Dear Board, don’t engage me to undertake your outsource compliance requirements until you have read this!

Lance Barclay Compliance, Corporate Governance, Guernsey , , , , , , , , ,

Compliance monkeyGuernsey has an amazing regulatory framework which has become quite a selling point with financial service businesses offering their products and services and those financial service businesses wanting to come and have operations here. Some will utilise outsource compliance professionals to assist them with the cost of set up, on-going costs,  ensuring their business can have knowledgeable and professional persons on-board while it establishes and grows its presence and offerings. Even established firms may need extra compliance support in their business to be able to ensure that they can at all times remain compliant with the Guernsey regulatory framework or ensure that remediation is appropriate and effective.

In the last year the use of outsource compliance professionals has come to the forefront of the regulatory radar, instances of their failure having been identified as contributing to businesses failing to adhere to the regulatory framework. There have been numerous communications from the Commission to the industry on the issues surrounding the requirements for utilising an outsourced compliance professional and failures where this has not been met, showing that the Commission are treating this seriously.

At the end of the day the responsibility for compliance to the regulatory framework is laid firmly at the feet of the Board and they are the first point of call when failings or regulatory deficiencies are identified by the Commission. The need to ensure a Licensee is meeting the regulatory requirements forms at the most basic level with the minimum criteria of licensing as well as being mentioned throughout the regulations, codes instructions, and guidance issued by the Commission.

So what needs to be considered by Boards? Here are some questions to be asked but at all times refer to the legislation regulations, rules,instruction and codes that pertain to your business and licence.

Prior to any engagement consider these points.

You wouldn’t employ anyone to undertake the role in a full-time capacity so why would you chose anyone to do your outsource function?

Prior to any engagement do your due diligence on the outsource company/ person, the person who will be your appointed compliance representative and the people who will be doing the work. At the very minimum the person who will be undertaking the work needs to be suitably qualified and knowledgeable of the area your business operates in and the regulatory rules that pertain to your licence.  You will need to ensure that you can evidence that they have been appropriately screened as you will be expected to have been as diligent with your provider as with your own staff!

You wouldn’t employ anyone who doesn’t have the time for your business?

Prior to any engagement you need to work out how much time will be required. This will change from the role that compliance professional will undertake, as an example an outsourced MLRO will have different time requirements to a compliance professional assisting with licensing.

When you actually look at it, if you have a compliance professional for two hours a week it would take them eighteen weeks to achieve one thirty-six hour working week in your business! Obviously cost is a major factor in this assessment and knowledge and experience never come cheap. The time any compliance professional spends on your business must be commensurate to the size, complexity and nature of your business and the role undertaken.

You need to be aware that a compliance professional will also be working for other firms, there is obviously a risk regarding resources. If their clients require more time or the outsource provider or person undertaking the role has issues with resources will you be affected? You need to ensure that there are controls in place or a plan B to mitigate these risk.

You wouldn’t have any old agreement?

You need to ensure that the outsource agreement meets the requirement of the Guernsey regulatory framework and is legally binding. The Board cannot discharge its responsibilities only delegate the work, it is often a good idea to have a Guernsey Advocate firm look over any agreement, especially if the Board are not familiar with Guernsey Law or this area.

During any engagement consider these points.

You wouldn’t want to be assessed by any old criteria, what criteria is the business or business area being assessed to?

Again this depends on the role you are utilising the outsourced compliance professional for, but you need to know how they are monitoring you and to what standard.  The Board must make sure that it can evidence and satisfy itself and the Commission that the Guernsey regulatory framework requirements have been met.

You wouldn’t want any report, do the reports provided give the full picture of the work being undertaken?

The reports that are provided to the Board must be meaningful and contain accurate management information. This allow the Board to see the whole picture of their business or the area that the outsourced provided has been contracted to service and assess the level of compliance to the regulatory framework. If areas or remediation work have been identified are the Board kept appropriately up to date?

You wouldn’t want to keep on anyone who isn’t performing, is the outsource provider performing to the required standards?

Throughout any engagement the Board must consistently monitor and evidence its monitoring of the outsource provider and/or those undertaking the work for the Licensee. Is the Board satisfied with the work undertaken, is the monitoring of the business meeting the requirements of the Guernsey regulatory framework, has the business changed in its complexity, nature or size and is the person doing the role still suitable?

