Paradise Papers – Seeing the Wood for the Trees

logoThe now infamous “Paradise Papers” contain personal data obtained from Appleby’s Bermuda office via an illegal hack. This data in part details the utilisation of International Finance Centres (IFC), by high net worth persons and corporates, for tax mitigation purposes. This post makes no comment on the legality or otherwise of using such data. Nor, is it a commentary about tax havens vs IFCs, the ethical considerations of society, and the freedoms for legal persons to engage in trade or invest in or through an IFC. Our focus instead is the failings that Trustees, Foundation Officials, Directors and Employees in Financial Services Businesses (FSB) must learn from in the wake of this saga. We do not purport to be a tax experts and so have not commented on the validity or otherwise of any advice given whether regarding tax or structuring. Our intention is to look at the compliance and “good business practice” considerations at the heart of good corporate governance. With offices in Guernsey, Jersey and having experience of  working in Bermuda we believe analysis of legal and regulatory frameworks by jurisdiction offers a less valuable insight than a clear understanding of the general principles and terms of good corporate governance.

 
Tax Advice
In order for Trustees, Foundation Officials and Directors to fulfil their responsibility and work in the best interest of their clients they must understand and follow the professional tax advice received. They must evidence that they are compliant with this advice and periodically, depending on the type of arrangement they are administering or controlling, ensure that they have up-to-date tax advice on file. They must also evidence that these arrangements remain legal and all tax liabilities are settled when due. The following are instances where those responsible may find that they have failed to attain an appropriate standard:

• Legal arrangements over time becoming tax non-compliant;
• Legal arrangements set up with draft tax advice without the advice ever being formalised;
• Legal arrangements undertaking new activities outside the scope of the original tax advice;
• Failure to follow tax advice fully, e.g. the non-repayment of a commercial loan arrangement;
• Tax advice provided by those who are not appropriately qualified;
• Tax advice held by the client but never shown to the Trustees, Foundation Officials and Directors.

Control
To ensure tax and legal compliance the Trustees, Foundation Officials and Directors must exert control. Here again to fulfil their responsibilities they must clearly document evidence that they have overarching control of the activities of the legal arrangement. The following are instances where those responsible may find that they have failed to attain an appropriate standard:

• Beneficiaries committing the legal arrangement to a business arrangement without due consideration and approval of the Trustees, Foundation Officials and Directors in the first instance;
• Those responsible acting without due consideration;
• Those responsible committing the legal arrangement to business activities which do not accord with the arrangement’s rationale;
• Those responsible lack sufficient independence from the client;
• Those responsible are unable to evidence their control of the assets and/or activities of the arrangement.

Investments
The Paradise Papers have also raised questions regarding the suitability and legality of investments undertaken by legal entities. Trustees, Foundation Officials and Directors must ensure that the investments or business activities undertaken by the entity are in line with its intended purpose. Those responsible must also ensure the legality of any investment or business activity does not breach any international sanctions. Though investments or business activities do not require due diligence to the same standard of beneficial ownership due diligence, sufficient research and evidence must be attained to ensure such activity is in the best interest and in line with the objective of the legal arrangement. At the same time sufficient checks must be undertaken to ensure legal compliance and suitability with its objectives both at initiation and on an on-going basis thereafter. The following are instances where those responsible may find that they have failed to attain an appropriate standard:

• Investing or engaging in a business relationship with legal entities related to a sanction regime or jurisdiction;
• Not undertaking sufficient due diligence to ensure that the investment or business engagement does not involve sanctioned legal persons or sanctions breaches;
• Investing or business relationships that are out of line with the entity’s purpose.

Source of Wealth and Funds
Trustees, Foundation Officials and Directors must ensure that they have sufficient understanding and evidence of their clients’ Source of Wealth and Funds (commensurate with their risk classification) to prevent and detect criminality and terrorist financing. Understanding the origin of assets and their usage assists those responsible in forming a picture of the true beneficial ownership, intention and nature of the relationship. This also allows those responsible to have sufficient transparency and enable effective reporting required by international regulatory and legal bodies.

