2023 natural persons undertaking class G trust company business examination feedback
2023 natural persons undertaking class G trust company business examination feedbackGlossary
|
Term |
Definition |
|
AML |
anti-money laundering |
|
AML/CFT/CPF code |
the AML/CFT/CPF code of practice contained in the handbook |
|
CFT |
countering the financing of terrorism |
|
class G trust company business |
class G is the provision of director services as defined in part 2 of the schedule to the Financial Services (Financial Service Business) (Jersey) Order 2009 |
|
CPD |
continuous professional development |
|
CPF |
countering proliferation financing |
|
financial crime |
money laundering, terrorist financing and proliferation financing |
|
FIU |
Jersey’s Financial Intelligence Unit |
|
guidance note |
The JFSC Guidance Note: Natural Persons carrying on a single class of Trust Company Business |
|
handbook |
handbook for the prevention and detection of money laundering, the countering of terrorist financing, and the countering of proliferation financing |
|
licence holder |
natural persons holding a class G trust company business licence issued under the Financial Services (Jersey) Law 1998 who is subject to supervision by the JFSC for compliance with the order and AML/CFT/CPF code set out in the handbook pursuant to schedule 2 of the Proceeds of Crime (Jersey) Law 1999 |
|
order |
Money Laundering (Jersey) Order 2008 |
|
supervised person |
defined in Article 1 of the Proceeds of Crime (Supervisory Bodies) (Jersey) Law 2008. Includes persons regulated by the JFSC under one of the regulatory laws (which includes licence holders). |
|
trust company business code |
code of practice for trust company business |
1 Executive summary
In 2023 we undertook a thematic examination of natural persons regulated to provide director services under the Financial Services (Jersey) Law 1998. The scope of the review assessed licence holders’ compliance with certain key parts of:
the trust company business code
the order
the AML/CFT/CPF code
The purpose of this feedback paper is to:
explain our findings
give examples of best practice
inform licence holders of next steps
During the examination we identified findings related to:
business risk assessments
ongoing monitoring
suspicious activity reporting
sanctions
continuous professional development
insurance arrangements
record keeping
Class G licence holders should now consider the findings and best practice highlighted in this feedback against their own arrangements.
2 Background and methodology
Licence holders’ obligations are set out in the trust company business code, the order and the AML/CFT/CPF code, except where the guidance note or a condition of the licence provides otherwise.
When defining the examination’s scope, we considered the information contained in the Guidance Note: Natural Persons carrying on a single class of Trust Company Business.
We issued a questionnaire to 62 licence holders in Q1 2023. We reviewed and analysed the responses to the questionnaire and then selected a sample of seven respondents to attend a follow-up interview in Q3 2023.
The follow-up interview sample included licence holders who we had further questions for based on their questionnaire responses, alongside those whose responses indicated good practice.
All 62 respondents to the questionnaire received a letter confirming the outcome of the review in Q4 2023.
A breakdown of the content of the letters is shown below:
3 Overall findings and observations
Findings relate to a failure to demonstrate full compliance with obligations. Observations are areas which fall below our expectations or are not in line with the terms or spirit of our published guidance.
In this examination, we identified a total of 35 findings and 135 observations across 9 key areas, as summarised below.
|
Area |
Total number of findings |
Total number of observations |
|
Business risk assessments |
2 |
4 |
|
Customer acceptance (including risk assessment) |
0 |
12 |
|
Ongoing monitoring |
4 |
21 |
|
Reporting suspicions of money laundering, terrorist financing, proliferation financing and sanctions reporting |
18 |
33 |
|
Record keeping |
4 |
49 |
|
Continuous professional development |
5 |
3 |
|
Complaints |
0 |
5 |
|
Financial resources |
0 |
7 |
|
Insurance arrangements |
2 |
1 |
|
Total |
35 |
135 |
4 Detailed findings
We understand that there can be variations in the way a licence holder complies with the obligations set out in the order, the AML/CFT/CPF code and the trust company business code, which were drafted principally from the perspective of corporate businesses rather than natural persons providing services.
As we operate in a principles-based framework, we expect licence holders to interpret the obligations in line with their specific circumstances. This includes considering their customers, the breadth of the director services they provide, and the manner and circumstances in which those services are provided.
This section explains our findings from the examination and includes some examples of good practice, some of which was seen during the examination. Licence holders can find additional resources and guidance on how to comply with their obligations in the handbook and the trust company business code and guidance note on our website.
We also encourage licence holders to read all published feedback relating to examinations and thematic assessment visits. Licence holders can demonstrate regulatory compliance by reviewing their existing systems and controls against our feedback, completing a gap analysis, and considering the good practice.
