Jersey Financial Services Commission

2023 countering the financing of terrorism and proliferation financing examination feedback

Issued: 03 October 2024


Glossary

Term: Definition

  • AML: anti-money laundering
  • AML/CFT/CPF Codes of Practice: the AML/CFT/CPF Codes of Practice set out in the handbook
  • board or senior management team: the Board of Directors or the Board function described in Section 2.1 of the handbook
  • BRA: business risk assessment
  • CDD: customer due diligence
  • CFT: countering the financing of terrorism
  • CPF: countering proliferation financing
  • CRA: customer risk assessment
  • DNFBPs: designated non-financial businesses and professions
  • EDD: enhanced customer due diligence
  • FATF: Financial Action Task Force
  • FCEU: the Financial Crime Examination Unit of the JFSC
  • financial crime: money laundering, the financing of terrorism, proliferation financing, and non-implementation/breaching/circumvention/evasion of targeted financial sanctions
  • FSB: fund services business
  • GIMB: general insurance mediation business
  • The handbook: handbook for the prevention and detection of money laundering, the countering of terrorist financing, and the countering of proliferation financing
  • IB: investment business
  • JFSC: Jersey Financial Services Commission
  • The Minister: Jersey’s Minister for External Relations
  • ML/TF/PF: money laundering, terrorist financing, and proliferation financing
  • Money Laundering Order: Money Laundering (Jersey) Order 2008
  • MSB: money service business
  • OSP: the JFSC’s Outsourcing Policy and guidance note
  • PEP: politically exposed person. An individual who is any of the following (within the meaning of Article 15A of the Money Laundering Order):
    • (a) A domestic politically exposed person
    • (b) A foreign politically exposed person
    • (c) A prominent person
  • POCL: Proceeds of Crime (Jersey) Law 1999
  • Relevant person: as defined in Article 1 of the Money Laundering Order
  • Review period: the period used by the JFSC when reviewing documents during an examination, normally a period of 12 months
  • SAFL: Sanctions and Asset-Freezing Law 2019
  • supervised person: as defined in Article 1 of the Proceeds of Crime (Supervisory Bodies) (Jersey) Law 2008. Includes persons regulated by the JFSC under one of the Regulatory Laws, and DNFBPs
  • Targeted Financial Sanctions Measures: includes any measures made under:
    • SAFL
    • Any Regulations or Orders made under SAFL (e.g. the Sanctions and Asset-Freezing (Implementation of External Sanctions) (Jersey) Order 2021)
  • TCB: Trust company business
  • the thematic: The 2023 TF/PF thematic examination to which this feedback relates
  • UK: The United Kingdom of Great Britain and Northern Ireland
  • UN: The United Nations

1 Executive summary

Over the course of 2023, we assessed the extent to which supervised persons had implemented effective measures to counter terrorist financing (TF) and counter proliferation financing (PF), collectively referred to in this paper as “TF/PF”.

TF/PF risk, along with the linked risk of facilitating sanctions evasion, must be identified and managed throughout the operation of a supervised person’s business. This includes, but is not limited to:

  • documenting its TF/PF risk exposure in a business risk assessment (BRA)
  • maintaining adequate and effective systems and controls which cover TF/PF at the appropriate points
  • assessing the risk of a business relationship involving TF/PF
  • monitoring for potential TF/PF activity
  • delivering adequate training to employees

Where TF/PF controls are not adequate, the effectiveness of a supervised person’s wider financial crime controls will be impacted, potentially exposing them to a heightened risk of being used to facilitate financial crime.

Effective TF/PF controls are crucial because they:

  • help to protect the supervised person and the integrity of the financial sector in which it operates by reducing the likelihood of the business becoming a vehicle for, or a victim of, financial crime
  • assist law enforcement, by providing information on customers, activities or transactions being investigated
  • constitute an essential part of sound risk management, e.g. by providing the basis for identifying, limiting and controlling risk
  • contribute to the successful implementation of financial sanctions applied by, for example, the UN and the UK

Legislative requirements in respect of TF/PF controls are set out in the Money Laundering (Jersey) Order 2008 (the Money Laundering Order). Additional requirements are captured in our handbook for the prevention and detection of money laundering, the countering of terrorist financing, and the countering of proliferation financing (the handbook). Obligations in the relevant Codes of Practice may also be relevant to TF/PF controls.

Wherever reference is made in this feedback to “money laundering” when quoting requirements of the Money Laundering Order, this should be read to include TF and PF. The definition of “money laundering” detailed under Article 1 of the Proceeds of Crime (Jersey) Law 1999 (POCL) includes conduct which is an offence under the Terrorism (Jersey) Law 2002. Furthermore, the definition of “money laundering” detailed under Article 37 of POCL includes conduct which is an offence under any provision of the Sanctions and Asset-Freezing (Jersey) Law 2019 (SAFL), or any provision of an order made under Article 3 of SAFL, capturing the relevant UN and UK sanctions regimes related to proliferation and proliferation financing. Therefore, terrorist financing and proliferation financing are deemed to be captured within the definition of “money laundering” set out within the Money Laundering Order.

