Today has been a lovely day in the coffee culture of St Peter Port, meeting and catching up with people, discussing contracts, plans and ideas, before returning home to work on some clients. Working from home allows me the time and space to not only work on engagements but also on ideas, while also being able to attend to the evening meal, taking breaks to collect fresh vegetables and herbs from the garden before slow cooking for the family. It suddenly struck me that a compliance framework is very similar to a recipe. You wouldn’t just throw random ingredients that look good into a pot and hope for the best — at least not if you wanted it to be edible and the same goes for compliance frameworks.
1. Ingredients (Policies & Procedures) Any recipe starts with a list of ingredients — the must-haves. In compliance, these are your policies, procedures, and controls that have been carefully designed to meet the expectations of regulators, clients, and stakeholders. Without them, you can’t “cook” a compliant organisation
2. Method (Processes & Workflows) The step-by-step instructions in a recipe are your workflows. They guide your team on how to use each ingredient in the right sequence — whether it’s onboarding clients, undertaking client transactions, or reporting breaches, complaints or suspicious activity. The method ensures consistency and clarity.
3. Measurements (Risk Appetite & Tolerances) A pinch of chilli adds flavour; too much overwhelms. Similarly, defining your risk appetite ensures the right balance between flexibility and control. While regulations set the boundaries, your organisation can tailor its approach to suit its unique palate.
4. Timing (Monitoring & Review) A good chef knows when to stir, when to simmer, and when to serve. In compliance, that’s your ongoing monitoring and periodic reviews to make sure the framework is still effective and the business can demonstrate its compliance to the regulatory framework and its appetite and objectives. It helps catch issues early, before they “burn” or for the sauce to curdle.
5. Presentation (Reporting & Audit) Even the tastiest meal needs to look appetising. Your reporting and audit trail present your compliance efforts clearly, demonstrating your compliance with the desired regulatory and business outcomes and your competence to regulators, stakeholders, and auditors.
The secret ingredient?Culture Without a shared commitment to doing the right thing — backed by the right resources, experience, and mindset, even the best-designed framework will fall flat. Culture binds it all together
If you’d like to chat about how to get the right ingredients or refine your recipe to make it more palatable for the Stakeholders and Regulator, feel free to reach out: sara@tspgsy.com and please have a look at our website https://technicalspecialistpartners.com/ and see what our menu can offer you.
In today’s fast-paced regulatory environment, Guernsey financial institutions must ensure they are not only compliant but also adaptive to ever-evolving domestic and international standards. The Guernsey Financial Services Commission (GFSC)Handbook provides a critical framework for ensuring Guernsey financial institutions uphold the highest standards of governance when countering financial crime, countering the financing of terrorism, and countering the Financing of Proliferation (CFC,CTF,CPF or Financial Crime) when undertaking their business activities. One of the most crucial sections, Chapter 8, delves into enhanced customer due diligence (ECDD) measures required for high-risk business relationships and situations. This blog will explore these ECDD measures and how organisations can align their operations and compliance frameworks with the Guernsey regulatory expectations set out in Chapter 8 of the GFSC Handbook.
Understanding the GFSC Handbook: A Regulatory Pillar
The GFSC Handbook is a guiding document that helps regulated entities in Guernsey comply with legislative and regulatory requirements, specifically around CFC, CTF, CPF and operational soundness to prevent and detect financial crime. By addressing both international and local standards, the Handbook covers areas such as:
Corporate governance
Risk management
Due diligence
Customer relationships
Transaction monitoring
However, when dealing with high-risk scenarios, standard measures are often insufficient. Chapter 8 is designed to mitigate risk in such situations through ECDD, enhanced monitoring, and enhanced reporting requirements to provide for effective corporate governance.
The Importance of Chapter 8: Enhanced Measures for High-Risk Situations
Chapter 8 of the GFSC Handbook specifically addresses scenarios where standard due diligence may not suffice to adequately mitigate risks of high risk business relationships. In such situations, Guernsey financial institutions and their directors and controllers are expected to employ ECDD measures to ensure robust risk management. These high-risk situations may arise from the following:
High-risk customers: Individuals or entities from jurisdictions with weaker CFC, CTF, CPF frameworks or with susceptibility to financing of terrorism or proliferation activities, politically exposed persons (PEPs), or clients involved in industries with higher susceptibility to financial crime.
Complex or unusual transactions: Large transactions that are inconsistent with the customer’s known profile or operations, or where the source of funds or rationale for the transaction is unclear.
Higher-risk products and services: Financial services that pose higher risks, such as correspondent banking, nominee services, and some services involving virtual assets.
Enhanced Customer Due Diligence (ECDD)
One of the critical components of Chapter 8 is ECDD, which goes beyond standard customer identification and verification processes. ECDD measures may include:
Additional documentation: Guernsey Financial institutions must collect more extensive documentation to verify the customer’s identity, business activities and rationale, and the source of their funds and wealth of their beneficial owners .
More in-depth investigations: Guernsey Financial institutions are required to dig deeper into a client’s background, including reviewing ownership structures, past transactions, and financial history (source of wealth and source of funds).
Regular updates: Ongoing due diligence must be performed more frequently, ensuring that any changes to the customer’s profile are promptly captured, investigated, and where required that documentation is obtained to confirm the continued legitimacy of the business relationship.
Key Requirements under Chapter 8 of the GFSC Handbook
To successfully implement Chapter 8, Guernsey Financial institutions need to address several critical areas:
Customer Due Diligence (CDD) and understanding and documenting the rationale of the business relationship and its components.
Under Chapter 8, financial institutions must enhance their CDD and while documenting and clearing demonstration the rationale and purpose of the business relationship. This includes verifying the identity of beneficial owners, understanding the nature and purpose of business relationships, and ensuring continuous monitoring. For high-risk customers, ECDD measures require more rigorous background checks, additional verification, a deeper understanding of the client’s source of wealth and funds, and ensuring that it the take on and continuation of the business relationship is signed off by a higher level of authority and oversight.
