Themed examination - reliance on obliged persons

1   Introduction

The Jersey Financial Services Commission (JFSC) regularly undertakes thematic examinations to assess the extent to which the Regulatory Framework is being complied with. Thematic examinations provide direct feedback to those entities examined and a public feedback document which summarises the key findings.

In November 2018, the JFSC set out in high-level terms its planned thematic examination programme to be undertaken in 2019, within which the theme of Reliance on Obliged Persons (OPs) was identified.

Jersey’s defences against the laundering of criminal funds and terrorist financing rely heavily on the vigilance and co-operation of the finance sector. Specific financial sector legislation (for example, the Money Laundering (Jersey) Order 2008 (Order)) is therefore in place and applicable to (i) a person carrying on a financial services business in or from within Jersey, and (ii) a Jersey body corporate or other legal person registered in Jersey carrying on a financial services business anywhere in the world (Relevant Person).

The JFSC strongly believes that the key to the prevention and detection of money laundering and the financing of terrorism lies in the implementation of, and strict adherence to, effective systems and controls, including sound identification measures based on international standards. Legislation in conjunction with the Handbook for the Prevention and Detection of Money Laundering and the Financing of Terrorism for regulated Financial Services Businesses (Handbook) implements these standards.

Sound identification measures are vital because they:

  • help to protect the Relevant Person and the integrity of the financial sector in which it operates by reducing the likelihood of the business becoming a vehicle for, or a victim of, financial crime;
  • facilitate providing assistance to law enforcement, through provision of information on customers or activities and transactions which may be under investigation;
  • constitute an essential part of sound risk management, e.g. by providing the basis for identifying, limiting and controlling risk; and
  • help to guard against identity fraud.

The inadequacy or absence of identification measures increases the risk of money laundering and terrorist financing occurring as these may not be detected and can therefore subject a Relevant Person to serious reputational, regulatory and other operational risks which can result in significant financial cost to the business. Documents, data or information held also assist the Money Laundering Reporting Officer (MLRO) and business employees to determine whether a Suspicious Activity Report (SAR) is appropriate.

In some strictly limited circumstances, Article 16(2) of the Order provides that a Relevant Person may rely on identification measures that have already been applied by an OP to find out the identity of a mutual customer and to obtain evidence of identity. Where a Relevant Person opts to utilise the reliance regime, the statutory requirements and Anti-Money Laundering/Countering the Financing of Terrorism Code of Practice (AML/CFT Codes) and related Guidance Notes are detailed in Section 5 of the Handbook.

In addition to the above, persons registered by the JFSC under Article 9 of the Financial Services (Jersey) Law 1998 or Article 9 of the Banking Business (Jersey) Law 1991 must comply with the principles and detailed requirements in the conduct of its business, as set out in the relevant conduct Codes of Practice. Therefore the examinations also included reference to these requirements.

2   Scope and Methodology

The thematic examinations were conducted by the Supervision Examination Unit (SEU), commencing in the third quarter of 2019 and concluding in the first quarter of 2020.

Having reviewed and analysed data held by the JFSC, together with supervisory knowledge of Relevant Persons, a sample of 11 Relevant Persons was selected, representing the following licence types: Deposit-taking Business, Investment Business, Funds Services Business and Trust Company Business.

The objective of the thematic examination was to review and assess the following:

  1. Whether the Relevant Person could demonstrate that the conditions under Article 16 of the Order had been met;
  2. The Relevant Person’s governance and oversight in respect of the reliance on OPs;
  3. The results of the Relevant Person’s testing of the identification measures undertaken by the OPs;
  4. Whether the Relevant Person could demonstrate that it meets its legal obligations and the regulatory requirements in respect of customers where reliance on an OP had been utilised in respect of a mutual customer or connected third party; and
  5. The effectiveness of the Relevant Person’s internal control systems (including policies and procedures) in respect of all the above.

The themed examinations were conducted over three phases:

  • Phase One

A formal information request was sent to the identified Relevant Persons seeking the provision of the following documents:

Policies and Procedures: Policies, procedures, checklists, questionnaires and supporting documents relating to the application of concessions provided by Articles 16 of the Order.