In the first half of 2023, 43 supervised persons completed a questionnaire in relation to their:

  • corporate governance arrangements
  • internal systems and controls (including policies and procedures)
  • training related to TF/PF

The supervised persons who received questionnaires represented a cross-section of industry, ranging from designated non-financial businesses and professions (DNFBPs) to banking, fund services businesses and trust company businesses. The processes and outcomes of the questionnaire exercise are further explored at Sections 2 and 3 of this feedback.

Following receipt of the completed questionnaires, a sample of six supervised persons were selected for an on-site examination. The selection process was determined by supervisory risk data available to us. These on-site examinations took place in the third quarter of 2023. Each supervised person’s questionnaire responses informed the reviews conducted during the on-site activity. A detailed overview of the examination findings is set out at Section 4.

2 Background and scope

2.1 Background

We regularly undertake thematic examinations to assess the extent to which statutory and regulatory requirements are being complied with in targeted areas. Thematic examinations may be sector-specific, but they often address wider themes which cover multiple sectors. The purpose of this feedback paper is to publish an anonymised summary of the key findings identified during the thematic examination and set out relevant good practice for the benefit of all supervised persons.

Information about the examination process is available on our website.

Following the issuance of Jersey’s National Risk Assessment of Terrorist Financing in 2021 and its subsequent update in May 2023, we decided to conduct a programme of thematic examinations with a focus on countering the financing of terrorism and countering the financing of proliferation.

In general terms, TF is the provision or collection of funds from legitimate or illegitimate sources with the intention of, or in the knowledge that these funds are intended to be used to carry out any act of terrorism, whether or not those funds are in fact used for that purpose.

PF can be described as providing financial services and products to facilitate the transfer and export of:

  • nuclear, chemical or biological weapons
  • their means of delivery
  • related materials

It involves the financing of trade in proliferation sensitive goods but could also include other financial support for legal or natural persons or arrangements engaged in proliferation.

During a particular thematic examination, we may choose to also send questionnaires to additional supervised persons. This allows us to collect information relevant to the examination from a broader range of supervised persons, which can then be followed up via a desk-based review if necessary.

For this examination, a sample of 43 supervised persons were selected to receive a TF/PF questionnaire. The selection was driven by supervised persons’ level of exposure to a range of jurisdictions, as reported via the supervisory risk data collection exercise, which have greater exposure to TF/PF risk.

The questionnaire sought to gather information concerning:

  • corporate governance
  • internal systems and controls
  • customer risk assessments
  • screening of customers and activity
  • reporting of TF/PF
  • asset-freezes and related licences
  • training and awareness of employees

The industry sectors represented in our questionnaire exercise were as follows (where a supervised person held multiple licences, they are captured below based on the risk family we have assigned to them in our supervisory risk model):

2.2 Examination scope

The objective of this thematic examination was to establish how well effective measures had been implemented by supervised persons to counter TF and PF. To do so, we assessed compliance with the legislative and regulatory requirements set out in the Money Laundering Order and the handbook. Implementation of targeted financial sanctions is an important element of countering TF/PF. As a result, the effectiveness of sanctions controls was also tested during the on-site examinations.

The key areas of focus in this thematic examination included:

  • corporate governance (Section 2 of the handbook)
  • internal systems and controls, including policies and procedures (Section 2 of the handbook)
  • ongoing monitoring (Section 6 of the handbook)
  • reporting suspicious activity (Section 8 of the handbook)
  • sanctions reporting obligations (Section 8 of the handbook)
  • training and awareness of employees (Section 9 of the handbook)

From the 43 supervised persons selected to receive a questionnaire, a sample of six were selected for an on-site examination, focused on some of the larger sectors of the financial services industry, namely TCB and Banking.

Our assessment of compliance with statutory and regulatory requirements included in the examination scope was based on those in force during the review period set for each examination.

The industry sectors represented in our on-site examinations were as follows (where a supervised person operated across multiple sectors, they are captured below based on the risk family we have assigned to them in our supervisory risk model):

3 Overall findings and good practice

The table below summarises the detailed findings set out in Section 4, which were identified during the thematic examination. Examples of good practice are provided which relate to each of these areas. We have also included examples of good practice based on responses provided to the questionnaire. Not all these examples of good practice were necessarily identified during the thematic.

