuatu, and as much is said in the Commission’s statement on their Instruction, but is that really the case?

A quick look at Chapter 3 of the Handbook and rule 58 sets out the Commissions requirement for designating high risk Business Relationships or Occasional Transactions.  These characteristics are those identified in section 1 (a) to (c) of Regulation 5 of the Criminal Justice (Proceeds of Crime) (Bailiwick of Guernsey) Regulations, 2007, as amended (“the Regulations”) and also those connected with Parts A or Part C of the Business from Sensitive Sources issued by the Commission. At first glance it would therefore appear that Business Relationships or Occasional Transactions with Myanmar, Loa PDR and Vanuatu do not necessarily need to be high risk as they are on Part B of the instruction.

What is important to realise is that section 5 (1) (c) (i) of the Regulation states that customers established in or situated in a country or territory that does not apply or insufficiently applies the Financial Action Task Force (“FATF”) recommendations on Money Laundering must be designated as high risk.  As part B of the Instruction relates to countries or territories who are improving but not meeting the FATF requirements on Money Laundering it would indicate to me that Myanmar, Loa PDR and Vanuatu, still require to designated as high risk in order that a Financial Service Business or a Prescribe Business can meet their obligations under the RegulationTO13-3s.

If this is not confusing enough for any Director, Compliance/ Risk Officer or Money Laundering Reporting Officer, please also be aware of your banking arrangements and relationships.  Though this Instruction on the face of things allows you to apply a risk based approach which may or may not be in line with the requirements of the Regulations, your Bankers may not deem these jurisdictions to be anything other than high risk.  You may have decided as a business to apply a risk based approach but if this is not in line with your Bankers you may find yourself in bother.

The only advice I can give is make sure that your risk designation of a client meets the requirements of the regulations and that of your Bankers.

Dear Board, don’t engage me to undertake your outsource compliance requirements until you have read this!

Compliance monkeyGuernsey has an amazing regulatory framework which has become quite a selling point with financial service businesses offering their products and services and those financial service businesses wanting to come and have operations here. Some will utilise outsource compliance professionals to assist them with the cost of set up, on-going costs,  ensuring their business can have knowledgeable and professional persons on-board while it establishes and grows its presence and offerings. Even established firms may need extra compliance support in their business to be able to ensure that they can at all times remain compliant with the Guernsey regulatory framework or ensure that remediation is appropriate and effective.

In the last year the use of outsource compliance professionals has come to the forefront of the regulatory radar, instances of their failure having been identified as contributing to businesses failing to adhere to the regulatory framework. There have been numerous communications from the Commission to the industry on the issues surrounding the requirements for utilising an outsourced compliance professional and failures where this has not been met, showing that the Commission are treating this seriously.

At the end of the day the responsibility for compliance to the regulatory framework is laid firmly at the feet of the Board and they are the first point of call when failings or regulatory deficiencies are identified by the Commission. The need to ensure a Licensee is meeting the regulatory requirements forms at the most basic level with the minimum criteria of licensing as well as being mentioned throughout the regulations, codes instructions, and guidance issued by the Commission.

So what needs to be considered by Boards? Here are some questions to be asked but at all times refer to the legislation regulations, rules,instruction and codes that pertain to your business and licence.

Prior to any engagement consider these points.

You wouldn’t employ anyone to undertake the role in a full-time capacity so why would you chose anyone to do your outsource function?

Prior to any engagement do your due diligence on the outsource company/ person, the person who will be your appointed compliance representative and the people who will be doing the work. At the very minimum the person who will be undertaking the work needs to be suitably qualified and knowledgeable of the area your business operates in and the regulatory rules that pertain to your licence.  You will need to ensure that you can evidence that they have been appropriately screened as you will be expected to have been as diligent with your provider as with your own staff!

You wouldn’t employ anyone who doesn’t have the time for your business?

Prior to any engagement you need to work out how much time will be required. This will change from the role that compliance professional will undertake, as an example an outsourced MLRO will have different time requirements to a compliance professional assisting with licensing.

When you actually look at it, if you have a compliance professional for two hours a week it would take them eighteen weeks to achieve one thirty-six hour working week in your business! Obviously cost is a major factor in this assessment and knowledge and experience never come cheap. The time any compliance professional spends on your business must be commensurate to the size, complexity and nature of your business and the role undertaken.