Details of OPs: A list of all OPs upon which the Relevant Person placed reliance which included, inter alia, the name and jurisdiction of the OP; dates of testing conducted in an 18 month period; and risk ratings applied to the OP. The name, date of take on and risk rating of the mutual customer was also obtained.

Risk Assessment of OPs: Risk assessment of each OP undertaken by the Relevant Person in accordance with the requirements of Article 16(4) of the Order.

Testing of OPs: Details of any issues identified from testing conducted in the 18 month period in accordance with the requirements of Article 16(5) of the Order.

Assurances from the OPs: Standard terms of business, agreements and template assurance letters provided by OPs in accordance with Article 16(3) of the Order.

Assurance Testing: Details of any internal audit or assurance testing that had been undertaken in respect of reliance on OPs, in the same 18 months.

  • Phase Two

Following receipt of Phase One documentation, JFSC officers selected a sample of customers where reliance had been placed on an OP by the Relevant Person; and testing carried out on those OPs. The formal information request sent to the identified Relevant Persons requested the provision of the following documents:

OPs: Extracts of all Board of Directors (Board) and/or Committee minutes demonstrating the consideration and approval process for the selected OPs.

Customers: Copies of the risk assessment for the selected customers.

Tests: Evidence of the testing conducted by the Relevant Person (including scope, testing and outputs regarding the appropriateness of placing reliance) for the selected OPs.

  • Phase Three

This included a desk-based review of the information provided by the Relevant Persons, and one or two days of on-site activity whereby the sample of pre-selected customer files from Phase Two was reviewed and a number of interviews were held with various employees of the Relevant Persons.

In the event that any findings were identified, these were based upon information provided by the Relevant Person and evidence available at the time of the examination. Those findings have been provided to the Relevant Persons and are being separately addressed.

The purpose of this paper is to summarise the key findings from this themed examination. It is not intended to comprehensively describe all risks that may be associated with non-adherence to the Regulatory Framework and not all Relevant Persons within scope face the issues described below.

The JFSC takes this opportunity to thank the Relevant Persons for the courtesy and assistance shown during the examination process.

3 Key findings

3.1 Conditions of Article 16

3.1.1   When assessing whether the Relevant Person could demonstrate the conditions under Article 16 of the Order had been met, the JFSC identified the following findings

3.1.1.1 JFSC identified that one Relevant Person was not able to demonstrate it had applied the Regulatory Framework to its internal processes in a manner which was consistent with the requirements of the reliance regime.

3.1.1.2 At one examination conducted it could not be demonstrated that consideration had been given to using the reliance regime where money laundering was suspected.

3.1.1.3 One Relevant Person could not evidence it acted to address the fact that an OP had itself relied on Articles 16 and 17 of the Order, in respect of investors into funds under administration.

3.1.1.4 In regards to its statutory obligations another Relevant Person could not evidence consideration of the equivalence of the supervisory regime of part of a financial group upon which it placed reliance; this jurisdiction, namely British Virgin Islands (BVI), also did not appear on a list of approved regulators maintained by the Relevant Person. The BVI business effectively relied upon the services of a group entity incorporated in a jurisdiction which had been assessed, however this did not meet the obligations contained within the Order.

3.1.1.5 A fifth Relevant Person was unable to demonstrate compliance as it had not correctly identified its customer following the transfer of services from another part of the Relevant Person’s group which had resulted in it applying the reliance regime.

3.1.2   Article 16 outlines the requirements of the written assurance from the OP. JFSC officers noted a number of instances of non-compliance in this regard.

3.1.2.1 These included one instance where the written assurance was not held, as the Relevant Person considered that the assurance received regarding the parent company of the underlying customer was sufficient.

3.1.2.2 One case in which it could not be demonstrated that the OP had explained what evidence of identity it had obtained in regard to the mutual customer.

3.1.2.3 Another example did not contain information on identity in respect of the customer list appended, this matter was addressed by the Relevant Person prior to the examination being conducted.