Area of findings: Corporate governance

Findings:

  • inadequate reference to PF in business risk assessment (BRA) and strategy for countering financial crime
  • BRA was not updated at an appropriate frequency
  • unable to evidence discussion of TF/PF matters by the Board
  • effectiveness of customer screening tool was not tested
  • outsourcing arrangements were not recorded and monitored

Good practice:

  • BRA assesses the supervised person’s ML/TF/PF risk holistically, i.e. ‘in the round’, including the risk of being used to facilitate sanctions evasion
  • BRA is reviewed and updated on a frequency appropriate for the business. This may differ based on whether the business is dynamic and growing, or has a stable customer base, products, and services
  • TF/PF risk appetite is clearly recorded
  • formal AML/CFT/CPF strategy separately addresses how ML, TF, and PF risk will each be managed, mitigated, and controlled
  • board/senior management receives and considers regular reporting on the effectiveness of, and compliance with, systems and controls relating to TF/PF
  • members of the board/senior management have clearly apportioned responsibilities where action to improve TF/PF controls is required
  • testing of screening tools includes checking any ‘fuzzy matching’ logic employed is working in line with expectations

Area of findings: Identification measures – customer risk assessments (CRA)

Findings:

  • CRA tool did not capture sufficient factors to properly assess TF/PF risk of a customer
  • customer risk rating did not update in a timely manner following a change to a risk characteristic e.g. upon changing residence from a low-risk jurisdiction to a high-risk jurisdiction

Good practice:

  • due diligence measures include an assessment of TF/PF risk during customer onboarding
  • customer risk assessments consider TF, PF, and sanctions as unique risks
  • the CRA includes consideration of whether the customer has any connection to countries with higher TF/PF risk exposure e.g. those identified as such in Appendix D2 of the handbook
  • customer risk rating is recalculated on a timely basis when the circumstances of a customer change
  • the CRA includes consideration of whether the customer is connected to sensitive activities which may pose a higher risk of TF/PF exposure e.g. shipping, manufacturing of dual-use goods

Area of findings: CDD measures – ongoing monitoring

Findings:

  • TF and PF not considered when carrying out periodic reviews
  • periodic reviews not carried out at frequencies mandated in own policies and procedures
  • periodic reviews not carried out for low and medium risk customers and trigger event review processes for those types of customers were not adequate
  • scrutiny of customers’ transactions and activity was not adequate e.g. rationales for unusually large transactions were not validated or not reviewed in a timely manner

Good practice:

  • backlogs in the completion of periodic and trigger event reviews are escalated to senior management and a remediation plan put in place to clear them
  • periodic and trigger event reviews include specific consideration of TF/PF risk
  • alerts for sanctions regimes beyond UN and UK are considered where customer base means other sanctions regimes are relevant (e.g. USA)
  • systems and controls allow a change to sanctions designations lists to be reviewed and acted upon “without delay”

Area of findings: CDD measures – finding out identity and obtaining evidence

Findings:

  • letter from a family office based in a non-equivalent jurisdiction was accepted as verification of address for an individual

Good practice:

  • policies and procedures provide examples of what documents may be obtained as evidence of identity, along with clear processes for consideration of more unusual types of documents

Area of findings: Enhanced customer due diligence – politically exposed persons (PEPs)

Findings:

  • individuals were not correctly identified as PEPs by association
  • supervised person unable to demonstrate CDD measures applied to business relationship involving a PEP were proportionate to risk

Good practice:

  • policies and procedures set out examples of how an individual may be considered a PEP e.g. family connection, close associate, etc.
  • where a PEP is connected to a customer relationship, clear records are kept to demonstrate how a supervised person has concluded the CDD measures applied to the relationship are commensurate with the risk presented by the PEP

Area of findings: Internal systems and controls (including policies and procedures)

Findings:

  • policies and procedures made little or no reference to TF and/or PF
  • policies and procedures did not make adequate reference to Jersey’s legal and regulatory framework
  • inadequate detail provided on what constituted suitable certification of documents
  • inadequate detail provided on CDD measures to be applied to particular types of customers
  • inadequate detail provided on customer screening and periodic review processes
  • policies and procedures were not consistent with one another
  • policies and procedures were not kept up to date
  • failure to follow own policies and procedures in respect of CDD measures

Good practice:

  • policies and procedures are periodically reviewed against Jersey’s legal and regulatory framework to ensure they remain fit for purpose, and prompt action is taken to address any deficiencies
  • policies and procedures cover how to investigate potential screening matches relating to sanctions, how to freeze assets of customers who are designated persons, and how to make sanctions reports to the Minister for External Relations (the Minister)
  • policies and procedures reflect current sanctions legislation
  • where compliance monitoring plan (CMP) testing identifies employees have breached policies and procedures relating to CDD, steps are taken to improve staff awareness of those requirements
  • delays to reviews of policies and procedures are promptly escalated to board/senior management and action plans put in place

Area of findings: Reporting suspicious activity and sanctions reporting

Findings:

  • procedures did not require a sanctions compliance report to be made to the Minister in line with SAFL

Good practice:

  • procedures clearly state that where a sanctions compliance report is made, consideration should be given to whether a suspicious activity report (SAR) may also be required

