AML/CFT Business Risk Assessment and formal AML/CFT Strategy Feedback from 2022 Examinations

1 Executive Summary

A supervised person’s BRA and formal AML/CFT strategy are key tools to help establish a robust risk management framework to detect and prevent financial crime.

During the second quarter of 2022, we undertook a thematic examination to assess the extent to which supervised persons have undertaken and recorded an assessment of their exposure to financial crime risk and documented a resulting strategy to counter it.

Supervised persons are required to have a comprehensive and up to date BRA in place which assesses and records the ML/TF risks relevant to their business that is clearly supported by information and data. Based on the BRA, a supervised person must establish a formal strategy to manage and mitigate the risks identified.

Where a supervised person has not adequately assessed its ML/TF risks, then the strategy it sets and its systems and controls designed in response, are unlikely to be effective in mitigating and managing the ML/TF and wider financial crime risks it faces.

The JFSC examined 11 supervised persons which are regulated under the Regulatory Laws as part of this thematic. This population is referred to in this paper as regulated supervised persons. A questionnaire was issued to a further 17 DNFBPs.  In response to the answers submitted to the questionnaire, six DNFPBs were asked to provide further information and documentation to support their answers.  This information was then reviewed by JFSC officers. The results of 11 examined regulated supervised persons plus the six desk-based reviews carried out on DNFBPs are set out in more detail in section 3 below. The results of the remaining 11 DNFPBs who responded to the questionnaire are set out in section 4 below.

The chart below outlines areas where findings were identified across the 11 examined regulated supervised persons and the six DNFPBs subject to a desk-based review:

All of those who were examined or subject to a desk-based review received direct feedback in the form of an examination findings report or letter.  A total of 16 supervised persons were required to submit formal remediation plans setting out actions to be taken to address the findings along with timescales for completion.

There were examples of good practice identified during the examinations and desk-based reviews which we have highlighted throughout the following sections of this feedback paper.

We expect Boards of all supervised persons, not just those subject to this examination, to consider their own arrangements against the matters identified in this feedback paper and make changes to their systems and controls in the event they identify any areas for development.

2 Background and Scope

We regularly undertake thematic examinations to assess the extent to which statutory and regulatory requirements are being complied with in targeted areas.  Thematic examinations may be sector specific, but they often address wider themes which cross multiple sectors. The purpose of this feedback paper is to publish an anonymised summary of the key findings and best practice identified during the thematic examination for the benefit of all supervised persons.  Information about the examination process is available here.

In January 2022, we set out our planned thematic examination programme for the year ahead, with the theme of “Anti-Money Laundering and Countering the Financing of Terrorism Business Risk Assessment and Strategy” being the first of three thematic examinations for 2022.

The theme was chosen due to the potentially high impact of a failure by a supervised person to adequately assess its financial crime risks and to establish and maintain adequate and effective systems and controls (including policies and procedures) to prevent and detect financial crime.

Furthermore, in our wider supervisory activity, in particular our financial crime examinations, we continue to identify and highlight deficiencies to supervised persons in this area.

The objective of this thematic examination was to review and assess the extent to which supervised persons were complying with their obligations and could demonstrate that they had:

• undertaken an assessment of their exposure to ML/TF risks in the round as required by the AML/CFT Code of Practice set out at section 2.3 of the Handbook;
• established a formal strategy to counter ML/TF as required by the AML/CFT Code of Practice set out at section 2.3 of the Handbook; and
• appropriate and consistent systems and controls (including policies and procedures) in relation to the above in place as required by the Article 11(1)(f) of the Order and the AML/CFT Code of Practice set out at section 2.4 of the Handbook.

The selection process was supported by our risk model, information submitted by firms and our supervisory knowledge. 

The 11 examined regulated supervised persons were from the following sectors:

In addition, the questionnaire was issued to the following 17 DNFBPs:

A further desk-based review was then undertaken for a sample of two lawyers, two accountants and two estate agents from the above population.

3 Key Findings and Observations

The key findings summarised in this section are taken from the 11 examined regulated supervised persons and the six desk-based reviews of DNFBPs. They identify a number of deficiencies in systems and controls, that could expose supervised persons to a heightened risk of failing to prevent or detect financial crime.

