Dear Board, don’t engage me to undertake your outsource compliance requirements until you have read this!

Guernsey has an amazing regulatory framework which has become quite a selling point with financial service businesses offering their products and services and those financial service businesses wanting to come and have operations here. Some will utilise outsource compliance professionals to assist them with the cost of set up and on-going costs, ensuring their business can have knowledgeable and professional persons on-board while it establishes and grows its presence and offerings. Even established firms may need extra compliance support in their business to be able to ensure that they can at all times remain compliant with the Guernsey regulatory framework or ensure that remediation is appropriate and effective.

In the last year the use of outsource compliance professionals has come to the forefront of the regulatory radar, instances of their failure having been identified as contributing to businesses failing to adhere to the regulatory framework. There have been numerous communications from the Commission to the industry on the issues surrounding the requirements for utilising an outsourced compliance professional and failures where this has not been met, showing that the Commission are treating this seriously.

At the end of the day the responsibility for compliance with the regulatory framework is laid firmly at the feet of the Board, and they are the first port of call when failings or regulatory deficiencies are identified by the Commission. The need to ensure a Licensee is meeting the regulatory requirements begins at the most basic level with the minimum criteria for licensing and is mentioned throughout the regulations, codes, instructions and guidance issued by the Commission.

So what needs to be considered by Boards? Here are some questions to be asked, but at all times refer to the legislation, regulations, rules, instructions and codes that pertain to your business and licence.

Prior to any engagement consider these points.

You wouldn’t employ just anyone to undertake the role in a full-time capacity, so why would you choose just anyone to do your outsource function?

Prior to any engagement do your due diligence on the outsource company/ person, the person who will be your appointed compliance representative and the people who will be doing the work. At the very minimum the person who will be undertaking the work needs to be suitably qualified and knowledgeable of the area your business operates in and the regulatory rules that pertain to your licence.  You will need to ensure that you can evidence that they have been appropriately screened as you will be expected to have been as diligent with your provider as with your own staff!

You wouldn’t employ anyone who doesn’t have the time for your business?

Prior to any engagement you need to work out how much time will be required. This will vary with the role that the compliance professional will undertake; as an example, an outsourced MLRO will have different time requirements to a compliance professional assisting with licensing.

When you actually look at it, if you have a compliance professional for two hours a week it would take them eighteen weeks to achieve one thirty-six hour working week in your business! Obviously cost is a major factor in this assessment and knowledge and experience never come cheap. The time any compliance professional spends on your business must be commensurate to the size, complexity and nature of your business and the role undertaken.

You need to be aware that a compliance professional will also be working for other firms, so there is obviously a risk regarding resources. If their clients require more time, or the outsource provider or person undertaking the role has issues with resources, will you be affected? You need to ensure that there are controls in place or a plan B to mitigate these risks.

You wouldn’t have any old agreement?

You need to ensure that the outsource agreement meets the requirements of the Guernsey regulatory framework and is legally binding. The Board cannot discharge its responsibilities, only delegate the work. It is often a good idea to have a Guernsey Advocate firm look over any agreement, especially if the Board are not familiar with Guernsey Law or this area.

During any engagement consider these points.

You wouldn’t want to be assessed by any old criteria, what criteria is the business or business area being assessed to?

Again this depends on the role you are utilising the outsourced compliance professional for, but you need to know how they are monitoring you and to what standard.  The Board must make sure that it can evidence and satisfy itself and the Commission that the Guernsey regulatory framework requirements have been met.

You wouldn’t want any report, do the reports provided give the full picture of the work being undertaken?

The reports that are provided to the Board must be meaningful and contain accurate management information. This allows the Board to see the whole picture of their business, or the area that the outsourced provider has been contracted to service, and assess the level of compliance with the regulatory framework. If areas of concern or remediation work have been identified, are the Board kept appropriately up to date?

You wouldn’t want to keep on anyone who isn’t performing, is the outsource provider performing to the required standards?

