Reflections of 2016

Compliance monkeyAs the sun gets lower, the evenings longer and we get closer to the end of a year I cannot help but think what a year it has been and begin to reflect.  For me personally it has been a year that has been full of hard work, assistance and resolution of problems and all this led me to the beautiful Island of Bermuda to undertake a contract for a client.  Not only a fantastic opportunity to show case my skills and knowledge but a joy to work for some fantastic people and meet old and new friends as well as to experience another regulatory culture. While I would rather be pondering the last year and this post from a pool in Bermuda instead of next to a fire on a brisk cold day, Guernsey still very much holds my heart, though Bermuda is a close second.

In looking to the challenges of the future and what the next year may hold for us is it time to reflect on the past year, the regulatory framework and what is needed to ensure that our business moves forward, prospers and continues to uphold the regulatory standards and meet future challenges, and there is no better way to do this than look back over the last year.

There have unfortunately been instances where the Guernsey Financial Services Commission (GFSC) has had to take enforcement action in 2016, never an easy decision but essential in today’s world to assist in the safeguarding and continual success of our international reputation and prosperity.  I do not think it is right to dissect these cases as these are disclosed on the GFSC website but rather look at what lessons can be learnt to avoid a repeat to our businesses and to protect the Directors and Stakeholders.

Risk, Identification and Verification

Most of these incidents reported by the Commission are in respect of Anti-Money Laundering and Counter Terrorist Financing (AML/CTF) within businesses.  That is not to say that all these incidents related to actual financial crime but rather that businesses were not meeting the standards and expectation imposed by our regulatory framework to ensure that verification documentation mitigated the risk of the Island being utilised by criminals.

The identification and verification of customers and controllers to a business relationship is a continuing matter that is reported by the GFSC.  In many cases business’s application of a “risk based approach” had failed to ensure that the due diligence and enhanced due diligence for customers and required parties to a business relationship or occasional transaction, had been obtained and met the standards required by the regulatory framework, inclusive of rules and guidance issued by the GFSC for certification and the suitability of certifiers. It must be remembered that wherever you are licensed you must meet that jurisdictions regulatory requirements as a minimum!

Monitoring and Sanctions

Periodic monitoring of customers was another area where businesses struggled.  It was found in some cases that this monitoring was not undertaken or if undertaken did not meet the regulatory requirements. It was found that risk assessments were inadequate and not reviewed as required by a business’s policy and procedures to meet the obligations of the GFSC, especially where customers had been assessed as high risk.  The review of the rationale for the business relationship and transactions undertaken was found to missing or inadequate, leading to the GFSC questioning whether appropriate and effective policies and procedures were in place inclusive of suspicious activity reporting.

The review of customers to Sanction lists was also noted as an area of concern. While this may be undertaken at the start of a relationship and periodically is it suitable just to wait for these trigger events?  Is the review of transactions subject to sanction screening to ensure that sanctioned legal persons or those entities that they control are not financed? It may be that the GFSC believe terrorist financing to be a low risk to the Bailiwick but this will do nothing to deter terrorist financiers if they find a gap in our defences.  A definite area I think the GFSC will look to assess when conducting on-site examinations and through thematic reviews in 2017, so be warned!

Corporate Governance

Corporate Governance has also come to the forefront not only in the AML/CTF area but also in more prudential assessments of a business.  In all cases enforced by the GFSC the findings go back to the corporate governance requirements of the regulatory framework with the accusation that directors failed to ensure that they acted to ensure that the business could meet the Guernsey regulatory requirements.  THE GFSC also in some cases questioned the independence and integrity of directors due to the regulatory failings identified.  Not only will this area come more to forefront with shareholder activist and the spotlight of international bodies but also from the GFSC to ensure that Directors are suitable and safeguarding Stakeholders and the business.

With the Guernsey regulatory framework changing to meet the international requirements which are evolving it is difficult for any Director to ensure that their Business remains compliant.  Businesses in this ever-changing environment are at risk of falling behind the times.  While only minor infringements of the regulatory framework may be the result, if these infringements are many, systemic and material they may require to be reported to the GFSC.  By the Board bringing these issues to the GFSC, in some cases, remediation without the threat of enforcement can be undertaken, it is after all in the GFSC interest that businesses remediate and enhance themselves to meet the regulatory framework.  It is best to be able to show and have evidence that the Board have discussed the issues affecting the business and the action to be undertaken rather than hearsay in any regulatory inquiry!