You need to be aware that a compliance professional will also be working for other firms, there is obviously a risk regarding resources. If their clients require more time or the outsource provider or person undertaking the role has issues with resources will you be affected? You need to ensure that there are controls in place or a plan B to mitigate these risk.

You wouldn’t have any old agreement?

You need to ensure that the outsource agreement meets the requirement of the Guernsey regulatory framework and is legally binding. The Board cannot discharge its responsibilities only delegate the work, it is often a good idea to have a Guernsey Advocate firm look over any agreement, especially if the Board are not familiar with Guernsey Law or this area.

During any engagement consider these points.

You wouldn’t want to be assessed by any old criteria, what criteria is the business or business area being assessed to?

Again this depends on the role you are utilising the outsourced compliance professional for, but you need to know how they are monitoring you and to what standard.  The Board must make sure that it can evidence and satisfy itself and the Commission that the Guernsey regulatory framework requirements have been met.

You wouldn’t want any report, do the reports provided give the full picture of the work being undertaken?

The reports that are provided to the Board must be meaningful and contain accurate management information. This allow the Board to see the whole picture of their business or the area that the outsourced provided has been contracted to service and assess the level of compliance to the regulatory framework. If areas or remediation work have been identified are the Board kept appropriately up to date?

You wouldn’t want to keep on anyone who isn’t performing, is the outsource provider performing to the required standards?

Throughout any engagement the Board must consistently monitor and evidence its monitoring of the outsource provider and/or those undertaking the work for the Licensee. Is the Board satisfied with the work undertaken, is the monitoring of the business meeting the requirements of the Guernsey regulatory framework, has the business changed in its complexity, nature or size and is the person doing the role still suitable?

The most important aspect to any outsource relationship is that you have the right person/firm, they add something to your business, provide you with the accurate management information, they get on with you and are honest to you regarding their business and yours. By hopefully considering and evidencing these requirements a Board will be able to show that they have acted to ensure that their business meets the requirements of the Guernsey regulatory framework. In the unfortunate case where things have not worked out the Board will be able to evidence that they were aware of the issues at the earliest opportunity and have acted to mitigate any non-compliance and remediate the situation.

F1- Team Guernsey

Singapore F1The excitement of the Singapore Grand Prix has only be heightened by the restriction on what information can be passed to the Drivers. This addition to the regulations has come about as a result of what the fans and the controllers of Formula 1 believe is the driving of the car from the pit wall rather than the Driver actually driving and racing. To me, though the cars are complex, it is the Drivers who have the best perspective and the feel of what is going on around them in order to make the winning or best decisions, as we saw with Hamilton in Monza, who then capitalised on the situation and went on to win the race.

I don’t think it can be questioned that Guernsey is racing in the Formula 1 of Financial Centres globally, or that it has developed a high standard of regulation to be adhered to, while flexible enough to allow businesses to develop and have an advantage over other competing jurisdictions. One of the concerns that I am spoken to about and have previously posted on is whether the Directors and Partners of our Financial Service Businesses are becoming controlled by Compliance Officers and departments, and that essential business decisions are being curtailed and taken out of the hands of these Drivers.

The Board or Partners of a business must work to achieve the aims and objectives that have been set down. To do this they must obtain suitable and sufficient management information to assess whether opportunities are able to be taken. This information does not just come from the compliance department or officer but from a whole host of potential reports from committees and operational units.  They are listening, analysing and digesting all this information in much the same way that a racing driver pre-race will do with his team.  The strategies will be discussed and engineers and technicians will provide reams of information to allow the drivers to realise their strengths and weaknesses and those of the opposition. Drivers must also be aware of the regulations and where the track limits are and what is acceptable and what will be punished and penalised.

It then comes down to the race. Though the reports from the data sources are important to the team and must be continually analysed to ensure that the engines and electrical systems are performing as well as identifying and managing potential issues as they happen. The most important feedback though comes from the Drivers, who feel the track, the car and can see the tyres and the degradation, while eyeing the competition, corners and hazards.  The Directors and Partners are the drivers seeing through their visors the race as it develops, more than a compliance officer, the operational staff and support services, who remain in the pits or the pit wall, working hard behind the scenes and preparing for any eventuality that may occur and ensuring the strategy remains on track. This is why there is a need to have effective management information that is relevant, short and succinct for the Drivers who are racing.