The most important aspect to any outsource relationship is that you have the right person/firm, they add something to your business, provide you with the accurate management information, they get on with you and are honest to you regarding their business and yours. By hopefully considering and evidencing these requirements a Board will be able to show that they have acted to ensure that their business meets the requirements of the Guernsey regulatory framework. In the unfortunate case where things have not worked out the Board will be able to evidence that they were aware of the issues at the earliest opportunity and have acted to mitigate any non-compliance and remediate the situation.

The Sum of All the Parts

Lance Barclay AML/CTF, Compliance, Due diligence, Guernsey , , , , , ,

Compliance monkeyThe Guernsey Anti-Money Laundering and Countering Terrorist Financing (“AML/CTF”) framework has continually developed to take in to account good practice, external pressures, requests and recommendations of onshore governments, quangos and international organisations  to ensure that financial crime in all its guises is effectively tackled. The Commission have sought to and I would say that they have largely achieved a cohesive framework that effectively mitigates against the use by criminals of Guernsey as an international finance centre while not over burdening the Financial Service Business operating here.

This cohesive framework has been achieved over the course of the years by open dialogue with local industry bodies, licensees and working effectively and productively with those outside of Guernsey to achieve a proportionate approach for  the products and services that are provided to clients wishing to utilise the jurisdiction. Most notably in 2013 the AML/CTF framework in Guernsey changed extensively and this resulted in general insurance products being removed, but did it remove all the products and services that can classified as General Insurance?

With regard to the Insurance sector in Guernsey, a legal entity can be licensed for general business or for long-term business. Long term business is defined in the Insurance Business (Bailiwick of Guernsey) Law, 2002 as contracts on human life, human longevity, marriage and birth, linked long-term, permanent health, capital redemption, pension fund management and credit life assurance. Due to the nature and the requirements of some clients, an insurance licensee with a general business categorisation may want to offer some of these products to their clients to supplement the range of products and services they currently or can offer their clients, but without the need to be licensed for long-term business.  Section 2(4) of the Insurance Business (Bailiwick of Guernsey) Law, 2002 does allow for an Insurance licensee to elect that a contract for a term of not more than 18 months that may be regarded as a long-term business contract and can be deemed to be general business.

This would appear to allow a general insurer to fit such products into their licence requirements e.g. general insurance, without the requirements to adhere to the Guernsey AML/CTF framework as per the changes that were made to the Commission’s AML/CTF Handbook (” Commission’s Handbook”), in 2013.  It should be noted that the treatment of these products, though allowed to be done in certain circumstances by an Insurance licensee does not change the definition of those products in the Insurance Business (Bailiwick of Guernsey) Law, 2002.

In the Criminal Justice (Proceeds of Crime) (Bailiwick of Guernsey) Regulations, 2007 at schedule 1 it states that a Financial Services Businesses for the purposes of the Regulations are detailed in part 1 of the schedule, except where they are incidental or are other activities as listed at Part 2 of the Schedule. Part 1 of the schedule includes the carrying on of “Long Term Business as defined by the Insurance Business (Bailiwick of Guernsey) Law, 2002 as being a Financial Services Business for the purposes of the Regulation and the Commission’s Handbook, it does not include any change in the treatment of an Insurance product by an Insurance Licensee. The Commission’s Handbook at section 4.8 specifically deals with the treatment of life or other investment linked insurance policies and as such these appear to directly fall in to the Guernsey AML/CTF regime. Effectively this is saying that if a product falls under the long-term definition stated in the Insurance Business (Bailiwick of Guernsey) Law, 2002 though a Licensee it may regard it as being General business they remain subject to the AML/CTF Regulations. Thus a licensee must adhere to the requirements of the Commission’s Handbook and AML/CTF framework when dealing with such products.

