Briefing note 002 - Trust Company Business On-Site Examination Findings from Jersey


The Jersey Financial Services Commission (“JFSC”) has recently published its 2013 on-site regulatory examination findings in respect of Fiduciary business conducted in Jersey. These findings are pertinent to any financial service business, Compliance Officer and Money Laundering Reporting Officer (“MLRO”) in ensuring that they are adhering to the Guernsey regulatory framework. I believe that key points from the examination findings are as follows:

Evaluation of Suspicious Activity Reports (“SARs”) and reporting to the Financial Intelligence Unit (“FIU”):

  • Delays in the acknowledgement of receipt of an internal SAR to the person disclosing.
  • Lack of detailed investigation by the MLRO to support the decision made.
  • Instances were noted of follow-up action resulting from internal reports not being undertaken, or of there being no evidence of follow-up action.
  • Lack of autonomy by an MLRO and the decision to report to the FIU being made by the Board rather than the MLRO.
  • Internal reports not being recorded accurately and being overlooked by the MLRO leading to late reporting to the FIU.

Corporate Governance:

  • Board discussions not being fully documented in some instances.
  • Concerns were identified in respect of the Board interaction, reporting lines and the functions of delegated risk committees of cross-divisional functions of a business.
  • Terms of reference for delegated functions of the Board not being in place.

Business Risk Assessment (“BRA”) and Strategy:

  • Lacking details of the consideration of the following areas:
    • Organisational factors;
    • Jurisdiction of customers;
    • Underlying activities of Customers, including Politically Exposed Person risk;
    • Products and services specific to the business (third parties);
    • Delivery of those products and services;
    • Outsourcing risk to other branches or third parties; and
    • Not separating its BRA assessment from that of the Manager.

Conflicts of Interest:

  • No documented consideration of potential Conflicts of Interest where multiple licences are held and products are provided to customers who are common to both licences.
  • Consideration and documentation of wider Conflicts of Interest, such as the investment into customer structures by a Director.
  • Consideration of the risk where a significant shareholder of the business introduces customers.
  • Non-Executive Directors maintaining a direct relationship with a customer.
  • Conflicting roles of Compliance Officers and the anti-money laundering function where the individuals also held a primary customer-facing role.
  • Consideration of the impact of close staff relationships particularly at a senior level e.g. husband and wife.
  • Policies and procedures for declaring and monitoring were identified.

Compliance Function:

  • Inconsistent attendance at Board meetings by the Compliance Officer.
  • No separate reports in respect of Compliance and the anti-money laundering and combatting terrorist financing (“AML/CTF”) function.
  • Reports not containing the following:
    • Regulatory updates;
    • Progress of compliance monitoring;
    • Updated position on compliance registers; and
    • Information on periodic reviews and accounting records.
  • In some cases there was a lack of documenting of matters brought to the attention of the Board.

Compliance Resourcing:

  • Backlogs in the periodic review cycle.
  • Delays in compliance monitoring.
  • Not undertaking action in respect of regulatory updates.
  • Out-of-date policies and procedures.
  • Ongoing projects and remedial work not completed.
  • Concerns in respect of the investigation and determination of SARs.
  • Meeting the day-to-day requirements of the compliance role, where the Compliance Officer or MLRO held other roles within the business.

Compliance Monitoring:

  • Compliance Monitoring Programmes (“CMPs”) being task orientated rather than a schedule of testing of the operational procedures.
  • CMPs not being seen or approved by the Board.
  • Ineffective reporting of the progress or completion of the CMP and of the remediation of compliance findings.
  • Compliance testing of the areas of the business lacking in detail.
  • Ineffective mapping of the business to the regulatory framework.

Business Acceptance Systems and Controls:

  • Procedures not being specific regarding the prescribed due diligence required for higher risk customers and business relationships.
  • Undertaking transactions prior to the acceptance of the customer by the Business.
  • The delay of obtaining verification documents and undertaking risk rating prior to the undertaking of customer transactions.

Customer Risk Management Systems and Controls:

  • Customer risk assessments not capturing fully the risks associated with customers or as detailed by the regulatory framework.
  • Customer risk assessment not capturing the risks identified by the business in the BRA.
  • Customer risk assessments not taking into account adverse information identified on the customer.
  • Weighting scores for risks not being appropriate to elevate the overall risk to high where required.
  • Lack of guidance to assist staff in the completion of the customer risk profile.