Throughout any engagement the Board must consistently monitor and evidence its monitoring of the outsource provider and/or those undertaking the work for the Licensee. Is the Board satisfied with the work undertaken, is the monitoring of the business meeting the requirements of the Guernsey regulatory framework, has the business changed in its complexity, nature or size and is the person doing the role still suitable?

The most important aspect to any outsource relationship is that you have the right person/firm, they add something to your business, provide you with the accurate management information, they get on with you and are honest to you regarding their business and yours. By hopefully considering and evidencing these requirements a Board will be able to show that they have acted to ensure that their business meets the requirements of the Guernsey regulatory framework. In the unfortunate case where things have not worked out the Board will be able to evidence that they were aware of the issues at the earliest opportunity and have acted to mitigate any non-compliance and remediate the situation.


Introducer Certificates the Pro’s and Con’s

Does anyone else find it so frustrating to constantly provide client due diligence when accessing financial services products or even when accessing legal services?  Is this constant due diligence treadmill stopping us and potentially our clients from accessing products and services?  I personally feel that this is unfortunately the case and in some cases I am aware that this has caused clients to utilise other jurisdictions or miss out on investment or business opportunities.  I believe that there is a solution to this which could add to the attraction of Guernsey as a place to do business as well as allowing clients greater access to the products and services that can be offered.

The current solution is that the regulated or registered business can, if the introducer meets the requirements of an Appendix C business, utilise the introducer regime as stipulated by the Guernsey Financial Services Commission (GFSC). This allows the registered or regulated business to rely on a certificate confirming identity, in which the introducer promises that the due diligence they hold and maintain meets the Guernsey requirements and will be provided when requested by the regulated or registered business. The regulated or registered business then has to test the introducer throughout the life of the business relationship, to ensure that the introducer can meet the obligations of the introducer certificate and that the due diligence does meet the Guernsey standards. The unfortunate downfall of this system is that sometimes an introducer won’t adhere to the obligations of the introducer certificate or the requirements of the rules governing due diligence in Guernsey, leaving the regulated or registered business with quite a headache and remedial work to undertake.

Where an introducer provides clients to a regulated or registered business by the use of an introducer certificate, for example an IFA providing 300 clients to invest in various Funds at a Guernsey Fund provider, the introducer can become disillusioned with Guernsey and the regulated or registered business when year on year they receive requests to provide copies of due diligence for a selection of the clients introduced by them. This is a burdensome process for the introducer, taking them away from their business, only to provide documentation for which they cannot necessarily recover the cost from their client. Unfortunately some will not want to or be willing to keep their obligations, leading to problems for the regulated or registered business. The solution to this problem is to undertake a 100% testing programme where copies are provided to the receiving regulated or registered business with the introducer form. There is then only the need to go back to the introducer periodically, on a risk based approach, to confirm that the clients’ details, such as the address, have not changed during the life of the business relationship and, if the details have changed, that copies of the updated due diligence are provided. This approach potentially exposes the regulated or registered business to less risk, as the due diligence will already have been assessed and deemed suitable at the start of the business relationship, and there is less risk of the introducer subsequently failing to meet their obligations by not providing the required due diligence. This allows for beneficial relationships to develop between the introducer and the regulated or registered business, and the enhancement of Guernsey as a place to do business.

Where clients have a business relationship with a regulated or registered business that lasts over a period of years, rather than a one off legal transaction where the business relationship is only for a matter of days or weeks, and the introducer sells these clients during the course of the business relationship to another provider or is taken over, new introducer certificates will have to be obtained by the registered or regulated business or the clients will need to provide due diligence in order that the rules of the GFSC can be met. Therefore I would always recommend for these longer term business relationships that due diligence is obtained rather than relying on the introducer certificate.

The rules issued by the GFSC state that clients who are introduced cannot then be introduced again by the regulated or registered business, i.e. no introducer chains. This can lead to a regulated or registered business unknowingly becoming involved in an introducer chain and then having to obtain the client due diligence, which can have an adverse effect on the business relationship with the client and the relationship with the introducer. This also has the potential for higher cost to the client or loss of earnings by not being able to access an investment product to take advantage of price, and in the worst case scenario the client may miss the investment opportunity altogether.

