Feedback from our examination of supervised persons’ reliance on obliged persons
Feedback from our examination of supervised persons’ reliance on obliged persons1 Executive summary
During the first quarter of 2023, we assessed the extent to which supervised persons had complied with their obligations relating to reliance on obliged persons. The purpose of this feedback paper is to publish an anonymised summary of the key findings we identified during the thematic examination and set out relevant good practice for the benefit of all supervised persons.
In strictly limited cases, supervised persons are permitted to rely on measures applied by a third party to meet some of their customer due diligence (CDD) and enhanced CDD measures obligations.
Reliance on third party measures must always be subject to six conditions set out in Article 16 of the Money Laundering (Jersey) Order 2008. Where the requirements of Article 16 are not met, supervised persons’ CDD measures may be ineffective, potentially exposing them to heightened risk of financial crime.
In addition to the requirements set out in Article 16, the Handbook includes further requirements relating to reliance in the form of AML/CFT/CPF Codes of Practice.
We selected 10 supervised persons for the examination, representing the following licence types:
banking
designated non-financial businesses and professions
fund service business
investment business
money service business
trust company business
A detailed overview of the examination findings is set out in section 6.
Supervised persons should consider the findings in this report and, where relevant, implement changes to align with good practice.
2 Summary of findings and good practice
The table below summarises the more detailed findings set out in section 6, with examples of good practice. Not all these examples of good practice were identified during the examination.
3 Key statistics and assessment of examination results
We identified 29 findings across seven of the 10 examinations. Some key statistics include:
more than half of the supervised persons had failings in relation to their policies and procedures
20% of supervised persons failed to perform testing of obliged persons
a further 30% failed to conduct testing appropriately
around a third of supervised persons had failings related to the conditions
During our previous 2019 examination of reliance on obliged persons, we examined 11 supervised persons and there were 54 findings. While we identified some findings of a similar nature across both thematic examinations, there were fewer instances of them during the 2023 thematic examination, for example:
more than half of the supervised persons examined during the 2019 thematic examination had a finding related to the conditions, which reduced to one third in the 2023 thematic examination
72% of supervised persons in the 2019 examination had a finding related to inadequacies in internal systems and controls, including policies and procedures, which reduced to 60% in the 2023 examination
the 2019 examination resulted in four findings in relation to customer risk assessments, whereas the 2023 examination resulted in three findings in this area
On the other hand, 46% of supervised persons in the 2019 examination had a finding related to their testing of obliged persons, which increased to 70% in the 2023 examination.
Of note is that three supervised persons had no findings in the 2023 examination.
Four supervised persons were examined in both the 2019 and 2023 examinations, two of which had no findings in 2023.
The above statistics indicate a reduction in the overall number of findings from the previous examination (54 to 29). This is indicates a general improvement in overall compliance and that supervised persons have worked to enhance their systems and controls in respect of reliance during the intervening period. There remains, however, room for improvement.
Three supervised persons had no findings identified during their respective examinations. The below chart sets out where findings were identified across the other seven supervised persons.
A detailed overview of the examination findings is contained within section 6.
4 Action required
We expect board and senior management of all supervised persons who rely on obliged persons to:
consider the findings and good practice highlighted in this feedback against their own arrangements
make changes to their systems and controls if they identify any areas for development
ensure that their business is complying with all relevant statutory and regulatory requirements in relation to reliance
Supervised persons are encouraged to continue reviewing and enhancing their systems and controls in relation to:
the first, second, third, fifth and sixth conditions
ongoing governance surrounding testing of reliance arrangements
policies and procedures
Where we identify findings which indicate prior remediation has been ineffective, for example
known deficiencies exist and have not been addressed by the board and senior management
appropriate consideration and action have not been taken following feedback issued by the JFSC
then supervised persons can expect these to be deemed as aggravating factors in determining our entity level regulatory strategy.
Where we identified findings which were serious in nature, we brought these to the attention of supervised persons and escalated. In some cases, we have taken further regulatory action.