A supervised person’s BRA and formal strategy are the foundation of an effective financial crime prevention and detection framework.  If the BRA and strategy is ineffective, it can lead to systems and controls not operating as intended and exposing the supervised person to unacceptable levels of financial crime risk.

3.1 Business Risk Assessment

The key responsibilities of the Board of a supervised person are to:

• identify the supervised person’s financial crime risks and to consider them in the round;
• ensure that its systems and controls (including policies and procedures) are appropriately designed and implemented to manage those risks;
• to assess whether those systems and controls are operating effectively and as intended;
• consider whether residual financial crime risks are within the supervised person’s risk appetite and to implement action plans where those risks may be outside of its risk appetite either on an individual or cumulative basis; and
• ensure that sufficient resources are devoted to fulfilling these responsibilities.

The Board is assisted in fulfilling these responsibilities by the MLCO and MLRO, but the ultimate responsibility sits firmly with the Board.

3.1.1   Board Involvement

It is the Board that is required to conduct and record a BRA in respect of the supervised person’s operations with specific consideration given to the supervised person’s risk appetite and the extent of its exposure to ML/TF risks.

Across all the supervised persons examined there were 11 separate findings in relation to the Board’s involvement in the preparation of the BRA.   These findings range from no involvement at all to only limited evidence of the Board's discussion, challenge and scrutiny, as part of the preparation of the BRA recorded in the minutes.

Examples of the findings include:

• delegating the production and approval of the BRA to a sub-committee without any consultation, escalation or oversight from the Board;
• inadequate records of relevant discussions, decisions and the agreement of the Board to the assessment conclusions, for example, not clearly minuting the rationale for downgrading risk ratings;
• a lack of Board representation at meetings agreeing the output of the BRA; and
• inadequate or no record of the approval of the BRA by the Board, where this was mandated by the supervised person’s stated policies.

Examples of best practice and other resources to help supervised persons improve compliance in this area Involve all members of the Board in determining the financial crime risks posed, especially within those areas for which they have responsibility. Ensure contemporaneous records of the Board’s discussion, challenge and scrutiny of the BRA are created and maintained. Obtain and clearly record the Board’s approval of the BRA where this is required by the supervised person’s policies and procedures. In the event the Board wishes to delegate part of the process to another committee, the terms of reference for that committee should be clear and the Board must recognise that it cannot absolve itself of its overall responsibility to conduct and record a BRA, maintain oversight of the development of the BRA and own its ultimate output.

3.1.2   Risk Appetite

As part of conducting a BRA it is imperative that, on an on-going basis, the Board sets and monitors its risk appetite.  Without a clearly defined risk appetite, it is questionable how the business (including its staff) can understand the level of risk it is willing or able to accept and/or when to take action to reduce risk to an acceptable level. 

Three supervised persons had not clearly articulated the level of risk the business was willing to accept in its risk appetite statement.  One supervised person had not considered or documented its risk appetite at all.

Examples of best practice and other resources to help supervised persons improve compliance in this area When preparing a risk appetite statement, consider not only the risks faced, but the sophistication and effectiveness of systems and controls in place. Consider using a number of short, succinct statements, as opposed to one all-encompassing statement. Consider the use of very specific statements, so that staff members are clear about what is not acceptable.  For example, “We will not do business with clients with a connection to jurisdiction X”. Consider the use of quantitative parameters to clearly articulate the level of acceptable risk, for example: “we will limit our exposure to PEPs to X% of our client base”. Consider reporting metrics to the Board that allow it to monitor adherence with the risk appetite statement(s) and/or parameters set.

3.1.3   Assessment of Risks

A supervised person must assess the extent of its exposure to ML/TF risks “in the round” or as a whole by reference to the following factors:

• organisational structure;
• customers;
• the countries and territories with which those customers are connected;
• the products and services the supervised person provides; and
• how those products and services are delivered.

The assessment must consider the cumulative effect of risks identified, which may exceed the sum of each individual risk element.