The sum of all these parts would indicate that an Insurance licensee effecting or carrying out life or other long-term products regardless of how a Licensee may be able to classify these products as general business under the Insurance Business (Bailiwick of Guernsey) Law, 2002, they would still fall under the AML/CTF regulations and Commission’s Handbook by way of the requirements of the Criminal Justice (Proceeds of Crime) (Bailiwick of Guernsey) Regulations, 2007 held at schedule 1. An Insurance Licensee regardless of how it treats such products under its licence would be required to have in place an effective AML/CTF framework.  A licensee must be able to evidence the suitability of its AML/CTF framework and compliance with the AML/CTF requirements pertaining to its business to the Commission.

An Insurance licensee must ensure that at all times they meet the requirements for the minimum criteria for licensing, schedule 4 of the Insurance Business (Bailiwick of Guernsey) Law, 2002. This includes a requirement to meet and adhere to any rules, codes, guidance, principles and instructions issued from time to time under any other enactment as may be applicable to the business, and this would also be inclusive of the Guernsey AML/CTF framework.

Missing the Elephant in the room.

Lance Barclay AML/CTF, Due diligence , ,

These last few weeks I have been thinking back to myCompliance monkey time in Law Enforcement. Those of you who can remember back that far probably have an image of a young surfer dude who turned up in the most scruffiest uniform, collar half in half out, requiring either a haircut or beard trim, usually both and never mind the lack of tie!

Those who worked with me will probably remember a person who worked manically yet methodically, questioning everything, discussing and testing theories before providing a list of potential targets for Officers to stop and check out. I am very proud to have been one of the highest seizing drugs Officers during my time, but all this could not have been done without the above, the support of my senior officers (and at times I pushed them to the limits) and the Law Enforcement Officers and teams I worked with, who looked at the whole.

In recent weeks there has been a lot of international interest in the offshore world regarding tax avoidance and tax evasion as well as financial crime, which has included revelations of HSBC in Switzerland. This post is not about HSBC, what is or isn’t tax evasion or even the ethics behind tax avoidance or financial crime, but I hope to try to provide some advice where the due diligence process fails. I have previously written about how due diligence is only part of the solution. As a past Customs and Immigration Officer and now as a compliance manager and consultant these documents are essential in identifying and verifying the target/ client but this is by no means the be all or end all.

It is all about the analysis of information in front of us, checking these details and asking the questions not our pre-conceived ideas or prejudices. Do we ask the question of why our clients invest offshore or set up dynastic structures or entrepreneurial structures offshore, do we understand and test and document, this rationale and reason and do the transactions make sense and fit the profile?

As a Law Enforcement Officer I would start by building a picture of travellers, and ask myself if the analysis I had in front of me made sense. Were there any comparisons to known smuggling and people trafficking profiles? Then I would seek out the experience of my peers, asking questions and gaining in-sights, understanding and clarifying what I had in front of me. This is no different from a Financial Services Business, where you are obtaining identification details, verifying these with documentation, researching through the various open-source intelligence databases for known facts, asking questions regarding the rationale. Seeking supporting evidence e.g. tax/ legal rationale and advice for the creation of a structure, its suitability and comparing the client and business relationship to known criminal profiles.

Having assisted licensees when they have been subjected to on-site visits by the Commission the main observation is, to a greater or lesser extent, that the requirements of the Regulations and the Handbook have been met. Some licensees have gone for just meeting the required standards others are far in excess of what is required by the regulations, but all generally pass with only the criticism of lack of former names or certification not meeting the expectations of the Commission. The real bug bear for the Commission is the lack of or insufficient periodic review. Yes we screen for sanctions, yes we check the appropriateness of our due diligence and we risk assess to what we see in our verification documents and from our refreshed our database checks but is this enough? Well unfortunately no it’s not and we are missing the Elephant in the room.

We spend alot of time getting the tax/ legal advice, the rationale of the relationship and the expected transactions at the start of the on-boarding process but we seldom question these areas again in the course of the business relationship. Tax advice is valid when it is given and after that it is outdated and what was legal tax mitigation can become tax evasion, transactions vary due to life circumstances including financial crime, entrepreneurial relationships change due to economic reasons and taking advantage of situations, some which can be financial crime. The information is in front of our eyes yet we fail to look at it, react to it, analysis it and document these changes or question the rationale.