Reflections

So, reflect on this year, look at the enforcement cases to ensure that you do not fall foul of history, review your business plans and business assessments to make sure you have the policies and procedures in place to meet the regulatory framework and the requirements of the Business.  Review the Compliance function is it suitable and sufficient? Consider its independence or whether there needs to be independent oversight or outside assistance?  Does the compliance monitoring facilitate management information that is required for Directors to undertake their duties and safeguard the business and stakeholders?  Look outside of your own regulatory regime to other sectors as if something is happening in one there is a good chance that those developments will feed in to your own sector’s regulatory requirements.  Look outside to other jurisdictions as developments there may impact on the regulatory framework where you are.

If you have a last Board meeting of 2016 or even an early 2017 Board meeting set the agenda to reflect on 2016 ensuring that history does not repeat itself. If you do find that you are not in compliance, please ensure that you have the issues and remediation documented whether you consider it material or not to report to the GFSC.

Advertisements

Dear Board, don’t engage me to undertake your outsource compliance requirements until you have read this!

Compliance monkeyGuernsey has an amazing regulatory framework which has become quite a selling point with financial service businesses offering their products and services and those financial service businesses wanting to come and have operations here. Some will utilise outsource compliance professionals to assist them with the cost of set up, on-going costs,  ensuring their business can have knowledgeable and professional persons on-board while it establishes and grows its presence and offerings. Even established firms may need extra compliance support in their business to be able to ensure that they can at all times remain compliant with the Guernsey regulatory framework or ensure that remediation is appropriate and effective.

In the last year the use of outsource compliance professionals has come to the forefront of the regulatory radar, instances of their failure having been identified as contributing to businesses failing to adhere to the regulatory framework. There have been numerous communications from the Commission to the industry on the issues surrounding the requirements for utilising an outsourced compliance professional and failures where this has not been met, showing that the Commission are treating this seriously.

At the end of the day the responsibility for compliance to the regulatory framework is laid firmly at the feet of the Board and they are the first point of call when failings or regulatory deficiencies are identified by the Commission. The need to ensure a Licensee is meeting the regulatory requirements forms at the most basic level with the minimum criteria of licensing as well as being mentioned throughout the regulations, codes instructions, and guidance issued by the Commission.

So what needs to be considered by Boards? Here are some questions to be asked but at all times refer to the legislation regulations, rules,instruction and codes that pertain to your business and licence.

Prior to any engagement consider these points.

You wouldn’t employ anyone to undertake the role in a full-time capacity so why would you chose anyone to do your outsource function?

Prior to any engagement do your due diligence on the outsource company/ person, the person who will be your appointed compliance representative and the people who will be doing the work. At the very minimum the person who will be undertaking the work needs to be suitably qualified and knowledgeable of the area your business operates in and the regulatory rules that pertain to your licence.  You will need to ensure that you can evidence that they have been appropriately screened as you will be expected to have been as diligent with your provider as with your own staff!

You wouldn’t employ anyone who doesn’t have the time for your business?

Prior to any engagement you need to work out how much time will be required. This will change from the role that compliance professional will undertake, as an example an outsourced MLRO will have different time requirements to a compliance professional assisting with licensing.

When you actually look at it, if you have a compliance professional for two hours a week it would take them eighteen weeks to achieve one thirty-six hour working week in your business! Obviously cost is a major factor in this assessment and knowledge and experience never come cheap. The time any compliance professional spends on your business must be commensurate to the size, complexity and nature of your business and the role undertaken.

You need to be aware that a compliance professional will also be working for other firms, there is obviously a risk regarding resources. If their clients require more time or the outsource provider or person undertaking the role has issues with resources will you be affected? You need to ensure that there are controls in place or a plan B to mitigate these risk.

You wouldn’t have any old agreement?

You need to ensure that the outsource agreement meets the requirement of the Guernsey regulatory framework and is legally binding. The Board cannot discharge its responsibilities only delegate the work, it is often a good idea to have a Guernsey Advocate firm look over any agreement, especially if the Board are not familiar with Guernsey Law or this area.

During any engagement consider these points.

You wouldn’t want to be assessed by any old criteria, what criteria is the business or business area being assessed to?

Again this depends on the role you are utilising the outsourced compliance professional for, but you need to know how they are monitoring you and to what standard.  The Board must make sure that it can evidence and satisfy itself and the Commission that the Guernsey regulatory framework requirements have been met.

You wouldn’t want any report, do the reports provided give the full picture of the work being undertaken?

The reports that are provided to the Board must be meaningful and contain accurate management information. This allow the Board to see the whole picture of their business or the area that the outsourced provided has been contracted to service and assess the level of compliance to the regulatory framework. If areas or remediation work have been identified are the Board kept appropriately up to date?

You wouldn’t want to keep on anyone who isn’t performing, is the outsource provider performing to the required standards?

Throughout any engagement the Board must consistently monitor and evidence its monitoring of the outsource provider and/or those undertaking the work for the Licensee. Is the Board satisfied with the work undertaken, is the monitoring of the business meeting the requirements of the Guernsey regulatory framework, has the business changed in its complexity, nature or size and is the person doing the role still suitable?

