Compliance monitoring examination: Feedback
- Issued: 17 December 2020
Effective compliance monitoring is an invaluable process that enables senior management to demonstrate that they have implemented and maintained adequate and effective systems and controls (including policies and procedures), that they are being complied with, and that timely action is being taken to remedy any deficiencies brought to their attention.
Effective compliance monitoring also facilitates senior management’s risk assessment of their organisation’s compliance with its statutory obligations and regulatory requirements. Where heightened risks are identified or non-adherence to the regulatory framework is highlighted, then matters can be proactively escalated and managed.
In December 2013, the Jersey Financial Services Commission (JFSC) issued the Guidance Note: Compliance Monitoring (Guidance Note).
Since that time, supervisory examinations of all types undertaken by JFSC have continued to identify that, in relation to compliance monitoring, Registered Persons have been unable to evidence full compliance with the Money Laundering (Jersey) Order 2008 (the Order), the statutory obligations and regulatory requirements described in the Handbook for the Prevention and Detection of the Money Laundering and the Financing of Terrorism (Handbook) and Principle 3 of the relevant Codes of Practice (Codes).
As a result, during Q4 2019 and Q1 2020, the JFSC undertook a thematic review to test the adequacy and effectiveness of compliance monitoring carried out by Registered Persons. The thematic examination included an assessment of the governance and oversight of the compliance function by senior management of Registered Persons, the adequacy and effectiveness of compliance monitoring performed, the appropriateness of reporting delivered to senior management, and how effectively Registered Persons were able to demonstrate that timely action was taken to remedy deficiencies and mitigate heightened risks identified by compliance monitoring activities.
Senior management, including the board of directors (Board), of a Registered Person is responsible for the effective management of risk. As such, the JFSC expects senior management to be actively engaged in the compliance monitoring process. This should include approval of a Compliance Monitoring Plan (CMP) and ensuring the timely completion of any resulting remedial action. Senior management should also understand whether action taken to remedy such deficiencies would mitigate the risks identified.
Findings of the thematic examination indicate that Registered Persons were not able, in many cases, to demonstrate that the CMP was adequate and fully effective. Consequently, these Registered Persons were not able to demonstrate full compliance with statutory obligations and regulatory requirements, or adherence to the best practices described in the Guidance Note.
Of particular concern, the majority of the findings identified during this review were also highlighted by the JFSC the last time this type of review was undertaken, in 2013.
It is imperative that senior management are able to demonstrate that they have considered the Guidance Note and the matters described in this Feedback Paper against their own compliance monitoring arrangements and have taken action where necessary to enhance systems and controls (including policies and procedures).
There were findings identified at 10 out of the 11 Registered Persons that were examined. The following graph shows how the 41 findings have been categorised as non-compliant with the Order, or a statutory obligation or regulatory requirement described in the Handbook, or the Codes, or as relevant to all three regulatory requirements.
During the examination process, JFSC officers identified additional findings that were outside of the scope of this review. These have been notified to the respective entities as part of the examination process. As with all examinations, Registered Persons were required to produce, and submit to the JFSC, a remediation plan designed to address the findings identified.
The JFSC would like to thank the selected Registered Persons and their staff for their assistance during this thematic examination.
The purpose of this paper is to provide an overview of the findings and examples of good practice identified by JFSC officers, both of which may apply to or be of use to other Registered Persons when assessing the adequacy and effectiveness of their own compliance monitoring activities. The themed examination was conducted over two phases:
- an information request was sent to a cross-section of Registered Persons; and
- a series of scheduled examinations were undertaken.
The information request sent out to the selected entities requested the following:
- their Business Risk Assessment (BRA);
- Board/senior management meeting minutes (minutes) evidencing discussion and approval of the BRA and the CMP;
- documentation supporting the compilation of the CMP, any mapping to the regulatory framework and the Registered Person’s compliance risk assessment used to prioritise monitoring activity;
- relevant policies and procedures;
- the status of the CMP and high level overview of the testing completed;
- evidence of reporting to the Board/senior management regarding the CMP findings and subsequent escalations of any regulatory breaches identified;
- the remediation action taken, how this was monitored and recorded as resolved; and
- confirmation of any internal or external assessments performed on the CMP together with copies of the relevant reports.
In total, 11 Registered Persons were selected for this thematic review covering the following licence types: Deposit-taking (Banking), Trust Company Business (TCB), Fund Services Business (FSB), General Insurance Mediation Business (GIMB) and Investment Business (IB).