At the end of the day it is up for the drivers to decide how to use the information they receive, some will push too hard and end up in the barriers, blow their engines or destroy their tyres. Blowing the engine or planting yourself into a barrier ensures that the race is over and for a financial service business it potentially means a total rebuild of the business, legal expenses and a loss of reputation. If the Directors or Partners act recklessly or with a cavalier attitude why would an investor or customer place their money or assets with the business? Destroying your tyres means that the driver can continue the race but they will be slower and need to pit stop more, allowing the competitors to seize the advantage, potentially the sponsors as well if the poor performance continues.  We have already seen this year in F1 how sponsors and investors have left or sold their holdings as well as the threats of doing so due to legal proceedings relating to the sport.

By over controlling the drivers or providing them with excessive information or information that is not succinct there are two possible outcomes.

  • The Driver cannot race effectively and take advantage of the opportunities as they arise with the potential of not seeing the hazards ahead or;
  • The Driver does not understand the severity of what they are being told or chooses to ignore the information, acting recklessly they or the team are penalised.

For the Directors and Partners this has the potential of substandard performance to potential legal and regulatory action against them and the business.

2014 SingaporeAs Sterling Moss said before the 2014 Singapore Grand Prix “to win the race you must be the first home”, and to do this the Drivers must have the freedom to race while also respecting the information that they are receiving. For any Director or Partner to have the right information delivered at the right time will assist them in driving the race to their full potential and to bring the race home, while minimising regulatory and legal exceptions or issues that may inhibit them being the first home. Drivers need to have the trust in their teams to continually advance the car to the changing regulations.  The team must provide the Driver with appropriate and effective information so that they can run to the regulations.

The trust developed between the compliance function as well as the other functions of the Business with the Directors and Partners is essential and will assist in the development of the business and the achieving of the Businesses aims and objectives in and effective and efficient manner. Undoubtedly in any season there will be set backs, but for any Driver to have trust and respect of their team reciprocated means that these setbacks can be overcome, potentially without detriment to their championship hopes. Most importantly this cohesiveness will allow the team to focus on the future, perfecting their car to ensure that they remain competitive providing the best outcome for their sponsors and greatest potential to win points and achieve the rewards, Team Guernsey must aspire to this.  Failure to let the Driver race can lose you the race or race advantage the same as the Driver not accurately analysing the right information provided succinctly to manage the car.

Thoughts for the week ahead.

After a great time on or in the Ocean this weekend here are some thoughts for the week ahead.

Thoughts for the Week ahead

Review to your policies and procedures as well as the regulatory framework applicable to your business.

Record and evidence your findings. Where you can not meet the regulations have you thought of the Comply or Explain principle?

Report to the Directors and the Board effectively and accurately.

Remediate areas of non-compliance and put your two cents in to assist the business remediate effectively.

Have fun and most importantly enjoy!

Don’t change for the sake of change!

It has been an interesting few weeks with lots of nervous Directors concerned with their compliance functions and wondering what to do in light of the recent Commission’s findings and fines that have been publically issued. What must be remembered is that the Directors are responsible for the compliance function and framework (Chapter 2 of the Commission’s Handbook’s) of their business and not the consultants they may employ.  So what needs to be done?

Don’t Panic! There really is little point in panicking and it will only tend to make things worse. Panicking only creates more fears, which may not be justified in some cases, fear then leads to aggression and that only leads to breakdown in communication. The key in gaining an understanding of what has happened and where your business may sit in the regulatory framework will be down to communication with your compliance provider.

Review your compliance framework. Are you satisfied that you have all the evidence to support the previous findings of your compliance function provided by your consultants? Does their review go far enough and look at all the areas of the regulation that pertains to your business? Are they evidencing their findings suitably to back up their conclusions? At the end of the day your compliance framework is your responsibility and you need to evidence that you are satisfied with it, those that undertake the review role and that you have oversight to control it.

I have previously had licensees who would sit down with me during the year and go through my monitoring programme and how they correlated to the reports I was providing them. The positive was that it gave them comfort and evidenced to the Commission that they had true oversight and control of their compliance framework.

Communicate clearly and calmly. This is important, the oversight review you have done will provide you with questions that you need to have satisfied.  In light of the recent Commission actions and public statement released, you will also need to know the facts of what happened and why it happened as you need to assess if you could find yourself in the same situation of being incorrectly reported to on the regulatory requirements.