The most important aspect to any outsource relationship is that you have the right person/firm, they add something to your business, provide you with the accurate management information, they get on with you and are honest to you regarding their business and yours. By hopefully considering and evidencing these requirements a Board will be able to show that they have acted to ensure that their business meets the requirements of the Guernsey regulatory framework. In the unfortunate case where things have not worked out the Board will be able to evidence that they were aware of the issues at the earliest opportunity and have acted to mitigate any non-compliance and remediate the situation.

Diving in to Compliance

Entering the waterMy weekends are spent reviewing overarching risk assessments and analysing specific risk assessments as well as undertaking the compliance review of policies and procedures, finishing with the review of performance of the systems and controls.  I am not taking work home with me nor am I moon-lighting or taking on further roles, I am though a qualified Diver and a qualified Solo Diver.

Diving can be a high risk pursuit and can lead to death even at shallow depths. My joy and passion is to go deep, exploring wrecks and reefs of the Channel Islands below 30 meters or 100ft and seeing the beauty and fragility of the alien world below illuminated in beautiful colours with its abundance of life.  The chance of swimming to the surface and surviving without any injury after a total gear failure or panic attack are slim at best, at these depths. The choices I make are calculated and risks are mitigated using similar principles that a Financial Services Business (“FSB”) would utilise.

I start every dive season off with an overarching risk assessment, looking at the risk I am prepared to take, what I want to achieve and the factors affect me. This is not overly different to the Anti-Money Laundering and Combatting Terrorist Financing (“AML/CTF”) Business Risk Assessment for any FSB in Guernsey.  My overarching risk assessment is where I look at what I want to achieve and the risks that I am prepared to take in essence what my risk appetite is, and it does vary year to year.

For a FSB the AML/CTF Business Risk Assessment looks at the risks posed by its products and services and its customers. In my case these translate to the types of diving I want to engage in, my planning and who I dive with.  My mitigation of the risks faced would be my diving gear and its set up and my overall health to make the dive.

I then put into action a monitoring programme taking into account my overarching risk assessment.  A full review of my diving gear is essential as is my fitness, this will involve servicing both gear, body and mind and reviewing them on a periodic basis.  This is similar to the provision of management information to the Directors of a FSB. They require to know the state of health of their policies, procedures, systems and controls, to ensure that they are maintained and remain in good condition and fit for purpose in order to mitigate the risks their business face. Knowing that my gear is in good condition and works is essential for whatever dive I do while the health of my body and mind will dictate the dive that can be undertaken safely. Resources must be put to where areas of concern are noted to ensure that the potential for errors or incidents are reduced to a minimum.

drift drivingThen it all comes down to the day, where I undertake a specific risk assessment of myself, the conditions, the type of dive to be undertaken and who I am diving with or if I am going solo. In a sense this is similar to the customer risk assessment that FSB’s undertake for each customer, in order to identify the risk they pose to the FSB and whether the risks are acceptable.

FSB’s by appreciating the risk posed and faced by the customer can decide whether they are prepared to engage in a business relationship with a customer.  In some cases when I have dived I have been satisfied with the risk I face and have dived but I have also be known to decide that the risks are too high or that my systems and controls are not up to the task and have declined the dive or undertaken an easier dive.  I always work on the idea that it is better to be on the surface wishing you were diving then being in trouble under the water away from help and wishing you were on the surface.

Due to the higher risks I take my systems and controls are tailored to me and include as a minimum two independent air cylinders.  I implement my systems and controls by dividing my body in to two halves, one side has computers connected to one cylinder and the other side has old-fashioned gauges connect to my other cylinder, the idea being that should one side fail I can rely on the other as back up.  It also means I can monitor the performance of my systems and controls effectively ensuring that any false readings or dangerous situations are detected early and evasive action taken.

The last thing I do after every dive is to review my systems and controls obtaining data from my computers, analysing this to ensure my policies and procedures remain fit for purpose.  I then assess my overarching risk assessment making changes if required. This has similarities to the quarterly and annual reviews that are done by management and Directors of a FSB to ensure that their businesses are meeting the regulatory framework and mitigating the risks that they face, in essence it’s just good corporate governance.

Diver OKThings do go wrong and no matter how good your policies, procedures, systems and controls are.  I have been in situations where I have had to shut down one side of my systems and controls due to sudden failure of a hose or regulator as well as having to rely on my old-fashioned gauges, watch and mental arithmetic when my computer has failed. It does not come down to luck that I am here writing this but that my risk assessments and planning have taken these situations into account.  My compliance monitoring has reduced these incidents and malfunctions to a minimum and I have put resources to the risks I face ensuring I am suitable trained and able to deal with incidents of this nature.