3.1.2.4 JFSC officers noted one occasion where the assurance did not specifically state the OP had not relied on another party to have applied identification measures.

3.1.2.5 One example in which the Relevant Person had not established whether further identification measures were required after consideration of those applied by the OP.

3.1.2.6 Two instances where the written assurance did not include the requirements in respect of not applying measures which are less than equivalent to reliance identification measures.

3.1.2.7 One example was identified in which the assurance had been drafted by the OP and did not state that evidence of identity would be kept in line with the statutory requirements and another in which the assurance provided by the Relevant Person did not clearly state the OP would keep records of evidence of identity. The JFSC expects that in instances where a Relevant Person relies on an assurance produced by the OP, the Relevant Person ensures it complies with the relevant obligations.

3.1.3   Before relying on an OP a Relevant Person must assess the risk of doing so and document the reasons for considering this appropriate. Several findings were identified in regards to this process.

3.1.3.1 One example where the OPs were considered low risk as they were supervised by the JFSC. This consideration and its rationale was not documented however.

3.1.3.2 A further example was noted in which the equivalence of a jurisdiction, as per Appendix B of the Handbook, appeared to be one of the few factors considered as part of the assessment.

3.1.3.3 Two Relevant Persons had not formally documented its risk assessment of the OP at the time of the relationship being established. The Board minutes were also silent in regards to the reliance agreement at one of these entities despite the agreement being entered into two months prior to the Board meeting.

3.1.3.4 As a consequence of not assessing the equivalence of a jurisdiction in which an OP was incorporated, as detailed above, one Relevant Person was unable to evidence an adequate risk assessment of part of a financial group on which it placed reliance.

3.1.3.5 It was identified in one instance that reliance had been placed on an OP before the risk assessment in respect of doing so had been undertaken.

3.1.3.6 Finally it was identified that the reasons one Relevant Person considered it appropriate to place reliance on OPs was not recorded sufficiently, this was particularly concerning in instances where the risk associated with the OP may have increased.

3.1.4   Section 5 of the Handbook contains guidance and specific AML/CFT Codes in respect of Article 16 of the Order. Findings were identified in regards to the evidence of identity provided by OPs.

3.1.4.1 Two Relevant Persons had not ensured the documents were certified in line with the regulatory requirements.

3.2 Governance and Oversight of Reliance on OPs

3.2.1   The JFSC expects that when a Relevant Person places reliance on an OP in regards to identification measures that this features in the Business Risk Assessment (BRA), and that approval of OPs is considered and discussed by either the Board/Senior Management or a subcommittee of such. Evidence of these decisions must be clearly documented. When assessing whether the Relevant Person could demonstrate effective governance and oversight of OPs the JFSC identified the following findings.

3.2.1.1 JFSC officers identified that use of the reliance regime had not been documented in the BRA at one Relevant Person.

3.2.1.2 At a second the risks of placing reliance on an OP had not been captured sufficiently.

3.2.1.3 In a third instance the BRA incorrectly stated that there were no reliance arrangements in place when this was not the case.

3.2.2   To demonstrate that a Relevant Person has regard for the higher risk of money laundering and the financing of terrorism when placing reliance on an OP, the JFSC expects that Relevant Persons consider various factors.

3.2.2.1 One Relevant Person stated that reliance was placed on OPs with a similar risk appetite as it considered reputational risk to be the biggest risk to which it was exposed. However JFSC officers identified that in three instances the OPs appeared to have a higher risk appetite than the Relevant Person which did not align with the statements made. JFSC officers were also advised that the risk of money laundering and terrorist financing sat with the bank which remitted funds on behalf of the OP to the Relevant Person. The JFSC finds this lack of awareness in respect of financial crime risk to be extremely concerning.

3.3 Relevant Person’s Testing of OPs

3.3.1   Conducting tests to ascertain whether the OP maintain appropriate policies and procedures in regards to identification measures, keeps evidence of identity and will provide this without delay, or may be prevented from providing the evidence, is a requirement of Article 16 of the Order. When assessing whether the Relevant Person could demonstrate testing the OPs as described under Article 16 of the Order, the JFSC identified the following findings.