 
Ethics of Doing Business
Those responsible must ensure that they have given ethical consideration to the activities of any legal arrangement. Ethical considerations must accord with the documented risk appetite and it must be understood that legal arrangements engaged in aggressive tax mitigation or higher risk industries pose a higher reputational risk to the Trustees, Foundation Officials and Directors, their business and those of the jurisdictions in which they are active. As such, these relationships must be properly understood and documented as they may be open to future challenge.

 
The ethics of doing business must also consider whether sufficient knowledge, qualifications and experience are inherent in those responsible. Trustees, Foundation Officials and Directors must document and evidence their consideration of whether a business relation, either new or continuing is within their realm of knowledge, understanding and experience. Where this is not the case they should remove themselves from responsible positions or obtain suitably experienced individuals as their replacement.

 
The integrity and professional actions of those responsible will ultimately be assessed by the authorities to ensure that the best interests of stakeholders have been met at all times. This responsibility includes timely reporting of non-compliance with appropriate authorities.

 
Compliance
While the Trustees, Foundation Officials and Directors remain responsible and accountable for both and their own and the legal arrangements activities, a suitably resourced compliance function is required to assist and advise. Compliance must be a proactive force within a FSB rather than merely a tick box exercise. It must assist in ensuring that the business has attained appropriate tax and legal advice as well as ensuring it is understood and followed. Those responsible must demonstrate the required control and oversight of activities undertaken for and on behalf of the legal arrangement. Findings and recommendations must be reported back to those responsible and any remediation must be tracked to ensure that the business can demonstrate compliance, integrity and appropriate levels of knowledge and understanding of the entity’s activities.

 
Data Security
The Paradise Papers also clearly highlight the importance of implementing suitable and sufficient data security controls to protect stakeholders. These controls are not just IT system-focussed and must include effective staff training to reduce the risk of an unintentional data leak. Data security systems and processes must be monitored, tested and kept up-to-date. It goes without saying that failure to implement an efficient and effective control environment may lead to a catastrophic loss of data with disastrous reputational consequences for all stakeholders. FSB’s must also be aware and ensure that any 3rd parties who hold data do so effectively and have the necessary safeguards and review processes.

 
Conclusion
Compliance monkeyIFCs adhere to international standards and best practice. While recent data hacks have revealed that there are practitioners out there who have not abided by these requirements, the vast majority are conscientious and highly professional.

However, the current political backdrop is unfavourable to offshore jurisdictions and we should expect greater scrutiny in our professional activities for the foreseeable future. Applying the highest standards of corporate governance is our best path to a successful future.
If you have any concerns or would like to know more please either contact myself or Redwood Offshore

logo

 

Advertisements

Reflections of 2016

Compliance monkeyAs the sun gets lower, the evenings longer and we get closer to the end of a year I cannot help but think what a year it has been and begin to reflect.  For me personally it has been a year that has been full of hard work, assistance and resolution of problems and all this led me to the beautiful Island of Bermuda to undertake a contract for a client.  Not only a fantastic opportunity to show case my skills and knowledge but a joy to work for some fantastic people and meet old and new friends as well as to experience another regulatory culture. While I would rather be pondering the last year and this post from a pool in Bermuda instead of next to a fire on a brisk cold day, Guernsey still very much holds my heart, though Bermuda is a close second.

In looking to the challenges of the future and what the next year may hold for us is it time to reflect on the past year, the regulatory framework and what is needed to ensure that our business moves forward, prospers and continues to uphold the regulatory standards and meet future challenges, and there is no better way to do this than look back over the last year.

There have unfortunately been instances where the Guernsey Financial Services Commission (GFSC) has had to take enforcement action in 2016, never an easy decision but essential in today’s world to assist in the safeguarding and continual success of our international reputation and prosperity.  I do not think it is right to dissect these cases as these are disclosed on the GFSC website but rather look at what lessons can be learnt to avoid a repeat to our businesses and to protect the Directors and Stakeholders.