Transaction Monitoring and Risk Profiling
Guernsey Financial institutions must implement more extensive and frequent transaction monitoring for high-risk clients. Chapter 8 mandates continuous monitoring of business relationships to detect suspicious activities promptly. This includes having lower thresholds for transaction monitoring, greater scrutiny and documentation of transactions, activity undertaken, and their rationale, to flag unusual patterns or irregular transactions that might indicate money laundering, terrorist financing or proliferation activity.
Source of Funds and Wealth Verification, Documentation and Monitoring
Enhanced measures under Chapter 8 place significant emphasis on identifying and verifying the source of funds and wealth and holding up to date documentation on this area. This goes beyond just knowing where the money comes from; Guernsey Financial institutions need to understand how the funds were acquired, the activities that generated them, and ensure they are legitimate. For example, funds coming from high-risk jurisdictions for terrorism or industries require additional scrutiny to prevent bribery and corruption, or activities that may be linked to proliferation activities.
Enhanced Monitoring and Reporting
Monitoring business relationships is a continuous process of both day-to-day review of the transactions and verification subjects and more frequent periodic reviews of the business relationship, especially for high-risk clients. Chapter 8 requires Guernsey financial institutions to apply more scrutiny to transactions for high risk business relationships and escalate suspicious activities to the Money Laundering Reporting Officer and where necessary to the authorities, such as the Financial Intelligence Unit, or for sanctionsto the Guernsey Policy Council . Guernsey Financial Institutions must ensure they have robust internal mechanisms to report suspicious transactions regardless of monetary value, or sanctions while maintaining comprehensive documentation to support their findings.
Risk-Based Approach
Chapter 8 promotes a risk-based approach, where enhanced measures are applied based on the level of risk posed by the customer, transaction, service or product provider and any higher risk area identified. Institutions must create internal policies and procedures that reflect this principle, ensuring flexibility in responding to varying levels and types of risk.
Implementing ECDD Measures: Best Practices
To successfully align with Chapter 8 and the broader GFSC Handbook requirements, organizations should consider the following best practices:
Comprehensive Risk Assessment: Conduct regular risk assessments to identify customers, products, and services that pose higher risks. This will help prioritize where ECDD measures are necessary.
Training and Awareness: Ensure that staff at all levels are trained to recognize high-risk scenarios and know when to apply ECDD measures and what ECDD measures are required.
Technological Integration: Utilize advanced technology such as automated sanction screening and transaction monitoring, to flag suspicious activity, and conduct more thorough and continuaous due diligence.
Documentation and Record-Keeping: Hold and maintain detailed records of all due diligence processes, transactions, and enhanced measures taken. This is crucial for regulatory reporting and audits.
Regular Reviews and Updates: Chapter 8 requires ongoing monitoring and re-assessment of business relationships inclusive of the verification subjects, so Guernsey financial institutions should regularly review their procedures, especially when regulatory changes occur or there are changes to the business plan and sphere of operation.
Conclusion: Staying Ahead of Compliance Obligations
Complying with Chapter 8 of the GFSC Handbook requires a proactive and well-structured approach by the Directors and relevant senior employees in managing high-risk scenarios. Guernsey financial institutions must be vigilant in applying enhanced customer due diligence, monitoring, and reporting, ensuring that all procedures meet the stringent regulatory requirements of the GFSC. By adopting best practices, leveraging technology, and promoting a culture of compliance, Guernsey financial institutions can better manage higher risks and maintain a strong relationship with regulators and stake holders in the Guernsey regualtory framework.
Staying compliant isn’t just about ticking boxes—it’s about detailing the approach to risk, applying the measures and documenting their effectiveness in protecting the local and international financial system from abuse in order to safeguard the reputation of your business and third-parties that provide services to you and your clients.
By carefully and proactively integrating the ECDD measures detailed in Chapter 8 of the Handbook, Guernsey financial institutions can navigate the financial crime risks posed successfully, maintain compliance with GFSC rules and regulations, reporting requirements, and better protect themselves from investigations, enforcement actions and financial crime while providing products and services to those business relationships and persons who are high risk.
Stay ahead of the curve—ensure your compliance regarding Enhanced Due Diligence and high risk business relationships are up to date!
Join us at Technical Specialist Partners in fostering a culture of integrity and accountability by contacting us at hello@technicalspecialistpartners.com to discuss your requirements and the services that we can provide. Together we can build a compliant and ethical work place.
The Guernsey Financial Services Handbook for Countering Financial Crime, Countering Terrorist Financing and Countering Proliferation Financing (GFSC Handbook or Handbook) sets forth comprehensive guidelines on how Guernsey financial institutions should address Source of wealth (SoW) and (SoF) as part of their customer due diligence (CDD) and enhanced due diligence (EDD) processes. These requirements are particularly stringent when dealing with high or higher-risk customers or complex transactions. Some of the key aspects include:
Collection of Information
Guernsey financial institutions must collect sufficient information about the client’s SoW and SoF to properly assess the legitimacy of their customers financial activities and rationale for the use of the Bailiwick. As detailed in the GFSC Handbook this may involve:
Verifying employment income through pay slips, tax returns, or employer references confirming salary.
Confirming inheritance via probate or legal documentation.
Assessing investment income by reviewing dividend statements, property sales records, or portfolio valuations.
The Handbook stresses that for high-risk customers, Guernsey financial institutions must obtain more granular detail to fully understand the journey to and/or origin of wealth and funds of the person and/or business relationship.
Verification of Information
It is not enough to simply collect SoW and SoF information—institutions must also verify and document it! Verification can include independent checks through public databases, third-party documentation, and government records and the generation of a SoW and SoF memo or document comprising these information sources.