Area of findings: Awareness and training of employees

Findings:

  • training did not adequately cover TF and/or PF
  • TF/PF training was not delivered
  • training did not adequately cover sanctions
  • training had not been updated to reflect obligations of new sanctions legislation
  • training referenced legislation no longer in force
  • training provided to outsourced service providers did not adequately cover PF

Good practice:

  • employees are provided with periodic training on the characteristics, typologies, and red flags specific to TF/PF
  • enhanced training is provided to individuals where appropriate for their role e.g. those tasked with monitoring compliance with TF and PF requirements
  • training clearly outlines employee responsibilities in respect of sanctions compliance and reporting obligations for TF/PF
  • staff understanding of TF/PF matters is tested following the delivery of training
  • training is periodically updated, to take account of changes in TF/PF requirements and the latest guidance

Area of findings: Record-keeping

Findings:

  • documentation held for customers, such as evidence of identity, was either incomplete or not legible
  • discussions undertaken and decisions made regarding risk matters were not adequately documented
  • board/senior management unable to evidence systems and controls (including policies and procedures) had been reviewed
  • rationales for discounting screening hits were not adequately detailed

Good practice:

  • policies and procedures include a version control which clearly records when they were revised, who approved the revision, and a summary of the changes made
  • minutes of meetings capture the substance of discussions undertaken and clearly record agreed actions, due dates, and who is responsible for completing them
  • customer file reviews undertaken post-onboarding (e.g. a 90-day review) to ensure CDD obtained is complete and of adequate quality
  • rationales for discounting screening hits are clear, understandable, and easily accessible for future review

3.1 Key statistics

A total of 24 findings were identified across the six on-site examinations undertaken. Findings were identified at all the examined supervised persons.

Some key statistics regarding the number of on-site examination findings include:

  • Two thirds of examined supervised persons (four) had findings in relation to their policies and procedures
    • half of the examined supervised persons had policies and procedures which made little reference to PF
    • JFSC officers also identified one case where policies and procedures were not consistent with one another, along with two cases where supervised persons had failed to follow their own policies and procedures
  • Two thirds of examined supervised persons (four) were unable to demonstrate fully effective corporate governance arrangements were in place. In particular, half of the examined supervised persons had issues identified with respect to their BRAs.
  • Two thirds of examined supervised persons (four) also had failings regarding awareness and training of employees. In all four cases, PF was not adequately covered in the training delivered.

We identified similar findings to those described in the points above in previous examination programmes over the last two years. For example:

  • policies and procedures findings were identified in the 2022 programme of financial crime examinations, 2022 thematic examination on the role of the MLCO, and 2023 thematic examination on reliance on obliged persons
  • corporate governance findings in respect of the BRA were identified in the 2022 financial crime examinations, 2022 thematic examination on the BRA and formal strategy for countering financial crime, and 2023 thematic examination in Independent Financial Advisor’s investment services to vulnerable persons
  • findings in respect of training featuring out-of-date legislation or not covering key areas of the Jersey regulatory framework were identified in the 2022 financial crime examinations, 2022 thematic on the role of the MLCO, and 2022 thematic examination on beneficial ownership and control

3.2 Assessment of examination results

Across the on-site examinations, we identified that whilst TF was reasonably well-embedded in BRAs and customer risk assessment processes, there was a wide variation in the level of consideration given to PF risk. This ranged from PF being considered as a unique and specific risk, to being considered under the umbrella of ML/TF/sanctions, to not being considered at all. Furthermore, PF was omitted from supervised persons’ training and systems and controls more frequently than TF.

Whilst the handbook was updated to specifically reference PF in December 2022, legal and regulatory requirements in respect of PF have been in force in Jersey for some time, for example as part of SAFL. We have also been publishing guidance on PF on our website since 2011.

Furthermore, countering proliferation financing is a core element of the FATF recommendations, with industry being required to, for example, identify and assess the risks of:

  • potential breaches
  • non-implementation
  • evasion of targeted financial sanctions relating to PF

Supervised persons were therefore expected to have reasonably mature and effective training and systems and controls in place in respect of PF when the thematic examination took place.

It is vital that supervised persons regularly review and, where necessary, enhance their systems and controls in relation to:

  • consideration of TF/PF risk within their business risk assessment, strategy for countering financial crime, and risk appetite statement
  • assessment of TF/PF risk at customer onboarding and periodic/trigger event reviews
  • ensuring sufficient coverage of TF/PF obligations, typologies, and characteristics within training delivered to employees

Where we identify examination findings that indicate:

  • prior remediation has been ineffective
  • known deficiencies exist and have not been addressed by the board/senior management
  • appropriate consideration and action have not been taken following our historic examination feedback

supervised persons can expect these to be deemed as aggravating factors in determining our entity-level regulatory strategy.

