2021 Supervisory risk examinations feedback paper

1 Executive summary

The Jersey Financial Services Commission (JFSC) undertakes supervisory risk examinations (examinations) as part of its examination programme. These examinations are conducted in response to a known or perceived risk within a particular supervised person. The focus of the examination will therefore depend on the specific issues and concerns identified relating to compliance with relevant statutory and regulatory requirements:

  • Money Laundering (Jersey Order 2008 (Order).
  • Anti-money laundering and counter terrorist financing Code of Practice (AML/CFT Code) contained within the Handbook for the Prevention and Detection of Money Laundering (ML) and Financing of Terrorism (TF) for Regulated Financial Services Business (Handbook).
  • Code of Practice (Code), as relevant to the supervised person.

During 2021, examinations were conducted at nine supervised persons, including Deposit-taking Business (Banking), Money Service Business, Fund Services Business, Investment Business and Trust Company Business licence holders.

This feedback summarises key findings from the examinations. A number of key themes and detailed findings in this feedback paper are similar in nature to those contained within previous feedback papers issued by the JFSC. We expect the board and senior management of all supervised persons to review the feedback papers and consider their own arrangements. Where deficiencies are identified they should construct a remediation plan and take any action necessary. They should also consider the Code notification requirements:

  • Section 2.3 of the Handbook – requirement to notify the JFSC immediately in writing of any material failure to comply with the requirements of the Order or the Handbook.
  • Principle 6 of each relevant Code  – requirement to advise the JFSC in writing as soon as become aware of any matter that might reasonably be expected to affects its registration or be in the interests of its customers to disclose.

There were no findings identified for two of the supervised persons examined. For the remaining seven, 30 findings were identified, highlighting a range of statutory and regulatory requirements that had either not been complied with or had only partially been complied with. 37% of the findings identified were considered to be of a more serious nature.

Approximately 73% of the findings related to non-compliance or partial compliance with the statutory and AML/CFT code requirements. The remaining findings related to board responsibilities, compliance monitoring and conflict of interests.

All supervised persons examined received direct feedback. Where findings were identified, they were subject to appropriate follow-up action. Such follow-up action may include formal remediation plans setting out actions to be taken and timescales for completion.

In the case of serious findings, this may have resulted in further escalation and in some cases further regulatory action being taken or, action may be underway.

2 Scope and methodology

Information about the examination process is available on our website.

3 Preventing and detecting financial crime

73% of the findings from the examinations highlighted non-compliance or partial non-compliance with the statutory and AML/CFT code requirements, as set out in the Order and the Handbook.

The key to the prevention and detection of money laundering (ML) and terrorist financing (TF) lies in the implementation of, and strict adherence to, policies and procedures that set out adequate and effective controls. Such control frameworks should be commensurate with the risks that a supervised person has identified and assessed in its business and customer risk assessments.

3.1   Systems and controls – policies and procedures

3.1.1 A supervised person must establish and maintain adequate and effective systems and controls, which should be documented in its policies and procedures, to counter ML and TF. Policies and procedures must be tailored to the business and should be mapped against the statutory and regulatory requirements. Such policies and procedures should be periodically reviewed and compliance with them should be reviewed on an ongoing basis.

3.1.2 Five findings were identified where supervised persons had not established or maintained policies and procedures in a manner that enabled them to demonstrate compliance with the regulatory framework, including:

3.1.2.1 No policy and/or procedure in place for:

  • Ongoing monitoring, including transaction monitoring and sanctions screening.
  • Development of new products, services or practices.

3.1.2.2 The policy and procedure in place either did not contain appropriate detail, was inaccurate or inconsistent for:

  • Enhanced customer due diligence required for higher risk rated customers.
  • Politically exposed person (PEP) identification and classification.
  • Trigger events.

3.1.2.2 Regulatory developments had not been monitored, with the result that some policies and procedures had not been updated following changes to the regulatory framework.

3.2   Reporting money laundering and terrorist financing activity (suspicious activity reporting)

3.2.1 A supervised person must have adequate and effective systems and controls, including policies and procedures, in respect of reporting knowledge or suspicion of ML and TF.

3.2.2 Four findings were identified including:

3.2.2.1  Examples of internal suspicious activity reports (SARs) not containing all relevant information. For example the date the information or matter came to the employee’s attention.

3.2.2.2  Lack of documented consideration of the internal SAR by the MLRO, including the rationale on whether to submit an external SAR to the Joint Financial Crimes Unit (JFCU).