FSB’s that have a good corporate governance culture, a suitable compliance framework and a compliance monitoring programme that meets their needs and provides the required management information effectively, have in general survived the financial crisis and have adapted to business and regulatory changes with ease.  Where issues have surfaced they have been able to deal with them effectively and/or report at the earliest opportunity where required to the regulatory authorities or Financial Intelligence Unit.

(Pictures by kind permission of Colin Peters)

Briefing note 002- Trust Company Business On-Site Examination Findings from Jersey

Image

The Jersey Financial Services Commission (“JFSC”) has recently published its 2013 on-site regulatory examination findings in respect of Fiduciary business conducted in Jersey. These findings are pertinent to any financial service business, Compliance Officer and Money Laundering Reporting Officer (“MLRO”) in ensuring that they are adhering to the Guernsey regulatory framework. I believe that key points from the examination findings are as follows:

Evaluation of Suspicious Activity Report’s (“SAR’s”) and reporting to the Financial Intelligence Unit (“FIU”):

  • Delays in the acknowledgement of receipt of an internal SAR to the person disclosing.
  • Lack of detailed investigation by the MLRO to support the decision made.
  • Follow-up action resulting from internal reports not being undertaken or no evidence of follow-up action were noted.
  • Lack of autonomy by an MLRO and the decision to report to the FIU being made by Board rather than the MLRO.
  • Internal reports not being recorded accurately and being overlooked by the MLRO leading to late reporting to the FIU.

Corporate Governance:

  • Board discussions not being fully documented in some instances.
  • Concerns were identified in respect of the Board interaction, reporting lines and the functions of delegated risk committees of cross-divisional functions of a business.
  • Term’s of reference for delegated functions of the Board not being in place.

Business Risk Assessment (”BRA”) and Strategy:

  • Lacking details of the consideration of the following areas;
    • Organisational factors;
    • Jurisdiction of customers;
    • Underlying activities of Customers, including Politically Exposed Person risk;
    • Products and services specific to the business (third parties);
    • Delivery of those products and services;
    • Outsourcing risk to other branches or third parties and;
    • Not separating its BRA assessment from that of the Manager.

Conflicts of Interest:

  • No documented consideration of potential Conflicts of Interest where multiple licences are held and products are provided to customers who are common to both licenses.
  • Consideration and documentation of wider Conflicts of Interests, such as the investment in to customer structures by a Director.
  • Consideration of the risk where a significant shareholder of the business introduces customers.
  • Non-Executive Directors maintaining a direct relationship with a customer.
  • Conflicting roles of Compliance Officers the anti-money laundering function where the individuals also held a primary customer facing role.
  • Consideration of the impact of close staff relationships particularly at a senior level e.g. husband and wife.
  • Policies and procedures for declaring and monitoring were identified.

Compliance Function:

  • Inconsistent attendance at Board meetings by the Compliance Officer.
  • No separate reports in respect of Compliance and the anti-money laundering and combatting terrorist financing (“AML/CTF”) function.
  • Reports not containing the following;
    • Regulatory updates;
    • Progress of compliance monitoring;
    • Updated position on compliance registers, and;
    • Information on periodic reviews and accounting records.
  • In some cases there was a lack of documenting of matters brought to the attention of the Board.

Compliance Resourcing:

  • Back logs in periodic review cycle.
  • Delays in compliance monitoring
  • Not undertaking action in respect of regulatory updates.
  • Out of date policies and procedures
  • Ongoing projects and remedial work not completed.
  • Concerns in respect of the investigation and determination of SAR’s.
  • Meeting the day-to-day requirements of the compliance role, where the Compliance Officer or MLRO held other roles within the business.

Compliance Monitoring:

  • Compliance Monitoring Programme’s (“CMP’s”) task orientated rather than a schedule of testing of the operational procedures.
  • CMP’s not being seen or approved by the Board.
  • Ineffective reporting of the progress or completion of the CMP and of the remediation of compliance findings.
  • Compliance testing of the areas of the business lacking in detail.
  • Ineffective mapping of the business to the regulatory framework.

Business Acceptance Systems and Controls:

  • Procedures not being specific regarding the prescribed due diligence required for higher risk customers and business relationships.
  • Undertaking transactions prior to the acceptance of the customer by the Business.
  • The delay of obtaining verification documents and undertaking risk rating prior to the undertaking of customer transactions.

Customer Risk Management Systems and Controls:

  • Customer risk assessments not capturing fully the risks associated with customers or as detailed by the regulatory framework.
  • Customer risk assessment not capturing the risks identified by the business in the BRA.
  • Customer risk assessments not taking into account adverse information identified on the customer.
  • Weighting scores for risks not being appropriate to elevate overall the risk to high where required.
  • Lack of guidance to assist staff in the completion of the customer risk profile.