Being miles above and beyond regulation may serve little purpose apart from to annoy clients and make the offshore world difficult to invest in and access for those with legitimate reasons and rationales. You may think it looks good to a Regulator to be gold platted but that is not the case as they are only looking at compliance with the regulatory requirements. The information to detect financial crime in all its guises is in front of us, the transactions, the file notes of meetings and the tax advice or legal advice. All this allows us to analyse the client to ensure that what we have fits in to our knowledge and understanding of the them and that what we have is legal and remains legal. This though is the Elephant in the room we seldom look at and where Regulators will not look kindly on when they find it lacking, regardless of how high above the required due diligence standards you are!

In all these Financial crime and Tax evasion cases if the advice had been looked at, the transactions and rationale been reviewed in detail would things have been different? It is not OK to say things were different back in the day, it does not absolve you or anyone from financial crime or being complicit in it.

If the only thing you take from this is to look at the whole picture, analyse all the information and rationale of a client, ask any questions you can’t fathom out, and obtain answers and document your full review, this post will have been worth it.

What doesn’t kill us only makes us stronger

Lance Barclay Business Risk Assessment , ,

drift drivingOne cylinder shut down due to a malfunctioning regulator and now my other regulator had started to malfunction, I realised that the situation was now extremely serious and the next decisions would be the most important of my life. As I drifted there at thirty eight meters, unlikely to successfully survive a dash to the surface I took a deep breath trying not to choke on the seawater as it came into my mouth, I focused on the task at hand and dismantled my switched off regulator and signalled to my buddy to put up a surface marker.

We all have to make decisions, the regulations force us to make decisions for the protection of our customers ourselves and our jurisdictions. We demonstrate this by risk assessments, an exercise that can be seen as pointless and only for the sake of the regulations. By engaging with the assessment process and thoroughly reviewing and demonstrating the potential areas of risk that we face we are able to understand, minimise and hopefully withstand potential events that may and will occur. It goes without saying that any risk assessment needs to be monitored and assessed regularly as environments and situations change, it also allows us to be more alert and able to detect and deal with new or unknown risks and risk areas as and when they arise.

I knew my focus was narrowing and it had become darker, my fingers replaced the membrane in the regulator and I screwed it together, I moved to the valve of my cylinder and slowly turned on the air, nothing happened and no air escaped. Slowly pressing down I purged the regulator it worked, thank God, and I put it in my mouth and tasted the sweet air. By no means was this a fix, more a patch as within seconds it started to leak again. I looked up to be greeted by two huge eyes of my dive buddy who had just released the surface marker, with a smile I signalled it was time to depart to the surface and I put my fingers round the line attached to the surface marker as we began our leisurely ascent.

At eighteen meters the patch was failing, at seventeen meters the regulator was finished and I put in to my mouth the other semi working regulator and felt air and cool salt water, at sixteen meters I could see the sun shimmering and new that the odds of them both working to a lifesaving capacity to the surface was not in my favour, it was time to change the plan to meet the situation and I signalled to my buddy. At fifteen meters with my buddy’s emergency octopus and air filling my lungs we gently continued our ascent to the surface. At the surface we were both smiling and greeted by our safety boat.

We had addressed the known risks by our planning and checks pre dive, during the dive we had calmly and successfully dealt with a worst case scenario, assessing the situation and assigning tasks to create a better situation. The ascent had been undertaken in a control manner avoiding the potential of the bends and though it had required a change to meet the situation we had accomplished the task successfully. The risk had morphed but we had successfully dealt with the new and unknown risk due to good training, assessment and management.

Risk assessments are not pointless or just for regulators or governing bodies to review and assess but are vital. Life and business is about risk, just make sure that you have realised and assessed them initially and then periodically, fate has a nasty habit of striking when you least expect it as history and the present time shows us, make sure you can survive.

When things go wrong review, understand, remediate and enhance, I know that is what I will be doing, it wont be pointless and will make me stronger.

Questions, Coffee and Ghosts.

Lance Barclay Guernsey , ,

imagesAre we now being regulated by international organisations and their regulators rather that our own regulators?  Is our regulatory framework becoming a secondary consideration to the regulatory frameworks and group policies of international organisations that finance our community?  Is this leading to the stagnation of Guernsey as a whole where compliance cost rise to meet these external influences rather than our own bespoke regulatory framework? Is our competing and partaking in business in the international or developing world inhibited? Are the policies of the international regulatory community focused on large organisations, with a one size fits all attitude to the detriment of our smaller bespoke financial service providers? Even looking outside of our Financial Service Industry have international organisations, regulators and governments lost contact with local industry and people making them unproductive, uncompetitive and restricted?