Even if your provider was not concerned in the recent Commission’s action you need to ensure that they would not put your business in jeopardy. It is important that from your review you can put any queries or concerns across in a calm manner. Your consultants may be defensive but the discussion needs to be open and honest so you can establish the facts. It is vital that your consultants and/or their management have the ability to constructively deal and satisfy any questions or concerns you may have.

Potential areas to discuss and obtain evidence on. Are you satisfied with the work that has been and continues being undertaken? Do you need to increase the time that the consultants provide to your business? Is the compliance monitoring utilised to assess your business suitable? Do the reports provided to you evidence the review that has been undertaken and do they cover the requirements of the regulatory framework? Are you getting the service that you require and want, remember you are the customer here!

Are the consultants suitably qualified or knowledgeable in the areas pertaining to your business, and have you got the evidence? It is always best to assume that you need enough information to satisfy yourself as you would for any of your employees. Your compliance consultants will be able to provide you with evidence of the consultant’s qualifications and suitability.  I was always more than happy to provide my certificates to licensees as I am very proud of what I have achieved!

Review, assess, conclude and evidence. Once you have the responses to your queries and concerns, you will be in a situation where you can review and assess where your current framework is and where it is going. You may be satisfied that everything is suitable or your compliance consultants are making changes to bring their game up for you and are able to service your requirements appropriately going forward. You may find that it’s time to bring your compliance function in-house wholly or partially, or if you remain unsatisfied you have the option to move to another provider, but do your due diligence.

What is vitally important in your conclusion is that you evidence all of the findings. The Commission will be asking you the questions about your compliance framework, how you monitor and mitigate the risks and are able to ensure oversight. You will be held accountable by the Commission so you need to have the answers and evidence. It’s just good Corporate Governance at the end of the day.

I was approached earlier this week by a Licensee who had just been visited by the Commission. The Commission was impressed that AML/CTF was discussed and documented at their meetings and how this evidenced the oversight and responsibility the Licensee took. One happy Licensee always means one happy Compliance monkey. This shows the power of good minutes and how the Commission view the importance of them in the evidencing of the oversight of the compliance function taken by Licensees.

At the end of the day you do not want to be jumping from the frying pan into the fire. People make mistakes it is whether they can learn from them.  Whatever conclusion you come to will allow you to make the best decision for your business, just make sure that it is clearly evidenced. Don’t change just for change sake!

Diving in to Compliance

Entering the waterMy weekends are spent reviewing overarching risk assessments and analysing specific risk assessments as well as undertaking the compliance review of policies and procedures, finishing with the review of performance of the systems and controls.  I am not taking work home with me nor am I moon-lighting or taking on further roles, I am though a qualified Diver and a qualified Solo Diver.

Diving can be a high risk pursuit and can lead to death even at shallow depths. My joy and passion is to go deep, exploring wrecks and reefs of the Channel Islands below 30 meters or 100ft and seeing the beauty and fragility of the alien world below illuminated in beautiful colours with its abundance of life.  The chance of swimming to the surface and surviving without any injury after a total gear failure or panic attack are slim at best, at these depths. The choices I make are calculated and risks are mitigated using similar principles that a Financial Services Business (“FSB”) would utilise.

I start every dive season off with an overarching risk assessment, looking at the risk I am prepared to take, what I want to achieve and the factors affect me. This is not overly different to the Anti-Money Laundering and Combatting Terrorist Financing (“AML/CTF”) Business Risk Assessment for any FSB in Guernsey.  My overarching risk assessment is where I look at what I want to achieve and the risks that I am prepared to take in essence what my risk appetite is, and it does vary year to year.

For a FSB the AML/CTF Business Risk Assessment looks at the risks posed by its products and services and its customers. In my case these translate to the types of diving I want to engage in, my planning and who I dive with.  My mitigation of the risks faced would be my diving gear and its set up and my overall health to make the dive.