The GFSC Handbook and the Thematic Review provide a clear roadmap for Guernsey Financial institutions to manage risks related to SoW and SoF effectively. By following these guidelines, institutions can enhance their Countering Financial Crime, Countering Terrorist Financing and Countering Proliferation Financing (CFC,CTF,CPF) frameworks, protect their reputations, their third party suppliers and ensure good corporate governance while meeting domestic and internal regulatory obligations and requirements.
For higher and high-risk business relationships and scenarios, additional layers of verification are required, often involving more detailed documentation, such as bank statements, legal contracts, or public filings.
Ongoing Monitoring
SoW and SoF checks are not a one-off exercise. Institutions are required to monitor the source of wealth and funds on an ongoing basis, particularly when dealing with politically exposed persons (PEPs), high-net-worth individuals, or clients from jurisdictions with weaker CFC,CTF,CPF frameworks. If any red flags arise, institutions must investigate further and escalate the matter internally to their Money Laundering Reporting Officer (MLRO) who may externalise a report to the relevant authorities if necessary.
Record Keeping
Maintaining thorough records of all SoW and SoF inquiries, documentation, and verification processes is mandatory. These records are essential for audit trails and for satisfying GFSC’s requirements during compliance reviews or in the event of an on-site regulatory visit, thematic reviews, request for information from a regulatory or law enforcement authority and when making disclosures to the Guernsey FIU.
Insights from the Thematic Review: A Focus on Private Wealth Management
The Thematic Review conducted by the GFSC on Source of Funds and Source of Wealth in the private wealth management sector highlights several critical findings and areas for improvement within the Guernsey financial industry. This review provides deeper insight into how Guernsey financial institutions can bolster their compliance with SoW and SoF requirements.
Key Findings:
Insufficient Depth in SoW/SoF Information: The Thematic Review found that many institutions were not gathering enough detailed information on SoW and SoF, particularly for high-risk clients. A common issue was reliance on customer declarations without independent verification. The GFSC expects institutions to dig deeper, especially when there are signs of complexity or higher risk within a business relationship or transaction.
Lack of Independent Verification: While most institutions collected some form of SoW and SoF data, verification was often lacking. The GFSC stresses that for high-net-worth individuals, high-risk clients or clients with complex wealth structures, institutions must take extra steps to verify the authenticity of their SoW and SoF.
Inconsistent Risk-Based Approach: Many institutions had policies in place but did not apply them appropriately or consistently, particularly in identifying and managing higher and high-risk scenarios. The GFSC noted that this inconsistency poses a significant risk to effective of a Guernsey financial institutions CFC, CTF, CPF controls and the wider compliance with the Handbook’s corporate governance requirements.
Best Practices for Strengthening SoW and SoF Compliance
To better align with the GFSC’s expectations and the findings of the Thematic Review, Guernsey financial institutions should adopt the following best practices:
Implement a Robust Risk-Based Approach
A risk-based approach to SoW and SoF inquiries ensures that the level of investigation and verification matches the customer’s risk profile. High-risk clients, such as PEPs, those in or conducting transactions with high risk jurisdictions, or those involved in complex financial arrangements, should undergo enhanced due diligence (EDD), which includes more thorough SoW and SoF checks.
Increase Depth of Information Collection
Institutions must ensure that they gather comprehensive information about the client’s SoW and SoF. This includes not only basic facts but also deeper context, such as the history of wealth accumulation and the specific details behind large transactions.
Utilize Independent Sources for Verification
To avoid over-reliance on customer-provided information, institutions should use independent and reliable sources to verify SoW and SoF. This may involve using public records, financial databases, or independent experts.
Enhance Staff Training and Awareness
Staff at all levels should be trained to understand the importance of SoW and SoF checks, and how to conduct these inquiries effectively. Training should also cover the red flags to watch for potentially risky transactions or clients that may trigger a suspicion to the MLRO.
Ongoing Monitoring and Review
Regular reviews and continuous monitoring of client profiles and their transactions are vital. Institutions must be prepared to escalate any concerns about SoW or SoF to their MLRO , ensuring that these concerns are investigated and, if necessary, reported to the Guernsey FIU.
Conclusion: Ensuring Compliance and Mitigating Risk
Ensuring compliance with SoW and SoF requirements not only helps in meeting regulatory expectations but also plays a key role in maintaining the integrity of the Bailiwick and the global financial system.
For Guernsey financial institutions and those international firms wishing to set up in the Bailiwick, the message is clear: robust, well-documented, and verified SoW and SoF processes are critical for reducing exposure to financial crime risks and ensuring long-term success in the Guernsey Financial Sector for your business.
You can access the GFSC’s full Thematic Review on Source of Funds and Source of Wealth in the Private Wealth Management sector here .
Stay ahead of the curve—ensure your compliance is up to date! Join us at Technical Specialist Partners in fostering a culture of integrity and accountability by contacting us at hello@technicalspecialistpartners.com to discuss your requirements and the services that we can provide. Together we can build a compliant and ethical work place. website link
I am still wild at heart, surfing, kayaking, and diving sometimes to extremes here on the Island. Every time I go into the water there is risk but also reward. The risks I face will vary on the day and the activity. While the rewards I will gain range from deep relaxation to extreme adrenaline rushes and highs. Each journey into the great blue needs differing skills, preparation and an appreciation of circumstances within myself and outside in the environment to ensure that the risks are managed and mitigated. It is more than just turning up to the coast with cool gear, superficially ticking the box of safety, but ensuring that I have the right flow of information, the tools, and skills to stay within my risk appetite and avoid injury or more. In a fluid environment to extract the maximum I must ensure that the information provided from external and internal sources is processed, considered and acted on to ensure safety.
