2022 Thematic examination programme - The role of the MLCO
2022 Thematic examination programme - The role of the MLCOThematic examination programme 2022 – Feedback
The role of the Money Laundering Compliance Officer
Issued 10 May 2023
Glossary
|
AIB |
Alternative Investment Business |
|
AML |
anti-money laundering |
|
AML/CFT/CPF Codes of Practice |
the AML/CFT/CPF Codes of Practice contained in the Handbook |
|
The AML/CFT/CPF Handbook |
Handbook for the prevention and detection of money laundering, the countering of terrorist financing, and the countering of proliferation financing |
|
Board |
the Board of Directors or the Board function described in Section 2.1 of the Handbook |
|
BRA |
business risk assessment |
|
CFT |
countering the financing of terrorism |
|
CMP |
Compliance Monitoring Plan |
|
CPF |
Countering proliferation financing |
|
DC |
Licence issued to Supervised Persons registered under the Banking Business (Jersey) Law 1991 |
|
DNFBPs |
Designated Non-Financial Services Businesses and Professions |
|
Financial Crime |
money laundering, the financing of terrorism, proliferation financing, and non-implementation/breaching/circumvention/evasion of targeted financial sanctions |
|
financial services business |
Has the meaning given in Article 1 of the Proceeds of Crime (Jersey) Law 1999 |
|
FSB |
Fund Services Business |
|
IB |
Investment Business |
|
JFSC
|
Jersey Financial Services Commission |
|
Key person |
Has the meaning given in Article 1 of the Financial Services (Jersey) Law 1998 |
|
ML/TF/PF |
money laundering, terrorist financing, and proliferation financing |
|
MLCO |
Money Laundering Compliance Officer |
|
Money Laundering Order |
Money Laundering (Jersey) Order 2008 |
|
MSB |
Money Services Business |
|
P&Ps |
Policies and Procedures |
|
PEP |
Politically Exposed Person |
|
Regulatory Laws
|
collectively the Banking Business (Jersey) Law 1991; Collective Investment Funds (Jersey) Law 1988; Financial Services (Jersey) Law 1998; Insurance Business (Jersey) Law 1996 and the Alternative Investment Funds (Jersey) Regulations 2012 |
|
SARs |
Suspicious Activity Reports |
|
supervised person |
defined in Article 1 of the Proceeds of Crime (Supervisory Bodies) (Jersey) Law 2008. Includes persons regulated by the JFSC under one of the Regulatory Laws and designated non-financial services businesses and professions (DNFBPs). |
|
Sch2 |
Licences issued relating to the carrying on of business listed in Part 3 of Schedule 2 to the Proceeds of Crime (Jersey) Law 1999 |
|
TCB |
Trust Company Business |
1 Executive Summary
During the third quarter of 2022, we assessed the extent to which supervised persons had complied with their regulatory obligations with respect to the role of the MLCO. Information was requested covering a review period of 1 June 2021 to 31 May 2022.
Article 7 of the Money Laundering Order requires the appointment of a MLCO to monitor whether enactments in Jersey relating to money laundering and the financing of terrorism, and AML/CFT/CPF Codes of Practice, are being complied with. The MLCO therefore has an integral role to play within a supervised person’s business, having a direct impact on the maintenance of a robust AML/CFT/CPF framework.
To be effective in their role, the MLCO must have a sufficient level of seniority and authority within the supervised person. They must also have sufficient experience, skills, independence, and resources (including time and, if appropriate, compliance support staff). The responsibilities of the MLCO are expected to be clearly defined, understood, and include undertaking a compliance monitoring programme covering relevant areas of the AML/CFT/CPF regulatory framework.
Where any of these things are not in place, then the monitoring activities carried out may not be fully effective, leading to an increased risk of the supervised person being unable to effectively manage its risk.
The JFSC examined eight supervised persons regulated under the Regulatory Laws during the course of this thematic. A detailed overview of the examination findings is set out in section 3 below. Findings were also identified during the examinations which were outside of the scope of the thematic. These are referenced in section 4 below but are not explored in detail.