Customer Profile

  • Vague customer profiles not capturing the expected pattern and frequency of expected transactions.
  • Customer information held in various places rather than centrally.
  • Where the rationale for the business relationship was recorded as tax planning or mitigation, Licensee’s did not hold the relevant tax advice.

Politically Exposed Persons:

  • PEP’s being declassified contrary to the regulatory framework.
  • Immediate family members and close associates not being designated as PEP’s

In conclusion Licensees and the Boards must ensure that they have up to date compliance procedures, their functions are staffed and resourced appropriately and ensuring that they have suitable and sufficient management information for their compliance status being provided in a timely manner to them.  The role of the MLRO is coming more into focus with Regulators especially its assessment by the Board.  The MLRO function needs to be adequately resourced with a suitable and autonomous person, it is my opinion that this role will become more of a focus of regulatory visits and evidence of its review and suitability will required to be documented.  I would always advise that a separate compliance report and MLRO report is provided to the Board to ensure that matters are easily identifiable to the Board.  Conflicts of interest must be recorded and the risks assessed appropriately.   The BRA must take into account the risks that customers pose to the business and also the AML/CTF risks detailed by the regulatory framework and where they are not applicable they should be noted as such. What I believe is the most important finding to come out is, ensuring customer risk assessments and profiles are detailed and maintained ensuring that all risks are covered in the BRA.  I would advise that you assess your business to these findings and if any matters are found a remedial programme is put in place and signed off by the Board ensuring appropriate timescales and reporting is in place.

.

Briefing Note: Jersey Financial Services Commission Onsite Examination Findings.

Compliance monkey

The Jersey Financial Services Commission (“JFSC”) conducted an onsite examination of one of its fiduciary licensee’s which has resulted in a public statement being issued. The findings provide an insight in to the areas that our sister Island regulator is focusing on and the regulatory action they are taking in respect of their findings. I believe that the key points of the onsite examination are as follows;

Anti-Money Laundering and Combatting Financing of Terrorism (“AML/CTF”)

The key points made in respect of the examination of the area of AML/CFT noted the following areas as failure to comply with the AML/CFT regulatory requirements:

  • Out of date CDD.
  • Lack of sufficient evidencing of source of funds and source of wealth.
  • Lack of evidence to demonstrate that CDD had been sufficiently evaluated.
  • Inadequate evidence of EDD having been undertaken on High Risk customers
  • Inadequate evidence of the review of risk assessments.
  • Providing registered office only business and the issuance of Powers of Attorney with little control of the risks and oversight expected to be applied to these products.

 

An investigation was also undertaken into a customer entity that had received funds that may have been connected to a fraud. The investigation found the following matters of concern:

  • Mind and management not with the Jersey appointed Directors but with the beneficial owners.
  • Lack of questioning and properly understanding the activities of the customer entity.
  • Allowing payments to be made by the Customer entity without knowing or assessing whether adequate funds would be available to complete transactions.
  • Over reliance on the ultimate beneficial owners instructions and did not challenge the rationale for acquiring assets.
  • Receiving loans which did not have formal loan agreements and were from entities that had the same beneficial owners.
  • Failing to understand the source of funds through the customer entity.
  • Failing to consider adverse information made available to it regarding the source of funds received by the customer’s entity.
  • Receiving funds without knowledge of the remitter and paying them out the next day.
  • Failing to keep adequate books and records for the customer entity
  • Being re-active instead of pro-active in the management of the customer entity.

 

Breaches of the Code of Conduct of Trust Company Business

The key points that led to breaches of the Jersey regulatory framework and principles for the conduct of Trust Company Business were as follows:

  • Failing to act with skill, care and diligence.
  • Failing to evidence in writing decisions made.
  • Failing to identify conflicts of interests.
  • Failing to ensure adequate review procedures were implemented to monitor Trust Company Business.
  • Failing to maintain adequate internal systems and controls.
  • Failing to exercise an adequate level of Corporate Governance.

These failures led to remedial action having to be implemented as follows:

  • Directors stepping down and the appointment of new local Directors and a new Non-Executive Chairperson.
  • Review in conjunction with an external resource of the processes and procedures of the business to effect changes to strengthen its systems and controls.
  • Initiation of a review process of customer files to remedy customer due diligence deficiencies.
  • Remediation programme has been put in place to rectify issues identified by the investigation.

In conclusion I believe that a robust compliance function and a compliance monitoring programme encompassing the regulatory framework would have alerted the business to its deficiencies and assisted in the evidencing of areas of concern that required remedial action that were subsequently identified by the JFSC .  I recommend that the points raised are taken in to account in any Financial Regulated or Registered Business and assessed against its current compliance framework. If you do find that you have issues of concern or that you cannot adequately evidence compliance to the regulatory framework my advice is to form a remediation plan and inform the Commission as soon as practical. A problem shared is a problem halved, I cannot give any guarantees that you will not face regulatory sanction but being open and honest has the potential to reduce or negate the use of regulatory sanctions, as William Mason Director General, mentioned in his December 2013 address to the Industry.  If the regulator in our sister Island is looking at these areas I believe that the Guernsey Commission will also be.