3.3.1.1 One Relevant Person had not commenced its testing programme as it considered the OPs to be low risk.

3.3.1.2 A second was unable to demonstrate that any testing had been conducted despite the BRA stating that testing was performed on an annual basis.

3.3.1.3 Testing conducted by three Relevant Persons was not deemed sufficient;

  • In one instance the testing cycle had not been conducted for four years despite internal documents stating testing should be undertaken every two years and testing conducted on an OP had not sufficiently tested the policies and procedures in respect of identification measures.
  • In a second instance potential red flags which had been identified during the testing process had in one case not resulted in a documented discussion by the committee which approved and had oversight of the OPs, despite the apparent increased risk profile of the OP; furthermore information which should have prompted further investigation by the Relevant Person appears to have not been considered. The documents which supported the testing conducted by this Relevant Person contained little evidence to support a review of the OPs financial crime related policies and procedures and the questionnaire used as part of the process contained little evidence to support the points made within the document; as such the testing was not considered sufficient or effective by the JFSC.

3.3.2   One Relevant Person had conducted testing and the requested documents had not been provided in a timely manner. The Order is clear in respect of the Relevant Person immediately applying identification measures in these circumstances.

3.4 Legal Obligations and the Regulatory Requirements Regarding Mutual Customers or Third Parties;

3.4.1   When assessing whether the Relevant Person could demonstrate it met its legal obligations and the regulatory requirements in respect of customers where reliance on an OP had been utilised, in respect of a mutual customer or connected third party, the JFSC identified the following findings. Undertaking a robust customer risk assessment is both a statutory and regulatory requirement. Inadequate or ineffective customer risk assessments were identified at a number of examinations conducted.

3.4.1.1 One Relevant Person had relied on a bulk risk assessment for a client group which contained a number of individual companies.

3.4.1.2 In a second example customer risk assessments had not been performed when services had been transferred from one part of a group to the Relevant Person, the adequacy of the initial assessments conducted by the group entity could also not be demonstrated.

3.4.1.3 JFSC officers identified several examples of higher risk factors such as bribery and corruption, and links to or relationships with, Politically Exposed Persons not always considered sufficiently when reviewing customer files at three Relevant Persons.

3.4.1.4 Finally the risk assessment at one Relevant Person partly risk assessed the OP and partly assessed the underlying customer.

3.4.2   Several examples were also noted in which detail regarding source of funds and source of wealth was found to be inadequate. Both the Order and the Handbook clarify the difference between source of funds and source of wealth and highlight the instances in which this information must be obtained and verified. The JFSC expects the implementation of specific and adequate controls to compensate for the higher risk of money laundering and the financing of terrorism where enhanced due diligence measures are required.

3.4.3   It was identified at one examination that the Relevant Person was not able to demonstrate it understood the ownership and control structure of a customer, and as a result had not identified the individuals who were the customer’s beneficial owners and controllers in line with Articles 2 and 3 of the Order.

3.4.4   One Relevant Person advised that the ongoing monitoring of its customer was conducted by the OP. JFSC officers explained this was a legislative obligation placed upon the Relevant Person and it could not place reliance on the OP self-monitoring.

3.4.5   Reliance identification measures are those specified in Articles 3(2)(a), (aa), (b) or (c) of the Order and as such it remains the responsibility of the Relevant Person to complete due diligence measures in respect of Article 3(2)(d), being the purpose and intended nature of the relationship with the Relevant Person. Findings in this regards were noted at three examinations where either the information provided was incorrect and related to the relationship between the mutual customer and the OP or was not explicitly documented.

3.5 Relevant Person’s Internal Control Systems

3.5.1   When assessing the effectiveness of the Relevant Person’s internal control systems (including policies and procedures) the JFSC identified the following findings.