The Guernsey Framework has brought in the requirement that firms must assess their business of risks related to money laundering, terrorist financing. Alongside the recent focus on assessing the proliferation financing risks posed by the products and services that they provide to their customers. This allows the level of risk that a business may face to be ascertained and for the board to then ensure that their policies, procedures, controls and the resources required are suitable and sufficient and remain within their risk appetite. A firm’s BRA must also look at the intrinsic risks of the firm as well as the external risks of the environment, which must be reviewed regularly or at least annually. Allowing the board to take due consideration of these changes, the level of risk that may have changed to their own risk appetite, and to ensure that risks continue to be managed and mitigated. Preventing the business from being subjected to financial crime.
The Guernsey regulatory framework sets out the areas that the board should be considering regularly, with suggested and meaningful questions to be considered, alongside a requirement that the board should consider other factors that are present in the business but not necessarily suggested in the framework. These questions or factors will change at different rates to the socio-political environment, the risk of the customers engaged by the business, and resources at hand to manage and mitigate the risks. The board needs to have up-to-date management information on the levels of risk of customers, the resources present, and the current and immediate future requirements. Allowing them to assess the risks and consider the suitability of its policies, procedures, and controls to protect the business and Guernsey.
The issue becomes where the BRA is treated as a document used to meet the regulatory requirements. Shown through the demonstration of ticking the box of what is believed to be expected in the regulations, an ornament to be brought out, dusted off annually before being put back into its box. The failure to ensure that the BRA remains suitable and sufficient, with up-to-date management information being presented to the board regularly on the risks posed internally and externally inclusive of resources and financial crime issues faced by the firm. Which leads to mis-informed decisions and the higher potential of the failure of policies procedures and controls to prevent financial crime and regulatory intervention.
It has always appeared odd to me that businesses require monthly management accounts to assess and control their business to its aims and objectives, but that financial crime risk is not considered in the same way. By ensuring that the financial risks are monitored with the resources required to manage and mitigate them a board is the best place to control the businesses exposure to risk, allow resources to be placed to risk, and allow early intervention to protect and preserve their business.
The BRA is much more than a superficial document that shows compliance with the requirements, being instead a tool to allow board consideration of risks faced and posed on a regular on-going basis to ensure appropriate management and mitigation. Allowing the board to ensure that resources are put to risks where required and that the direction of the business can be helmed effectively, they are able to handle the financial crime and regulatory squalls, overfalls, and rip currents that undoubtedly will be faced by the business. The BRA won’t stop financial crime but with up-to-date internal and external management information will assist the Business in reacting to risks, real or posed, take effective action by having the necessary resources, experience and skills to survive a storm and ensure the safety of the business by the minimisation of those risks.
Therefore, much like constant reviewing of conditions and potential risks and rewards when partaking in surf kayaking, firms must continually review and follow the due processes to manage and mitigate financial crime risks, protect the business endeavours and key stakeholders.
Guernsey has an amazing regulatory framework which has become quite a selling point with financial service businesses offering their products and services and those financial service businesses wanting to come and have operations here. Some will utilise outsource compliance professionals to assist them with the cost of set up, on-going costs, ensuring their business can have knowledgeable and professional persons on-board while it establishes and grows its presence and offerings. Even established firms may need extra compliance support in their business to be able to ensure that they can at all times remain compliant with the Guernsey regulatory framework or ensure that remediation is appropriate and effective.
In the last year the use of outsource compliance professionals has come to the forefront of the regulatory radar, instances of their failure having been identified as contributing to businesses failing to adhere to the regulatory framework. There have been numerous communications from the Commission to the industry on the issues surrounding the requirements for utilising an outsourced compliance professional and failures where this has not been met, showing that the Commission are treating this seriously.
At the end of the day the responsibility for compliance to the regulatory framework is laid firmly at the feet of the Board and they are the first point of call when failings or regulatory deficiencies are identified by the Commission. The need to ensure a Licensee is meeting the regulatory requirements forms at the most basic level with the minimum criteria of licensing as well as being mentioned throughout the regulations, codes instructions, and guidance issued by the Commission.
So what needs to be considered by Boards? Here are some questions to be asked but at all times refer to the legislation regulations, rules,instruction and codes that pertain to your business and licence.
Prior to any engagement consider these points.
You wouldn’t employ anyone to undertake the role in a full-time capacity so why would you chose anyone to do your outsource function?
Prior to any engagement do your due diligence on the outsource company/ person, the person who will be your appointed compliance representative and the people who will be doing the work. At the very minimum the person who will be undertaking the work needs to be suitably qualified and knowledgeable of the area your business operates in and the regulatory rules that pertain to your licence. You will need to ensure that you can evidence that they have been appropriately screened as you will be expected to have been as diligent with your provider as with your own staff!
You wouldn’t employ anyone who doesn’t have the time for your business?
Prior to any engagement you need to work out how much time will be required. This will change from the role that compliance professional will undertake, as an example an outsourced MLRO will have different time requirements to a compliance professional assisting with licensing.
When you actually look at it, if you have a compliance professional for two hours a week it would take them eighteen weeks to achieve one thirty-six hour working week in your business! Obviously cost is a major factor in this assessment and knowledge and experience never come cheap. The time any compliance professional spends on your business must be commensurate to the size, complexity and nature of your business and the role undertaken.
You need to be aware that a compliance professional will also be working for other firms, there is obviously a risk regarding resources. If their clients require more time or the outsource provider or person undertaking the role has issues with resources will you be affected? You need to ensure that there are controls in place or a plan B to mitigate these risk.
You wouldn’t have any old agreement?
You need to ensure that the outsource agreement meets the requirement of the Guernsey regulatory framework and is legally binding. The Board cannot discharge its responsibilities only delegate the work, it is often a good idea to have a Guernsey Advocate firm look over any agreement, especially if the Board are not familiar with Guernsey Law or this area.
During any engagement consider these points.
You wouldn’t want to be assessed by any old criteria, what criteria is the business or business area being assessed to?