Risk, Identification and Verification

Most of these incidents reported by the Commission are in respect of Anti-Money Laundering and Counter Terrorist Financing (AML/CTF) within businesses.  That is not to say that all these incidents related to actual financial crime but rather that businesses were not meeting the standards and expectation imposed by our regulatory framework to ensure that verification documentation mitigated the risk of the Island being utilised by criminals.

The identification and verification of customers and controllers to a business relationship is a continuing matter that is reported by the GFSC.  In many cases business’s application of a “risk based approach” had failed to ensure that the due diligence and enhanced due diligence for customers and required parties to a business relationship or occasional transaction, had been obtained and met the standards required by the regulatory framework, inclusive of rules and guidance issued by the GFSC for certification and the suitability of certifiers. It must be remembered that wherever you are licensed you must meet that jurisdictions regulatory requirements as a minimum!

Monitoring and Sanctions

Periodic monitoring of customers was another area where businesses struggled.  It was found in some cases that this monitoring was not undertaken or if undertaken did not meet the regulatory requirements. It was found that risk assessments were inadequate and not reviewed as required by a business’s policy and procedures to meet the obligations of the GFSC, especially where customers had been assessed as high risk.  The review of the rationale for the business relationship and transactions undertaken was found to missing or inadequate, leading to the GFSC questioning whether appropriate and effective policies and procedures were in place inclusive of suspicious activity reporting.

The review of customers to Sanction lists was also noted as an area of concern. While this may be undertaken at the start of a relationship and periodically is it suitable just to wait for these trigger events?  Is the review of transactions subject to sanction screening to ensure that sanctioned legal persons or those entities that they control are not financed? It may be that the GFSC believe terrorist financing to be a low risk to the Bailiwick but this will do nothing to deter terrorist financiers if they find a gap in our defences.  A definite area I think the GFSC will look to assess when conducting on-site examinations and through thematic reviews in 2017, so be warned!

Corporate Governance

Corporate Governance has also come to the forefront not only in the AML/CTF area but also in more prudential assessments of a business.  In all cases enforced by the GFSC the findings go back to the corporate governance requirements of the regulatory framework with the accusation that directors failed to ensure that they acted to ensure that the business could meet the Guernsey regulatory requirements.  THE GFSC also in some cases questioned the independence and integrity of directors due to the regulatory failings identified.  Not only will this area come more to forefront with shareholder activist and the spotlight of international bodies but also from the GFSC to ensure that Directors are suitable and safeguarding Stakeholders and the business.

With the Guernsey regulatory framework changing to meet the international requirements which are evolving it is difficult for any Director to ensure that their Business remains compliant.  Businesses in this ever-changing environment are at risk of falling behind the times.  While only minor infringements of the regulatory framework may be the result, if these infringements are many, systemic and material they may require to be reported to the GFSC.  By the Board bringing these issues to the GFSC, in some cases, remediation without the threat of enforcement can be undertaken, it is after all in the GFSC interest that businesses remediate and enhance themselves to meet the regulatory framework.  It is best to be able to show and have evidence that the Board have discussed the issues affecting the business and the action to be undertaken rather than hearsay in any regulatory inquiry!

Reflections

So, reflect on this year, look at the enforcement cases to ensure that you do not fall foul of history, review your business plans and business assessments to make sure you have the policies and procedures in place to meet the regulatory framework and the requirements of the Business.  Review the Compliance function is it suitable and sufficient? Consider its independence or whether there needs to be independent oversight or outside assistance?  Does the compliance monitoring facilitate management information that is required for Directors to undertake their duties and safeguard the business and stakeholders?  Look outside of your own regulatory regime to other sectors as if something is happening in one there is a good chance that those developments will feed in to your own sector’s regulatory requirements.  Look outside to other jurisdictions as developments there may impact on the regulatory framework where you are.

