Enhanced Customer Due Diligence (ECDD), Simplified Customer Due Diligence (SCDD) & Exemptions examination: Feedback
1 Background
The Jersey Financial Services Commission (JFSC) regularly undertakes thematic examinations to assess the extent to which statutory and regulatory requirements are being complied with in relation to a particular theme. Thematic examinations provide direct feedback to those within scope and a public feedback document which summarises the key findings.
The thematic examinations summarised within this document were conducted by the JFSC at ten regulated financial services businesses, which included Deposit-taking Business, Fund Services Business, Investment Business, and Trust Company Business licence holders.
In addition, a questionnaire was issued to 20 regulated financial services businesses across all sectors, with the responses considered alongside the examination findings.
Each of the businesses which were examined or sent a questionnaire was a relevant person as set out in the Money Laundering (Jersey) Order 2008 (the Order). For the purposes of this feedback, a relevant person is:
- registered with, or holding a permit issued by, the JFSC under one of the four regulatory laws and is referred to as a regulated business.
The findings of the thematic examinations are published with the aim of enabling all relevant persons to use the information to consider where their own arrangements may require enhancement in order to ensure strict adherence to all relevant statutory and regulatory requirements.
When considering such arrangements, boards and senior management may refer to previous feedback papers issued by the JFSC, particularly those which have highlighted similar themes. These papers are available on our website.
In November 2020, we set out in high-level terms our planned thematic examination programme for early 2021, within which the theme of ECDD, SCDD and Exemptions from Customer Due Diligence (CDD) measures (Exemptions) was identified. The thematic examinations took place between February and March 2021.
During 2016 and 2017, we conducted a series of examinations on ECDD and SCDD, the findings of which were published in August 2017.
The Money Laundering (Amendment No. 10) (Jersey) Order 2019 came into effect on 12 June 2019. It removed the simplified measures regime set out in Articles 17 and 18 of the Order and re-introduced them as statutory exemptions (with the same conditions and exclusions). The Handbook for the Prevention and Detection of Money Laundering and the Financing of Terrorism (Handbook) was updated to reflect the amendments with effect on the same date.
We revisited this theme, to assess the following:
- whether relevant persons were identifying the customer relationships where the application of ECDD was required by Article 15 of the Order and that adequate policies and procedures were in place for applying ECDD measures that were relevant to the particular risks presented;
- whether relevant persons were applying Exemptions in appropriate circumstances and in a manner consistent with the conditions set out in Articles 17 and 18 of the Order; and
- whether relevant persons had applied the concession allowing simplified identification measures in a manner consistent with the anti-money laundering and countering the financing of terrorism Code of Practice (AML/CFT CoP) described in Section 7.17 of the Handbook for the regulated financial services business and Section 7.16 of the Handbook for the legal sector (together the Handbooks).
2 Scope and methodology
The scope and methodology for our examinations is published on our website.
3 Executive summary
There were no findings identified for two of the relevant persons examined. JFSC officers identified 22 findings in total, 17 within and five outside scope of the theme, during the course of the examinations, in relation to the remaining eight relevant persons. The findings highlighted a range of statutory obligations or regulatory requirements with which the relevant persons had either not complied, or had only partially complied.
As a result, the majority of the relevant persons examined were unable to evidence a fully effective control environment, or in some cases, adequately robust arrangements for meeting the standards and requirements of the regulatory framework.
All relevant persons involved in the thematic have received direct feedback. Where findings were identified, they were subject to appropriate follow-up action. Such follow-up action may include formal remediation plans setting out actions to be taken and timescales for completion. In the case of significant and material findings identified by the JFSC, this may have resulted in further escalation and in some cases further regulatory action being taken, or action may be underway.
The findings are summarised in the below chart, which shows that of the findings within scope approximately 45% relate to internal systems and controls, 20% to the application of ECDD and 10% to the application of Exemptions. The remaining findings, whilst out of scope of the theme, relate to key areas in the prevention and detection of money laundering and terrorist financing.
ECDD
All of the relevant persons examined applied ECDD on a more than occasional basis; as such, the JFSC expected there would be comprehensive procedures to align with the circumstances set out in the Order, as well as in relation to particular relationships presenting a higher risk of money laundering or financing of terrorism.
The majority of relevant persons had a means of identifying that a particular relationship required the application of ECDD. However, in half of the examinations conducted, relevant persons were not able to demonstrate that the ECDD measures applied were proportionate and commensurate with some of the risks presented. Additionally, a smaller number could not demonstrate adopting a risk-based approach to the application of identification measures, with the same measures applied to all customers.
The questionnaire responses indicated that ECDD was widely applied in all sectors, with 100% of respondents recording that they applied enhanced measures to some or all of their customers, as required. In addition, ECDD generally appeared to be well understood by respondents.