Again this depends on the role you are utilising the outsourced compliance professional for, but you need to know how they are monitoring you and to what standard. The Board must make sure that it can evidence and satisfy itself and the Commission that the Guernsey regulatory framework requirements have been met.
You wouldn’t want any report, do the reports provided give the full picture of the work being undertaken?
The reports that are provided to the Board must be meaningful and contain accurate management information. This allow the Board to see the whole picture of their business or the area that the outsourced provided has been contracted to service and assess the level of compliance to the regulatory framework. If areas or remediation work have been identified are the Board kept appropriately up to date?
You wouldn’t want to keep on anyone who isn’t performing, is the outsource provider performing to the required standards?
Throughout any engagement the Board must consistently monitor and evidence its monitoring of the outsource provider and/or those undertaking the work for the Licensee. Is the Board satisfied with the work undertaken, is the monitoring of the business meeting the requirements of the Guernsey regulatory framework, has the business changed in its complexity, nature or size and is the person doing the role still suitable?
The most important aspect to any outsource relationship is that you have the right person/firm, they add something to your business, provide you with the accurate management information, they get on with you and are honest to you regarding their business and yours. By hopefully considering and evidencing these requirements a Board will be able to show that they have acted to ensure that their business meets the requirements of the Guernsey regulatory framework. In the unfortunate case where things have not worked out the Board will be able to evidence that they were aware of the issues at the earliest opportunity and have acted to mitigate any non-compliance and remediate the situation.
My weekends are spent reviewing overarching risk assessments and analysing specific risk assessments as well as undertaking the compliance review of policies and procedures, finishing with the review of performance of the systems and controls. I am not taking work home with me nor am I moon-lighting or taking on further roles, I am though a qualified Diver and a qualified Solo Diver.
Diving can be a high risk pursuit and can lead to death even at shallow depths. My joy and passion is to go deep, exploring wrecks and reefs of the Channel Islands below 30 meters or 100ft and seeing the beauty and fragility of the alien world below illuminated in beautiful colours with its abundance of life. The chance of swimming to the surface and surviving without any injury after a total gear failure or panic attack are slim at best, at these depths. The choices I make are calculated and risks are mitigated using similar principles that a Financial Services Business (“FSB”) would utilise.
I start every dive season off with an overarching risk assessment, looking at the risk I am prepared to take, what I want to achieve and the factors affect me. This is not overly different to the Anti-Money Laundering and Combatting Terrorist Financing (“AML/CTF”) Business Risk Assessment for any FSB in Guernsey. My overarching risk assessment is where I look at what I want to achieve and the risks that I am prepared to take in essence what my risk appetite is, and it does vary year to year.
For a FSB the AML/CTF Business Risk Assessment looks at the risks posed by its products and services and its customers. In my case these translate to the types of diving I want to engage in, my planning and who I dive with. My mitigation of the risks faced would be my diving gear and its set up and my overall health to make the dive.
I then put into action a monitoring programme taking into account my overarching risk assessment. A full review of my diving gear is essential as is my fitness, this will involve servicing both gear, body and mind and reviewing them on a periodic basis. This is similar to the provision of management information to the Directors of a FSB. They require to know the state of health of their policies, procedures, systems and controls, to ensure that they are maintained and remain in good condition and fit for purpose in order to mitigate the risks their business face. Knowing that my gear is in good condition and works is essential for whatever dive I do while the health of my body and mind will dictate the dive that can be undertaken safely. Resources must be put to where areas of concern are noted to ensure that the potential for errors or incidents are reduced to a minimum.
Then it all comes down to the day, where I undertake a specific risk assessment of myself, the conditions, the type of dive to be undertaken and who I am diving with or if I am going solo. In a sense this is similar to the customer risk assessment that FSB’s undertake for each customer, in order to identify the risk they pose to the FSB and whether the risks are acceptable.
FSB’s by appreciating the risk posed and faced by the customer can decide whether they are prepared to engage in a business relationship with a customer. In some cases when I have dived I have been satisfied with the risk I face and have dived but I have also be known to decide that the risks are too high or that my systems and controls are not up to the task and have declined the dive or undertaken an easier dive. I always work on the idea that it is better to be on the surface wishing you were diving then being in trouble under the water away from help and wishing you were on the surface.
Due to the higher risks I take my systems and controls are tailored to me and include as a minimum two independent air cylinders. I implement my systems and controls by dividing my body in to two halves, one side has computers connected to one cylinder and the other side has old-fashioned gauges connect to my other cylinder, the idea being that should one side fail I can rely on the other as back up. It also means I can monitor the performance of my systems and controls effectively ensuring that any false readings or dangerous situations are detected early and evasive action taken.
The last thing I do after every dive is to review my systems and controls obtaining data from my computers, analysing this to ensure my policies and procedures remain fit for purpose. I then assess my overarching risk assessment making changes if required. This has similarities to the quarterly and annual reviews that are done by management and Directors of a FSB to ensure that their businesses are meeting the regulatory framework and mitigating the risks that they face, in essence it’s just good corporate governance.
Things do go wrong and no matter how good your policies, procedures, systems and controls are. I have been in situations where I have had to shut down one side of my systems and controls due to sudden failure of a hose or regulator as well as having to rely on my old-fashioned gauges, watch and mental arithmetic when my computer has failed. It does not come down to luck that I am here writing this but that my risk assessments and planning have taken these situations into account. My compliance monitoring has reduced these incidents and malfunctions to a minimum and I have put resources to the risks I face ensuring I am suitable trained and able to deal with incidents of this nature.
FSB’s that have a good corporate governance culture, a suitable compliance framework and a compliance monitoring programme that meets their needs and provides the required management information effectively, have in general survived the financial crisis and have adapted to business and regulatory changes with ease. Where issues have surfaced they have been able to deal with them effectively and/or report at the earliest opportunity where required to the regulatory authorities or Financial Intelligence Unit.