Where we identified findings considered to be serious in nature, they were brought to the attention of supervised persons and have resulted in escalation.

3.3 Findings

The below chart sets out where findings were identified across the six examined supervised persons. A supervised person may have more than one finding identified against a given area, for example two findings identified which relate to the broader area of corporate governance.

A detailed overview of the on-site examination findings is set out at Section 4.

Where statistics in relation to questionnaire responses are discussed in this feedback, these figures exclude the six supervised persons who received an on-site examination. Therefore, they cover the remaining population of 37 supervised persons.

A total of 24 findings were identified across 10 of the 37 supervised persons who received and completed a questionnaire. The below chart sets out the broad areas where these findings were identified across the 37 supervised persons who received and completed a questionnaire. Note that a supervised person may have more than one finding identified against a given area e.g. two findings identified which relate to the broader area of board responsibilities.

3.4 Action required

We expect the boards/senior management of all supervised persons to consider the findings and good practice highlighted in this feedback against their own arrangements.

Where a supervised person identifies any deficiencies in its systems and controls, we expect it to:

  • consider the notification requirements under the AML/CFT/CPF Codes of Practice set out in Section 2.3 of the handbook, and where applicable the relevant Codes of Practice (dealing with the JFSC in an open and co-operative manner)
  • prepare a remediation plan and discuss this with its Supervisor, as it sees appropriate
  • execute its remediation plan in the manner set out and agreed with its Supervisor
  • consider what assurance activities may provide comfort to its board or senior management team that deficiencies identified have been addressed effectively, applying appropriate ongoing controls

Supervised persons should also consider our guidance on remediation action plans.

TF/PF and sanctions guidance

As noted above, a broad range of guidance notes and other information sources regarding TF, PF, and sanctions are available in the ‘Financial crime’ section of our website. These include:

  • detailed explorations of TF/PF methods and typologies
  • a comparison of the differences and similarities between ML/TF/PF
  • links to various third-party information sources from bodies such as FATF and the Government of Jersey

4 Detailed findings

The key findings summarised in this section are taken from the on-site examinations conducted at six supervised persons as part of this thematic. They identify a range of deficiencies in systems and controls which could expose those supervised persons to a heightened risk of failing to prevent or detect TF/PF.

If a supervised person does not have adequate systems and controls in place, its AML/CFT/CPF framework may be fundamentally compromised, exposing the supervised person, and Jersey, to unacceptable levels of financial crime risk.

Please note that each finding identified during the examinations may be comprised of multiple individual elements.

4.1 Corporate governance

Section 2.3 of the handbook outlines the key responsibilities of the board/senior management of a supervised person in the context of preventing and detecting financial crime as:

  • identifying the supervised person’s financial crime risks
  • ensuring its systems and controls (including policies and procedures) are appropriately designed and implemented to manage those risks
  • ensuring sufficient resources are devoted to fulfilling these responsibilities

Section 2.4 of the handbook further requires a supervised person to check that its systems and controls (including policies and procedures) are operating effectively and test they are being complied with.

Across the examined supervised persons there were five findings in respect of corporate governance. Note that one supervised person had two findings identified which fell under the broader area of corporate governance.

Examples of the issues identified relating to the BRA:

  • in two cases, there was inadequate consideration of PF risk within the supervised persons’ BRAs
  • in one case, there was no reference to PF within the BRA whatsoever
  • in one case, there was little evidence the board had properly discussed TF or PF risks at their meetings
  • in one case, we identified the supervised person’s BRA had not been updated on a timely basis following external trigger events which could reasonably have impacted its risk profile, such as the publication of national risk assessments for Jersey

Where a supervised person does not identify all the TF/PF risks it faces within its BRA, it may be unable to determine whether it has systems and controls to manage and mitigate those risks. In the absence of adequate controls, the likelihood of risks crystallising is increased.

Where discussions of TF/PF risk matters are not properly evidenced or processes for escalation of customer risk are unclear, the board may be unable to demonstrate it is fulfilling its obligations as set out in the handbook.

We also identified corporate governance findings relating to assessing the effectiveness of systems and controls:

In one case, a supervised person had not tested the effectiveness of its customer screening tool. Where a screening tool is not subject to regular testing, this creates the risk that deficiencies will not be identified and addressed in a timely manner, increasing the possibility financial crime issues connected to a customer may go undetected

In another case, the supervised person had engaged an external service provider to conduct initial reviews of screening hits on its behalf. The service provider would discount hits where it was clear there was no match to the supervised person’s customers and would only forward hits to the supervised person if they could not be discounted. Because the service provider was reviewing and discounting hits on the supervised person’s behalf, this arrangement met the definition of an outsourcing arrangement as set out in our outsourcing policy and guidance note (the OSP).