1.1 Findings and best practice
The below table summarises the range of findings identified across the examinations. We have also listed some examples of best practice which relate to each of these areas. Note that not all these examples of best practice were identified in the examinations.
|
Area of findings |
Findings |
Best practice |
|
Corporate Governance – Role of the MLCO |
The MLCO could not demonstrate they had the appropriate independence or authority within their organisation. The MLCO could not demonstrate they had sufficient access to the Board. Key responsibilities and obligations of the MLCO had not been outlined to the role-holder, or allocated to a named individual. |
The MLCO has a comprehensive role profile, which is periodically refreshed to ensure it captures all of the role’s mandatory requirements. The MLCO personally attends Board meetings to deliver their reports. Where the MLCO holds multiple, potentially conflicting roles, for example where they also act as a Board member, the conflicts of interest register records this and it is also recorded as a potential risk in the BRA, with mitigating controls documented. To provide support and/or an additional level of assurance, the MLCO may consider making periodic use of independent parties to assist in evaluating the application of the supervised person’s systems and controls. The MLCO makes periodic use of independent parties to validate the design and effectiveness of the compliance monitoring activities they undertake.
|
|
Corporate Governance – Compliance Monitoring Plan (CMP) |
Procedures on how to carry out compliance monitoring activities provided insufficient or no detail on the testing to be undertaken. Compliance monitoring procedures made reference to incorrect obligations, e.g. UK rather than Jersey. Testing activities were not completed to schedule or were not performed, which could lead to risks crystallising or breaches not being addressed in a timely manner. Findings of CMP tests were not escalated, resulting in a failure to remediate. CMP reports did not accurately reflect the testing that had been carried out during the reporting period, hampering the Board’s decision-making. |
Compliance function makes best use of resources by applying a risk-based approach to monitoring, e.g. selecting appropriate sample sizes and undertaking focused testing for areas of heightened risk. Rationale for the themes of testing selected each year and scope of the testing to be conducted are clearly set out and agreed by the Board. CMP is clearly mapped to legal and regulatory requirements. Benchmarks or tolerance levels are established to assist the Board in considering the MLCO’s reports and deciding if any action needs to be taken. For example, using Red-Amber-Green ratings to classify CMP results. Board instigates remedial action where results of CMP testing are not satisfactory. |
|
Internal Systems and Controls – Policies and Procedures |
AML/CFT/CPF policies were either not updated at the appropriate frequencies or were not in place at all, suggesting the MLCO may not be fulfilling their statutory requirements to monitor compliance with the Jersey regulatory framework. Procedures referred to out-of-date legislation or former role-holders. |
The MLCO periodically benchmarks policies and procedures against Jersey’s legal and regulatory requirements to ensure all required policies and procedures are in place and fit for purpose. Action is taken to address any deficiencies. Where CMP testing identifies that employees have breached policies and procedures relating to AML/CFT/CPF, disciplinary processes are followed. Consistent approach is taken to preparing policies and procedures, e.g. each one has a named document owner, specific frequency of periodic review and update. CMP testing includes checking that policies and procedures are updated at appropriate times and include the correct references to external sources such as website links and relevant legislation. Policies and procedures are tailored to take into account Jersey’s legal and regulatory requirements, where the supervised person forms part of a multi-jurisdictional group. |
|
Internal Systems and Controls – Record-keeping |
Board minutes did not evidence scrutiny, discussion, and challenge in respect of MLCO reports to the Board. |
Matters within MLCO reports to the Board which require a Board decision are clearly highlighted, e.g. by listing the relevant matters under a “Decision required” heading. The MLCO’s report is featured as a standing agenda item of the Board meeting, to encourage consideration and challenge of the compliance matters reported. Board minutes accurately capture discussions held on matters raised by the MLCO, and comprehensively record the reasons why a decision was taken. |
|
Training of employees |
Training delivered to the MLCO and/or wider organisation was not tailored to Jersey’s specific legal and regulatory obligations. Training delivered to the MLCO and/or wider organisation contained references to Jersey legislation no longer in force or omitted certain key requirements which were in force. |
The MLCO meets their CPD requirements and receives training specific to their role, supplemented by regular updates, for example by:
Where employees receive group training, additional Jersey-specific training is also provided. Training is periodically reviewed and updated, to take account of the evolving regulatory environment and the changing nature of risk. Both internal and external presenters are utilised to deliver training. Case studies and typologies are used in training to bring concepts to life. Training is tailored to the customers, countries, territories or areas, products, services, transactions and delivery channels provided/used by the supervised person. |
Findings were identified in all the examinations undertaken. Some key statistics regarding the number of findings include:
Over a third of supervised persons examined were unable to demonstrate that the responsibilities and obligations of the MLCO had been properly outlined in a written job description and allocated to a named individual.