Are we guilty of stopping investment in the developing world?

Compliance monkeyOne of the questions that I am asked when undertaking Anti-Money Laundering and Combating Terrorist Financing (“AML/CTF”) training is “should we just stop dealing with areas and customers that have a higher risk of money laundering and terrorist financing”? Why is it that people believe that Licensee’s and Guernsey must stop any business that may have a higher risk of money laundering terrorist financing? Has this led to a paranoia within our financial industry and could this be leading our industry to be potential uncompetitive and lacking the entrepreneurial spirit that directors, management and compliance officers should aspire to? Most importantly is our paranoia stopping us from providing investment into the developing world and allowing these people to remain in poverty?

The laws, regulations, codes, rules and guidance (“the Framework”) as published by the Guernsey Financial Services Commission (“Commission”) require that licensees have suitable and sufficient policies procedures and controls for the products and services provided to customers in order to protect the Licensee and the Bailiwick of Guernsey from being susceptible to money launderers and terrorist financiers. Licensee’s must not avoid their responsibilities or manipulate the framework, but ensure that at all times they conduct their business within the Framework. The Commission does not prohibit engagement with higher risk clients or Licensees and their customers being engaged in sensitive activities that are of a higher risk of money laundering or terrorist financing, only that licensees mitigate the risks suitably and demonstrably.

The policies, procedures and controls of a Licensee must meet the minimum requirements of the Framework, though there is nothing stopping a licensee from exceeding these requirements. The Framework is merely requiring Licensees and their employees to be able to identify and verify their customers, understand the reason and rationale of their customer in order that they can assess whether the use of the product or service is reasonable. The Framework also ensures that the minimum required information on a customer is obtained and can be provided by the licensee expediently to Regulators or Law Enforcement if required.

The Licensee must assess its customer’s not on prejudice or paranoia but on a risk based approach at the start and during the business relationship ensuring that they have sufficient knowledge and information on their client as required by their risk based approach and the Framework. Just because a customer is a higher risk of money laundering and terrorist financing does not necessarily mean that they are a criminal, just that the activities or the jurisdiction amongst other things may make the customer or their activities more susceptible to money laundering and terrorist financing and that more frequent monitoring is required to be undertaken.

 There are many opportunities in the developing world that will not only allow our customers to prosper but also the people of these jurisdictions to also prosper and be able to move themselves out of poverty.Telecommunications, mining, agriculture and cash machines are some of the business propositions that I have seen being presented to licensees by their customers only to be met by the paranoia that these may expose the licensee to money laundering or terrorist financing and must be avoided or declined.

Should the question that licensees ask when they take on customers or provided products or services to a client relate to the Licensee’s knowledge and experience of the customers activity, and if the policies, procedures and controls of the licensee are suitable and sufficient for this type of activity? If the answer is no can the Licensee enhance their knowledge or policies, procedures and controls or oversight of the customers activity to become comfortable in undertaking the engagement.

By acting in paranoia it is the Licensee and their employees not the Commission or the Framework that is letting customers down and the people of these developing countries. In some ways it could be argued that we are allowing money laundering and terrorist financing to prosper by not engaging with the development of legitimate business and opportunities in these developing countries.

We can never eradicate money laundering and terrorist financing, but by ensuring that a Licensee’s policies procedures and controls meet the requirements of the Framework I believe that they can engage with customers and activities that will provide a benefit to people in developing countries and enhance the living conditions and education for all. Would it not benefit these countries and people if by applying our high standards that money laundering and terrorist financing in all guises could be reduced?

The need for effective reporting at Board level

The current financial crisis has brought many failings to the forefront, none more so than the failings of the Corporate Governance framework in businesses. The Corporate Governance framework allows for both business objectives and ethical drivers to be incorporated into a business whilst seeking to protect both the Business, its stakeholders and investors or customers. Are failings in Corporate Governance solely as documented in the newspapers and media reports down to the Board’s greed and disregard for its stakeholders, or was the compliance framework in these businesses defunct by opaque reporting by key functions?

We have been lucky in Guernsey to have been insulated from the crisis at large, but I know from experience and we all know from the Commissions industry presentations that Corporate Governance is a key regulatory theme that will be assessed on their regulatory visits to licensees, to assess the risk and reward culture of a business and assist in mitigating these risks successfully. While it has been acknowledged by the Commission that they believe that this is a healthy area, could there be licensees that have put together a good document but the statements made by them do not resemble their Business or their Business’s current prudential business plan or their current regulatory compliance status?