The examination reviewed and assessed:
- The Registered Person’s governance and oversight in respect of the compliance monitoring carried out;
- How the CMP was designed and whether it had been effective in monitoring compliance with, and testing the effectiveness of, the Registered Person’s internal systems and controls (including policies and procedures);
- Whether the Registered Person had met its responsibilities in regard to compliance monitoring under the Order, the statutory obligations and regulatory requirements described in the Handbook, and the relevant Code(s) of Practice;
- Whether timely action had been taken to remedy deficiencies and mitigate heightened risks highlighted by the compliance monitoring activity; and
- Whether the Registered Person had considered the Guidance Note against its own arrangements and taken action where necessary.
Using the documentation provided, together with the information provided during interviews with Principal and Key Persons and employees of the Registered Person, separate examination reports were issued where findings were identified.
Article 11 sets out the policies and procedures that a Registered Person must maintain. It also states that a Registered Person must implement and maintain appropriate and consistent policies and procedures for the monitoring and management of compliance with such policies and procedures. Article 11 prescribes that a Registered Person must ensure the monitoring and testing performed is relative to the risk of money laundering that exists in respect of the Registered Person’s business. The Order also states, amongst other things, that a Registered Person must have regard to matters that have an impact on that risk, such as size, nature and structure of the Registered Person’s business.
Sections 2.3 and 2.4 of the Handbook set out the statutory obligations and regulatory requirements in relation to the systems and controls (including policies and procedures) that must be implemented and maintained by Registered Persons. The same sections also describe that Registered Persons must check that such systems and controls are being complied with and must take prompt action to remedy any deficiencies.
Codes of Practice
Principle 3 of the Codes highlights the requirement that a Registered Person must organise and control its affairs effectively for the proper performance of its business activities and be able to demonstrate the existence of adequate risk management systems. As with the Order and Handbook, there is a requirement that Registered Persons must implement robust arrangements for maintaining and testing adherence to policies and procedures covering the operation of the business. This Principle, its detailed requirements and associated guidance explain the areas where there is a requirement to be able to provide documentation to demonstrate that the Registered Person complies with the regulatory framework.
Dear CEO letter and guidance note
The Dear CEO: compliance monitoring letter issued by the JFSC in December 2013 and the Guidance Note bring together the legislative requirements stated above. They outline the expected approach to compliance monitoring for senior management and the Board to consider against their own arrangements.
The findings from the thematic examination have been categorised into themes and these are shown in the graph below. No findings were identified at one of the Registered Persons examined.
Compliance monitoring policies and procedures
Nine of the 11 entities examined had findings in this area which included:
- local requirements not being adequately identified when following group policies resulting in potential gaps;
- approved policies and procedures not fully covering Jersey legislative requirements;
- not providing enough evidence that policies and procedures would mitigate the risks identified;
- lack of documented detail in the escalation process;
- the timescales for remediation action to be taken not being articulated; and
- by design, policies and procedures should be detailed enough to ensure that the same objective methodology is applied to all testing so as to provide meaningful analysis. JFSC officers found that this was not always the case.
Six of the 11 entities examined had findings in this area which included:
- Board/management meeting minutes lacking detail of any discussions on the CMP, be that the approval process, issues highlighted as high or medium risk or current progress; and
- records retained by Registered Persons were often not comprehensive. For example, registers such as the Breaches Register or Complaints Register where the initial date of the entry/observation had not been captured, agreed actions not adequately recorded and evidence of follow up to ensure closure was not documented.
To support the compliance monitoring work undertaken, there is an expectation that all supporting documentation, including clear details of how the review was undertaken, should be retained by Registered Persons, along with records that demonstrate that prompt action was taken to remedy deficiencies.
Five of the 11 entities examined had findings in this area which included:
- the Board/senior management minutes not providing any evidence of scrutiny, challenge and/or approval of the CMP for the year ahead;
- examples of the Board not showing evidence of appropriate oversight of the reporting expected with incomplete reports being submitted and approved;
- the BRA not being reviewed and updated in a timely manner or on a frequent basis, with the result that senior management were unable to demonstrate that the Registered Person’s Compliance Risk Assessment and approach to compliance monitoring was aligned to an up to date business and risk profile as articulated within the BRA.
Five of the 11 entities examined had findings in this area.