Exemptions
Amendments to the Order in June 2019 removed the simplified measures regime previously set out in Articles 17 and 18 and reintroduced them as statutory Exemptions from CDD requirements that can be applied in strictly limited circumstances.
Of the relevant persons examined, eight utilised statutory Exemptions, with two using those set out in Article 17 and eight applying those detailed in Article 18.
The majority of relevant persons using Exemptions were not able to demonstrate appropriate and adequate policies and procedures where Exemptions were applied.
Where Exemptions are used under Articles 17B–D of the Order, relevant procedures should be clear and include detail relating to the reasons for their use, as well as the conditions of assurance, risk assessment and testing that will be used by the relevant persons to ensure the Exemptions remain valid.
85% of questionnaire respondents stated that they used statutory Exemptions. However, many respondents incorrectly understood SCDD to be a catch-all term for sections 7.17/7.16 of the Handbooks, Articles 17 and 18 of the Order and in some cases also Article 16, reliance on relevant person or person carrying on equivalent business.
SCDD
Since June 2019, the term simplified identification measures refers to the concession described in the Handbooks, setting out circumstances where simplified measures can be applied in relation to very low risk products or services.
In the examinations conducted, the relevant persons examined did not make use of the concession described in the Handbook.
However, there was evidence from the examinations and from a large number of questionnaire responses, that the term SCDD was being used interchangeably to include Article 16 reliance measures, as well as Exemptions permitted under Articles 17 and 18. Eight relevant persons indicated that simplified identification measures were being applied, with the majority of these eight then referencing obliged persons, Articles 17 or 18 in relation to the concession.
For example, in response to question 5.1, ‘For scenarios in which SCDD measures are applied, how do you satisfy yourself that there is little risk of money laundering?’, a number of entities responded that they did so via assessment of the obliged person. One respondent referenced SCDD measures when utilising Articles 16, 17 and 18 of the Order.
In response to question 5.2, ‘Please list the circumstances in which you utilise SCDD measures’ a number of relevant persons made reference to regulated or equivalent business, and others indicated that SCDD was utilised under Article 17B-D and Article 18.
We are reminding Industry that the term SCDD refers to the narrow concession described in the Handbooks, and using the term inaccurately could result in misinterpretation and/or misapplication of the regulatory framework. This risk is increased where there is inaccurate use of language in relation to these specific terms.
Where a relevant person has decided not to utilise either simplified due diligence measures or Exemptions, we consider it reasonable not to have established procedures in place.
4 Key findings
4.1 ECDD
4.1.1 A relevant person must apply ECDD measures in certain circumstances, as set out in the Order, and in any circumstance where there is a higher risk of money laundering or financing of terrorism. Such enhanced measures should be over and above those applied to standard risk customers and specific and adequate to compensate for the higher risk of money laundering.
4.1.2 All the relevant persons examined were aware of the statutory obligation to apply enhanced measures in the prescribed circumstances and to higher risk customers, with customer due diligence measures applied in all instances examined.
4.1.3 However, in half the relevant persons examined, it could not be demonstrated that the enhanced measures applied were always commensurate to the risks presented by the customer. For example, in one case, although generic, high level source of wealth information was collected from a high risk customer on the application form, reasonable measures were not undertaken to verify or corroborate the information.
4.1.4 Additionally, in a similar number of cases it was not clear what ECDD measures had been applied to mitigate the specific risks associated with the customer, over and above those applied as standard. For example, in a number of instances, the same due diligence measures were applied to all customers, irrespective of risk rating, therefore relevant persons could not evidence that the specific risks had been considered on a risk based approach.
4.1.5 In two instances, the risk based approach to ECDD was not documented within the policies and procedures.
4.1.6 In addition, there were examples where detailed procedures for applying ECDD in all relevant scenarios were not evidenced. It was not demonstrated how employees would know what information to obtain commensurate to each risk presented.
4.1.7 Records did not reflect the ECDD measures applied to mitigate the risks presented in two cases, with no details of the mitigants or controls applied recorded in the customer files.
4.1.8 At one relevant person, enhanced monitoring was not applied in all relevant cases.
4.1.9 At the same relevant person, new relationships were not subjected to adequate risk based scrutiny, oversight and challenge in the appropriate forum.
4.2 Exemptions from applying identification requirements (Exemptions)
4.2.1 Articles 17 and 18 of the Order describe the limited circumstances where Exemptions from applying identification measures may be utilised by a relevant person.
4.2.2 One relevant person applied an Article 18 exemption where the customer was risk rated as presenting a higher risk of money laundering. As set out in the Order, Exemptions must not be applied where the relevant person considers that there is a higher risk of money laundering.