The findings we identified in relation to financial crime prevention and detection obligations, as set out in the order and AML/CFT/CPF code, were in the following areas:
business risk assessments
ongoing monitoring
reporting suspicions of money laundering, terrorist financing and/or proliferation financing
sanctions
record keeping
We also identified findings in relation to obligations set out in the trust company business code. These key areas were:
continuous professional development
insurance arrangements
record keeping
4.1 Business risk assessments
Licence holders must conduct and record a business risk assessment. The business risk assessment must be specific to a licence holder’s services and customers. Licence holders must also consider, on an ongoing basis, their risk appetite and the extent of their exposure to financial crime risks from the directorships they hold.
In line with the guidance note, business risk assessments should include:
operational risks
economic and market exposures
geographical risks
the risk of a licence holder’s services being used to facilitate financial crime
The following table sets out our findings on business risk assessments, alongside our expectations of licence holders based on what we saw in the examination:
Good practice
A business risk assessment should:
record the methodology for how the licence holder manages and mitigates exposure to financial crime risk in the context of the directorships they hold
differentiate, where relevant, between services which are provided in conjunction with another regulated services provider and those which are not
identify the highest risk areas
document the events or triggers which would prompt a review of existing systems and controls
record updates and changes made to the business risk assessment, including the date of changes (for example through tracked changes or version control)
explain what the financial crime risks are and how they are rated (for example high/medium/low) in the context of services provided to customers
For more information on licence holders’ business risk assessment obligations see:
2022 AML/CFT business risk assessment and formal AML/CFT strategy feedback
4.2 Ongoing monitoring
Licence holders must scrutinise their business relationships. The licence holder must ensure that their customer’s activity is consistent with the licence holder’s knowledge and understanding of the customer and its intended activities. This scrutiny includes keeping the customer’s business and risk profile under review.
We identified four findings related to failings to adequately monitor or screen customer activity, which spanned:
not undertaking any monitoring or periodic reviews for appointments
over-reliance on personal and business relationships (for example, being too comfortable that associates and/or other board members were well known to licence holders)
not applying any ongoing monitoring measures, such as adverse media screening
In line with provisions set out in the guidance note, licence holders providing services jointly with a JFSC-regulated fund services business or trust company business deferred to the regulated business’s ongoing monitoring processes to meet their own obligations to varying degrees.
The following table sets out our findings on ongoing monitoring, alongside our expectations of licence holders based on what we saw in the examination:
Good practice
set up Google alerts or other notification alerts in relation to beneficial owners and/or controllers of the companies for which director services are provided
where viable, subscribe to an automated screening tool
understand what “red flags” to look out for and what search terms to use for any open-source searches
where you rely on a regulated service provider’s systems and controls, have a clear, documented agreement in place which articulates what is and is not included in the services agreement, in line with the guidance note
For more information on licence holders’ ongoing monitoring obligations, see page 14 of our financial crime examinations feedback from 2022 examinations.
4.3 Reporting suspicions or knowledge of money laundering, terrorist financing, proliferation financing
Licence holders have an obligation to report knowledge or suspicion of money laundering, terrorist financing and/or proliferation financing under the Proceeds of Crime (Jersey) Law 1999 and the Terrorism (Jersey) Law 2002.
Licence holders who fail to report knowledge or suspicion of money laundering, terrorist financing and/or proliferation financing are liable to imprisonment of a term not exceeding five years and/or a fine.
The order sets out the obligations for a licence holder to establish and maintain procedures for complying with their reporting obligations, which include reporting the knowledge or suspicion to the Financial Intelligence Unit, Jersey (FIU) as soon as practicable.
The following table sets out our findings on reporting suspicions of money laundering, terrorist financing and/or proliferation financing, alongside our expectations of licence holders based on what we saw in the examination:
|
Obligation |
Findings |
What we expect |
|
Article 11(1)(b) and 21 of the order – adequate and maintained procedures relating to the reporting of knowledge or suspicion of money laundering, terrorist financing and proliferation financing to the FIU. |
No documented policies or procedures relating to reporting obligations.
|
Licence holders have policies and procedures in place relating to their personal obligations to report knowledge or suspicion of money laundering, terrorist financing and/or proliferation financing. These personal obligations are in addition to those of: the company for whom the licence holder acts as director (e.g. the customer) the regulated service provider the licence holder works alongside to provide the director services (e.g. an administrator) |
|
AML/CFT/CPF code set out at paragraph 8.3.2 (87) of the handbook requires a licence holder to maintain procedures which require them to: document the basis for submitting a report to the FIU
record all reports sent to the FIU in a register which includes the date of the report, the name of the person submitting the report and information to allow supporting documentation to be retrieved in a timely manner |
Inadequate procedures relating to the licence holder’s reporting obligations |
Licence holders must have adequate procedures in place covering their reporting obligations, including a suspicious activity report register. A copy of the handbook is not a substitute for a licence holder maintaining their own procedures. |
Good practice
policies and procedures clearly articulate how and when knowledge or suspicion of financial crime should be reported to the FIU, along with a documented register of any filings clearly noting the date on which the knowledge or suspicion came about and the date the report was filed.