Supervised persons may also refer to the following sources of information:
4.1 Chapter 5 of the Handbook – Identification Measures – Reliance on Obliged Persons
This chapter of the AML/CFT/CPF Handbook covers statutory requirements and the AML/CFT/CPF Codes of Practice relevant to reliance on obliged persons.
It also sets out relevant guidance notes, presenting practical ways in which supervised persons may demonstrate compliance with the statutory requirements and the AML/CFT/CPF Codes of Practice.
4.2 The 2019 thematic examination feedback paper
The feedback paper from the 2019 examination on reliance can be found here: Themed examination – reliance on obliged persons.
4.3 Reliance update and webinar recording
This webinar provides an overview of why reliance is important, what supervisory data told the JFSC at the time of its release and summarises the main findings from the 2019 Thematic. The webinar can be found here: Reliance update and webinar recording - (www.jerseyfsc.org)
Where a supervised person identifies any deficiencies in its systems and controls, we expect it to:
consider the notification requirements under the AML/CFT/CPF Code of Practice set out in Section 2.3 of the Handbook, and where applicable the relevant Codes of Practice (dealing with the JFSC in an open and co-operative manner)
prepare a remediation plan and discuss this with its supervisor, as it sees appropriate
execute its remediation plan in the manner set out and agreed with its supervisor
consider what assurance activities may provide comfort to its board or senior management team that deficiencies have been addressed effectively and apply appropriate ongoing controls
consider our guidance on remediation action plans
5 Background and scope
5.1 Background
We regularly undertake thematic examinations to assess the extent to which supervised persons are complying with statutory and regulatory requirements in targeted areas. Thematic examinations are sometimes sector-specific, but they often address wider themes across multiple sectors.
Information about the examination process is available on our website.
We chose the theme to revisit supervised persons’ application of reliance following the identification of deficiencies during our 2019 examination on reliance. Findings from the 2019 examination included:
written assurance: we identified instances of obliged persons not explaining the evidence of identity they had collated, and assurance certificates did not provide enough information for supervised persons to meet their own obligations
business risk assessment: several business risk assessments we reviewed did not adequately document the risks to the supervised persons associated with placing reliance
risk assessment: there were several examples of supervised persons not properly documenting their risk assessment of the obliged persons or failing to take into consideration all the relevant factors, such as equivalence of a jurisdiction
testing: some of the testing did not adequately assess the relevant controls in place with regard to the obliged persons’ identification measures
board minutes: often the decisions, discussions and challenge that had gone on at board or senior management meetings on matters relating to reliance and associated risks had not been adequately documented
5.2 Scope
The objective of this thematic examination was to review and assess the extent to which supervised persons had complied with legislative requirements and associated AML/CFT/CPF Codes related to reliance.
The selection process was supported by our risk model and supervised persons submitted information as part of the JFSC supervisory data collection exercise. Four supervised persons selected for this thematic examination were also subject to the 2019 examination .
The industry sectors[1] represented in our examination were as follows:
The examination assessed supervised persons’ compliance with Article 16 of the Order, including particular focus on the conditions:
the first condition (Article 16(2)(a)) is that the obliged person consents to being relied upon
the second condition (Article 16(4)) is that the identification measures have been applied by the obliged person in the course of an established business relationship/one-off transaction with the customer
the third condition (Article 16(4)(a), (b), (c) and (d)) is that the relevant person obtains adequate assurance in writing that the obliged person:
has applied reliance identification measures
has not itself relied upon another party to have applied any such measures
has not applied measures that are less than equivalent to the reliance identification measures
is required to keep, and does keep, evidence of identification relating to each of its customers
the fourth condition (Article 16(2)(b)) is that the information in relation to the identification of the customer must be immediately obtained by the relevant person
the fifth condition (Article 16(5)) is that the relevant person obtains adequate assurance in writing that the obliged person will keep the evidence of identity until provided to the relevant person or until the obliged person is notified that it is no longer required to provide it to the relevant person on its request and without delay
the sixth condition (Article 16(3)) is that relevant persons must assess the risk of placing reliance on an obliged person
The examination also considered how supervised persons complied with Article 16(8), which requires periodic testing of a reliance arrangement to establish whether the obliged person:
maintains appropriate and consistent policies and procedures to apply reliance identification measures
keeps the evidence obtained during the application of reliance identification measures and provides that evidence without delay when requested
is prevented, by application of a law, from providing the required information or evidence
We also considered whether supervised persons took necessary actions where they were not satisfied with the results of testing performed.