Our businesses whether in finance or outside must adhere in some degree, to the requirements of committees and boardrooms far flung from our Island, and the whims of persons who lack connection understanding or appreciation of our island economy and value. Are these institutions aware of our idiosyncrasies as they strive to achieve a mythical norm presented by scoring sheets, algorithms and public opinion of their home countries? Has the international community lost the ability or the want to differentiate between the size nature and complexity of their own and other communities, businesses and financial centres?

A thought struck me while handing over my Guernsey one pound notes for my coffee today, if we print money why can’t we loan money? Why can’t we create a bank of the Bailiwick or other funding enterprises, regulated to our own standards that are acceptable international standards and set up for the needs, development and innovation of our local businesses?  Could we run a bank for the good and development of our community and its financial and non-financial businesses, lessening compliance expense faced by our businesses by focusing achieving the requirements of our regulations? Are we not best placed to understand, develop, innovate and realise the hopes and dreams of our Island community? Could we provide this as yet another string to our bow allowing us to partake and compete effectively in the international community? Rather than fit in to a box could we provide the bespoke solution tailored to our needs and requirements?

WilliamLeLacheurLooking into the last of my coffee as the rain began my mind was taken back to the ocean that I love so much, and yes we are but a drop in the ocean. The ocean has allowed us to raise some of the earliest taxes known, an anchor tax no less for the benefit of our Island and the development of our harbour in the 1400’s.  The ocean was mastered by our forefathers, and none other than William Le Lacheur who imported coffee and went on to influence economic and spiritual development in South America, as I walked through the Arcade I recalled how it was financed by Guernsey ingenuity and innovation.  I headed home past the Thomas De La Rue Public House, named after a Guernsey man who went from humble beginnings to founding De La Rue, who having adapted over the centuries and who have continually innovated while still printing bank notes today. These are but a few of the great historical figures that this Island has had and I could not help but wonder what these ghosts would suggest the same today, what would they think of my thoughts, would they see the potential of such ideas or a necessary to bring the development and innovation required to make the reality of tomorrow?

The ocean is vast and bountiful with a diversity of species and opportunities leading to competition and equilibrium, the loss of the equilibrium leads to the destruction of these unique habitats and species. Could the ripples of this idea radiate out to the benefit of our Island both domestically and internationally or will we be bound by the strangling nets of direct and/or indirect extra-territorial international regulation and policy? We need to look and focus on tomorrow while reflecting on the lessons of yesterday to achieve the dynamic solutions and adapt to the changing world as our forefathers did.

F1- Team Guernsey

Lance Barclay Compliance Monitoring, Corporate Governance , ,

Singapore F1The excitement of the Singapore Grand Prix has only be heightened by the restriction on what information can be passed to the Drivers. This addition to the regulations has come about as a result of what the fans and the controllers of Formula 1 believe is the driving of the car from the pit wall rather than the Driver actually driving and racing. To me, though the cars are complex, it is the Drivers who have the best perspective and the feel of what is going on around them in order to make the winning or best decisions, as we saw with Hamilton in Monza, who then capitalised on the situation and went on to win the race.

I don’t think it can be questioned that Guernsey is racing in the Formula 1 of Financial Centres globally, or that it has developed a high standard of regulation to be adhered to, while flexible enough to allow businesses to develop and have an advantage over other competing jurisdictions. One of the concerns that I am spoken to about and have previously posted on is whether the Directors and Partners of our Financial Service Businesses are becoming controlled by Compliance Officers and departments, and that essential business decisions are being curtailed and taken out of the hands of these Drivers.

The Board or Partners of a business must work to achieve the aims and objectives that have been set down. To do this they must obtain suitable and sufficient management information to assess whether opportunities are able to be taken. This information does not just come from the compliance department or officer but from a whole host of potential reports from committees and operational units.  They are listening, analysing and digesting all this information in much the same way that a racing driver pre-race will do with his team.  The strategies will be discussed and engineers and technicians will provide reams of information to allow the drivers to realise their strengths and weaknesses and those of the opposition. Drivers must also be aware of the regulations and where the track limits are and what is acceptable and what will be punished and penalised.