The Jersey Financial Services Commission (“JFSC”) has recently published its 2013 on-site regulatory examination findings in respect of Fiduciary business conducted in Jersey. These findings are pertinent to any financial service business, Compliance Officer and Money Laundering Reporting Officer (“MLRO”) in ensuring that they are adhering to the Guernsey regulatory framework. I believe that key points from the examination findings are as follows:
Evaluation of Suspicious Activity Report’s (“SAR’s”) and reporting to the Financial Intelligence Unit (“FIU”):
Delays in the acknowledgement of receipt of an internal SAR to the person disclosing.
Lack of detailed investigation by the MLRO to support the decision made.
Follow-up action resulting from internal reports not being undertaken or no evidence of follow-up action were noted.
Lack of autonomy by an MLRO and the decision to report to the FIU being made by Board rather than the MLRO.
Internal reports not being recorded accurately and being overlooked by the MLRO leading to late reporting to the FIU.
Corporate Governance:
Board discussions not being fully documented in some instances.
Concerns were identified in respect of the Board interaction, reporting lines and the functions of delegated risk committees of cross-divisional functions of a business.
Term’s of reference for delegated functions of the Board not being in place.
Business Risk Assessment (”BRA”) and Strategy:
Lacking details of the consideration of the following areas;
Organisational factors;
Jurisdiction of customers;
Underlying activities of Customers, including Politically Exposed Person risk;
Products and services specific to the business (third parties);
Delivery of those products and services;
Outsourcing risk to other branches or third parties and;
Not separating its BRA assessment from that of the Manager.
Conflicts of Interest:
No documented consideration of potential Conflicts of Interest where multiple licences are held and products are provided to customers who are common to both licenses.
Consideration and documentation of wider Conflicts of Interests, such as the investment in to customer structures by a Director.
Consideration of the risk where a significant shareholder of the business introduces customers.
Non-Executive Directors maintaining a direct relationship with a customer.
Conflicting roles of Compliance Officers the anti-money laundering function where the individuals also held a primary customer facing role.
Consideration of the impact of close staff relationships particularly at a senior level e.g. husband and wife.
Policies and procedures for declaring and monitoring were identified.
Compliance Function:
Inconsistent attendance at Board meetings by the Compliance Officer.
No separate reports in respect of Compliance and the anti-money laundering and combatting terrorist financing (“AML/CTF”) function.
Reports not containing the following;
Regulatory updates;
Progress of compliance monitoring;
Updated position on compliance registers, and;
Information on periodic reviews and accounting records.
In some cases there was a lack of documenting of matters brought to the attention of the Board.
Compliance Resourcing:
Back logs in periodic review cycle.
Delays in compliance monitoring
Not undertaking action in respect of regulatory updates.
Out of date policies and procedures
Ongoing projects and remedial work not completed.
Concerns in respect of the investigation and determination of SAR’s.
Meeting the day-to-day requirements of the compliance role, where the Compliance Officer or MLRO held other roles within the business.
Compliance Monitoring:
Compliance Monitoring Programme’s (“CMP’s”) task orientated rather than a schedule of testing of the operational procedures.
CMP’s not being seen or approved by the Board.
Ineffective reporting of the progress or completion of the CMP and of the remediation of compliance findings.
Compliance testing of the areas of the business lacking in detail.
Ineffective mapping of the business to the regulatory framework.
Business Acceptance Systems and Controls:
Procedures not being specific regarding the prescribed due diligence required for higher risk customers and business relationships.
Undertaking transactions prior to the acceptance of the customer by the Business.
The delay of obtaining verification documents and undertaking risk rating prior to the undertaking of customer transactions.
Customer Risk Management Systems and Controls:
Customer risk assessments not capturing fully the risks associated with customers or as detailed by the regulatory framework.
Customer risk assessment not capturing the risks identified by the business in the BRA.
Customer risk assessments not taking into account adverse information identified on the customer.
Weighting scores for risks not being appropriate to elevate overall the risk to high where required.
Lack of guidance to assist staff in the completion of the customer risk profile.
Customer Profile
Vague customer profiles not capturing the expected pattern and frequency of expected transactions.
Customer information held in various places rather than centrally.
Where the rationale for the business relationship was recorded as tax planning or mitigation, Licensee’s did not hold the relevant tax advice.
Politically Exposed Persons:
PEP’s being declassified contrary to the regulatory framework.
Immediate family members and close associates not being designated as PEP’s
In conclusion Licensees and the Boards must ensure that they have up to date compliance procedures, their functions are staffed and resourced appropriately and ensuring that they have suitable and sufficient management information for their compliance status being provided in a timely manner to them. The role of the MLRO is coming more into focus with Regulators especially its assessment by the Board. The MLRO function needs to be adequately resourced with a suitable and autonomous person, it is my opinion that this role will become more of a focus of regulatory visits and evidence of its review and suitability will required to be documented. I would always advise that a separate compliance report and MLRO report is provided to the Board to ensure that matters are easily identifiable to the Board. Conflicts of interest must be recorded and the risks assessed appropriately. The BRA must take into account the risks that customers pose to the business and also the AML/CTF risks detailed by the regulatory framework and where they are not applicable they should be noted as such. What I believe is the most important finding to come out is, ensuring customer risk assessments and profiles are detailed and maintained ensuring that all risks are covered in the BRA. I would advise that you assess your business to these findings and if any matters are found a remedial programme is put in place and signed off by the Board ensuring appropriate timescales and reporting is in place.
One of the great things about compliance is that you get to assist licensees in creating and maintaining a suitable compliance framework. It is not just about meeting the regulatory requirements, part of the role is to also make a compliance framework that is suitable to also achieve the aims and objectives of the licensee’s business. I have worked as a compliance consultant, compliance officer and MLRO in the Regulated, Prescribed and Registered sectors of our financial services industry and each Licensee I worked for or provided advice to, was unique in its aims and objectives as were their products and services. For a Licensee to be successful in their business, aims and objectives as well as adherence to regulatory requirements, make up a bespoke compliance solution.