But what if Guernsey could offer a due diligence depository overseen by a regulating authority subject to stringent audits? Just think: if clients provided their due diligence to this depository, which then ensured that it met the regulatory standards, could this avoid altogether the need to obtain copies of due diligence or have a testing programme? This depository could then provide registered or regulated businesses with an introducer certificate which would be more reliable, and there would be less potential of unknowingly becoming part of an introducer chain or finding out the introducer was unable to meet its obligations. Could this reduce compliance cost to a regulated business and make Guernsey more competitive, the Jurisdiction of choice? Clients would be able to access products and services offered by other regulated or registered businesses with ease and certainty without suffering from the due diligence treadmill. Why stop at just offering this service to local registered and regulated businesses? Why not take an international approach and service other jurisdictions? This could then lead to an enhancing of our economy while diversifying it at the same time. We have all the right ingredients in Guernsey to undertake this opportunity; we just need the political want to do this. But until my utopia happens please think carefully about the use of introducer certificates. Sometimes it is actually easier and more beneficial for a registered or regulated business to get original due diligence, which can save the time, money and cost in man hours needed to undertake the monitoring and any remedial work.

Getting the right fit for the BRA

Being the holiday season, it’s time to sit back, relax and take stock of all that has happened in 2013. Time for any Compliance professional to take stock of the year and to review the key business documents of a licensee and assess if they remain fit for purpose or need to be enhanced.

One such document that is required to be reviewed at least annually is the Business Risk Assessment (BRA), to ensure it is fit for the regulatory framework and the Licensee. The BRA though is a document that licensees struggle with and that the Guernsey Financial Services Commission (Commission) constantly finds deficient. What lessons can we learn that will allow our 2014 BRAs to be fit for the licensee and for the rules and regulations?

Essentially the BRA is a high level overarching document that the Board of a licensee must have in place. It evidences what the business is about, identifies the risks associated with its products and services, clients and the jurisdictions that it undertakes business in or through. The Commission have commented on how these documents tend to fall short of the mark, being generic, over simplified and not representative of the licensee.

Whenever I re-draft or assist a licensee with a BRA I take the approach of creating a document that tells the story of the licensee, ensuring that it flows into the policies, procedures and forms. I use the BRA to create the framework which the licensee’s policies and procedures enlarge upon, stipulating the full requirements of the licensee and the regulatory framework.

My BRAs look at what the licensee’s business plan is and the Money Laundering, Bribery and Corruption and Terrorist Financing (ML/BC/TF) risks that the business is exposed to from following its business plan. I then look at how the licensee will mitigate the risks by the implementation of its policies, periodic reviews and training, and how it will differentiate its high risks from its low risks to ensure that a risk based approach can be applied successfully and cost effectively. My BRAs look at how the Board will be kept informed of the ML/BC/TF risks and what their responsibilities are, from ensuring policies and staff are sufficient to how they will review the existing and new business.

Licensees often complain that I am stating the obvious in my BRAs, that the BRA will not stop a criminal or terrorist and so adds little to no value to a business. The BRA is not about stopping criminals but about assisting in their identification and preventing a licensee from being an unwitting conduit for them; criminals will always seek to abuse the financial system to their own ends. Unfortunately though, licensees will be unknowingly utilised by criminals and they, their clients and insurers may suffer reputation loss and in the worst cases material loss. A licensee can never negate these risks in all cases, though the BRA does allow a business to protect itself, and so adds value.

We live in a contentious and litigious society. The question is now not whether a crime has been committed, but whether a licensee has done enough to reduce the possibility of a crime occurring or to protect against being a conduit in a crime, as required by the regulatory framework. The Commission, whether on a regulatory visit or, dare I say it, when things have gone wrong and Lawyers and Advocates are involved, will review the BRA intently to assess if a licensee has acted recklessly by not assessing or identifying the risks posed by their business. It goes without saying that a licensee who has considered in-depth the risks posed by the business activities and the preventative measures that they have employed (stating the obvious) is going to be treated more sympathetically than a business who did not evidence their consideration of the risks that they faced.