Half of supervised persons examined were unable to evidence scrutiny, discussion, and challenge in respect of MLCO reports to the Board.
A quarter of supervised persons examined were unable to demonstrate their training was tailored to their business.
We undertook a thematic examination during Q4 2019 and Q1 2020 to test the adequacy and effectiveness of compliance monitoring carried out by supervised persons (the CMP thematic). Whilst the scope of the CMP thematic did not align precisely with the MLCO thematic, findings of a similar nature were identified across both examinations, including:
Unclear allocation of MLCO responsibilities;
Potential issues with the independence of the MLCO;
The Board being unable to evidence effective challenge, discussion, and scrutiny of MLCO reports or the CMP itself; and
Policies and procedures not being kept up-to-date.
1.3 Assessment of examination results
The number of findings, and their similarity to those identified in the CMP thematic, indicate that work is needed by supervised persons in this area. It is particularly concerning that we continue to identify findings around the independence of key persons like the MLCO, and their capacity to do their job, despite these issues being highlighted in multiple previous Feedback (such as those for the CMP thematic and our 2021 Financial Crime Examinations).
Furthermore, the continued widespread identification of corporate governance findings relating to Business Risk Assessments (BRAs), following on from our 2022 thematic examination on this area, emphasises that conducting and maintaining an effective BRA remains a key challenge for supervised persons to address.
The below chart outlines areas where findings were identified across the eight examined supervised persons:
We expect Boards and senior management of all supervised persons, not just those subject to this examination, to:
consider the findings and best practice highlighted in this Feedback against their own arrangements;
make changes to their systems and controls if they identify any areas for development; and
ensure that their business is complying with all relevant statutory and regulatory requirements in relation to the role of the MLCO.
Supervised persons may also refer to our guidance note on compliance monitoring.
Where supervised persons identify any deficiencies in systems and controls, we expect them to:
prepare a remediation plan and discuss this with their Supervisor;
consider the notification requirements under the AML/CFT/CPF Code of Practice set out in Section 2.3 of the AML/CFT/CPF Handbook, and the relevant Codes of Practice (dealing with the JFSC in an open and co-operative manner);
remedy any identified matters in the manner set out in the remediation plan agreed with their Supervisor; and
consider what assurance activities may provide comfort to the Board and senior management that deficiencies identified have been addressed effectively.
Supervised persons should consider our guidance on remediation action plans.
2 Background and Scope
We regularly undertake thematic examinations to assess the extent to which statutory and regulatory requirements are being complied with in targeted areas. Thematic examinations may be sector-specific, but they often address wider themes which cover multiple sectors. The purpose of this Feedback is to publish an anonymised summary of the key findings identified during the thematic examination and set out relevant best practice for the benefit of all supervised persons. Information about the examination process is available on our website.
The theme of the role of the MLCO was chosen due to our continued identification of deficiencies in this area at supervised persons, as part of our ongoing supervisory activity. These issues have been particularly apparent during our financial crime examinations.
The objective of this thematic examination was to review and assess the extent to which the MLCO had:
monitored compliance with legislation in Jersey relating to the prevention and detection of money laundering, the financing of terrorism, and the financing of proliferation, and the AML/CFT/CPF Codes of Practice contained within the AML/CFT/CPF Handbook; and
reported on this to senior management.
The selection process was supported by our risk model, information submitted by supervised persons, and our supervisory knowledge.
The JFSC’s assessment of compliance with statutory and regulatory requirements included in the examination scope was based on those in force during the Review Period.