What must be remembered is that any Corporate Governance assessment undertaken by the regulator on a licensee will look at a multitude of documents and reports that make up the core of any Board meeting, such as compliance reports, risk mitigation, internal audit as well as the business plan. These reports must be factual, clear and concise and encompass the whole status of the business in order that the directors can evidence their oversight and rationale for their understanding of the business. Theses documents and reports must all fall into the Corporate Governance assessment by the Board of the Business.

Has the Board questioned the effectiveness of its compliance framework, from the Compliance monitoring programme to the actual board reports it receives? Has the Board allowed the compliance function and other key functions to provide an independent review or are these key functions in fear of upsetting the Board and reporting only what they deem the Board should know or focus on? The importance of independent, full and factual reporting by these key functions is of the up most importance. It is vitally important that those of us who undertake these key roles provide effective reporting on all areas of the Business so that the Board can discharge their obligations successfully. We must not be in fear of providing reports that show areas that require action or gaps as by doing so we only assist the Board in becoming ineffective.

I have been privileged to have worked for and with Boards who have proactively sought to allow their key functions to independently report to them allowing the Board to successfully document and encompass their key functions in to their Corporate Governance framework. This has assisted the Business in the formulation of strategy, goals and effective work practices. For those licensees who I have assisted in remedial work in this area, though it has been hard to start off with the end result has been commented on by these Boards as being beneficial to their Business, optimising understanding and discussion on current and future business opportunities, obligations and assisting in evidencing of why certain opportunities were not followed up.

In my experience the failings in a Business’s Corporate Governance framework are down to opaque and ineffective reporting by the Business’s key functions leading to the blind following the blind. Where ineffective compliance reporting or monitoring has been identified during a regulatory visit the Board are often criticised and this is generally reported by the Commission as a failure in Corporate Governance. While the business of the Business is vital the understanding of the Board as to its current regulatory compliance is as important and cannot be underestimated. If the Board are aware of issues that require to be enhanced or remediated it can deal with them, most of the time hand in hand with fulfilling its business objectives, but to be effective the Board must have the oversight by effective reporting.

The culture of Corporate Governance must not be seen as a tick box exercise or as a regulatory obligation that serves no practical use to a business. I would advocate that a good culture need not be expensive in time or cost but rather a tool to optimise the Business for all stakeholders. As stakeholders move from being passive the need to document and show your culture of Corporate Governance becomes more of a focal point in the overall success of your Business and its cost effectiveness, and in the next few blogs I will go more in to detail on this. An effective Corporate Governance framework adds to safeguarding a business by requiring effective reporting from the key functions allowing for the dynamism and entrepreneurial spirit that has become part of our industry to be exercised by the Board in the continual development of its products and services.

The Compliance Conundrum

A topic of conversation that often comes up is about “how compliance has become a monster”, sapping the dynamism of a business while slowly choking the new business streams by making the business over compliant. Has the compliance function gone too far and are they now holding Boards and Directors to a compliance and regulatory ransom leading to a loss in commerciality of the Guernsey Finance Sector?

Directors constantly berate me about having board packs that have compliance reports running to some 40 pages or more, how they spend more resources on compliance matters then on the direction of the business and that the compliance function does not assist them in achieving their business objectives. To my mind there is a balance that needs redressing in order that businesses can achieve high standards of compliance, while also achieving the businesses purpose and providing products and services to their clients that are competitive in cost with other jurisdictions.

The relationship between the Board and the compliance function must be one that is symbiotic, both assisting and nurturing one another. The compliance function must undertake suitable and sufficient monitoring of its business and report its findings effectively and efficiently to the Board. This is normally done by either an exception report or in a traditional report style over 40 pages and both have their own benefits and problems.

While using an exception reporting format this allows for immediate notifications of compliance and regulatory issues to the Board. The exception report though can fail to provide the assurance to the Board that the compliance function is suitable or sufficient due to its lack of content and oversight of the business.

The traditional compliance report of 40 pages or more will ensure that the Board can assess the suitability of its monitoring programme and compliance function. The problem with the traditional Compliance report is that its size may lead to regulatory or compliance issues being lost in the pages of the document. I am also aware that in some cases the traditional report format provided so much content but actually lacked the substance required to be provided to the Board in assessing the compliance status and function, a failing for the compliance function and a regulatory failing for the Board.

The compliance function must ensure that it has a suitable and sufficient Compliance Monitoring Programme and the Board must review this document annually to ensure that they are satisfied that it meets the Business and the regulatory requirements for the risks of the business being undertaken. The Compliance Monitoring Programme is the working paper of the compliance function, it shows the testing and findings of the compliance function and allows for suitable and informative compliance reports to be generated for the Board. The compliance report’s to the Board need to be a hybrid version of the traditional report and the exception report becoming more a précis of the Compliance Monitoring Programme, allowing the Board to see the matters of concern while also being assured of the compliance status of the Business.