It then comes down to the race. Though the reports from the data sources are important to the team and must be continually analysed to ensure that the engines and electrical systems are performing as well as identifying and managing potential issues as they happen. The most important feedback though comes from the Drivers, who feel the track, the car and can see the tyres and the degradation, while eyeing the competition, corners and hazards.  The Directors and Partners are the drivers seeing through their visors the race as it develops, more than a compliance officer, the operational staff and support services, who remain in the pits or the pit wall, working hard behind the scenes and preparing for any eventuality that may occur and ensuring the strategy remains on track. This is why there is a need to have effective management information that is relevant, short and succinct for the Drivers who are racing.

At the end of the day it is up for the drivers to decide how to use the information they receive, some will push too hard and end up in the barriers, blow their engines or destroy their tyres. Blowing the engine or planting yourself into a barrier ensures that the race is over and for a financial service business it potentially means a total rebuild of the business, legal expenses and a loss of reputation. If the Directors or Partners act recklessly or with a cavalier attitude why would an investor or customer place their money or assets with the business? Destroying your tyres means that the driver can continue the race but they will be slower and need to pit stop more, allowing the competitors to seize the advantage, potentially the sponsors as well if the poor performance continues.  We have already seen this year in F1 how sponsors and investors have left or sold their holdings as well as the threats of doing so due to legal proceedings relating to the sport.

By over controlling the drivers or providing them with excessive information or information that is not succinct there are two possible outcomes.

  • The Driver cannot race effectively and take advantage of the opportunities as they arise with the potential of not seeing the hazards ahead or;
  • The Driver does not understand the severity of what they are being told or chooses to ignore the information, acting recklessly they or the team are penalised.

For the Directors and Partners this has the potential of substandard performance to potential legal and regulatory action against them and the business.

2014 SingaporeAs Sterling Moss said before the 2014 Singapore Grand Prix “to win the race you must be the first home”, and to do this the Drivers must have the freedom to race while also respecting the information that they are receiving. For any Director or Partner to have the right information delivered at the right time will assist them in driving the race to their full potential and to bring the race home, while minimising regulatory and legal exceptions or issues that may inhibit them being the first home. Drivers need to have the trust in their teams to continually advance the car to the changing regulations.  The team must provide the Driver with appropriate and effective information so that they can run to the regulations.

The trust developed between the compliance function as well as the other functions of the Business with the Directors and Partners is essential and will assist in the development of the business and the achieving of the Businesses aims and objectives in and effective and efficient manner. Undoubtedly in any season there will be set backs, but for any Driver to have trust and respect of their team reciprocated means that these setbacks can be overcome, potentially without detriment to their championship hopes. Most importantly this cohesiveness will allow the team to focus on the future, perfecting their car to ensure that they remain competitive providing the best outcome for their sponsors and greatest potential to win points and achieve the rewards, Team Guernsey must aspire to this.  Failure to let the Driver race can lose you the race or race advantage the same as the Driver not accurately analysing the right information provided succinctly to manage the car.

Thoughts for the week ahead.

Lance Barclay Compliance Monitoring, Corporate Governance

After a great time on or in the Ocean this weekend here are some thoughts for the week ahead.

Thoughts for the Week ahead

Review to your policies and procedures as well as the regulatory framework applicable to your business.

Record and evidence your findings. Where you can not meet the regulations have you thought of the Comply or Explain principle?

Report to the Directors and the Board effectively and accurately.

Remediate areas of non-compliance and put your two cents in to assist the business remediate effectively.

Have fun and most importantly enjoy!

Don’t change for the sake of change!

Lance Barclay AML/CTF, Compliance Monitoring, Corporate Governance , ,

It has been an interesting few weeks with lots of nervous Directors concerned with their compliance functions and wondering what to do in light of the recent Commission’s findings and fines that have been publically issued. What must be remembered is that the Directors are responsible for the compliance function and framework (Chapter 2 of the Commission’s Handbook’s) of their business and not the consultants they may employ.  So what needs to be done?