The examination identified findings for eight supervised persons in relation to the BRA not adequately considering the risks posed to the business.  Examples include:

• one supervised person had simply adopted its UK-based parent’s BRA meaning it was not tailored its Jersey business and the specific risks it faced;
• one supervised person had produced, along with two other group entities, a consolidated BRA, but failed to consider certain risks specific to the supervised person subject to the examination;
• two supervised persons who provided services to customers with connections to jurisdictions listed on Appendix D2 of the Handbook, had not considered the risks associated with those higher risk jurisdictions;
• one supervised person had not recorded and considered the risk associated with its customers known to be involved in sensitive activities which are subject to the Sound Business Practice Policy;
• one supervised person made no mention of cybercrime in its BRA despite four out of the six senior managers interviewed by JFSC officers identifying this as one of the top three biggest financial crime risks to the business; and
• one supervised person did not record the risk posed by its CO, MLRO and MLCO role holder also being a director with potentially conflicting customer facing responsibilities in the BRA.

Where a business has not identified the financial crime risk it faces, it consequently cannot determine whether its systems and controls are effective to manage and mitigate those risks.  In the absence of adequate controls, the likelihood of risks crystallising is significantly increased.

Two supervised persons had no documented methodology for rating or scoring risks highlighted in the BRA.  A failure to adequately document this could result in a lack of consistency and increased subjectivity in assessing risks, leading to incorrect risk and control assessments and a failure to adequately respond to prevalent financial crime risks.

It is generally accepted best practice that a supervised person should: Ensure that people who know the business best determine what risks the business faces, rather than relying solely on an “off the shelf”, non-tailored view of risk. Describe its risk exposure and resultant risk appetite in language that is understandable and relevant to its employees. When assessing risks, consider the likelihood of them occurring and the impact should they occur. Clearly define what risk means to the business. Assess risk on a variety of impact parameters, e.g. financial, legal, regulatory, reputational, etc. Clearly document a methodology for assessing risks. Include consideration of and clearly distinguish between the different types of financial crime risks (money laundering, terrorist financing, proliferation financing, and non-implementation/breaching/circumvention/evasion of targeted financial sanctions) by evaluating the associated risks independently. Consider emerging risks that may not yet have presented themselves to the business but may become relevant as a result of a proposed change to the business model. This activity may be referred to as “horizon scanning”. Ensure that residual risks are considered against risk appetite and prioritise actions to reduce risk exposure to within appetite.

3.1.4   Assessment of controls

The Board is required to ensure that its systems and controls (including policies and procedures) are appropriately designed and implemented to manage the financial crime risks it has identified in its BRA and that they are appropriate to the circumstances of its business.

A supervised person should be considering the following:

• assessing its inherent risks, i.e. the level of risk without mitigation or controls;
• assessing the effectiveness of its systems and controls in mitigating risk;
• calculating its residual risk, i.e. the level of risk that remains after taking into account the effectiveness of its systems and controls; and
• considering residual risk against risk appetite and reacting, if necessary, for example: where residual risk is assessed as being outside of appetite, enhancing controls to reduce residual risk to an acceptable level.

One supervised person had not mapped or considered the effect of controls against its inherent risks, meaning it was unable to demonstrate how it had calculated its residual risk ratings. Another had listed specific controls as mitigants which did not actually address the risk posed.

The Board is required to consider what barriers (including cultural barriers) exist to prevent the operation of effective systems and controls (including policies and procedures) in relation to ML/TF risks and to take measures to address any identified barriers. Two supervised persons were unable to evidence consideration of such barriers.

Examples of best practice and other resources to help supervised persons improve compliance in this area Consider assessing the effectiveness of controls on more than one parameter, for example how well do the controls a) reduce the likelihood of the risk occurring and b) lower the impact in the event a risk crystallises. Consider using the findings of assurance activities, such as compliance monitoring or other reviews, to inform and support the effectiveness assessment of systems and controls. Consider using an anonymised staff questionnaire to gauge the prevalence of cultural barriers in the business and to assess how those barriers may prevent controls from operating as intended or prevent the controls from being effective (see section 2.4.3 of the Handbook).

3.1.5   Keeping the BRA up to date

The Board of a supervised person must consider, on an ongoing basis, its risk appetite and exposure to ML/TF risks in the round and carry out and record a business risk assessment. Its assessment must be kept up to date.

Guidance provided in the Handbook states that, in the case of a supervised person that is dynamic and growing, the Board may demonstrate that its BRA is kept up to date where it is reviewed annually. However, in other cases, for example a supervised person with stable products and services, this may be too often.