I then put into action a monitoring programme taking into account my overarching risk assessment.  A full review of my diving gear is essential as is my fitness, this will involve servicing both gear, body and mind and reviewing them on a periodic basis.  This is similar to the provision of management information to the Directors of a FSB. They require to know the state of health of their policies, procedures, systems and controls, to ensure that they are maintained and remain in good condition and fit for purpose in order to mitigate the risks their business face. Knowing that my gear is in good condition and works is essential for whatever dive I do while the health of my body and mind will dictate the dive that can be undertaken safely. Resources must be put to where areas of concern are noted to ensure that the potential for errors or incidents are reduced to a minimum.

drift drivingThen it all comes down to the day, where I undertake a specific risk assessment of myself, the conditions, the type of dive to be undertaken and who I am diving with or if I am going solo. In a sense this is similar to the customer risk assessment that FSB’s undertake for each customer, in order to identify the risk they pose to the FSB and whether the risks are acceptable.

FSB’s by appreciating the risk posed and faced by the customer can decide whether they are prepared to engage in a business relationship with a customer.  In some cases when I have dived I have been satisfied with the risk I face and have dived but I have also be known to decide that the risks are too high or that my systems and controls are not up to the task and have declined the dive or undertaken an easier dive.  I always work on the idea that it is better to be on the surface wishing you were diving then being in trouble under the water away from help and wishing you were on the surface.

Due to the higher risks I take my systems and controls are tailored to me and include as a minimum two independent air cylinders.  I implement my systems and controls by dividing my body in to two halves, one side has computers connected to one cylinder and the other side has old-fashioned gauges connect to my other cylinder, the idea being that should one side fail I can rely on the other as back up.  It also means I can monitor the performance of my systems and controls effectively ensuring that any false readings or dangerous situations are detected early and evasive action taken.

The last thing I do after every dive is to review my systems and controls obtaining data from my computers, analysing this to ensure my policies and procedures remain fit for purpose.  I then assess my overarching risk assessment making changes if required. This has similarities to the quarterly and annual reviews that are done by management and Directors of a FSB to ensure that their businesses are meeting the regulatory framework and mitigating the risks that they face, in essence it’s just good corporate governance.

Diver OKThings do go wrong and no matter how good your policies, procedures, systems and controls are.  I have been in situations where I have had to shut down one side of my systems and controls due to sudden failure of a hose or regulator as well as having to rely on my old-fashioned gauges, watch and mental arithmetic when my computer has failed. It does not come down to luck that I am here writing this but that my risk assessments and planning have taken these situations into account.  My compliance monitoring has reduced these incidents and malfunctions to a minimum and I have put resources to the risks I face ensuring I am suitable trained and able to deal with incidents of this nature.

FSB’s that have a good corporate governance culture, a suitable compliance framework and a compliance monitoring programme that meets their needs and provides the required management information effectively, have in general survived the financial crisis and have adapted to business and regulatory changes with ease.  Where issues have surfaced they have been able to deal with them effectively and/or report at the earliest opportunity where required to the regulatory authorities or Financial Intelligence Unit.

(Pictures by kind permission of Colin Peters)

Briefing note 002- Trust Company Business On-Site Examination Findings from Jersey

Image

The Jersey Financial Services Commission (“JFSC”) has recently published its 2013 on-site regulatory examination findings in respect of Fiduciary business conducted in Jersey. These findings are pertinent to any financial service business, Compliance Officer and Money Laundering Reporting Officer (“MLRO”) in ensuring that they are adhering to the Guernsey regulatory framework. I believe that key points from the examination findings are as follows:

Evaluation of Suspicious Activity Report’s (“SAR’s”) and reporting to the Financial Intelligence Unit (“FIU”):

  • Delays in the acknowledgement of receipt of an internal SAR to the person disclosing.
  • Lack of detailed investigation by the MLRO to support the decision made.
  • Follow-up action resulting from internal reports not being undertaken or no evidence of follow-up action were noted.
  • Lack of autonomy by an MLRO and the decision to report to the FIU being made by Board rather than the MLRO.
  • Internal reports not being recorded accurately and being overlooked by the MLRO leading to late reporting to the FIU.

Corporate Governance:

  • Board discussions not being fully documented in some instances.
  • Concerns were identified in respect of the Board interaction, reporting lines and the functions of delegated risk committees of cross-divisional functions of a business.
  • Term’s of reference for delegated functions of the Board not being in place.

Business Risk Assessment (”BRA”) and Strategy:

  • Lacking details of the consideration of the following areas;
    • Organisational factors;
    • Jurisdiction of customers;
    • Underlying activities of Customers, including Politically Exposed Person risk;
    • Products and services specific to the business (third parties);
    • Delivery of those products and services;
    • Outsourcing risk to other branches or third parties and;
    • Not separating its BRA assessment from that of the Manager.