4.2.3 It was not clear which exemption had been applied in three cases, as this was not evidenced in the customer files.
4.2.4 Findings were identified at seven relevant persons, where policies and procedures were not consistent with the regulatory framework, in particular by not reflecting the amendments made to the Order in 2019, with outdated references and a number of inconsistencies noted.
4.2.5 In one case, where an Article 18 exemption had been applied, the relevant person made reference to the superseded Articles of the Order, as amended in June 2019, in response to JFSC queries raised during the course of the examination.
4.2.6 In a number of cases, procedures did not outline the circumstances in which exemptions could be applied or what evidence and documentation must be undertaken to comply with the regulatory requirements.
4.3 Internal systems and controls
4.3.1 The key to prevention and detection of money laundering and terrorist financing lies in the implementation of and strict adherence to adequate and effective systems and controls (including policies and procedures) that are commensurate with the risks specific to a relevant person.
Policies and procedures
4.3.1.1 As referenced above, there were examples in the majority of examinations where policies and procedures had not been adequately maintained and/or kept up to date. Robust policies and procedures are key to the implementation of effective systems and controls to enable the prevention, detection and reporting of money laundering and the financing of terrorism.
4.3.1.2 There were also examples where policies and procedures did not include version control, an audit trail of material changes, or did not state a review date.
4.3.1.3 Where documented policies and procedures were not updated and aligned to current statutory obligations and regulatory requirements, this potentially indicates a number of risk factors including poor AML/CFT governance, resourcing constraints or lack of understanding of the Jersey AML/CFT regulatory framework.
4.3.2 Five findings were identified outside the scope of the theme, relating to ongoing monitoring, customer risk assessment, suspicious activity reporting and the identification of politically exposed persons.
5 Questionnaire
The questionnaire was sent to 20 relevant persons across all industry sectors: www.jerseyfsc.org/media/4628/sddedd-questionnaire.pdf
100% of respondents stated that they did apply ECDD to some or all of their customers, with 85% applying exemptions. Whilst eight relevant persons indicated that simplified identification measures were utilised, it was not clear from subsequent answers provided, as discussed earlier in the paper, that this was correct in all cases.
The following areas are of particular note from responses received.
AML/CFT Governance
Relevant persons indicated the following responses in relation to whether the AML/CFT Business Risk Assessment (BRA) had a section dedicated to the risks of carrying on business with customers where ECDD, SCDD and Exemptions were applied.
ECDD | 50%
SCDD | 30%
Exemptions | 40%
As highlighted above, all relevant persons indicated that ECDD measures were applied where required. Therefore, it was notable that only 50% of respondents considered the application of ECDD measures within the AML/CFT BRA.
Additionally, there were examples in the responses provided, where relevant persons used SCDD or applied Exemptions, however this did not feature in the BRA (four relevant persons applying SCDD and ten applying Exemptions). Conversely, there were examples where relevant persons did not utilise SCDD or Exemptions but these ‘risks’ featured in the BRA.
This would suggest the AML/CFT BRAs require further development as the assessment may not have fully considered the effectiveness of the control environment in regards to ECDD, SCDD and Exemptions, or that these key risks were not considered in any detail.
AML/CFT monitoring
95% of respondents indicated that systems and controls (including policies and procedures) in relation to ECDD were tested via compliance monitoring and 100% for application of Exemptions. Eight respondents indicated that SCDD was utilised; however, 12 relevant persons detailed that compliance monitoring was undertaken for SCDD, which further evidenced the misunderstanding of the term.
The majority of the testing was conducted by the Compliance Function on an annual basis. The average number of days elapsed since the last ECDD test was 215 days, SCDD 135 days and Exemptions, 128 days.
As respondents indicated that ECDD was applied where relevant and the Exemptions were applied by the majority of relevant persons, the JFSC would expect to observe greater frequency of monitoring of the applicable systems and controls.
Systems and controls
Responses indicated that there were a number of ways in which the Money Laundering Compliance Officer (MLCO) ensured the policies and procedures (in which ECDD, SCDD and Exemptions are referenced) were kept up to date.
Some relevant persons provided detailed answers on how changes were monitored and various sources used.
Only one respondent did not appear to operate a regular review process or monitor legislative changes. In two cases the MLCO appeared to have delegated the process to a Policies and Procedures function. Of concern, in one instance, the MLCO appeared to only receive updates via a group function, which did not appear to be Jersey based.
The JFSC reminds industry that monitoring changes to the AML/CFT regulatory framework and implementing these to policies and procedures in a timely manner is critical to an effective AML/CFT governance framework.
Self-identified deficiencies
12 respondents confirmed that deficiencies or areas for development had been identified in approaches to CDD measures and keeping information up to date, either as a result of completing the questionnaire or through Business as Usual (BAU) activity, with resulting actions including:
- Introduction of ECDD, SCDD and Exemptions Registers
- Update of BRA, risk appetite statement and CMP
- Update to policies and procedures
- Legal advice on the use of Exemptions
Where deficiencies are self-identified, whether in the course of BAU activity or following consideration of internal systems and controls upon review of a feedback paper, the Board/Senior Management of a relevant person must notify the JFSC immediately in writing of any material failures to comply with the requirements of the Order or the Handbooks, as required.