The compliance function is the adviser to the Board in respect of the regulatory framework, providing advice and solutions to the Board in order that they can achieve the chosen business direction. This is where the business can become choked and the dynamism and competitiveness lost due to the gold plating of a business’s policies and procedures. The compliance function must always remember that it is the Board who decide the level of risk that they are satisfied to work with and that the compliance function is there to mitigate the risk by insuring that suitable and sufficient policies are in place. The compliance function must assess the regulatory requirements applicable to the business being undertaken and ensure that the Business is meeting these minimum requirements. The compliance function must never seek to direct the Board or the Business but to inform the Board what is required and expected of them in respect of the risks that the Board have deemed as acceptable.

I do believe that in some cases the compliance function has gone too far and seeks to control the business due to their own personal views or prejudices. It must always be remembered by all stakeholders in the finance industry in Guernsey that without the business there is no compliance function and without a compliance function there can be no business. It is vital that the compliance function is able to provide the required regulatory information to the Board in a succinct and effective manner in order that the Board can discharge their regulatory duties effectively and efficiently.

It is important that the compliance function provide the Board with first class regulatory advice that is free from their own personal prejudices. This is required in order that the Board can ascertain what the minimum regulatory requirements are and how best they can meet these requirements and make business decisions that will not endanger the Business or its clients. The Board must assess on an annual basis the suitability of its compliance function, if it is not providing the Board with the required information or are making the business lack commerciality by over compliance of the policies and procedures the Board must address these matters as they are ultimately responsible for the compliance function and its suitability and effectiveness.

The Dark Art

To the uninitiated the Compliance officer is an alchemist who from his Compliance Monitoring Programme (CMP) allows a licensee to reach a gold standard. It is essential that a licensee understands their status in the regulatory framework and environment at anytime in order to protect client, investor and themselves. What are the elements of this dark art of compliance monitoring? How can such a programme assist a licensee achieve a gold standard without the process becoming resource and cost intensive?

From the recent Guernsey Financial Services Commission (GFSC) industry presentations there was a theme running through that for Boards to achieve high standards of Corporate Governance and regulatory compliance had to be aware of the risks that they faced. The detecting of breaches of regulation needed to be identified at the earliest opportunity and appropriate action taken to remediate. The tool to identify the risks and detect the breaches is the CMP.

The Jersey Financial Services Commission (JFSC)has released this week a “Dear CEO” letter that details the benefits and requirements of an effective CMP.  Though there are many documents and articles on how to create an effective Compliance Monitoring Programme though I believe the guidance as issued by the JFSC  would benefit any licensee in Guernsey.

The Compliance Officer when undertaking the creation or review of their CMP must ensure that all the applicable rules and regulation that the licensee must be compliant with are identified.  The controls of the licensee then need to be matched to these rules and the regulations. It is essential that a licensee can evidence that they can manage the risk of non-compliance by having suitable controls that meet its identified regulatory framework.

The Compliance Officer needs to assess the impact and the probability of non compliance with the regulatory framework.  From this assessment the frequency of testing the licensee’s controls to the identified regulatory framework can be established.   It goes without saying that what is assessed as high impact and has a  high probability must be reviewed more often, allowing the Compliance Officer to effectively place resources to the risk of non-compliance.

It is essential that the Board review the CMP and if satisfied of its suitability formally adopt it.  The Board should periodically assess the suitability of the programme to its applicable regulatory framework to ensure its continued suitability.

In undertaking the monitoring process utilising the CMP the Compliance Officer must not place over reliance on verbal assertions, reports or assurances from other business units.  The Compliance Officer must find the evidence that the controls are satisfactory and that the applicable regulatory framework applicable to the licensee is being met.  The findings of the monitoring must be recorded and the supporting evidence to the findings documented in the CMP.

The results of the CMP findings must be reported to relevant persons at the Licensee and also the Board.   The findings must be presented to the Board and relevant persons in a concise and effective manner confirming the compliance status, areas where enhancements are required and the details of any remedial actions.  This will allow the licensee to assess and consider where areas of non-compliance are identified the seriousness of the non-compliance, remedial action to be undertaken and whether the GFSC should be notified.

The CMP process is cyclical allowing the effective monitoring and risk based monitoring while adapting to the changing regulatory framework. The CMP helps to establish a culture of compliance and assists in providing the gold standard that any client, investor or regulator will want to see.  Not necessarily a dark art but one, when done well will certainly add value to any licensee while providing comfort and assurance to any board allowing them to continually work to a gold standard.