The Jersey Financial Services Commission (“JFSC”) has recently published its 2013 on-site regulatory examination findings in respect of Fiduciary business conducted in Jersey. These findings are pertinent to any financial service business, Compliance Officer and Money Laundering Reporting Officer (“MLRO”) in ensuring that they are adhering to the Guernsey regulatory framework. I believe that key points from the examination findings are as follows:
Evaluation of Suspicious Activity Reports (“SARs”) and reporting to the Financial Intelligence Unit (“FIU”):
- Delays in the acknowledgement of receipt of an internal SAR to the person disclosing.
- Lack of detailed investigation by the MLRO to support the decision made.
- Follow-up action resulting from internal reports not being undertaken, or there being no evidence of follow-up action.
- Lack of autonomy by an MLRO and the decision to report to the FIU being made by the Board rather than the MLRO.
- Internal reports not being recorded accurately and being overlooked by the MLRO leading to late reporting to the FIU.
- Board discussions not being fully documented in some instances.
- Concerns were identified in respect of the Board interaction, reporting lines and the functions of delegated risk committees of cross-divisional functions of a business.
- Terms of reference for delegated functions of the Board not being in place.
Business Risk Assessment (“BRA”) and Strategy:
- Lacking details of the consideration of the following areas:
  - Organisational factors;
  - Jurisdiction of customers;
  - Underlying activities of Customers, including Politically Exposed Person risk;
  - Products and services specific to the business (third parties);
  - Delivery of those products and services;
  - Outsourcing risk to other branches or third parties.
- Not separating its BRA assessment from that of the Manager.
Conflicts of Interest:
- No documented consideration of potential Conflicts of Interest where multiple licences are held and products are provided to customers who are common to both licences.
- Consideration and documentation of wider Conflicts of Interest, such as the investment into customer structures by a Director.
- Consideration of the risk where a significant shareholder of the business introduces customers.
- Non-Executive Directors maintaining a direct relationship with a customer.
- Conflicting roles of Compliance Officers and the anti-money laundering function where the individuals also held a primary customer-facing role.
- Consideration of the impact of close staff relationships, particularly at a senior level, e.g. husband and wife.
- Policies and procedures for declaring and monitoring were identified.
- Inconsistent attendance at Board meetings by the Compliance Officer.
- No separate reports in respect of Compliance and the anti-money laundering and combatting terrorist financing (“AML/CTF”) function.
- Reports not containing the following:
  - Regulatory updates;
  - Progress of compliance monitoring;
  - Updated position on compliance registers; and
  - Information on periodic reviews and accounting records.
- In some cases there was a lack of documentation of matters brought to the attention of the Board.
- Backlogs in the periodic review cycle.
- Delays in compliance monitoring.
- Not undertaking action in respect of regulatory updates.
- Out-of-date policies and procedures.
- Ongoing projects and remedial work not completed.
- Concerns in respect of the investigation and determination of SARs.
- Meeting the day-to-day requirements of the compliance role, where the Compliance Officer or MLRO held other roles within the business.
- Compliance Monitoring Programmes (“CMPs”) being task orientated rather than a schedule of testing of the operational procedures.
- CMPs not being seen or approved by the Board.
- Ineffective reporting of the progress or completion of the CMP and of the remediation of compliance findings.
- Compliance testing of the areas of the business lacking in detail.
- Ineffective mapping of the business to the regulatory framework.
Business Acceptance Systems and Controls:
- Procedures not being specific regarding the prescribed due diligence required for higher risk customers and business relationships.
- Undertaking transactions prior to the acceptance of the customer by the Business.
- Delays in obtaining verification documents and undertaking risk rating prior to the undertaking of customer transactions.
Customer Risk Management Systems and Controls:
- Customer risk assessments not capturing fully the risks associated with customers or as detailed by the regulatory framework.
- Customer risk assessment not capturing the risks identified by the business in the BRA.
- Customer risk assessments not taking into account adverse information identified on the customer.
- Weighting scores for risks not being appropriate to elevate the overall risk to high where required.
- Lack of guidance to assist staff in the completion of the customer risk profile.
- Vague customer profiles not capturing the expected pattern and frequency of expected transactions.
- Customer information held in various places rather than centrally.
- Where the rationale for the business relationship was recorded as tax planning or mitigation, Licensees did not hold the relevant tax advice.
Politically Exposed Persons:
- PEPs being declassified contrary to the regulatory framework.
- Immediate family members and close associates not being designated as PEPs.
In conclusion, Licensees and the Boards must ensure that they have up-to-date compliance procedures, that their functions are staffed and resourced appropriately, and that suitable and sufficient management information on their compliance status is being provided to them in a timely manner. The role of the MLRO is coming more into focus with Regulators, especially its assessment by the Board. The MLRO function needs to be adequately resourced with a suitable and autonomous person; it is my opinion that this role will become more of a focus of regulatory visits and evidence of its review and suitability will be required to be documented. I would always advise that a separate compliance report and MLRO report is provided to the Board to ensure that matters are easily identifiable to the Board. Conflicts of interest must be recorded and the risks assessed appropriately. The BRA must take into account the risks that customers pose to the business and also the AML/CTF risks detailed by the regulatory framework, and where they are not applicable they should be noted as such. What I believe is the most important finding to come out is ensuring customer risk assessments and profiles are detailed and maintained, ensuring that all risks are covered in the BRA. I would advise that you assess your business against these findings and, if any matters are found, that a remedial programme is put in place and signed off by the Board, ensuring appropriate timescales and reporting are in place.