The eight supervised persons subject to an examination held a variety of licence types, as outlined by the below chart. Note that some supervised persons held more than one type of licence. The abbreviated terms used in the chart are defined in the Glossary set out at the end of this paper.
During a particular thematic examination, we may choose to also send questionnaires to additional supervised persons. This allows us to collect information relevant to the examination from a broader range of supervised persons, which can then be followed up via a desk-based review if necessary. No questionnaires were sent to additional supervised persons as part of this thematic examination.
3 Key findings
The key findings summarised in this section are taken from the eight examined supervised persons. They identify a range of deficiencies in systems and controls which could expose supervised persons to a heightened risk of failing to prevent or detect financial crime.
If a supervised person’s MLCO is not able to adequately perform their role, or the Board does not act appropriately in respect of the MLCO’s output, it can lead to systems and controls not operating as intended and exposing the supervised person, and Jersey, to unacceptable levels of financial crime risk.
Section 2.3 of the AML/CFT/CPF Handbook outlines the key responsibilities of the Board of a supervised person in the context of preventing and detecting financial crime as:
identifying the supervised person’s financial crime risks;
ensuring that its systems and controls (including policies and procedures) are appropriately designed and implemented to manage those risks; and
ensuring that sufficient resources are devoted to fulfilling these responsibilities.
The MLCO will assist the Board in fulfilling these duties, but the ultimate responsibility sits firmly with the Board.
As noted above, supervised persons must appoint a MLCO to monitor whether regulatory obligations in Jersey are being complied with. Amongst other things, the MLCO must have sufficient resources, and have their responsibilities clearly defined, by the supervised person.
Across the examined supervised persons there were six corporate governance findings in relation to the MLCO. Examples of the findings include:
The MLCO not having appropriate independence. If the MLCO is not able to act independently, there is a risk that the supervised person will not properly apply its systems and controls, potentially leading to an unacceptable level of financial crime risk. During the examination, the following issues were identified:
- In one case, the MLCO was carrying out testing of business relationships which they themselves had on-boarded;
- In another case, the MLCO was undertaking CMP tests and then signing-off on those same tests to confirm they had been completed adequately, rather than the tests being independently checked and verified; and
- In another case, the supervised person could not demonstrate how they were managing the potential conflicts arising from their MLCO also being a shareholder and acting as a director.
One supervised person could not evidence that the MLCO had direct access to the Board. Where a MLCO cannot directly access the Board, this may indicate that the individual does not have sufficient authority and seniority within the business, preventing them from adequately performing their duties.
In one case, the MLCO held multiple roles and did not have sufficient capacity to carry out all of their duties at the required times, resulting in backlogs in monitoring tasks developing.
In three cases, role profiles for the individuals holding the MLCO role did not provide an adequate description of that role’s key responsibilities and obligations. This increases the risk that the role-holder might not be fully aware of their statutory and AML/CFT/CPF Code of Practice obligations, resulting in compliance monitoring duties not being carried out and the supervised person being in breach of Jersey’s regulatory framework.
In one case, only a limited list of MLCO duties had been documented and allocated to a named individual within the business. The supervised person was therefore unable to demonstrate that the MLCO was carrying out all of their responsibilities set out in the regulatory framework.
3.1.2 Compliance Monitoring Plan
Article 7 of the Money Laundering Order requires the appointment a MLCO to monitor whether enactments in Jersey relating to money laundering and the financing of terrorism, and AML/CFT/CPF Codes of Practice, are being complied with. The AML/CFT/CPF Handbook provides guidance as to how a supervised person may demonstrate that its MLCO is conducting this monitoring, including:
regular monitoring and testing of compliance with the supervised person’s systems and controls (widely known as a Compliance Monitoring Plan or CMP); and
periodic reporting to the Board on the outcomes of the CMP.
Across the supervised persons examined there were four corporate governance findings in relation to the CMP. Where the CMP is not sufficiently detailed, or testing is not properly undertaken, this creates the risk that compliance deficiencies will not be identified and addressed, increasing the supervised person’s exposure to financial crime. Examples of the findings include:
Compliance procedures in two cases did not provide sufficient detail regarding how to perform the testing to be undertaken as part of the CMP.
In one case, a testing procedure was not in place at all.