3.5.1.1 It was identified at one Relevant Person that the information provided by the OP on the documents used to establish relationships was absent, of poor quality and in some instances incorrect. The JFSC considers these documents to be a key control and expects quantitative and qualitative information to be gathered as part of effective risk management systems.

3.5.1.2 JFSC officers identified that the risk assessment tool at one Relevant Person produced an incorrect rating when tested, as standard risk answers resulted in a lower risk result. This same tool was open to manipulation due to the lack of restrictions in place. Two examples were also found in which jurisdictional risk was not captured adequately within the risk assessment tool, in one example jurisdictions were not listed individually and were referred to as ‘lower risk countries’ for example.

3.5.1.3 The methodology which supported the risk assessment tool provided by one Relevant Person did not clearly explain the scores attributed to some of the sections which drove the overall customer risk rating.

3.5.1.4 JFSC officers identified findings during eight examinations in respect of the policies and procedures in place. These included policy statements not feeding through into the actions contained in the supporting procedures; details of the review and acceptance process regarding OPs being insufficient or absent; the testing cycle not including how and what to test and the steps to take if negative results were identified; checking the certification of identity documentation provided by the OP; group procedures which did not satisfactorily address local legislative obligations and regulatory requirements; version controls were not maintained as required in the conduct Codes of Practice.

3.5.1.5 Examples of policies and procedures not being maintained in line with changes to the Regulatory Framework were also noted at two Relevant Persons.

3.5.1.6 One Relevant Person was also unable to demonstrate adherence to its own internal controls as it could not demonstrate that financial crime related policies and procedures had been reviewed at all the OPs upon which it placed reliance, and that sufficient due diligence information was obtained in line with its documented process.

3.5.2   Finally the conduct Codes of Practice for all sectors state that Relevant Persons must maintain adequate orderly and up to date records as part of effective internal systems and controls. The JFSC continues to identify findings in this area, in particular during this thematic examples were noted in which checklists were not fully completed, decisions were not clearly annotated on supporting documentation, detail of actions taken as a result of testing was not always evidenced and signatures were absent where required. Examples were also identified at several Relevant Persons where the minutes of the decision making committees meetings, including those of the Board/Senior Management, did not clearly evidence discussion, challenge and decision making on behalf of the Relevant Person. This continues to feature at a large number of examinations conducted and this paper serves as a reminder that evidencing how an organisation is directed and controlled, through well documented minutes, supports the demonstration of a sound corporate governance framework.

4 Conclusion

Examinations were conducted at 11 Relevant Persons and a total of 54 findings within scope of the theme were identified, several of the findings captured multiple areas of non-compliance with the Regulatory Framework. These findings were in respect of the Order and the regulatory requirements (AML/CFT Codes) described in the Handbook as well as the applicable conduct Codes of Practice. Several of the Relevant Persons examined had self-identified where changes were necessary to ensure compliance with the Regulatory Framework and were implementing actions to address this prior to the on-site activity commencing.

A number of the Relevant Persons were largely compliant with Article 16 of the Order and Section 5 of the Handbook, and were required to make relatively minor adjustments to comply with either statutory obligations or regulatory requirements. However, several Relevant Persons were required to make significant changes to internal systems and controls, including policies and procedures, to fully comply with the requirements. The JFSC expects that when conducting remediation, activity issues are not reviewed in isolation, and consideration is given to the wider implications of the findings detailed in individual examinations reports. Supervisors work closely with Relevant Persons to ensure that the steps taken to address findings are appropriate to the breadth of risks identified.

In terms of the objectives of this thematic examination the JFSC expected that Relevant Persons were able to clearly and effectively demonstrate how they comply with the specific requirements of Article 16 of the Order and Section 5 of the Handbook, through conducting an analysis of current processes and ensuring that the specific statutory obligations and regulatory requirements were met. This is particularly important where reliance is placed on OPs in non-equivalent jurisdictions or where there is a higher risk or suspicion of financial crime.