For more information on licence holders’ obligations to report knowledge or suspicion of money laundering, terrorist financing and/or proliferation financing see:
Additional information sources – ML / PF / TF
AML/CFT/CPF Handbook - Section 8
States of Jersey Police - Suspicious activity reports
4.4 Reporting in relation to sanctions
Licence holders are required to comply with specific reporting obligations in relation to sanctions under the Sanctions and Asset-Freezing (Jersey) Law 2019. In particular, they must report any attempts to breach or circumvent sanctions to the Minister for External Relations.
It is important to be aware that these reporting obligations are in addition to the obligations to file suspicious activity reports with the FIU.
A person guilty of an offence under the sanctions law is liable on conviction to imprisonment and/or a fine.
The following table sets out our findings on sanctions reporting, alongside our expectations of licence holders based on what we saw in the examination:
|
What we expect |
||
|
Article 11(1)(b) and 21 of the Order – adequate and maintained procedures relating to the reporting of sanctions matches to the Minister of External Relations
|
No documented policies or procedures relating to reporting sanctions. |
Licence holders have policies and procedures in place relating to their personal obligations to report sanctions matches. These personal obligations are in addition to those of: the company for whom the licence holder acts as director (e.g. the customer) the regulated service provider the licence holder works alongside to provide the director services (for example an administrator) |
Good practice
policies and procedures clearly articulate how and when sanctions breaches should be reported to the Minister of External Relations, along with a documented register of any filings
For more information on licence holders’ obligations to report sanctions matches see:
AML/CFT/CPF Handbook - Section 8
the Government of Jersey’s sanctions webpage
4.5 Continuous professional development
Licence holders are registered and therefore not considered to be trust company business employees for the purpose of the trust company business code. However, the guidance note makes it clear that licence holders are still subject to the same obligations in relation to CPD as trust company business employees.
The following table sets out our findings on CPD, alongside our expectations of licence holders based on what we saw in the examination:
|
Paragraph 3.4.2 of the trust company business code – licence holders are required to maintain CPD records. |
Lack of documentation evidencing CPD undertaken. |
Licence holders should keep a record of all CPD undertaken over the course of each year and, where possible, maintain evidence of the CPD undertaken (for example certificates of attendance). |
|
Paragraph 3.4.4 of the trust company business code – licence holders are required to undertake a minimum of 25 hours of CPD (with no more than 5 hours being attributed to relevant reading). |
Failure to undertake the required annual number of CPD hours. |
Licence holders should keep their professional knowledge up-to-date and include CPD relevant to the services provided and/or the activities of the companies for whom they provide director services. |
Good practice
use of professional standards bodies’ websites, applications and/or portals to adequately record CPD
documenting an appropriate level of detail relating to the content of the training undertaken
4.6 Insurance arrangements
Licence holders are required to maintain and demonstrate the existence of adequate insurance arrangements. Licence holders need to have and maintain adequate insurance cover commensurate with their business activities at all times.
Professional indemnity insurance must cover negligence, errors and omissions by the licence holder from wherever they are providing their services. Section 5.2.4 of the trust company business code provides further information on the required terms of this insurance.
The guidance note states the limits of professional indemnity insurance cover required by licence holders, which differs to the limits set out in the trust company business code. It confirms that licence holders should have:
directors and officers insurance cover – this can be through their own policy, as an extension of another’s policy (for example a regulated service provider’s policy or the customer’s own policy), or a combination of both
professional indemnity insurance cover when exercising an executive function (such as being a signatory to a bank account belonging to the customer) – this can be through their own policy or as an extension of another’s policy covering the services provided by the licence holder
Licence holders need to ensure the protection meets requirements set out in the guidance note regarding the minimum level of cover (£1,000,000) and the maximum permitted excess (£20,000). Licence holders must notify us of any excess over £20,000.
The following table sets out our findings on insurance arrangements, alongside our expectations of licence holders based on what we saw in the examination:
|
What we expect |
||
|
Trust company business code: 5.2.1 - a licence holder must have and maintain adequate insurance cover at all times, commensurate with its business activities.