We are in an ever-changing business and regulatory climate, it’s not just the rules and the regulations that are changing but the approach the Commission takes in its supervision to Licensees. This leads to a real business problem for Directors in ensuring that their business meets the requirements and expectations of the Commission as well having to meet its own business aims and objectives. Compliance professionals can assist Licensees through their greater exposure to changes in industry practice and their exposure to the Commission and an understanding of the current supervision expectations. It’s really a no brainer having a compliance professional on tap and this will take away the worry of ensuring you are meeting the regulatory requirements and expectations while having a compliance framework that meets the aims and objectives of your business, or is it?
Having worked in many sectors of our financial services industry undertaking various roles to do with regulatory compliance and anti-money laundering and countering financing of terrorism does not mean that I am the font of all practical or theoretical knowledge in this area to be paid homage to and worshipped, I can assure you all I am not always right! Like everyone I am strong in some areas, adequate in others, and weak in a few (well maybe one or two). I always ensure that anything I undertake is something I can do well, and I believe it is refreshing to Directors when I turn round and tell them that what they are asking is out of my remit and refer them to compliance professional’s or experts who is more suitable. It is what compliance professionals and experts are there to provide isn’t it?
For compliance professionals contracts are their bread and butter. This can lead them to grab everything that comes their way, with potentially their financial security coming at the expense of the quality of service and relations with a Licensee. There is also the potential to obtain contracts for the financial security of the compliance professional rather than the financial best interest of the Licensee, leading to conflicts of interests. I have previously advised Licensees to keep projects in-house due to the cost involved and more importantly that they were actually best placed to do the work themselves. It was great to be contacted later to be advised by the Licensee that they had decided that they were actually best placed to do the work and offered me a smaller contract which they did not have the expertise to undertake on their own. Honesty means that Licensees will come back to you and also recommend your services, trust is a currency of the highest value.
Part of any compliance professional’s work is in writing and producing compliance documents and programmes to facilitate the Licensee’s compliance framework. It is all too easy for Licensees, who do not have the necessary compliance expertise in this area to unknowingly engage and pay for an all singing all dancing document that meets the regulatory requirements and some more, but won’t easily facilitate the achievement of the businesses aims and objectives. I once assisted a Licensee on review of the suitability of their compliance procedures that had been previously provided by a compliance professional. Their manual was at a very high level having a multitude of committees and quangos written into their procedures that would not be out-of-place in a global financial institution but totally unworkable for a firm that employed less than ten people locally and had a Board of six directors (inclusive of two employees). Though this document showed the theoretical prowess of the previous consultant, the manual was unworkable for the Licensee’s business and showed a lack of understanding of the regulatory framework. The Licensee had abandoned trying to follow the draconian requirements of this manual and had instead reverted to good industry practice, leading to the corporate governance headache of not following their own procedures. In this case the Licensee ended up paying twice to ensure that they had a suitable compliance procedures for their business.
Unfortunately there are compliance professionals out there who take on business they can’t service or do not have the expertise to manage effectively and/or facilitate adequately. There are compliance professionals who gold plate policies and procedures to impress their knowledge on the Licensee and obviously fail by not tailoring the policies and procedures to the business, leading to further costs being incurred by the Licensee. Unfortunately some compliance professionals negatively portray the Commission as a Vlad the Impaler archetype to scare Licensees into taking on unnecessary work due to potential misunderstanding of the rules or regulations or work the licensee would be best place to undertake themselves.
What can a Licensee do to minimise getting something that they do not require and ensure that they get the service they have paid for? It is all about doing your due diligence and I believe that the following points will be able to help a licensee.
Understand what knowledge and qualifications a compliance professional has. They should be able to provide qualifications and a resume.
Get references or speak to previous customers of the compliance professional to get a feel of the suitability of the compliance consultant. The benefits of Guernsey is that it is quite easy to find out about people.
Talk to the compliance professional get a feel of their experience and knowledge, are they just about enhancing themselves, are they financially independent and are they interested in actually providing something that will enhance your business.
Is the compliance professional informing you as to potential or actual the regulatory issues or are they about scaring you into using their service.
Has the compliance professional got the capability and capacity? If it’s a firm is the actual person that will be undertaking work for you qualified, suitable and have the time?
Shop around with other compliance professional’s to see what they have to say about the work you need to be undertaken.
At the end of the day it is the Licensee and its Directors who are responsible for the suitability of their compliance framework and adherence to it, the Commission will hold them accountable for any failings regardless of who undertook the work. A compliance professional can be part of the problem if you do not do your due diligence on them or understand the needs of your business but, if you have done your research and you are aware of the requirements that you need to meet, they can definitely be part of the solution in achieving a suitable and sufficient compliance framework that meets the regulatory obligations, expectations and the business aims and objectives of the Licensee.
The current financial crisis has brought many failings to the forefront, none more so than the failings of the Corporate Governance framework in businesses. The Corporate Governance framework allows for both business objectives and ethical drivers to be incorporated into a business whilst seeking to protect both the Business, its stakeholders and investors or customers. Are failings in Corporate Governance solely as documented in the newspapers and media reports down to the Board’s greed and disregard for its stakeholders, or was the compliance framework in these businesses defunct by opaque reporting by key functions?
We have been lucky in Guernsey to have been insulated from the crisis at large, but I know from experience and we all know from the Commissions industry presentations that Corporate Governance is a key regulatory theme that will be assessed on their regulatory visits to licensees, to assess the risk and reward culture of a business and assist in mitigating these risks successfully. While it has been acknowledged by the Commission that they believe that this is a healthy area, could there be licensees that have put together a good document but the statements made by them do not resemble their Business or their Business’s current prudential business plan or their current regulatory compliance status?