Although Relevant Persons held written assurances in all but one case, some of these did not meet the specific conditions contained within the Order, action must be taken to ensure compliance going forward. Whilst undertaking a thorough assessment of the risk of placing reliance on an OP, consideration and adoption of the guidance contained within Section 5 of the Handbook will support Relevant Persons in managing the potential risks of utilising the reliance regime. The JFSC expects a robust process in place in this regard to manage the heightened risk of money laundering and the financing of terrorism. Findings in respect of assessing the OP were identified in over half of the Relevant Persons examined which the JFSC finds concerning.

Whilst some Relevant Persons were able to demonstrate good oversight of OPs through effective corporate governance, areas for improvements were identified. Ensuring the reliance regime forms part of an exacting business risk assessment process is vital; whilst having a clear understanding of the risk appetite and working practices of OPs will assist Relevant Persons in adopting the relevant measures to ensure any risks posed are managed effectively.

Conducting a rigorous testing programme where outcomes are considered and any actions taken are evidenced is a key factor when placing reliance on OPs. Relevant Persons must be able to demonstrate how this process is effective. Where issues are identified, the JFSC expects Relevant Persons to comply with the legislation and take the required action. This is an additional area in which the JFSC is again concerned at the number of findings identified.

Whilst the JFSC saw examples in which robust customer risk assessments were completed a number of Relevant Persons did not adequately demonstrate that all risk factors presented by mutual customers had been captured and considered. The implication that poor customer risk assessments may be wider than in respect of customers for whom a Relevant Person places reliance on an OP must not be overlooked, and the JFSC expects that consideration is given to reviewing the tools and procedures in place by the supervised community.

In respect of internal systems and controls, Relevant Persons should ensure that these are tested where required to ensure they are fit for purpose. Policies and procedures must meet local legal and regulatory requirements, maintained and updated through a regular review cycle and clear enough so that employees are able to easily apply them to the processes conducted, to obtain the results necessary in managing financial crime risks. Checking that policies and procedures are adhered to through a line of defence model is also vital to Relevant Persons compliance with the Regulatory Framework.

The application of Article 16 of the Order and Section 5 of the Handbook will continue to be reviewed during examinations conducted by the Financial Crime Examination Unit and Pooled Supervision team examinations. The JFSC expects that the Board/Senior Management of Relevant Persons who were not involved in the examination review this paper and consider their own arrangements to ensure strict adherence. Where the findings can be applied to other aspects of the Regulatory Framework conducting a gap analysis to current working practices is also recommended to Industry as a whole.

The JFSC wishes to re-iterate that the management of financial crime risk is non-negotiable and use of the powers under the Financial Services (Jersey) Law 1998 and Proceeds of Crime (Supervisory Bodies) (Jersey) Law 2008 will be used where disregard to the Regulatory Framework is apparent.

5   Glossary of Terms

AML

Anti-Money Laundering

AML/CFT Codes

Anti-Money Laundering/Countering the Financing of Terrorism Code of Practice

Board

Board of Directors

BVI

British Virgin Islands

BRA

Business Risk Assessment

conduct Codes of Practice

Means, collectively, the:

›   Code of Practice for Deposit-taking Business;

›   Code of Practice for Fund Services Business;

›   Code of Practice for Investment Business; and

›   Code of Practice for Trust Company Business

Handbook

The Handbook for the Prevention and Detection of Money Laundering and the Financing of Terrorism for Regulated Financial Services Businesses

JFSC

Jersey Financial Services Commission

MLRO

Money Laundering Reporting Officer

Obliged Person or OP

Means a person who is relied upon by the Relevant Person, as defined under Article 16(1) of the Order

Order

Money Laundering (Jersey) Order 2008

Regulatory Framework

The Jersey legislative and regulatory requirements that are relevant to the classes of business the Relevant Person undertakes

Relevant Person

Means a person carrying on financial services business in or from within Jersey; or either (i) a Jersey body corporate, or (ii) other legal person registered in Jersey, carrying on a financial service business in any part of the world (as defined under Article 1(1) of the Money Laundering (Jersey) Order 2008)

SAR

Suspicious Activity Report

SEU

Supervision Examination Unit