6 Findings compared to 2016/17
The ECDD, SCDD and Exemptions from CDD thematic examinations were a focused programme that did not seek to replicate the 2016/17 Enhanced & Simplified Due Diligence themed examination programme precisely. However, some areas of ongoing concern were identified which relevant persons should consider, including:
- Where relevant persons relied on non-Jersey compliance functions that failed to maintain up-to-date local procedures in line with the Order and AML/CFT CoPs.
- Where PEPs had not been identified, including at take-on, and were therefore not subject to adequate ongoing monitoring.
- The adequacy of compliance monitoring.
- The updating of procedures following legislative change continues to be an issue as identified at several relevant persons which had not incorporated, or not adequately incorporated the 2019 amendments to the Order into policies and procedures.
While there may be some evidence of general improvement from 2016/17 across the limited pool of entities examined, relevant persons which have not already done so should undertake a review of policies, procedures and processes in light of the 2019 amendments, particularly where they form part of a group.
7 Conclusion
Several relevant persons will need to make comprehensive changes to internal systems and controls, including policies and procedures, to fully comply with the requirements for ECDD, SCDD and Exemptions from CDD.
The majority of relevant persons were largely compliant with ECDD requirements detailed in Article 15 of the Order; however, they will need to make some adjustments and improvements to fully comply with statutory obligations and/or regulatory requirements.
The majority of relevant persons using Exemptions were unable to demonstrate full compliance with the requirements of the Order, being unable to demonstrate appropriate internal systems and controls, including policies and procedures, where Exemptions were applied.
A significant number of relevant persons examined and questionnaire respondents were unable to demonstrate a clear understanding of statutory obligations and regulatory requirements relating to Exemptions and simplified identification measures. All relevant persons should have understood and kept up to date with the changes made to the Order in 2019.
A small number of relevant persons had self-identified where changes were necessary and were implementing actions to address this prior to the examination commencing.
When conducting remediation activity, we expect that issues are not reviewed in isolation, and consideration is given to the wider implications of the findings detailed in individual examination reports. Supervisors work closely with relevant persons to ensure that the steps taken to address findings are appropriate to the breadth of risks identified.
In respect of internal systems and controls, relevant persons should ensure that these are tested to ensure they are fit for purpose. Policies and procedures must meet local legal and regulatory requirements, be maintained and updated through a regular review cycle, and be clear enough so that employees are able to easily apply them to the processes conducted. Ensuring that policies and procedures are adhered to through a line of defence model is also vital in supporting a relevant person’s compliance with the regulatory framework, and the management of ML/TF risk.
We expect the Board/Senior Management of relevant persons who were not involved in the examination to review this paper and consider their own arrangements. Where the findings can be applied to other aspects of the regulatory framework, conducting a gap analysis to current working practices is also recommended to Industry as a whole.
A key component of regulatory effectiveness is to ensure that where a relevant person has completed remediation activity, they have done so in a way that is sustainable and addresses the breaches of statutory obligations and regulatory requirements identified. We will therefore undertake a programme of remediation effectiveness testing, following confirmation of completion from relevant persons.
In addition, as highlighted in the executive summary, we will consider the range of regulatory sanctions available where we consider findings to be significant and material.
8 Glossary of terms
AML | Anti-Money Laundering
AML/CFT CoP | Codes of Practice contained within the Handbook for the Prevention and Detection of Money Laundering and the Financing of Terrorism
BAU | Business as Usual
Board | Board of Directors
BRA | Business Risk Assessment
CDD | Customer Due Diligence
CFT | Countering the Financing of Terrorism
CMP | Compliance Monitoring Programme
ECDD | Enhanced Customer Due Diligence
Exemptions | Exemptions from applying identification requirements
Handbook | Handbook for the Prevention and Detection of Money Laundering and the Financing of Terrorism
MLCO | Money Laundering Compliance Officer
Order | Money Laundering (Jersey) Order 2008
JFSC | Jersey Financial Services Commission
Regulated business | A person that is registered with, or holds a permit issued by, the JFSC under one of the regulatory laws
Regulatory laws | Collectively the: Banking Business (Jersey) Law 1991; Collective Investment Funds (Jersey) Law 1988; Financial Services (Jersey) Law 1998; and Insurance Business (Jersey) Law 1996
Relevant person | A person carrying on financial services business in or from within Jersey as defined under Article 1(1) of the Money Laundering (Jersey) Order 2008
SCDD | Simplified Customer Due Diligence