Diving in to Compliance

Entering the waterMy weekends are spent reviewing overarching risk assessments and analysing specific risk assessments as well as undertaking the compliance review of policies and procedures, finishing with the review of performance of the systems and controls.  I am not taking work home with me nor am I moon-lighting or taking on further roles, I am though a qualified Diver and a qualified Solo Diver.

Diving can be a high risk pursuit and can lead to death even at shallow depths. My joy and passion is to go deep, exploring wrecks and reefs of the Channel Islands below 30 meters or 100ft and seeing the beauty and fragility of the alien world below illuminated in beautiful colours with its abundance of life.  The chance of swimming to the surface and surviving without any injury after a total gear failure or panic attack are slim at best, at these depths. The choices I make are calculated and risks are mitigated using similar principles that a Financial Services Business (“FSB”) would utilise.

I start every dive season off with an overarching risk assessment, looking at the risk I am prepared to take, what I want to achieve and the factors affect me. This is not overly different to the Anti-Money Laundering and Combatting Terrorist Financing (“AML/CTF”) Business Risk Assessment for any FSB in Guernsey.  My overarching risk assessment is where I look at what I want to achieve and the risks that I am prepared to take in essence what my risk appetite is, and it does vary year to year.

For a FSB the AML/CTF Business Risk Assessment looks at the risks posed by its products and services and its customers. In my case these translate to the types of diving I want to engage in, my planning and who I dive with.  My mitigation of the risks faced would be my diving gear and its set up and my overall health to make the dive.

I then put into action a monitoring programme taking into account my overarching risk assessment.  A full review of my diving gear is essential as is my fitness, this will involve servicing both gear, body and mind and reviewing them on a periodic basis.  This is similar to the provision of management information to the Directors of a FSB. They require to know the state of health of their policies, procedures, systems and controls, to ensure that they are maintained and remain in good condition and fit for purpose in order to mitigate the risks their business face. Knowing that my gear is in good condition and works is essential for whatever dive I do while the health of my body and mind will dictate the dive that can be undertaken safely. Resources must be put to where areas of concern are noted to ensure that the potential for errors or incidents are reduced to a minimum.

drift drivingThen it all comes down to the day, where I undertake a specific risk assessment of myself, the conditions, the type of dive to be undertaken and who I am diving with or if I am going solo. In a sense this is similar to the customer risk assessment that FSB’s undertake for each customer, in order to identify the risk they pose to the FSB and whether the risks are acceptable.

FSB’s by appreciating the risk posed and faced by the customer can decide whether they are prepared to engage in a business relationship with a customer.  In some cases when I have dived I have been satisfied with the risk I face and have dived but I have also be known to decide that the risks are too high or that my systems and controls are not up to the task and have declined the dive or undertaken an easier dive.  I always work on the idea that it is better to be on the surface wishing you were diving then being in trouble under the water away from help and wishing you were on the surface.

Due to the higher risks I take my systems and controls are tailored to me and include as a minimum two independent air cylinders.  I implement my systems and controls by dividing my body in to two halves, one side has computers connected to one cylinder and the other side has old-fashioned gauges connect to my other cylinder, the idea being that should one side fail I can rely on the other as back up.  It also means I can monitor the performance of my systems and controls effectively ensuring that any false readings or dangerous situations are detected early and evasive action taken.

The last thing I do after every dive is to review my systems and controls obtaining data from my computers, analysing this to ensure my policies and procedures remain fit for purpose.  I then assess my overarching risk assessment making changes if required. This has similarities to the quarterly and annual reviews that are done by management and Directors of a FSB to ensure that their businesses are meeting the regulatory framework and mitigating the risks that they face, in essence it’s just good corporate governance.

Diver OKThings do go wrong and no matter how good your policies, procedures, systems and controls are.  I have been in situations where I have had to shut down one side of my systems and controls due to sudden failure of a hose or regulator as well as having to rely on my old-fashioned gauges, watch and mental arithmetic when my computer has failed. It does not come down to luck that I am here writing this but that my risk assessments and planning have taken these situations into account.  My compliance monitoring has reduced these incidents and malfunctions to a minimum and I have put resources to the risks I face ensuring I am suitable trained and able to deal with incidents of this nature.