If you have a last Board meeting of 2016 or even an early 2017 Board meeting set the agenda to reflect on 2016 ensuring that history does not repeat itself. If you do find that you are not in compliance, please ensure that you have the issues and remediation documented whether you consider it material or not to report to the GFSC.

Questions, Coffee and Ghosts.

imagesAre we now being regulated by international organisations and their regulators rather that our own regulators?  Is our regulatory framework becoming a secondary consideration to the regulatory frameworks and group policies of international organisations that finance our community?  Is this leading to the stagnation of Guernsey as a whole where compliance cost rise to meet these external influences rather than our own bespoke regulatory framework? Is our competing and partaking in business in the international or developing world inhibited? Are the policies of the international regulatory community focused on large organisations, with a one size fits all attitude to the detriment of our smaller bespoke financial service providers? Even looking outside of our Financial Service Industry have international organisations, regulators and governments lost contact with local industry and people making them unproductive, uncompetitive and restricted?

Our businesses whether in finance or outside must adhere in some degree, to the requirements of committees and boardrooms far flung from our Island, and the whims of persons who lack connection understanding or appreciation of our island economy and value. Are these institutions aware of our idiosyncrasies as they strive to achieve a mythical norm presented by scoring sheets, algorithms and public opinion of their home countries? Has the international community lost the ability or the want to differentiate between the size nature and complexity of their own and other communities, businesses and financial centres?

A thought struck me while handing over my Guernsey one pound notes for my coffee today, if we print money why can’t we loan money? Why can’t we create a bank of the Bailiwick or other funding enterprises, regulated to our own standards that are acceptable international standards and set up for the needs, development and innovation of our local businesses?  Could we run a bank for the good and development of our community and its financial and non-financial businesses, lessening compliance expense faced by our businesses by focusing achieving the requirements of our regulations? Are we not best placed to understand, develop, innovate and realise the hopes and dreams of our Island community? Could we provide this as yet another string to our bow allowing us to partake and compete effectively in the international community? Rather than fit in to a box could we provide the bespoke solution tailored to our needs and requirements?

WilliamLeLacheurLooking into the last of my coffee as the rain began my mind was taken back to the ocean that I love so much, and yes we are but a drop in the ocean. The ocean has allowed us to raise some of the earliest taxes known, an anchor tax no less for the benefit of our Island and the development of our harbour in the 1400’s.  The ocean was mastered by our forefathers, and none other than William Le Lacheur who imported coffee and went on to influence economic and spiritual development in South America, as I walked through the Arcade I recalled how it was financed by Guernsey ingenuity and innovation.  I headed home past the Thomas De La Rue Public House, named after a Guernsey man who went from humble beginnings to founding De La Rue, who having adapted over the centuries and who have continually innovated while still printing bank notes today. These are but a few of the great historical figures that this Island has had and I could not help but wonder what these ghosts would suggest the same today, what would they think of my thoughts, would they see the potential of such ideas or a necessary to bring the development and innovation required to make the reality of tomorrow?

The ocean is vast and bountiful with a diversity of species and opportunities leading to competition and equilibrium, the loss of the equilibrium leads to the destruction of these unique habitats and species. Could the ripples of this idea radiate out to the benefit of our Island both domestically and internationally or will we be bound by the strangling nets of direct and/or indirect extra-territorial international regulation and policy? We need to look and focus on tomorrow while reflecting on the lessons of yesterday to achieve the dynamic solutions and adapt to the changing world as our forefathers did.

Introducer Certificates the Pro’s and Con’s

Does anyone else find it so frustrating to constantly provide client due diligence when accessing financial services products or even when accessing legal services?  Is this constant due diligence treadmill stopping us and potentially our clients from accessing products and services?  I personally feel that this is unfortunately the case and in some cases I am aware that this has caused clients to utilise other jurisdictions or miss out on investment or business opportunities.  I believe that there is a solution to this which could add to the attraction of Guernsey as a place to do business as well as allowing clients greater access to the products and services that can be offered.