Trust company business code: 5.2.1.1 - such cover must include professional indemnity insurance extended to include fidelity guarantee (employee dishonesty or fraud), insurance and directors insurance, and officers insurance.
|
No professional indemnity insurance in place despite being a signatory over bank accounts containing client assets. |
Licence holders have adequate insurance arrangements in place for the services they provide. Licence holders have a clear understanding of the insurance arrangements both: taken out personally extended to the services provided by them because of the directorships they hold |
|
Guidance note: where a person personally meets the professional indemnity insurance requirements, the JFSC would accept a level of PII cover calculated on the same basis as in the trust company business code, but with minimum cover reduced to £1million. |
Inadequate level of professional indemnity insurance cover held. |
Licence holders ensure that the services provided to each customer are adequately covered by the insurance arrangements and that the cover taken out is: not less than the minimum amount of cover provided for in the guidance note is, at all times, commensurate with the risks associated with the services provided |
Good practice
licence holders document that insurance arrangements are adequate to cover each directorship they hold
licence holders review on an annual basis (for example, at the point of renewal) the scope of the insurance arrangements to ensure the total cover remains commensurate with the services being provided
4.7 Record-keeping
Record-keeping obligations are included in the order, the AML/CFT/CPF code and the trust company business code.
The order requires a retention period of five years from the termination of a business relationship for all documentation, data and evidence in relation to applied customer due diligence measures and transaction records.
The handbook sets out specific obligations for record-keeping relating to evidence of identity (customer due diligence measures), transaction records, corporate governance, identification measures and ongoing monitoring, suspicious activity reports, screening and access to records.
The trust company business code sets out obligations in relation to business records, customer records and provisions which cover all records.
During the examination, we asked licence holders about their record-keeping arrangements. We asked about:
the testing arrangements for access to records held by a third party
how long records were retained after termination of the business relationship
the arrangements in place to access records held by a third-party following termination of a business relationship
The following table sets out our findings on record-keeping, alongside our expectations of licence holders based on what we saw in the examination:
|
Paragraph 3.7.3 of the trust company business code – a licence holder must have a clearly documented policy and procedure regarding record retention that includes periodic review of the accessibility and condition of paper and electronic records. |
Where records are in part held by a licence holder and in part held by another regulated service provider, no testing was undertaken to ensure records retained by the regulated service provider could be accessed. |
Licence holders consider each directorship’s record-keeping processes separately and understand how to access each specific appointment’s records for the duration of the relevant retention period. Licence holders, from time to time, test their access to relevant records. |
|
Paragraph 3.7.6.3 – where records relate to significant corporate governance matters, such as management meeting minutes or risk assessment matters, or are records relating to requirements established by the code, these must be retained for ten years from the date of the record. |
Retention periods were set at five years for all documentation. |
Licence holders are aware of all provisions relating to record-keeping in the order, the handbook and the trust company business code, and apply the relevant timeframe to the right category of documentation. |
Good practice
engagement letters or service agreements with customers or other regulated service providers expressly state the retention periods for documentation and an agreement that the licence holder will continue to have access to the information and documentation throughout that retention period.
5 Feedback on the areas with observations
5.1 Customer acceptance (including risk assessments)
Licence holders must undertake a customer risk assessment before accepting a directorship, and they must periodically review this risk assessment. There are many factors which could affect a customer’s risk rating over the course of the relationship, which is why it is not a one-off exercise at the engagement stage.
There is no prescribed format for this assessment and a licence holder may wish to work with another regulated service provider to get comfortable with the level of risk posed by a directorship.
5.2 Financial resources
The guidance note states that licence holders must have and maintain personal unencumbered net liquid assets amounting to at least £25,000.
During the examination, we identified instances where the liquidity of the assets held was questionable. The guidance note states that, in most circumstances, a copy of a bank statement would evidence that the obligation is being met.
5.3 Complaints
We expect licence holders to have a process in place on how to handle a complaint they receive about their services.
The guidance note states that an exhaustive documented procedure may not be required. However, a licence holder must still be able to satisfy their supervisor that a complaint would be recorded in a way that complies with the requirements on the treatment of complaints. It must also be recorded in a way that enables the relevant recorded information to be reviewed (for example, through a complaints register).
6 Next steps
We have given direct feedback to all licence holders subject to this thematic examination. Where we identified findings, the licence holder was required to submit a remediation plan setting out the actions to be taken and timescales for completion.
When conducting remediation activity, we expect licence holders to consider the wider implications of the findings, rather than reviewing them in isolation.
It is important for regulatory effectiveness that a licence holder who has completed remediation activity does so in a way that is not only effective, but also sustainable. This ensures that they can demonstrate compliance with the statutory and regulatory requirements on an ongoing basis.