3.2.2.3 Policies and procedures which either did not:

  • Cover all the requirements of reporting procedures under Article 21 of the Order and Section 8 of the Handbook.
  • Provide consideration or guidance of Article 22 of the Order in respect of whether the DMLRO needs to forward a report to the MLRO for consideration.
  • Cover the limited circumstances where disclosure is permitted.
  • Fully articulate all the offences for not adhering to the reporting requirements.

3.2.2.4 Incomplete or inconsistent records of SARs.

3.3   Role of the MLRO and MLCO

3.3.1 A supervised person must appoint a Money Laundering Compliance Officer (MLCO) and Money Laundering Reporting Officer (MLRO). The MLCO must report regularly and directly to the board. Where appropriate, one or more Deputy MLROs may also be appointed, and the statutory and regulatory requirements that apply to the MLRO will apply to them.

3.3.2 Four findings were identified including:

3.3.2.1 It was not demonstrated that the MLCO reported directly to the board.

3.3.2.2 The MLCO reports did not contain adequate information to enable the board to consider whether the key AML/CFT controls were effective and being complied with.

3.3.2.3 The MLRO’s job description did not sufficiently detail the responsibilities of the role.

3.3.2.4 The DMLRO, who was actively fulfilling the MLRO role four days a week, was not resident in Jersey.

3.4   Identification measures

3.4.1 A supervised person must apply a risk based approach to determine the extent and nature of identification measures required to manage the ML and TF risk, in the most effective and proportionate way.

3.4.2 One supervised person was unable to demonstrate that it had, for some of the customer files reviewed:

  • Fully assessed the risks associated with the customer’s source of funds and source of wealth.
  • Verified the identity of the customer’s ultimate beneficial owner (UBO) prior to providing services.
  • Applied enhanced customer due diligence measures commensurate to the risk factors presented.

3.4.2 The other supervised person was unable to demonstrate that it had:

  • Verified the identity of a person purporting to act on behalf of the customer.
  • Adequately considered all information relating to a customer’s business and risk profile for some of the customers.
  • Identified two customers as politically exposed persons (PEPs).

3.5   Ongoing monitoring

3.5.1 A supervised person must apply ongoing monitoring throughout the course of a business relationship, which includes:

  • Scrutinising transactions and activity to establish that they are consistent with the supervised person’s knowledge of the customer.
  • Keeping documents, data and information up to date and relevant.

3.5.2 There were two findings identified, in which the supervised person was unable to demonstrate that it had:

3.5.2.1 Fully documented its customers expected business and risk profile, which would enable it to effectively monitor its customers on an ongoing basis.

3.5.2.2 Policies and procedures in place in respect of ongoing monitoring, including transaction monitoring.

3.6   Business risk assessment

3.6.1 A supervised person must conduct and record a business risk assessment, to consider, on an ongoing basis its risk appetite and the extent of its exposure to ML and TF risks, which must be kept up to date.

3.6.2 There was one finding in which it was identified that the business risk assessment (BRA) had not:

  • Been updated since 2019.
  • Had not been approved by the board.
  • Did not fully meet regulatory requirements.

3.6.3 In addition, the supervised person was unable to demonstrate that the board had been involved in the development of the BRA and members of the board were unable to articulate the key AML/CFT risks.

3.7   Training

3.7.1 A supervised person must makes its employees aware of its policies and procedures to prevent, detect and report money laundering and terrorist financing. In addition, employees need to be aware of their own and the supervised person’s obligations under the statutory and regulatory requirements.

3.7.2 There was one finding in which it was identified that the supervised person was unable to demonstrate it had:

  • Provided training.
  • Assessed the effectiveness of the training given to the board or senior management.
  • Maintained policy and procedures to test the effectiveness of training provided, in line with the requirements of the regulatory framework.

3.8   Record keeping

3.8.1 A supervised person must keep records of all the supporting documents, data and information in respect of a business relationship or one-off transaction which is the subject of customer due diligence measures, including the results of analysis undertaken in relation to the business relationship or any transaction.

3.8.2 There were three findings in which it was identified that the supervised person was unable to demonstrate that documents, data and information had been maintained in all instances.

4 Board responsibilities

To ensure effective oversight of compliance with statutory and regulatory requirements the board should, but is not limited to, consider the extent to which compliance risk is effectively managed on an annual basis, keep adequate records of such a review and also assess its own effectiveness on a periodic basis.

4.1   Compliance risk assessment

4.1.1 A supervised person must assess, at least on an annual basis, the extent to which compliance risk is effectively managed.

4.1.2 There was one finding in which it was identified that the supervised person had not undertaken an annual assessment of the effectiveness of management of compliance risk.

4.2   Board effectiveness review

4.2.1 A supervised person must regularly review corporate governance arrangements, including an assessment of the board’s effectiveness.