There have been numerous regulatory cases over the last few years that were not about ML/BC/TF having occurred but about licensees not having suitable and sufficient policies or information at hand for the Board or the MLRO to consider and mitigate the risks posed by and inherent in their business. If you need help in assessing or redrafting your BRA, the Commission has guidance on what they deem are the minimum requirements. You can ask Consultants to review your BRA and provide suggestions if required. You can simply ask around your peers to see if they can assist or provide guidance.

It must be remembered that the Board of a licensee must take full responsibility and can’t contract out of their responsibility for having a suitable BRA. The Board and the MLRO must ensure that the BRA is fit for purpose and identifies and mitigates the risks while evidencing the preventative measures, and most importantly meets the regulatory requirements. The Compliance professional is only there to suggest what they believe is suitable in how the Licensee has evidenced the consideration of the risks that it faces.

Over the course of 2013 a licensee’s business, and the risks posed by its clients and by the products and services it offers, inclusive of the jurisdictions that it or its clients are associated with, will have changed. Now is the perfect time to take stock of the current status of the licensee and its future intentions, and go forward into 2014 with the risks duly considered and mitigated.

Merry Christmas one and all.

The Dark Art

To the uninitiated the Compliance officer is an alchemist who, from his Compliance Monitoring Programme (CMP), allows a licensee to reach a gold standard. It is essential that a licensee understands their status in the regulatory framework and environment at any time in order to protect clients, investors and themselves. What are the elements of this dark art of compliance monitoring? How can such a programme assist a licensee to achieve a gold standard without the process becoming resource and cost intensive?

A theme running through the recent Guernsey Financial Services Commission (GFSC) industry presentations was that for Boards to achieve high standards of Corporate Governance and regulatory compliance they had to be aware of the risks that they faced. Breaches of regulation needed to be detected at the earliest opportunity and appropriate action taken to remediate. The tool to identify the risks and detect the breaches is the CMP.

The Jersey Financial Services Commission (JFSC) has released this week a “Dear CEO” letter that details the benefits and requirements of an effective CMP. There are many documents and articles on how to create an effective Compliance Monitoring Programme, though I believe the guidance as issued by the JFSC would benefit any licensee in Guernsey.

The Compliance Officer, when undertaking the creation or review of their CMP, must ensure that all the applicable rules and regulations that the licensee must be compliant with are identified. The controls of the licensee then need to be matched to these rules and regulations. It is essential that a licensee can evidence that they can manage the risk of non-compliance by having suitable controls that meet its identified regulatory framework.

The Compliance Officer needs to assess the impact and the probability of non-compliance with the regulatory framework. From this assessment the frequency of testing the licensee’s controls against the identified regulatory framework can be established. It goes without saying that what is assessed as high impact and has a high probability must be reviewed more often, allowing the Compliance Officer to effectively direct resources to the risk of non-compliance.

It is essential that the Board review the CMP and if satisfied of its suitability formally adopt it.  The Board should periodically assess the suitability of the programme to its applicable regulatory framework to ensure its continued suitability.

In undertaking the monitoring process utilising the CMP the Compliance Officer must not place over-reliance on verbal assertions, reports or assurances from other business units. The Compliance Officer must find the evidence that the controls are satisfactory and that the regulatory framework applicable to the licensee is being met. The findings of the monitoring must be recorded and the evidence supporting the findings documented in the CMP.

The results of the CMP findings must be reported to relevant persons at the Licensee and also the Board. The findings must be presented to the Board and relevant persons in a concise and effective manner, confirming the compliance status, areas where enhancements are required and the details of any remedial actions. Where areas of non-compliance are identified, this will allow the licensee to assess and consider the seriousness of the non-compliance, the remedial action to be undertaken and whether the GFSC should be notified.

The CMP process is cyclical, allowing effective, risk based monitoring while adapting to the changing regulatory framework. The CMP helps to establish a culture of compliance and assists in providing the gold standard that any client, investor or regulator will want to see. Not necessarily a dark art, but one that, when done well, will certainly add value to any licensee while providing comfort and assurance to any board, allowing them to continually work to a gold standard.