The current solution is that the regulated or registered business can if the introducer meets the requirements of an Appendix C business, utilise the introducer regime as stipulated by the Guernsey Financial Services Commissions (GFSC).  This allows the registered or regulated business to rely on a certificate confirming identity while promising that the due diligence they hold and maintain meets the Guernsey requirements and will be provided when requested from the regulated or registered business.  The regulated or registered business then has to test the introducer throughout the life of the business relationship, to ensure that the introducer can meet the obligations of the introducer certificate and that the due diligence does meets the Guernsey standards. The unfortunate downfall of this system is that sometimes an introducer won’t adhere to the obligations of the introducer certificate or requirements of the rules governing due diligence in Guernsey leaving the regulated or registered business with quite a headache, and remedial work to undertake.

Where an introducer provides clients to regulated or registered business by the use of introducer certificate, for example an IFA providing 300 clients to invest in various Funds at a Guernsey Fund provider, the introducer can become disillusioned with Guernsey and the regulated or registered business when year on year they receive requests to provide the copies of due diligence for a selection of these clients introduced by them.  This is a burdensome process for the introducer, taking them away from their business, only to provide documentation for which they can not necessarily recover the cost from their client.  Unfortunately some will not want to or be willing to keep their obligations, leading to problems for the regulated or registered business.  The solution to this problem is to undertake a 100% testing programme where copies are provided to the receiving regulated or registered business with the introducer form.  There is only the need to periodically on a risk based approach go back to the introducer to confirm that the clients details have not changed during the life of the business relationship, such as the address, and if the details have changed that the copies of the updated due diligence are provided.  Undertaking this approach allows the regulated or registered business potentially less risk as the due diligence will already have been assessed and deemed suitable at the start of the business relationship and less risk of the introducer not subsequently meeting or adhering to their obligations by not providing the required due diligence. This allows for beneficial relationships to develop between the regulated or registered business and the enhancement of Guernsey as a place to do business.

Where clients have a business relationship with a regulated or registered business that is over a period of years, rather than a one off legal transaction where the business relationship is only for a matter of days or weeks.  If the introducer sells these clients during the course of the business relationship to another provider or is taken over, new introducer certificates will have to be obtained by the registered or regulated business or the clients will need to provide due diligence in order that the rules of the GFSC can be met.  Therefore I would always recommend for these longer term business relationships that due diligence is obtained rather than relying on the introducer certificate.

The rules issued by the GFSC state that clients who are introduced cannot then be introduced again by the regulated or registered business e.g. no introducer chains.  This can lead to the issues of a regulated or registered business unknowingly becoming involved in an introducer chain and having then to obtain the client due diligence, which can have an adverse effect on the business relationship with the client and the relationship with the introducer.  This also has the potential for higher cost to the client or loss of earnings by not being able to access an investment product to take advantage of price and in the worst case scenario the client may miss the investment opportunity altogether.

But what if Guernsey could offer a due diligence depository overseen by a regulating authority subject to stringent audits? Just think if clients provided their due diligence to this depository who then ensured that it met the regulatory standards, could this avoid altogether the need to obtain copies of due diligence or have a testing programme?  This depository could then provide registered or regulated businesses with an introducer certificate which would be more reliable and there would be less potential of unknowingly becoming part of an introducer chain or finding out the introducer was unable to meet its obligations. Could this reduce compliance cost to a regulated business and make Guernsey more competitive, the Jurisdiction of choice? Clients would be able to access products and services offered by other regulated or registered business with ease and certainty without suffering from the due diligence treadmill. Why stop at just offering this service to local registered and regulated businesses why not take an international approach and service other jurisdictions.  This could then lead to an enhancing of our economy while diversifying it at the same time.  We have all the right ingredients in Guernsey to undertake this opportunity we just need the political want to do this. But until my utopia happens please think carefully about the use of introducer certificates, sometimes it is actually easier and more beneficial for a registered or regulated business to get original due diligence and can save time money and cost in man hours to undertake the monitoring and any remedial work.