Don’t Panic! There really is little point in panicking and it will only tend to make things worse. Panicking only creates more fears, which may not be justified in some cases, fear then leads to aggression and that only leads to breakdown in communication. The key in gaining an understanding of what has happened and where your business may sit in the regulatory framework will be down to communication with your compliance provider.

Review your compliance framework. Are you satisfied that you have all the evidence to support the previous findings of your compliance function provided by your consultants? Does their review go far enough and look at all the areas of the regulation that pertains to your business? Are they evidencing their findings suitably to back up their conclusions? At the end of the day your compliance framework is your responsibility and you need to evidence that you are satisfied with it, those that undertake the review role and that you have oversight to control it.

I have previously had licensees who would sit down with me during the year and go through my monitoring programme and how they correlated to the reports I was providing them. The positive was that it gave them comfort and evidenced to the Commission that they had true oversight and control of their compliance framework.

Communicate clearly and calmly. This is important, the oversight review you have done will provide you with questions that you need to have satisfied.  In light of the recent Commission actions and public statement released, you will also need to know the facts of what happened and why it happened as you need to assess if you could find yourself in the same situation of being incorrectly reported to on the regulatory requirements.

Even if your provider was not concerned in the recent Commission’s action you need to ensure that they would not put your business in jeopardy. It is important that from your review you can put any queries or concerns across in a calm manner. Your consultants may be defensive but the discussion needs to be open and honest so you can establish the facts. It is vital that your consultants and/or their management have the ability to constructively deal and satisfy any questions or concerns you may have.

Potential areas to discuss and obtain evidence on. Are you satisfied with the work that has been and continues being undertaken? Do you need to increase the time that the consultants provide to your business? Is the compliance monitoring utilised to assess your business suitable? Do the reports provided to you evidence the review that has been undertaken and do they cover the requirements of the regulatory framework? Are you getting the service that you require and want, remember you are the customer here!

Are the consultants suitably qualified or knowledgeable in the areas pertaining to your business, and have you got the evidence? It is always best to assume that you need enough information to satisfy yourself as you would for any of your employees. Your compliance consultants will be able to provide you with evidence of the consultant’s qualifications and suitability.  I was always more than happy to provide my certificates to licensees as I am very proud of what I have achieved!

Review, assess, conclude and evidence. Once you have the responses to your queries and concerns, you will be in a situation where you can review and assess where your current framework is and where it is going. You may be satisfied that everything is suitable or your compliance consultants are making changes to bring their game up for you and are able to service your requirements appropriately going forward. You may find that it’s time to bring your compliance function in-house wholly or partially, or if you remain unsatisfied you have the option to move to another provider, but do your due diligence.

What is vitally important in your conclusion is that you evidence all of the findings. The Commission will be asking you the questions about your compliance framework, how you monitor and mitigate the risks and are able to ensure oversight. You will be held accountable by the Commission so you need to have the answers and evidence. It’s just good Corporate Governance at the end of the day.

I was approached earlier this week by a Licensee who had just been visited by the Commission. The Commission was impressed that AML/CTF was discussed and documented at their meetings and how this evidenced the oversight and responsibility the Licensee took. One happy Licensee always means one happy Compliance monkey. This shows the power of good minutes and how the Commission view the importance of them in the evidencing of the oversight of the compliance function taken by Licensees.

At the end of the day you do not want to be jumping from the frying pan into the fire. People make mistakes it is whether they can learn from them.  Whatever conclusion you come to will allow you to make the best decision for your business, just make sure that it is clearly evidenced. Don’t change just for change sake!

Diving in to Compliance

Lance Barclay AML/CTF, Business Risk Assessment, Compliance Monitoring, Corporate Governance , , , , , ,

Entering the waterMy weekends are spent reviewing overarching risk assessments and analysing specific risk assessments as well as undertaking the compliance review of policies and procedures, finishing with the review of performance of the systems and controls.  I am not taking work home with me nor am I moon-lighting or taking on further roles, I am though a qualified Diver and a qualified Solo Diver.