The examination did not consider group reliance, the requirements for which are set out at Article 16A of the Order.
Our assessment was based on the statutory and regulatory requirements in force during the review period.
6 Key findings
The key findings summarised in this section are taken from the examinations of seven supervised persons where findings were identified. They identify a range of deficiencies in systems and controls which could expose those supervised persons to a heightened risk of failing to prevent or detect financial crime.
If a supervised person does not have sufficient controls in place regarding its use of reliance, it’s AML/CFT/CPF framework may be fundamentally compromised, exposing the supervised person, and Jersey, to unacceptable levels of financial crime risk.
6.1 Conditions
The conditions are set out in section 5.2 of this feedback paper. Three supervised persons received findings in this area.
one supervised person’s policies and procedures did not adequately cover the six conditions for reliance, resulting in:
roughly half of its customers not having an approved written assurance in place confirming the obligations under both Article 16(4) and Article 16(5) of the Order
six written assurance letters being incomplete and two others being missing
an insufficient level of customer information being obtained from the obliged person
the written assurance of one obliged person, based outside of Jersey, did not document record retention and provision in line with the fifth condition
one supervised person had not obtained adequate assurance from an obliged person at the outset of the relationship that it would keep evidence of identification measures as required by the third condition of reliance
one supervised person failed to consider whether an obliged person’s business, based outside of Jersey, constituted equivalent business, which is a prerequisite to establishing a reliance arrangement and must form part of the supervised person’s assessment of the obliged person
6.2 Testing of obliged persons
After appropriately establishing a relationship with an obliged person, Article 16(8) of the Order sets out the obligations with respect to testing. Where results of that testing are unsatisfactory, Article 16(9) of the Order requires the relevant person to immediately apply reliance identification measures.
Five supervised persons received findings in this area including:
two supervised persons failed to perform any testing of obliged persons
the board of one supervised person decided to pause testing of reliance arrangements to focus its resource towards reducing its use of reliance, but at the time of the examination, had not performed any testing for a three-year period
one supervised person failed to review and determine whether it was appropriate to maintain a reliance arrangement where:
CDD deficiencies were identified
provision of documentation was outside of acceptable timeframes
The supervised person did not escalate these results to its board and failed to take immediate action despite identifying CDD deficiencies and the provision of documents being outside of acceptable timeframes.
two supervised persons were unable to evidence that they had conducted adequate testing of obliged persons in relation to:
the content of the obliged person’s written assurance, in particular that it included confirmation that evidence of identification measures would be held until the supervised person notified the obliged person the evidence was no longer required.
whether obliged persons had appropriate and consistent policies and procedures in place to apply reliance identification measures - in one case, the obliged person was the subject of a JFSC public statement, but the supervised person was unable to demonstrate how it had considered the information and satisfied itself that it was appropriate to continue the reliance arrangement
one supervised person had multiple instances where it was unable to evidence that it had considered whether obliged persons may be prevented, by application of law (e.g. secrecy legislation), from providing information or evidence
6.3 CDD
While it is permissible to place reliance on an obliged person to find out the identity of customer and parties related to the customer, it is not possible to place reliance on an obliged person to obtain information on the purpose and intended nature of a business relationship or one-off transaction, nor to apply ongoing monitoring during a business relationship.
A supervised person is always responsible for undertaking the overall CDD including risk assessment, transaction/activity monitoring and keeping documents and information up to date.
We identified instances of inappropriate use of reliance relating to identification measures.