In one case, testing performed for a Jersey branch was undertaken as part of a group-wide CMP. It sampled a portion of each jurisdiction’s activity relative to size, meaning only a small sample of the Jersey branch’s activity was reviewed, increasing the risk that non-compliance in Jersey would not be identified.
In another case, compliance monitoring procedures referenced UK obligations, rather than Jersey-specific obligations.
In one case, CMP tests were not completed on-time or were suspended altogether during the review period.
In another case, a CMP test identified non-compliance with procedure, but the breach was not escalated and therefore not remediated.
In one case, a CMP test on trigger events was undertaken, however this was not accurately reflected in the quarterly CMP report to the Board, which stated that no test had been undertaken. If CMP reports do not accurately reflect the actual testing undertaken during a reporting period, the Board will not have access to all the facts when considering what actions may need to be taken. This creates the risk that necessary remedial action identified through the CMP is not taken, potentially leaving breaches unresolved.
3.2 Internal Systems and controls
Section 2.4 of the Handbook includes an AML/CFT/CPF Code of Practice that requires supervised persons to establish and maintain a range of systems and controls to prevent and detect ML/TF/PF. These systems and controls must enable the supervised person to meet a range of obligations set out elsewhere within the AML/CFT/CPF Handbook and in Jersey’s legal framework, including:
the application of policies and procedures set out in Article 11 of the Money Laundering Order;
the application of CDD measures (Sections 3-7 of the AML/CFT/CPF Handbook);
reporting suspicious activity (Section 8 of the AML/CFT/CPF Handbook); and
screening, training, and awareness of employees.
Article 11(1) of the Money Laundering Order requires supervised persons to maintain appropriate and consistent policies and procedures for matters including:
record-keeping;
risk assessment and management; and
the monitoring and management of compliance with the policies and procedures detailed in Article 11(1).
Across the examined supervised persons there were a range of internal systems and controls findings in relation to policies and procedures. Examples of the findings include:
A supervised person had an internal control to review and update its compliance policy on an annual basis. However, this review had only been conducted three times in the past seven years, creating the risk that the compliance policy did not always reflect the current Jersey regulatory framework.
One supervised person did not have a compliance policy in place for a portion of the review period. This exposed it to the risk of systems and controls, including the CMP, being applied inconsistently and AML/CFT/CPF deficiencies being missed.
In one case, a section of a supervised person’s compliance manual mandated testing for low-risk customers to be carried out at a specific frequency, but another section of the same document required the testing be carried out at a different frequency. These inconsistencies created the risk that testing might not be carried out at the appropriate times, meaning potential AML/CFT/CPF deficiencies could go undetected for longer than appropriate and possibly crystallise.
In two cases, it was identified that documents reviewed included references to out-of-date legislation and AML/CFT/CPF Codes of Practice. In one of these two cases, documents also did not have a date of issue and referenced staff who were no longer in certain roles, including an MLCO who had since left the business.
Articles 19 and 20 of the Money Laundering Order set out statutory requirements in respect of records which must be kept by a supervised person. These requirements are supplemented by the AML/CFT/CPF Codes of Practice in Section 10 of the AML/CFT/CPF Handbook. In particular, Section 10.4.1 requires a supervised person to keep adequate and orderly records showing how the Board has assessed both the effectiveness of, and compliance with, systems and controls (including policies and procedures). This requirement includes keeping adequate and orderly records of reports presented by the MLCO on compliance matters.
Across the examined supervised persons there were four internal systems and controls findings in relation to record-keeping. In all cases, supervised persons were unable to evidence sufficient scrutiny, discussion, and challenge in respect of the MLCO’s reports by the Board.
In these cases, the Board are unable to demonstrate that they have properly considered whether the supervised person’s systems and controls are functioning correctly, and are therefore unable to demonstrate that they are fulfilling all of their duties under Jersey’s regulatory framework.