Customer Profile:

  • Vague customer profiles not capturing the expected pattern and frequency of expected transactions.
  • Customer information held in various places rather than centrally.
  • Where the rationale for the business relationship was recorded as tax planning or mitigation, Licensees did not hold the relevant tax advice.

Politically Exposed Persons:

  • PEPs being declassified contrary to the regulatory framework.
  • Immediate family members and close associates not being designated as PEPs.

In conclusion, Licensees and the Boards must ensure that they have up-to-date compliance procedures, that their functions are staffed and resourced appropriately, and that suitable and sufficient management information on their compliance status is provided to them in a timely manner. The role of the MLRO is coming more into focus with Regulators, especially its assessment by the Board. The MLRO function needs to be adequately resourced with a suitable and autonomous person; it is my opinion that this role will become more of a focus of regulatory visits and that evidence of its review and suitability will be required to be documented. I would always advise that a separate compliance report and MLRO report are provided to the Board to ensure that matters are easily identifiable to the Board. Conflicts of interest must be recorded and the risks assessed appropriately. The BRA must take into account the risks that customers pose to the business and also the AML/CTF risks detailed by the regulatory framework, and where they are not applicable they should be noted as such. What I believe is the most important finding to come out is ensuring that customer risk assessments and profiles are detailed and maintained, ensuring that all risks are covered in the BRA. I would advise that you assess your business against these findings and, if any matters are found, that a remedial programme is put in place and signed off by the Board, ensuring appropriate timescales and reporting are in place.


The Dark Art

To the uninitiated, the Compliance Officer is an alchemist who, from his Compliance Monitoring Programme (CMP), allows a licensee to reach a gold standard. It is essential that a licensee understands their status in the regulatory framework and environment at any time in order to protect clients, investors and themselves. What are the elements of this dark art of compliance monitoring? How can such a programme assist a licensee to achieve a gold standard without the process becoming resource and cost intensive?

A theme ran through the recent Guernsey Financial Services Commission (GFSC) industry presentations: for Boards to achieve high standards of Corporate Governance and regulatory compliance, they had to be aware of the risks that they faced. Breaches of regulation needed to be detected at the earliest opportunity and appropriate action taken to remediate. The tool to identify the risks and detect the breaches is the CMP.

The Jersey Financial Services Commission (JFSC) has released this week a “Dear CEO” letter that details the benefits and requirements of an effective CMP. Though there are many documents and articles on how to create an effective Compliance Monitoring Programme, I believe the guidance as issued by the JFSC would benefit any licensee in Guernsey.

The Compliance Officer, when undertaking the creation or review of their CMP, must ensure that all the applicable rules and regulations that the licensee must be compliant with are identified. The controls of the licensee then need to be matched to these rules and regulations. It is essential that a licensee can evidence that they can manage the risk of non-compliance by having suitable controls that meet its identified regulatory framework.

The Compliance Officer needs to assess the impact and the probability of non-compliance with the regulatory framework. From this assessment the frequency of testing the licensee’s controls to the identified regulatory framework can be established. It goes without saying that what is assessed as high impact and has a high probability must be reviewed more often, allowing the Compliance Officer to effectively place resources to the risk of non-compliance.

It is essential that the Board review the CMP and, if satisfied of its suitability, formally adopt it. The Board should periodically assess the suitability of the programme to its applicable regulatory framework to ensure its continued suitability.

In undertaking the monitoring process utilising the CMP, the Compliance Officer must not place over-reliance on verbal assertions, reports or assurances from other business units. The Compliance Officer must find the evidence that the controls are satisfactory and that the regulatory framework applicable to the licensee is being met. The findings of the monitoring must be recorded and the supporting evidence to the findings documented in the CMP.

The results of the CMP findings must be reported to relevant persons at the Licensee and also the Board. The findings must be presented to the Board and relevant persons in a concise and effective manner, confirming the compliance status, areas where enhancements are required and the details of any remedial actions. This will allow the licensee, where areas of non-compliance are identified, to assess and consider the seriousness of the non-compliance, the remedial action to be undertaken and whether the GFSC should be notified.

The CMP process is cyclical, allowing effective and risk-based monitoring while adapting to the changing regulatory framework. The CMP helps to establish a culture of compliance and assists in providing the gold standard that any client, investor or regulator will want to see. Not necessarily a dark art, but one that, when done well, will certainly add value to any licensee while providing comfort and assurance to any Board, allowing them to continually work to a gold standard.