FSB’s that have a good corporate governance culture, a suitable compliance framework and a compliance monitoring programme that meets their needs and provides the required management information effectively, have in general survived the financial crisis and have adapted to business and regulatory changes with ease.  Where issues have surfaced they have been able to deal with them effectively and/or report at the earliest opportunity where required to the regulatory authorities or Financial Intelligence Unit.

(Pictures by kind permission of Colin Peters)

Advertisements

Getting the right fit for the BRA

Being the holiday season its time to sit back relax and take stock of all that has happened in 2013. Time for any Compliance professional to take stock of the year and to review the key business documents of a licensee and assess if they remain fit for purpose or need to be enhanced.

One such document that requires to be reviewed at least annually is the Business Risk Assessment (BRA) to ensure it is fit for the regulatory framework and the Licensee.  The BRA though is a document  that licensees struggle with and the Guernsey Financial Services Commission (Commission) constantly find as deficient. What lessons can we learn that will allow our 2014 BRA’s to be fit for the licensee and for the rules and regulations?

Essentially the BRA is a high level overarching document that the Board of a licensee must have in place. It evidences what the business is about, identifies the risks associated with its products and services, clients and the jurisdictions that it undertakes business in or through. The Commission have commented on how these documents tend to fall short of the mark, being generic, over simplified and not representative of the licensee.

Whenever I re-draft or assist a licensee with a BRA I take the approach of creating a document that tells the story of the licensee ensuring that it flows into the policies, procedures and forms. I use the BRA to create the framework from which the licensee’s policies and the procedures enlarge upon and stipulate the full requirements of the licensee requirements and the regulatory framework.

My BRA’s look at what the licensee business plan is, the Money Laundering, Bribery and Corruption and Terrorist Financing (ML/BC/TF) risks that the business is exposed to from following its business plan. I then look at how the licensee will mitigate the risks by the implementation of its policies, periodic reviews and training. How it will differentiate its high risk’s from its low risk’s to ensure that a risk based approach can be applied successfully and cost effectively. My BRA’s look at how the Board will be kept informed of the ML/BC/TF risks and what their responsibilities are, from ensuring policies and staff are sufficient to  how they will review the existing and new business.

Licensees often complain that I am stating the obvious in my BRA’s, that the BRA will not stop a criminal or terrorist and so add little to no value to a business. The BRA is not about stopping criminals but assisting in their identification and prevention of a licensee being an unwitting conduit for them, criminals will always seek to abuse the financial system to their own ends. Unfortunately though licensees will be unknowingly utilised by criminals and they, their clients and insurers may suffer reputation loss and in the worst cases material loss. A licensee can never negate these risks in all cases, though the BRA does allow a business to protect itself, and so adds value.

We live in a contentious and litigious society, it is now not the case that a crime has to have been committed, but has a licensee done enough to reduce the possibility of a crime occurring or to protect against being a conduit in a crime as required by the regulatory framework.  The Commission whether on a regulatory visit or dare I say it, when things have gone wrong and Lawyers and Advocates are involved they will review the BRA intently to assess if a licensee has acted recklessly by not assessing or identifying the risks posed by their business. It goes without saying that a licensee who has considered in-depth the risks posed by the business activities and the preventative measures that they have employed (stating the obvious) is going to be treated more sympathetically than a business who did not evidence their consideration of the risks that they faced.

There have been numerous regulatory cases over the last few years that were not about ML/BC/TF having occurred but that licensee’s did not have suitable and sufficient policies or information at hand for the Board or the MLRO to consider and mitigate the risks posed and inherent in their business.  If you need help in assessing or redrafting your BRA the Commission has guidance on what they deem are the minimum requirements. You can ask Consultants to review your BRA and provide suggestions if required. You can simply ask around your fellow peers to see if they can assist or provide guidance.

It must be remembered that the Board of a licensee must take full responsibility and can’t contract out of their responsibility for having a suitable BRA. The Board and the MLRO must ensure that the BRA is fit for purpose and identifies and mitigates the risks while evidencing the preventative measures, and most importantly meets the regulatory requirements. The Compliance professional is only there to suggest what they believe is suitable in how the Licensee has evidence the consideration of the risks that it faces.

Over the course of 2013 a licensee’s business, the risks posed by clients,  products and services it offers inclusive of the jurisdiction that they are associated with or their clients are associated with will have changed.  Now is the perfect time to take stock of the current status of the licensee, its future intentions and go forward in to 2014 with the risk duly considered and mitigated.

Merry Christmas one and all.