The Compliance Conundrum

A topic of conversation that often comes up is about “how compliance has become a monster”, sapping the dynamism of a business while slowly choking the new business streams by making the business over compliant. Has the compliance function gone too far and are they now holding Boards and Directors to a compliance and regulatory ransom leading to a loss in commerciality of the Guernsey Finance Sector?

Directors constantly berate me about having board packs that have compliance reports running to some 40 pages or more, how they spend more resources on compliance matters then on the direction of the business and that the compliance function does not assist them in achieving their business objectives. To my mind there is a balance that needs redressing in order that businesses can achieve high standards of compliance, while also achieving the businesses purpose and providing products and services to their clients that are competitive in cost with other jurisdictions.

The relationship between the Board and the compliance function must be one that is symbiotic, both assisting and nurturing one another. The compliance function must undertake suitable and sufficient monitoring of its business and report its findings effectively and efficiently to the Board. This is normally done by either an exception report or in a traditional report style over 40 pages and both have their own benefits and problems.

While using an exception reporting format this allows for immediate notifications of compliance and regulatory issues to the Board. The exception report though can fail to provide the assurance to the Board that the compliance function is suitable or sufficient due to its lack of content and oversight of the business.

The traditional compliance report of 40 pages or more will ensure that the Board can assess the suitability of its monitoring programme and compliance function. The problem with the traditional Compliance report is that its size may lead to regulatory or compliance issues being lost in the pages of the document. I am also aware that in some cases the traditional report format provided so much content but actually lacked the substance required to be provided to the Board in assessing the compliance status and function, a failing for the compliance function and a regulatory failing for the Board.

The compliance function must ensure that it has a suitable and sufficient Compliance Monitoring Programme and the Board must review this document annually to ensure that they are satisfied that it meets the Business and the regulatory requirements for the risks of the business being undertaken. The Compliance Monitoring Programme is the working paper of the compliance function, it shows the testing and findings of the compliance function and allows for suitable and informative compliance reports to be generated for the Board. The compliance report’s to the Board need to be a hybrid version of the traditional report and the exception report becoming more a précis of the Compliance Monitoring Programme, allowing the Board to see the matters of concern while also being assured of the compliance status of the Business.

The compliance function is the adviser to the Board in respect of the regulatory framework, providing advice and solutions to the Board in order that they can achieve the chosen business direction. This is where the business can become choked and the dynamism and competitiveness lost due to the gold plating of a business’s policies and procedures. The compliance function must always remember that it is the Board who decide the level of risk that they are satisfied to work with and that the compliance function is there to mitigate the risk by insuring that suitable and sufficient policies are in place. The compliance function must assess the regulatory requirements applicable to the business being undertaken and ensure that the Business is meeting these minimum requirements. The compliance function must never seek to direct the Board or the Business but to inform the Board what is required and expected of them in respect of the risks that the Board have deemed as acceptable.

I do believe that in some cases the compliance function has gone too far and seeks to control the business due to their own personal views or prejudices. It must always be remembered by all stakeholders in the finance industry in Guernsey that without the business there is no compliance function and without a compliance function there can be no business. It is vital that the compliance function is able to provide the required regulatory information to the Board in a succinct and effective manner in order that the Board can discharge their regulatory duties effectively and efficiently.

It is important that the compliance function provide the Board with first class regulatory advice that is free from their own personal prejudices. This is required in order that the Board can ascertain what the minimum regulatory requirements are and how best they can meet these requirements and make business decisions that will not endanger the Business or its clients. The Board must assess on an annual basis the suitability of its compliance function, if it is not providing the Board with the required information or are making the business lack commerciality by over compliance of the policies and procedures the Board must address these matters as they are ultimately responsible for the compliance function and its suitability and effectiveness.