Linked to the findings identified under the headings of Corporate Governance and Record Keeping, the common theme was the failure to undertake and document a Compliance Risk Assessment to ensure that the appropriate testing was being performed in line with the regulatory requirements relevant to the entity. Principle 3 of the Codes is very clear on the requirement to undertake an annual assessment of the extent to which compliance risk is managed effectively, for the Registered Persons within the scope of this report.
As noted above, it was identified in some instances that the BRA was not kept up to date, with a subsequent impact on the effectiveness of the Compliance Risk Assessment when compared to the Registered Person’s outdated business and risk profile described in its BRA.
Five of the entities examined had findings in this area.
The main finding in this area regarded the role of the Compliance Officer (CO) and how it could be evidenced that they had taken responsibility for ensuring appropriate monitoring of operational performance and managing regulatory and compliance risk within the Registered Person. JFSC officers noted instances where activities such as transaction monitoring and suspicious activity reporting had not been included in the CMP, and where certain testing had not been undertaken for a period of time despite showing as a regular test on the CMP.
There were also examples where the role of the CO and the MLCO appeared to have become blurred with the CO signing off on AML monitoring and reporting AML issues to the Board rather than the MLCO where these roles were held by separate individuals.
Candour and Independence
For one entity, it was found that items which were considered regulatory breaches had not been recorded as such and no notifications had been made to the JFSC.
At another entity, it was noted that the independence of the Compliance function could be questioned due to individuals holding Key Person roles, as well as undertaking client facing activities and having partial ownership and control of the entity. It was also identified in this entity that an individual had been reviewing their own work, as well as that of another person who was a close relation and who also helped control the entity.
There were instances where best practices described in the Guidance Note were not being followed which could potentially result in those entities not identifying and managing the risks in their business. Examples included:
- the Compliance Report to the Board not including compliance monitoring as a standard agenda item;
- the CMP not being reviewed on a regular basis;
- the CMP not being periodically approved by senior management (it is required, at least, annually) to ensure that changes to the Registered Person’s Compliance Risk Assessment are appropriately reflected;
- the lack of a documented approach for testing to be performed; and
- no or incomplete retention of the working paperwork/evidence collected during that testing.
Examples of good practice identified
Whilst 10 of the 11 entities visited were found not to be fully adhering to the regulatory framework with regard to compliance monitoring, this is not to say that these entities did not provide evidence of good practices in place.
The following practices are considered by the JFSC to show where Registered Persons have a good understanding of the CMP requirements. These include:
- A designated Board member having oversight of the CMP allowing for oversight not just from a resource perspective but to ensure that there is a clear and direct line to the Board for the raising of any issues;
- A CMP which is clearly mapped to the Registered Person’s BRA and the regulatory framework. This displays that Registered Persons have a good understanding of the risks faced, had considered local statutory obligations and regulatory requirements, had implemented systems and controls designed to mitigate or manage those risks and had developed a CMP which is designed to test the adequacy and effectiveness of those systems and controls;
- CMPs are submitted to senior management for approval at the beginning of the year and minutes make reference to the discussion, scrutiny and challenge and subsequent agreement of the coverage for the coming year; and
- The provision of regular and clear reporting to senior management detailing the activities performed and the resulting findings with clear actions and remediation detail included. Again, this must be documented in the minutes, which must also reflect senior management discussions and decisions.
The JFSC is concerned that in many cases Registered Persons were still unable to demonstrate that they had implemented adequate and effective CMPs that were consistent with the Guidance Note. As a result, the JFSC has concluded that there is an increased risk that other Registered Persons may not be able to demonstrate compliance with the regulatory framework. This conclusion is amplified by the fact that the majority of the findings identified during this review were also highlighted by the JFSC the last time this type of review was undertaken in 2013.
All Registered Persons should consider their own arrangements in relation to the Guidance Note and the findings of this paper and where necessary, consider enhancing systems and controls, so that they are able to demonstrate full compliance with the regulatory framework.
The JFSC considers compliance monitoring to be an integral part of a Registered Person’s risk management framework. When executed effectively and in conjunction with other activities, an effective CMP enables the Registered Person to evidence that risk is being proactively and appropriately managed and that as a result consumers, other users of Jersey’s financial services industry, and the reputation and integrity of Jersey remain adequately protected by the Island’s regulatory framework.
The JFSC will continue to review compliance monitoring arrangements and associated systems and controls when conducting future examinations.
 Registered Persons are also Relevant Persons, see Glossary.
 Findings that were identified as non-compliant with the Guidance Note are not included in this graph but are covered as a separate section later in the report.