Diving can be a high risk pursuit and can lead to death even at shallow depths. My joy and passion is to go deep, exploring wrecks and reefs of the Channel Islands below 30 meters or 100ft and seeing the beauty and fragility of the alien world below illuminated in beautiful colours with its abundance of life.  The chance of swimming to the surface and surviving without any injury after a total gear failure or panic attack are slim at best, at these depths. The choices I make are calculated and risks are mitigated using similar principles that a Financial Services Business (“FSB”) would utilise.

I start every dive season off with an overarching risk assessment, looking at the risk I am prepared to take, what I want to achieve and the factors affect me. This is not overly different to the Anti-Money Laundering and Combatting Terrorist Financing (“AML/CTF”) Business Risk Assessment for any FSB in Guernsey.  My overarching risk assessment is where I look at what I want to achieve and the risks that I am prepared to take in essence what my risk appetite is, and it does vary year to year.

For a FSB the AML/CTF Business Risk Assessment looks at the risks posed by its products and services and its customers. In my case these translate to the types of diving I want to engage in, my planning and who I dive with.  My mitigation of the risks faced would be my diving gear and its set up and my overall health to make the dive.

I then put into action a monitoring programme taking into account my overarching risk assessment.  A full review of my diving gear is essential as is my fitness, this will involve servicing both gear, body and mind and reviewing them on a periodic basis.  This is similar to the provision of management information to the Directors of a FSB. They require to know the state of health of their policies, procedures, systems and controls, to ensure that they are maintained and remain in good condition and fit for purpose in order to mitigate the risks their business face. Knowing that my gear is in good condition and works is essential for whatever dive I do while the health of my body and mind will dictate the dive that can be undertaken safely. Resources must be put to where areas of concern are noted to ensure that the potential for errors or incidents are reduced to a minimum.

drift drivingThen it all comes down to the day, where I undertake a specific risk assessment of myself, the conditions, the type of dive to be undertaken and who I am diving with or if I am going solo. In a sense this is similar to the customer risk assessment that FSB’s undertake for each customer, in order to identify the risk they pose to the FSB and whether the risks are acceptable.

FSB’s by appreciating the risk posed and faced by the customer can decide whether they are prepared to engage in a business relationship with a customer.  In some cases when I have dived I have been satisfied with the risk I face and have dived but I have also be known to decide that the risks are too high or that my systems and controls are not up to the task and have declined the dive or undertaken an easier dive.  I always work on the idea that it is better to be on the surface wishing you were diving then being in trouble under the water away from help and wishing you were on the surface.

Due to the higher risks I take my systems and controls are tailored to me and include as a minimum two independent air cylinders.  I implement my systems and controls by dividing my body in to two halves, one side has computers connected to one cylinder and the other side has old-fashioned gauges connect to my other cylinder, the idea being that should one side fail I can rely on the other as back up.  It also means I can monitor the performance of my systems and controls effectively ensuring that any false readings or dangerous situations are detected early and evasive action taken.

The last thing I do after every dive is to review my systems and controls obtaining data from my computers, analysing this to ensure my policies and procedures remain fit for purpose.  I then assess my overarching risk assessment making changes if required. This has similarities to the quarterly and annual reviews that are done by management and Directors of a FSB to ensure that their businesses are meeting the regulatory framework and mitigating the risks that they face, in essence it’s just good corporate governance.

Diver OKThings do go wrong and no matter how good your policies, procedures, systems and controls are.  I have been in situations where I have had to shut down one side of my systems and controls due to sudden failure of a hose or regulator as well as having to rely on my old-fashioned gauges, watch and mental arithmetic when my computer has failed. It does not come down to luck that I am here writing this but that my risk assessments and planning have taken these situations into account.  My compliance monitoring has reduced these incidents and malfunctions to a minimum and I have put resources to the risks I face ensuring I am suitable trained and able to deal with incidents of this nature.

FSB’s that have a good corporate governance culture, a suitable compliance framework and a compliance monitoring programme that meets their needs and provides the required management information effectively, have in general survived the financial crisis and have adapted to business and regulatory changes with ease.  Where issues have surfaced they have been able to deal with them effectively and/or report at the earliest opportunity where required to the regulatory authorities or Financial Intelligence Unit.

(Pictures by kind permission of Colin Peters)