Dealing with customers who present a higher risk of Money Laundering, the Financing of Terrorism and the Financing of Proliferation (together Financial Crime)
The recent invasion of Ukraine by Russia has resulted in an increased Supervisory focus on ensuring that relevant persons with exposure to jurisdictions that present higher risks, such as Russia and Belarus (see Appendix D2 of the AML/CFT Handbook), have the appropriate governance and internal systems and controls in place for dealing with higher risk customer relationships.
This note is intended to remind relevant persons of the JFSC’s expectations when dealing with customer relationships that present higher Financial Crime risks, and to prompt relevant persons to consider and assess the adequacy of their own individual arrangements for identifying and mitigating existing, or increased, risks arising within their customer bases.
Senior Management, including the board of directors or equivalent, is responsible for the effective management of a relevant person’s risk, and as such should be actively involved in ensuring that risk management systems continue to be fit for purpose.
AML/CFT Business Risk Assessment (BRA) and Compliance Monitoring Plan (CMP)
The JFSC’s expectation is that relevant persons will periodically, and as a result of trigger events, review, assess and document the adequacy of their BRA. This should be done in a timely manner in order to ensure that the Financial Crime risks associated with relevant persons’ customer bases, and the associated mitigating controls, are accurately reflected and are adapted to take into account any changes in the risk profile of the customer base. Relevant persons should therefore consider whether there is a particular need to update their BRA due to the ongoing situation in Ukraine.
The CMP, which should be clearly mapped to a relevant person’s BRA, should also be reviewed on a periodic basis and adapted in response to any changes in a relevant person’s risk profile.
New and existing customer relationships involving specific exposure to Russia and Belarus
Customer relationships with exposure to Russia and Belarus will at this time present significantly increased Financial Crime risks, including sanctions evasion, and these increased risks must be appropriately managed. In light of the material increase in risk, and the fluid sanctions situation, the Government of Jersey and the JFSC are of the view that it may not currently be possible to adequately manage the risks associated with the taking on of new business associated with Russia or Belarus. Relevant persons should consider whether the risks presented by any existing exposure that they may have to Russian and Belarussian customers remain manageable.
Relevant persons should notify their supervisors of any concerns they may have regarding new or existing Russia or Belarus related business.
New business take-on for customers presenting a higher Financial Crime risk and CDD requirements
A key element of the new business take-on process is identifying whether or not customer relationships should be subject to the application of Enhanced Due Diligence (EDD) measures in accordance with the requirements of the Money Laundering Order.
EDD measures are required in any instance where it is determined that there is a higher risk of Financial Crime and in a number of specific scenarios, as set out in Section 7 of the AML/CFT Handbook, including:
- Where a customer has a connection to an enhanced risk state
- Where a customer is a PEP
Robust, easily accessible policies and procedures should be in place enabling employees to understand how those customers requiring EDD are identified and how EDD measures, which are proportionate and commensurate with the risks presented, are to be applied. Such measures should be over and above those applied to standard risk customers, and should be tailored to the specific risks associated with each customer.
New business take-on procedures should be tailored to the business of each relevant person, and mapped against the Jersey statutory and regulatory requirements.
Should relevant persons be in any doubt as to whether a particular customer relationship presents a higher risk, they should consider seeking third-party advice in this regard.
Customer Risk Assessment (CRA)
An effective CRA process is fundamental in driving a risk-based approach to customer due diligence measures and ongoing monitoring. The CRA should consider all risk factors which are appropriate to the relevant person, its customer base and the products and services offered and should be updated in the event of changes in these risk factors.
In order to be able to demonstrate that the Financial Crime risk has been adequately assessed, and that suitable identification measures have been applied, relevant persons should be undertaking and documenting a CRA.
Relevant persons should have a documented CRA procedure and methodology that are periodically reviewed and assessed to ensure that they are appropriate for their business and risk profile.
Other ongoing monitoring and Periodic Reviews
The CRA should drive the levels of ongoing monitoring which are to be applied to new and existing customer relationships.
Ongoing monitoring, of both customer transactions and their activity should be undertaken routinely throughout the course of a business relationship to enable the identification and scrutiny of complex or unusually large transactions, unusual patterns of transactions and any other activity that might by its nature present an increased risk of Financial Crime including the urgent re-structuring of structures associated with customer relationships.
The frequency and intensity of ongoing monitoring should be driven by the level of Financial Crime risk presented by an individual customer, with transactions associated with higher risk customer relationships being the subject of enhanced scrutiny.
Ongoing monitoring should be the subject of up to date and consistent policies and procedures and should set out the steps to be taken by employees where higher risk transactions or activities are identified.
Should any part of ongoing monitoring be outsourced to a third party, including within the same group of companies, appropriate due diligence should be undertaken of the outsourcing provider to ensure that the services are carried out to the required standard.
Periodic reviews are a key control for the oversight of customer relationships. Relevant persons should consider any backlogs that might exist in the periodic review cycle, and where relevant take steps to ensure that those customer relationships involving higher risks of Financial Crime are prioritised for review.
Employee training and awareness
Given the importance of having effective Financial Crime controls in place, it is imperative that all relevant staff are provided with regular Financial Crime training, including raising awareness of relevant persons’ own bespoke internal arrangements for dealing with higher risk customers. The JFSC would therefore encourage relevant persons to assess the adequacy and accuracy of Financial Crime related training and awareness arrangements that are in place.