In all cases, the Board may demonstrate that its BRA is kept up to date where it is reviewed when events (internal and external) occur that may materially change the financial crime risk.

One supervised person was unable to demonstrate that the Board had considered its exposure to financial crime risks on an ongoing basis, because whilst it had documented that it would review and update its BRA on an annual basis, it was not doing so in practice.

Another supervised person was unable to demonstrate that its BRA was up to date, because it had used data about its client base that was materially out of date.

Where a supervised person does not periodically undertake an assessment of its exposure to financial crime risks, including the cumulative effect of the risks identified, then it is unlikely to fully understand the likelihood of those risks manifesting themselves and the resultant impact on the supervised person's business and risk profile. In the absence of such a regular assessment a supervised person will be unlikely to be able to determine whether its control environment would be effective in managing its risks. 

Examples of best practice and other resources to help supervised persons improve compliance in this area Formally consider and agree appropriate intervals for review of the BRA and strategy and ensure the minimum frequency of review is maintained in practice. Agree a range of events that will trigger a refresh of the BRA and/or strategy, such as planned or actual changes to your business and risk profile which may alter the assessment of risks or your control environment. Ensure that the data and information used in the preparation of the BRA is refreshed to ensure the assessment remains current.

3.2 Provision of BRA to JFSC

The AML/CFT Code of Practice detailed at section 2.3.1 of the Handbook requires a supervised person to maintain appropriate policies and procedures to enable it, when requested by the JFSC, to make available to that authority a copy of its BRA.

Eight supervised persons were unable to evidence that policies and procedures were in place to reflect the above requirement.

Examples of best practice and other resources to help supervised persons improve compliance in this area A firm need not have an explicit provision in its policies and procedures to make a copy of its BRA available to the JFSC upon request, but rather it may meet the requirement of the AML/CFT Codes of Practice by having more general provisions covering the delivery of data or information to the JFSC upon its request.

3.3 Formal AML/CFT Strategy

Based on its BRA, the Board must establish a formal AML/CFT strategy to counter ML/TF risks identified in its business.

One supervised person had not documented a formal AML/CFT strategy and another supervised person’s strategy was considered to be inadequate because it had very limited content.

Without a comprehensive formal AML/CFT strategy, a supervised person’s ability to organise and control its affairs in a way that effectively mitigates the risks identified in its BRA will be hampered.

Examples of best practice and other resources to help supervised persons improve compliance in this area Ensure the formal AML/CFT strategy clearly and separately articulates the firm’s response to each financial crime risk (money laundering, terrorist financing, proliferation financing, and non-implementation/breaching/circumvention/evasion of targeted financial sanctions). Share the formal AML/CFT strategy with staff members to raise awareness and increase the likelihood it will be applied in practice. Ensure your BRA, formal AML/CFT strategy and risk appetite are aligned and actively used to manage financial crime risks by customer facing and support staff.

4 Questionnaire

All respondents to the Questionnaire confirmed that they had in place an AML/CFT BRA, however three indicated that they had not documented a resultant formal AML/CFT strategy.

All respondents confirmed that systems and controls had been designed and implemented to mitigate the risks identified in their BRA, with six respondents stating that as a result of undertaking the BRA they had self-identified deficiencies or areas for development.

The following deficiencies were identified within the responses provided by the respondents:

• four respondents did not have a policy and/or procedure in place to enable them, when requested by the JFSC, to make available to it a copy of their BRA;

• five respondents did not maintain documentation to evidence the consideration and approval of the BRA and formal AML/CFT strategy;
• one respondent did not have a documented risk assessment methodology in place;
• four respondents did not make employees aware of the risks, controls and conclusions contained within the BRA and/or strategy; and
• one respondent had not assessed its systems and controls, to ensure they were effectively mitigating the risks identified in its BRA.

5 Conclusion

The examinations and desk-based reviews were undertaken at 17 supervised persons.  The key findings were:

• 65% of supervised persons were unable to demonstrate adequate discussion, challenge and scrutiny by the Board, as part of the preparation of the BRA.
• 24% of supervised persons were unable to demonstrate that they had in place an appropriate formal AML/CFT strategy.
• 47% of supervised persons were unable to demonstrate they had adequately considered their exposure to all relevant financial crime risks.
• 47% of supervised persons were unable to evidence that they had policies and procedures to enable a copy of their BRA to be provided to the JFSC upon request.