Article 3(2)(c)(ii) of the Order sets out that, in respect of a customer that is not an individual, a relevant person must understand:
ownership and control of that customer
the provisions under which the customer can enter into contracts or other similar legally binding arrangements with third parties
Three supervised persons failed to identify customers. Of these, two were unable to demonstrate they had identified the beneficial owners and controllers where reliance was placed on an obliged person, instead, relying on the measures performed by the obliged person without reasonable assessment or challenge.
The other supervised person was unable to evidence that it had considered its customer’s exposure to money laundering. The supervised person had relied upon the risk assessment performed by the obliged person and was unable to demonstrate that it understood the risk associated with the ownership and control structure, beneficial ownership, and significant controllers of four of its customer files selected for the sample.
Article 3(5) of the Order requires that identification measures must include the assessment by the relevant person of the risk that any business relationship or one-off transaction will involve money laundering, including obtaining appropriate information for assessing that risk.
The AML/CFT/CPF Code of Practice set out at paragraph 3.3 (29) of the Handbook requires a supervised person to apply a risk-based approach in determining the extent and nature of measures to be taken during the identification process. Three supervised persons had findings in this area:
one supervised person was unable to evidence that it performed customer risk assessments where reliance was placed on an obliged person, resulting in the supervised person not fully understanding the risks associated with its customer and consequently failing to apply a commensurate level of due diligence
one supervised person used a 'blended’ risk assessment that considered risk characteristics of both the obliged person and the customer, resulting in a failure to appropriately identify and assess certain higher risk attributes of the customer (for example country risk) and the application of an inadequate risk-based approach to ongoing monitoring
one supervised person received information from the obliged person regarding its customer’s ownership and control structure, beneficial ownership, and significant controllers, however it failed to assess whether it was accurate or complete, which led to a failure to consider the extent of its financial crime exposure
In several cases, supervised persons did not consider whether the identification measures applied by an obliged person, based outside of Jersey, were sufficient for the supervised person to meet its obligations under Article 3 of the Order.
We identified instances where reliance was being used inappropriately. In all instances, the supervised person failed to comply with Article 13(1) of the Order, which requires a relevant person to apply CDD measures, including ongoing monitoring. Two supervised persons had findings in this area:
one supervised person was unable to demonstrate that it was adequately screening and monitoring its customers where a reliance arrangement was in place, resulting in a failure to identify a politically exposed person
one supervised person failed to obtain an appropriate level of detail in respect of its customer’s source of funds and source of wealth, simply accepting an inadequate statement provided by the obliged person
6.4 Internal systems and controls
Article 11(3) requires a supervised person to maintain appropriate and consistent policies and procedures for placing reliance on obliged persons. Six supervised persons had failings in this area, our findings included:
one supervised person had no policies and procedures in place for reliance on an obliged person
one supervised person failed to follow its policies and procedures by not escalating failed testing to its board for consideration
another supervised person was unable to demonstrate from the minutes of decision-making committees that it had considered, discussed and recorded decisions relating to CDD deficiencies where a reliance arrangement was used
three supervised persons had inconsistencies within their policies and procedures, including:
document retrieval periods and associated internal approval requirements
actual practices did not follow what was required by the procedures
an undocumented, alternative process was used where CDD deficiencies were identified
one supervised person’s policies and procedures did not:
direct staff to the list of approved obliged persons
specify the forms to be used to ensure that reliance is being placed appropriately
one supervised person was unable to demonstrate that it gave due regard to our Sound Business Practice Policy in relation to its ongoing monitoring of a customer’s potential involvement, directly or indirectly, in mining, drilling, or quarrying for natural resource
one supervised person could not demonstrate it had applied appropriate ongoing monitoring to customers, where reliance was placed on an obliged person, resulting in a failure to identify a connection to an enhanced risk state - under Article 16(11) of the Order, a relevant person is not permitted to place reliance on an obliged person where there is a connection to an enhanced risk state
7 Next steps
We have given direct feedback to all the supervised persons we examined. Where findings were identified, the supervised persons were required to submit a formal remediation plan setting out actions to be taken and timescales for completion. On 6 April 2023, we issued a comprehensive guidance note titled which supervised persons used when designing their remediation plan. Read it here: Remediation action plans guidance note.