However, the supervised person had not identified the arrangement as outsourcing and was unable to demonstrate compliance with the OSP’s core principles. Where an outsourcing arrangement is not subject to appropriate governance, there is a risk that processes will not be in place to take action if the service is not delivered as expected. This could lead to a financial crime control not functioning correctly for an undue amount of time

4.2 Awareness and training of employees

Article 11 of the Money Laundering Order sets out statutory obligations to make employees whose duties relate to the provision of a financial services business aware of the policies and procedures put in place under that article.

Article 11 also requires a supervised person to provide those employees with training on recognising and handling suspicious transactions and activity, as well as monitoring and testing the effectiveness of said training.

The AML/CFT/CPF Codes of Practice relating to training and awareness at Section 9.5 of the handbook require a supervised person to provide adequate training to employees at appropriate frequencies. Such training must, among other things:

be tailored to the supervised person and be relevant to the employees receiving the training

cover key aspects of AML/CFT/CPF legislation

Across the examined supervised persons there were four findings in respect of training. Examples of the issues identified:

In one case, the training delivered to employees on TF and PF was very limited

In another case, the supervised person did not provide adequate PF training to its outsourced service providers

the services provided to the supervised person included performing a range of financial crime controls

in the same case, training provided to employees referred to the Terrorist Asset-Freezing (Jersey) Law 2011, which was replaced by the SAFL in 2019

In the two remaining cases, no PF training was delivered to employees.

4.3 Reporting suspicious activity and sanctions reporting

Article 11 of the Money Laundering Order requires supervised persons to maintain appropriate and consistent policies and procedures for matters including reporting of suspicious activity in accordance with the Proceeds of Crime (Jersey) Law 1999 (POCL).

In addition, all supervised persons have reporting obligations under Article 32 of SAFL, where they have a business relationship with or have been approached by a designated person, or a person who has committed an offence under that law. Reports made under this obligation must be submitted to the Minister and must include the information specified in Article 32.

Reports made under POCL and SAFL are required to be made “as soon as practicable”. A supervised person may encounter situations where in addition to a SAR, a sanctions compliance report to the Minister will need to be made.

There was one finding in respect of suspicious activity and sanctions reporting. The supervised person’s policies and procedures did not include the requirement to make a report to the Minister in accordance with Article 32 of SAFL.

Where suspicious activity and sanctions reporting requirements are not adequately covered within policies and procedures, there is a risk that an employee may not know what action to take when identifying activity which must be reported under POCL or SAFL. This may lead to a failure to submit a report to the FIU and/or Minister in a timely manner.

4.4 CDD measures

Article 3 of the Money Laundering Order states that CDD measures are comprised of identification measures and ongoing monitoring and sets out what each must include. Article 13 of the Money Laundering Order requires relevant persons to apply CDD measures. Identification measures are further detailed in Sections 3 and 4 of the handbook, whilst ongoing monitoring is covered in Section 6 of the handbook.

Identification measures – Customer risk assessments

Article 3(5) of the Money Laundering Order requires supervised persons to assess the risk that any business relationship or one-off transaction will involve money laundering, as part of the wider identification measures set out in Article 3(2). In addition, Section 3.3 of the handbook includes an AML/CFT/CPF Code of Practice that requires supervised persons to apply a risk-based approach to determine what measures should be applied during the identification process.

When supported by a correctly applied risk assessment, a risk-based approach allows a supervised person to manage the financial crime risk posed by a customer relationship in an effective and proportionate manner. However, if a risk assessment has not been properly carried out, appropriate measures and controls might not be applied to a customer relationship to adequately mitigate the risk.

Across the examined supervised persons there was one finding in respect of customer risk assessments. In this finding, we identified that the supervised person’s CRA tool did not include sufficient risk factors to allow it to make a full assessment of the financial crime risk posed by the customer, for example:

the tool did not consider the nature and scope of the customer’s business/employment activities

a customer’s risk rating was not recalculated in a timely manner following a change in the customer’s circumstances e.g. a change in country of residence

a manual review was undertaken before making updates to the customer's risk rating, causing an undue delay to the recalculation process.

Where a customer risk assessment does not consider an adequate range of factors, potential TF/PF risks may not be identified, leading to an incorrect risk rating and inadequate due diligence measures being applied to a customer. Furthermore, if a customer’s risk rating does not promptly reflect changes to their circumstances, this could lead to measures to properly mitigate increased TF/PF risk not being applied to the customer in a timely manner.

Ongoing monitoring

Article 3 of the Money Laundering Order states that ongoing monitoring means scrutinising transactions undertaken throughout the course of a business relationship and ensuring that documents, data, or information obtained under identification measures are kept up to date by undertaking reviews of existing records.