The number and extent of examination findings indicates that work continues to be required by supervised persons in order to ensure they are able to demonstrate full compliance with the regulatory framework.

Where serious, significant and/or material breaches are identified, we consider the appropriate level of response on case-by-case basis with the supervised person.  In some cases, this may result in a referral to the JFSC’s Heightened Risk Response team and in other, more serious cases, formal enforcement action may follow.

6 Next Steps

All regulated supervised persons examined and those DNFBPs subject to a desk-based review have received direct feedback from us. The 16 supervised persons with findings were required to submit a formal remediation plan setting out actions to be taken and timescales for completion.

When conducting remediation activity, we expect that issues are not reviewed in isolation, but consideration is given to the wider implications of the findings detailed in individual examination reports. JFSC supervisors work closely with supervised persons to ensure that the steps taken to address findings are appropriate to the scale of risks identified.

A key component of regulatory effectiveness is to ensure that where a supervised person has completed remediation activity, they have done so in a way that is not only effective, but is also sustainable in order to demonstrate compliance with the statutory and regulatory requirements on an ongoing basis.

We may, in certain cases, mandate remediation effectiveness testing on a risk-based approach, following confirmation of completion from supervised persons.

We expect Boards and senior management of supervised persons who were not involved in the examination to consider the findings highlighted in this feedback paper and the content of the thematic questionnaire against their own arrangements to ensure their business is complying with all relevant statutory and regulatory requirements in relation to the BRA and formal AML/CFT strategy.

Where supervised persons identify any deficiencies in systems and controls, we expect them to:

• prepare a remediation plan and discuss this with their supervisor;
• consider the notification requirements under the AML/CFT Code of Practice set out in Section 2.3 of the Handbook and Principle 6 of the relevant Codes of Practice;
• remedy any identified matters in the manner set out in the documented remediation plan agreed with their supervisor; and
• consider what assurance activities may provide comfort to the Board and senior management that deficiencies identified have been addressed effectively.

In future engagements with us, supervised persons may be asked to evidence steps taken to address identified deficiencies in their control environment.

Where this action is not considered to be adequate or where we identify deficiencies of a similar nature to those highlighted in our feedback papers, we will consider our future supervisory strategy and where appropriate, regulatory action.

In future planning, we will consider repeating this thematic examination, to test whether industry have taken on-board the guidance set out in this feedback paper and whether the compliance rates have improved.

7 Glossary

AML	anti-money laundering
AML/CFT Code of Practice	the AML/CFT Codes of Practice contained in the Handbook
Board	the Board of Directors or the Board function described in Section 2.1 of the Handbook
BRA	business risk assessment
CDD	customer due diligence as defined in the Order and the Handbook
CFT	countering the financing of terrorism
CO	compliance officer
Directions law	the Money Laundering and Weapons Development (Directions) (Jersey) Law 2012
DNFBP	designated non-financial services business or profession described in Part B of Schedule 2 to the Proceeds of Crime (Jersey) Law 1999
Financial Crime	money laundering, the financing of terrorism, proliferation financing, and non-implementation/breaching/circumvention/evasion of targeted financial sanctions
Guidance	guidance provided to supervised persons contained in the Handbook
Handbook	the Handbook for the prevention and detection of money laundering and the countering of terrorist financing
JFSC	Jersey Financial Services Commission
ML/TF	money laundering and terrorist financing
MLCO	money laundering compliance officer
MLRO	money laundering reporting officer
Order	the Money Laundering (Jersey) Order 2008
Regulatory Laws	collectively the Banking Business (Jersey) Law 1991; Collective Investment Funds (Jersey) Law 1988; Financial Services (Jersey) Law 1998; Insurance Business (Jersey) Law 1996 and the Alternative Investment Funds (Jersey) Regulations 2012
SBPP	sound business practice policy
Supervised person	defined in Article 1 of the Proceeds of Crime (Supervisory Bodies) (Jersey) Law 2008. Includes persons regulated by the JFSC under one of the Regulatory Laws and DNFBPs.