4.2.2 There was one finding in which it was identified that the supervised person had not undertaken a formal assessment of the board’s effectiveness.

4.3   Records of meetings

4.3.1 A supervised person must ensure its board minutes are adequate, orderly and up to date.

4.3.2   There was one finding in which it was identified that the board minutes did not evidence adequate detail of discussion or rationale for decisions made.

5 Compliance monitoring

5.1.1 A supervised person must, through the design and implementation of a risk based compliance monitoring plan, assess both the effectiveness of, and compliance with, systems and controls, including policies and procedures. Where deficiencies are identified they should take prompt action necessary to address them.

5.1.2 There were four findings identified in relation to the compliance monitoring programme (CMP) including the following issues:

5.1.2.1 A CMP was not in place for the period under review.

5.1.2.2 The CMP had not been approved by the board.

5.1.2.3 It was not demonstrated that the board had sufficient oversight of the progress of CMP or had taken prompt action to address the deficiencies identified.

5.1.2.4 The CMP referenced incorrect and out of date statutory and regulatory requirements and the procedure in place for determination and execution of the CMP was not fit for purpose.

6 Conflict of interests

6.1.1 A supervised person must ensure that adequate procedures are implemented to avoid any conflict of interest arising or where conflicts arise keep adequate records of such conflicts and address them by:

  • disclosure;
  • applying internal rules of confidentiality;
  • declining to act; or
  • otherwise as appropriate

6.1.2 There was one finding in which the procedure for managing conflicts of interest did not contain an appropriate level of detail with regard to all the mitigants that may be used to manage the conflict.

7 Conclusion

Several supervised persons will need to make comprehensive changes to internal systems and controls, including policies and procedures, to fully comply with the regulatory framework.

All supervised persons examined have received direct feedback and the seven businesses which received findings were required to submit a formal remediation plan setting out actions to be taken and timescales for completion.

When conducting remediation activity, we expect that issues are not reviewed in isolation, and consideration is given to the wider implications of the findings detailed in individual examination reports. In addition, understanding and addressing the root cause of findings will generally result in better outcomes and a more robust control framework.

Supervisors work closely with supervised persons to ensure that the steps taken to address findings are appropriate to the breadth of risks identified.

A key component of regulatory effectiveness is to ensure that where a supervised person has completed remediation activity, they have done so in a way that is sustainable and addresses the findings identified. Therefore, we undertake a programme of remediation effectiveness testing on a risk-based approach, following confirmation of completion from supervised persons.

Examination findings form part of a regulatory track record and the manner in which a supervised person addresses the findings and engages with us are key to informing supervisory strategy. Where appropriate, we may consider the implementation of heightened risk supervisory engagement strategies, the use of statutory powers and the imposition of regulatory sanctions.

There were similar findings detailed within our examination feedback papers issued during 2020 and 2021. We expect the board/senior management of all supervised persons, to review all feedback papers and consider their own arrangements to ensure full compliance with the regulatory framework. Where the findings can be applied to other aspects of the regulatory framework, conducting a gap analysis to current working practices is recommended to industry as a whole.

Next steps

Review the findings highlighted in this paper, considering your own arrangements to ensure that they are complying with all the relevant statutory and regulatory requirements.

Where you identify any deficiencies in your systems and controls:

  • Construct a remediation plan and discuss this with your supervisor.
  • Consider the notification requirements under the AML/CFT CoP within section 2.3 of the relevant handbook and Principle 6 of the relevant Codes of Practice.
  • Address the issues identified through remedial action.
  • Consider what assurance activities will provide comfort to the board/senior management that the gaps identified have been addressed effectively.

You may be asked to demonstrate, in future engagements, the steps taken to address deficiencies in the control environment.

Where this action is not considered adequate or where we identify gaps of a similar nature in the future, we will consider appropriate regulatory action.

8   Glossary of terms

AML

Anti-money laundering

AML/CFT CoP

Codes of practice contained within the Handbook

Board

Board of directors

BRA

Business risk assessment

CFT

Countering the financing of terrorism

CMP

Compliance monitoring programme

Handbook

Handbook/s for the Prevention and Detection of Money Laundering and the Financing of Terrorism

JFSC

Jersey Financial Services Commission

Order

Money Laundering (Jersey) Order 2008

MLCO

Money Laundering Compliance Officer

MLRO

Money Laundering Reporting Officer

ML

Money laundering

PEP

Politically Exposed Person as described in Article 1 and 15A of the Order

Supervised person

Means a person carrying on financial services business in or from within Jersey as defined under Article 1(1) of the Order

SAR

Suspicious activity report

TF

Terrorist financing