Where serious breaches are identified, we consider the appropriate level of response on a case-by-case basis with the supervised person. In some cases, this may result in a referral to our Heightened Risk Response team and, in other cases, formal enforcement action may follow.
When conducting remediation activity, issues should not be reviewed in isolation. Supervised persons should instead consider the wider implications of the findings detailed in the examination reports. Our supervisors work closely with supervised persons to ensure that the steps they have taken to address findings are appropriate to the scale of risks identified.
A key component of regulatory effectiveness is ensuring that supervised persons complete remediation activity in a way that is not only effective but also sustainable, so they can demonstrate compliance with the statutory and regulatory requirements on an ongoing basis.
We may, in certain cases, mandate remediation effectiveness testing following confirmation of completion from supervised persons.
In future engagements with us, supervised persons may be asked to evidence steps taken to address identified deficiencies in their control environment.
Where this action is not considered to be adequate, or where deficiencies of a similar nature are identified to those highlighted in previous JFSC feedback, we will consider our future supervisory strategy and, where appropriate, regulatory action.
We may undertake a reliance thematic examination again in the future, to assess whether industry has taken on board the guidance set out in this feedback and whether the compliance rates have improved.
Please direct any questions or clarifications regarding the examination to FSCSupervisionExaminationUnit@jerseyfsc.org
Glossary
|
AML |
Anti-money laundering |
|
AML/CFT/CPF Code of Practice |
The AML/CFT/CPF Codes of Practice contained within the Handbook |
|
Appendix C1 |
The AML/CFT/CPF Handbook written assurance template relating to Article 16 of the Money Laundering (Jersey) Order 2008 |
|
Article 16 of the Order |
Article 16 of the Money Laundering (Jersey) Order 2008 relating to reliance on relevant person or person carrying on equivalent business |
|
Board or senior management team |
The board of directors or the board function described in Section 2.1 of the Handbook |
|
CDD |
Customer due diligence |
|
CFT |
Countering the financing of terrorism |
|
CPF |
Countering proliferation financing |
|
DNFBPs |
Designated non-financial businesses and professions |
|
FCEU |
The Financial Crime Examination Unit of the JFSC |
|
Financial crime |
Money laundering, the financing of terrorism, proliferation financing, and non-implementation/breaching/circumvention/evasion of targeted financial sanctions |
|
FSB |
Fund services business |
|
The Handbook |
Handbook for the prevention and detection of money laundering, the countering of terrorist financing, and the countering of proliferation financing |
|
IB |
Investment business |
|
JFSC
|
Jersey Financial Services Commission |
|
ML/TF/PF |
Money laundering, terrorist financing, and proliferation financing |
|
MSB |
Money service business |
|
Obliged person |
Obliged person as defined in the Article 16 and 16A of the Order |
|
The Order |
Money Laundering (Jersey) Order 2008 |
|
Policies and procedures |
The way in which a business’ systems and controls are implemented into the day-to-day operation of the business |
|
PEP |
Politically exposed person. An individual who is any of the following (within the meaning of Article 15A of the Money laundering Order: (a) a domestic politically exposed person (b) a foreign politically exposed person (c) a prominent person |
|
Relevant person |
As defined in Article 1 of the Order |
|
Reliance identification measures |
As defined in Article 16(1) of the Order |
|
Review period |
The period of 1 February 2022 – 31 January 2023 which the JFSC used as a time period for file testing |
|
SEU |
The Supervision Examination Unit of the JFSC |
|
Supervised person |
As defined in Article 1 of the Proceeds of Crime (Supervisory Bodies) (Jersey) Law 2008. Includes persons regulated by the JFSC under one of the regulatory laws and designated non-financial services businesses and professions (DNFBPs) |
|
TCB |
Trust company business |
Where any term used within this feedback paper is not defined in the glossary above it means the same as in the AML/CFT/CPF Handbook Glossary.
[1] Where a supervised person held multiple licences they are included on the basis of their principle licence type.