There were three findings in respect of ongoing monitoring. Examples of the issues identified:

In two cases, the supervised persons’ arrangements for periodic reviews were not adequate

in one case, TF/PF risks were not considered when carrying out periodic reviews

in another case, periodic reviews were not carried out for low or medium-risk customers. Whilst the supervised person had a trigger event review process in place for these customers, it was deficient and therefore the overall periodic review arrangements were not adequate

In two cases, ongoing monitoring activity was not carried out in a timely manner

in one case, periodic reviews were not carried out for a customer as required in the supervised person’s policies and procedures

in the other case, trigger event reviews arising from transaction alerts were not carried out in a timely manner

In all three cases, the supervised person did not take appropriate action because of its ongoing monitoring activities

for example, deficiencies in evidence of identity held for a customer were identified during a periodic review, but those issues were not remediated

in another case, the supervised person did not obtain updated evidence of identity on a timely basis following a customer’s change of residential address (a trigger event)

In two cases, the supervised person did not check the rationale provided by a customer for an unusually large transaction identified through transaction monitoring to ensure it was reasonable

in one of the two cases, the supervised person also could not demonstrate it had considered whether the transaction was in line with its existing knowledge of the customer

Where a supervised person’s ongoing monitoring arrangements are not adequate, or ongoing monitoring activity is not completed on a timely basis, there is an increased likelihood that a potential TF/PF risk will not be identified and may crystallise before it can be mitigated.

Finding out identity and obtaining evidence

Article 3 of the Money Laundering Order states that identification of a person means finding out the identity of that person, and obtaining evidence that is reasonably capable of verifying that the person being identified is who they claim to be. Section 4 of the handbook sets out various methods by which a supervised person may demonstrate it has obtained adequate evidence of identity for a person.

Section 4 further states that other acceptable methods of obtaining evidence of identity may be employed by supervised persons outside those explored in the handbook, provided they are equally as robust in verifying the person being identified is who they claim to be. A supervised person will be expected to demonstrate how the method applied is equally as robust.

Across the examined supervised persons there was one finding in respect of obtaining evidence of identity. In this finding, we identified the supervised person had accepted a letter from a customer’s family office in the Middle East as verification of the customer’s address. The family office did not meet the definition of “a person carrying on a supervised business which is regulated and operates in a well-regulated country or territory”. As a result, we considered the letter did not constitute adequate evidence of identity.

If the method used to obtain evidence of identity is not sufficiently robust, the risk arises that the supervised person may fail to correctly identify the person with whom they form a business relationship or undertake a one-off transaction and that person could be engaged in financial crime.

4.5 Enhanced customer due diligence – PEPs

Article 15A of the Money Laundering Order requires a supervised person to apply EDD measures on a risk-sensitive basis where a business relationship or one-off transaction involves a foreign PEP, or where a high-risk business relationship or one-off transaction involves a domestic PEP or prominent person. Section 7.6 of the handbook provides guidance on determining whether an individual is a PEP and what EDD measures may be appropriate in various circumstances.

Across the examined supervised persons there were two findings in relation to EDD measures for PEPs. Examples of the issues identified:

In one case, we identified two individuals from our review of sampled customer files who met the definition of a PEP. However, the supervised person had incorrectly determined they were not PEPs

In the other case, the supervised person determined that an individual’s PEP status was not relevant to the risk rating of the customer, because of the nature of their connection to the customer structure, and therefore EDD measures were not required to be applied to the business relationship. However, the supervised person had not documented its conclusions in this matter. As a result, it was unable to demonstrate its CDD measures applied to the business relationship were proportionate to the risk exposure generated by the PEP connection

If a supervised person does not correctly identify an individual as a PEP, this could lead to inadequate financial crime controls, including EDD and CDD measures, being applied to a customer. Furthermore, if a supervised person does not document how its EDD measures are commensurate with the risk posed by a PEP, it may be unable to demonstrate how it is meeting its obligations to apply EDD measures on a risk-sensitive basis.

4.6 Internal systems and controls (including policies and procedures)

Article 11 of the Money Laundering Order requires supervised persons to maintain appropriate and consistent policies and procedures for matters including customer due diligence measures. Section 2.4 of the handbook includes AML/CFT/CPF Codes of Practice that require supervised persons to establish and maintain a range of systems and controls to prevent and detect financial crime. These systems and controls must enable the supervised person to meet a range of obligations set out in Jersey’s legal and regulatory framework, including:

the application of policies and procedures set out in Article 11 of the Money Laundering Order

screening, training, and awareness of employees

taking action to comply with the Targeted Financial Sanctions Measures

Across the examined supervised persons there were four internal systems and controls findings in relation to policies and procedures, including:

Three supervised persons’ policies and procedures made little reference to PF

some policies and procedures made no reference to PF even though they were relevant to controlling PF risk

similarly, one supervised person’s policies and procedures did not make adequate reference to the specific requirements of the Jersey legal and regulatory framework regarding the countering of TF/PF

Three supervised persons’ policies and procedures provided inadequate detail on how to apply CDD measures

for example, they were not sufficiently clear on what constituted suitable certification of documents, what CDD measures should be applied to medium and high-risk customers, and how to properly carry out screening of customers

If a supervised person’s policies and procedures do not cover the requirements of the Jersey legal and regulatory framework, there is a risk those policies and procedures will not enable it to meet all its obligations in Jersey.