Conflicts of Interest:

  • No documented consideration of potential Conflicts of Interest where multiple licences are held and products are provided to customers who are common to both licenses.
  • Consideration and documentation of wider Conflicts of Interests, such as the investment in to customer structures by a Director.
  • Consideration of the risk where a significant shareholder of the business introduces customers.
  • Non-Executive Directors maintaining a direct relationship with a customer.
  • Conflicting roles of Compliance Officers the anti-money laundering function where the individuals also held a primary customer facing role.
  • Consideration of the impact of close staff relationships particularly at a senior level e.g. husband and wife.
  • Policies and procedures for declaring and monitoring were identified.

Compliance Function:

  • Inconsistent attendance at Board meetings by the Compliance Officer.
  • No separate reports in respect of Compliance and the anti-money laundering and combatting terrorist financing (“AML/CTF”) function.
  • Reports not containing the following;
    • Regulatory updates;
    • Progress of compliance monitoring;
    • Updated position on compliance registers, and;
    • Information on periodic reviews and accounting records.
  • In some cases there was a lack of documenting of matters brought to the attention of the Board.

Compliance Resourcing:

  • Back logs in periodic review cycle.
  • Delays in compliance monitoring
  • Not undertaking action in respect of regulatory updates.
  • Out of date policies and procedures
  • Ongoing projects and remedial work not completed.
  • Concerns in respect of the investigation and determination of SAR’s.
  • Meeting the day-to-day requirements of the compliance role, where the Compliance Officer or MLRO held other roles within the business.

Compliance Monitoring:

  • Compliance Monitoring Programme’s (“CMP’s”) task orientated rather than a schedule of testing of the operational procedures.
  • CMP’s not being seen or approved by the Board.
  • Ineffective reporting of the progress or completion of the CMP and of the remediation of compliance findings.
  • Compliance testing of the areas of the business lacking in detail.
  • Ineffective mapping of the business to the regulatory framework.

Business Acceptance Systems and Controls:

  • Procedures not being specific regarding the prescribed due diligence required for higher risk customers and business relationships.
  • Undertaking transactions prior to the acceptance of the customer by the Business.
  • The delay of obtaining verification documents and undertaking risk rating prior to the undertaking of customer transactions.

Customer Risk Management Systems and Controls:

  • Customer risk assessments not capturing fully the risks associated with customers or as detailed by the regulatory framework.
  • Customer risk assessment not capturing the risks identified by the business in the BRA.
  • Customer risk assessments not taking into account adverse information identified on the customer.
  • Weighting scores for risks not being appropriate to elevate overall the risk to high where required.
  • Lack of guidance to assist staff in the completion of the customer risk profile.

Customer Profile

  • Vague customer profiles not capturing the expected pattern and frequency of expected transactions.
  • Customer information held in various places rather than centrally.
  • Where the rationale for the business relationship was recorded as tax planning or mitigation, Licensee’s did not hold the relevant tax advice.

Politically Exposed Persons:

  • PEP’s being declassified contrary to the regulatory framework.
  • Immediate family members and close associates not being designated as PEP’s

In conclusion Licensees and the Boards must ensure that they have up to date compliance procedures, their functions are staffed and resourced appropriately and ensuring that they have suitable and sufficient management information for their compliance status being provided in a timely manner to them.  The role of the MLRO is coming more into focus with Regulators especially its assessment by the Board.  The MLRO function needs to be adequately resourced with a suitable and autonomous person, it is my opinion that this role will become more of a focus of regulatory visits and evidence of its review and suitability will required to be documented.  I would always advise that a separate compliance report and MLRO report is provided to the Board to ensure that matters are easily identifiable to the Board.  Conflicts of interest must be recorded and the risks assessed appropriately.   The BRA must take into account the risks that customers pose to the business and also the AML/CTF risks detailed by the regulatory framework and where they are not applicable they should be noted as such. What I believe is the most important finding to come out is, ensuring customer risk assessments and profiles are detailed and maintained ensuring that all risks are covered in the BRA.  I would advise that you assess your business to these findings and if any matters are found a remedial programme is put in place and signed off by the Board ensuring appropriate timescales and reporting is in place.

.