Articles 11(9) to (12) of the Money Laundering Order set out statutory obligations to promote the awareness of, and provide training to, employees whose duties relate to the provision of a financial services business. AML/CFT/CPF Codes of Practice relating to training and awareness are set out in the AML/CFT/CPF Handbook. In particular, Section 9.5 of the AML/CFT/CPF Handbook requires a supervised person to provide adequate training to employees at appropriate frequencies. Such training must, among other things:
Be tailored to the supervised person and be relevant to the employees receiving the training; and
cover key aspects of AML/CFT/CPF legislation.
Section 9.5.3 of the AML/CFT/CPF Handbook provides guidance on how a supervised person may demonstrate adequate training has been provided to the MLCO, namely that the training provided addresses the monitoring and testing of compliance with systems and controls (including policies and procedures) in place to counter ML/TF/PF.
Across the examined supervised persons there were three findings in relation to training, including:
In most cases, training was not sufficiently tailored to reflect the specific obligations applicable in Jersey. In particular, JFSC officers identified one case where the MLCO did not receive any training which was tailored to their Jersey obligations.
Training provided by two supervised persons referred to out-of-date Jersey legislation.
In one case, sanctions compliance matters were not included in the training delivered to employees. The training therefore did not cover all necessary aspects of the AML/CFT/CPF framework.
If employees are not provided with training on the correct legislation and AML/CFT/CPF Codes of Practice, or if certain areas are omitted, they may not be aware of their obligations within the Jersey regulatory framework. This could mean, for example, that suspected financial crime is not detected and reported, or customer due diligence is not applied properly.
4 Findings out of scope
During the examinations, JFSC officers also identified findings which were deemed to be outside the scope of the thematic. These are summarised below, along with links to previous examination Feedback where these areas are covered in greater detail. We encourage supervised persons to consider the examples of best practice outlined in the below-linked Feedback.
PEPs – The supervised person examined had declassified a local politician who was no longer in office. There is currently no provision in Jersey legislation for the declassification of PEP status. In addition, the supervised person’s risk assessment methodology was set so that all local PEPs were assessed as Low Risk, rather than undertaking a holistic risk assessment for each individual. This area has previously been highlighted in Section 7.2 of our 2021 Financial Crime Examinations Feedback.
SARs – JFSC officers reviewed a supervised person’s internal SAR form and identified that it lacked a field to record the date at which the matter giving rise to knowledge, suspicion, or reasonable grounds for suspicion originally came to the employee’s attention. Best practice in respect of reporting financial crime is set out in Section 7.3 of our 2021 Financial Crime Examinations Feedback.
BRAs – A range of issues were identified similar to those described in our 2022 thematic Feedback on AML/CFT Business Risk Assessments and formal AML/CFT Strategy. These included, but were not limited to, the BRA:
- not being up-to-date;
- not being tailored to the supervised person’s business in Jersey;
- not sufficiently considering the supervised person’s exposure to AML/CFT/CPF risk; and
- not sufficiently considering risk mitigations and controls.
5 Next Steps
All supervised persons examined have received direct feedback from us. The supervised persons were required to submit a formal remediation plan setting out actions to be taken and timescales for completion.
Where serious or significant and material breaches are identified, we consider the appropriate level of response on a case-by-case basis with the supervised person. In some cases, this may result in a referral to the JFSC’s Heightened Risk Response team and in other more serious cases, formal enforcement action may follow.
When conducting remediation activity, we expect that issues are not reviewed in isolation, but consideration is given to the wider implications of the findings detailed in the examination reports. JFSC Supervisors work closely with supervised persons to ensure that the steps taken to address findings are appropriate to the scale of risks identified.
A key component of regulatory effectiveness is to ensure that where a supervised person has completed remediation activity, it has done so in a way that is not only effective, but also sustainable, to demonstrate compliance with the statutory and regulatory requirements on an ongoing basis.
We may, in certain cases, mandate remediation effectiveness testing following confirmation of completion from supervised persons.
In future engagements with us, supervised persons may be asked to evidence steps taken to address identified deficiencies in their control environment.
Where this action is not considered to be adequate, or where we identify deficiencies of a similar nature to those highlighted in our Feedback, we will consider our future supervisory strategy and where appropriate, regulatory action.
In future planning, we will consider repeating this thematic examination, to test whether industry have taken on-board the guidance set out in this Feedback and whether the compliance rates have improved.