What must be remembered is that any Corporate Governance assessment undertaken by the regulator on a licensee will look at a multitude of documents and reports that make up the core of any Board meeting, such as compliance reports, risk mitigation, internal audit as well as the business plan. These reports must be factual, clear and concise and encompass the whole status of the business in order that the directors can evidence their oversight and rationale for their understanding of the business. Theses documents and reports must all fall into the Corporate Governance assessment by the Board of the Business.
Has the Board questioned the effectiveness of its compliance framework, from the Compliance monitoring programme to the actual board reports it receives? Has the Board allowed the compliance function and other key functions to provide an independent review or are these key functions in fear of upsetting the Board and reporting only what they deem the Board should know or focus on? The importance of independent, full and factual reporting by these key functions is of the up most importance. It is vitally important that those of us who undertake these key roles provide effective reporting on all areas of the Business so that the Board can discharge their obligations successfully. We must not be in fear of providing reports that show areas that require action or gaps as by doing so we only assist the Board in becoming ineffective.
I have been privileged to have worked for and with Boards who have proactively sought to allow their key functions to independently report to them allowing the Board to successfully document and encompass their key functions in to their Corporate Governance framework. This has assisted the Business in the formulation of strategy, goals and effective work practices. For those licensees who I have assisted in remedial work in this area, though it has been hard to start off with the end result has been commented on by these Boards as being beneficial to their Business, optimising understanding and discussion on current and future business opportunities, obligations and assisting in evidencing of why certain opportunities were not followed up.
In my experience the failings in a Business’s Corporate Governance framework are down to opaque and ineffective reporting by the Business’s key functions leading to the blind following the blind. Where ineffective compliance reporting or monitoring has been identified during a regulatory visit the Board are often criticised and this is generally reported by the Commission as a failure in Corporate Governance. While the business of the Business is vital the understanding of the Board as to its current regulatory compliance is as important and cannot be underestimated. If the Board are aware of issues that require to be enhanced or remediated it can deal with them, most of the time hand in hand with fulfilling its business objectives, but to be effective the Board must have the oversight by effective reporting.
The culture of Corporate Governance must not be seen as a tick box exercise or as a regulatory obligation that serves no practical use to a business. I would advocate that a good culture need not be expensive in time or cost but rather a tool to optimise the Business for all stakeholders. As stakeholders move from being passive the need to document and show your culture of Corporate Governance becomes more of a focal point in the overall success of your Business and its cost effectiveness, and in the next few blogs I will go more in to detail on this. An effective Corporate Governance framework adds to safeguarding a business by requiring effective reporting from the key functions allowing for the dynamism and entrepreneurial spirit that has become part of our industry to be exercised by the Board in the continual development of its products and services.
There are many tools in Guernsey’s Anti-Money Laundering and Combatting Terrorist Financing framework (“AML/CTF”) that can be used to allow customers to access the financial services and products as efficiently and effectively as possible. One of the most interesting and often wrongly utilised of these tools is the intermediary route and I would like to try to de-mystify this tool for you.
An Intermediary is a Financial Service Business (“FSB”) who enters in to a business relationship with you on behalf of its client or clients. The FSB must meet the provisions as stipulated in The Handbook for Financial Services Business on Countering Financial Crime and Terrorist Financing (“the Handbook”) at chapter 6. For example the FSB must be either an Appendix C business or a wholly owned subsidiary vehicle of an Appendix C Business, a wholly owned pension trustee subsidiary vehicle of an Appendix C Business and Lawyers or Estate Agents operating in Guernsey for the purposes of purchasing Guernsey real estate, though the funds must have been received by a bank operating in an Appendix C jurisdiction or Guernsey Bank.
Not all FSB’s who are Appendix C businesses can be an Intermediary and it relates to the products and services that are sought and the type of FSB who requires these products and services, these are listed in the Handbook and chapter 6. It must be stressed for Fiduciaries that they can only be Intermediaries if they are licensed under the Regulation of Fiduciaries, Administration Businesses and Company Directors, etc. (Bailiwick of Guernsey) Law 2000.
Where you have deemed that the FSB meets the requirements of the Handbook and is an Intermediary you can obtain reduced Customer Due Diligence. The Intermediary must confirm to you in writing that it has appropriate risk grading processes to differentiate between high and low risk clients, that it has effective policies and procedure to identify and verify Politically Exposed Person’s and obtain enhanced due diligence. The Intermediary must provide you with sufficient rationale in order that you can understand the purpose and the nature of the proposed business relationship and most importantly that Intermediary will only operate the account. You must assess that the Intermediary can undertake these obligations and requirements throughout the course of the business relationship.
When assessing an intermediary relationship I believe the key is who is authorised to provide you with instructions. If it is the underlying customer or customers who can provide you with instructions you have an introducer relationship and not an intermediary relationship. Where this is the case you must cease to treat the intermediary as such and obtain the required due diligence on the underlying customer or customers.
The current framework in Guernsey does not allow for Prescribed Businesses such as Guernsey Advocates to utilise the intermediary route, is this right? Advocates when conducting or preparing for transactions generally do so for other Appendix C Law firms, who must comply with international standards in AML/CTF. The Guernsey Advocates are generally acting on instructions from an Appendix C Law firm in preparing for transactions that are occurring outside Guernsey but involve Guernsey legal bodies, such as the issue of shares for a Guernsey entity listed on the AIM market or the purchase of a property held in a Guernsey legal body. The Appendix C law firm’s customer may not even be aware that a Guernsey Advocate firm is or has been engaged to assist or prepare for the transaction. I would contend that there is an argument that this route be opened up for Advocates to allow for the efficient and cost-effective provision of legal services to the international community and assist with promoting Guernsey as a destination for business and also for the use of Guernsey legal bodies.
Technical Specialists 