Similarly, if policies and procedures are unclear on how to apply CDD measures, there is a risk that a customer may not have appropriate measures applied to them which are commensurate with the risk.

Within the four internal systems and controls findings regarding policies and procedures, we also identified the following issues:

in one case, policies and procedures were maintained which were not consistent with one another. For example, the customer on-boarding procedure stated that reliance on obliged persons was permitted, whereas the main procedures manual stated reliance was not permitted

we also identified two supervised persons which had failed to follow their own policies and procedures

one supervised person did not adequately consider sensitive activities that two customers were involved with, in breach of its policies and procedures

another supervised person failed to validate the credentials of the individuals who had certified due diligence documents for two high risk customers, in breach of its procedure

If a supervised person’s policies and procedures are not consistent, there is a risk that employees may follow an incorrect process. This could lead to, for example, inadequate CDD measures being applied to a customer.

4.7 Record-keeping

Articles 19 and 20 of the Money Laundering Order set out statutory requirements in respect of records which must be kept by a supervised person. These requirements are supplemented by the AML/CFT/CPF Codes of Practice in Section 10 of the handbook.

Section 10.4.1 requires a supervised person to keep adequate and orderly records showing how the board has assessed both the effectiveness of, and compliance with, systems and controls (including policies and procedures). This requirement includes keeping adequate and orderly records of reports presented by the MLCO on compliance matters.

Section 10.4.2 requires a supervised person to keep adequate and orderly records of identification measures applied to customers, in line with the record-keeping requirements set out in the Money Laundering Order.

Across the examined supervised persons there were three findings in relation to record-keeping. Note that one supervised person had two findings identified which fell under the broader area of record-keeping. Some of the issues identified related to recording the application of identification measures:

In one case the copy held of an individual’s passport was illegible.

In another case, customer onboarding forms had not been fully completed.

Furthermore, in two of the three cases the supervised person had not adequately documented its rationale for the discounting of potential hits identified on its adverse media screening system

in one of these two cases, the supervised person did not make records of the escalation and consideration of screening alerts available to the appropriate employees.

in one case, the supervised person was unable to provide a written record of a meeting held with a customer which was meant to provide assurance the customer was complying with multiple sanctions regimes

in the same case, the supervised person could not provide written evidence or rationale for a decision not to apply EDD to a customer

Where a supervised person does not keep an adequate and orderly record of an identification measure applied, or how the risk factors linked to a customer are managed and mitigated, it may be unable to demonstrate it has applied appropriate identification measures in line with the Jersey legal and regulatory framework. Furthermore, if the reason for discounting a match has not been properly documented, the compliance function may not be able to consider whether the right decision was made, impacting its ability to make a proper assessment on whether the supervised person’s systems and controls are functioning effectively.

We also identified a record-keeping issue within one of the three findings, which related to policies and procedures. In this case, the supervised person was unable to evidence it had reviewed policies and procedures and determined no amendments were necessary.

Where a supervised person has conducted a review but not recorded its conclusions, it may not be able to demonstrate it has assessed the effectiveness of its systems and controls. As a result, the board may be unable to demonstrate it is fulfilling all its duties under Jersey’s regulatory framework.

5 Next steps

All supervised persons who received and completed a questionnaire, and all examined supervised persons have received direct feedback from us. Where findings were identified, the supervised persons were required to submit a formal remediation plan setting out actions to be taken and timescales for completion.

Where serious breaches are identified, we consider the appropriate level of response on a case-by-case basis. In some cases, this may result in a referral to our Heightened Risk Response team and in other cases, formal enforcement action may follow.

When conducting remediation activity, it is expected that issues are not reviewed in isolation, but consideration is given to the wider implications of the findings. Our Supervisors work closely with supervised persons to ensure that the steps taken to address findings are appropriate to the scale of risks identified.

A key component of regulatory effectiveness is to ensure that where a supervised person has completed remediation activity, it has done so in a way that is not only effective, but also sustainable, to demonstrate compliance with the statutory and regulatory requirements on an ongoing basis.

In certain cases we may mandate remediation effectiveness testing following confirmation of completion from supervised persons.

In future engagements with us, supervised persons may be asked to evidence steps taken to address identified deficiencies in their control environment.

Where this action is not considered to be adequate, or where deficiencies of a similar nature are identified to those highlighted in our previous feedback, we will consider our future supervisory strategy and where appropriate, regulatory action.

We may undertake a TF/PF thematic examination again in the future, to assess whether industry has taken on board the guidance set out in this feedback.

Please contact our Supervision Examination Unit for questions or clarifications on this thematic examination.

© 2026 Jersey Financial Services Commission
