Remediation Action Plans

1 Introduction

1.1   The Jersey Financial Services Commission (JFSC) undertakes Examinations as part of its ongoing supervision of regulated and supervised businesses and professions. Examinations may be undertaken by way of a questionnaire or in-depth Examinations. The latter includes desk-based and on-site activity or a combination of both. Examinations are a key tool in executing our regulatory function.

1.2   The findings of an Examination may lead to registered persons[1] being required to prepare a remediation action plan (a plan), to address deficiencies identified. A plan may also be required to address other regulatory matters. For example, in response to findings of an internal audit which identifies breaches of a Code of Practice.

1.3   In instances where a plan is required, it will be submitted to us for our consideration. We will consider whether the timeframes in which remediation will be delivered appears reasonable, taking into account, amongst other factors, the seriousness of the findings, extent of work to be performed and resourcing required.

1.4   Where a plan is designed to address serious deficiencies, we expect the registered person to commence remediation and implement necessary measures to address control weaknesses as soon as is practicable.  As a guide, we will have a low tolerance for plans extending beyond 12 months. However, we recognise there may be instances where completion of all actions within a plan in 12 months may not be achievable.

1.5   The registered person’s senior management, in particular its board of directors (together, senior management), is responsible for ensuring the plan is designed to deliver effective and sustainable remediation of findings. It is beneficial for the registered person to appoint a board member, or equivalent member of senior management, as the overall lead for ensuring the plan is prepared, implemented and completed in a timely manner.  

1.6   The purpose of this guidance note is to provide information and outline good practice to be considered by the registered person when preparing a plan.

2 Resourcing for Remediation

2.1   The Compliance Function is often viewed as having staff with requisite knowledge and skills to support remediation, where actions relate to demonstrating compliance with regulatory requirements and/or legal obligations. Care must be taken when diverting staff from their existing responsibilities, as it may result in competing priorities, which could have a detrimental impact on day-to-day operations and/or negatively impact the delivery of effective, timely, and sustainable remediation.

2.2   A registered person will benefit from preparing a remediation resourcing schedule. This will assist the registered person to identify, consider and where appropriate address the following:

2.2.1   Whether there are key dependencies on particular staff members;

2.2.2   Whether the personnel required to complete the plan conflicts with other responsibilities;

2.2.3   Whether additional temporary or permanent staff may be required; and

2.2.4   The time frame by which the plan will reasonably be able to be completed.

2.3   Where a registered person decides to engage external third-party resource to perform remediation activities and/or provide project oversight of the plan, the persons engaged must not be conflicted, and should have relevant knowledge and experience of the regulatory requirements and legal obligations.

2.4   Remediation activity may result in associated costs. Developing a remediation budget will aid the registered person’s board of directors and senior management, in determining, and monitoring, the registered person’s financial capacity to support the level of remediation required.

3 Plan Preparation, Format and Content

3.1   The below table details examples of good practice a registered person should consider when preparing a plan.

Pre-Plan Considerations

Good Practice	Description/ Examples
The registered person establishes a project framework under which it will implement and deliver the plan.	Developing a project framework to deliver remediation will support senior management, in its oversight and management of the adequate and timely completion of the plan. This may include, amongst other areas, monitoring remediation resourcing, addressing key man risks, identifying and preparing for any system changes/enhancements, and identifying key milestones to delivering the plan.
The registered person performs a root cause analysis to establish the underlying factors that led to the deficiencies identified.	Addressing root causes should support a registered person in remediating findings effectively and sustainably, for the longer term. For example, a registered person with a finding regarding a backlog of periodic reviews would benefit from determining its root cause, and what actions can be undertaken to stop the issue recurring. A commitment only to clear the backlog, by employing additional resources to do so, is unlikely to prevent recurrence.
The registered person assesses and determines whether the findings are indicative of wider systemic issues within its business.	Where an Examination sample tests information and identifies issues in a high percentage of the samples reviewed, this may indicate there is a systemic issue within the registered person’s business, wider than the samples tested. It is rare for the deficiencies to be limited to only the samples assessed. This may include, but not be limited to, deficiencies in customer records, internal suspicious activity reporting, or board of directors’ minutes. The registered person would benefit from analysing information from which it can make this determination, prior to creating the plan, and include within the plan appropriate actions in address deficiencies on a business wide basis. The registered person should be open and transparent, and where systemic issues are identified inform the JFSC.

 

Plan Format and Content

Good Practice	Description/ Examples
The plan is created in a structured format.	The registered person will benefit from producing its plan within a structured format such as a spreadsheet. Microsoft Excel for example can provide for easy useability, navigation and production of data to support reporting to senior management.
The plan details the findings alongside related actions.	The registered person will need to ensure all actions are clearly linked to relevant findings, and associated root causes of the findings. The registered person should refrain from using the plan to capture other remedial work unrelated to the findings and associated root causes. Doing so may result in the diversion of resource and a loss of focus by senior management in remediating the findings and root causes in a timely manner.
Actions are segregated.	It is beneficial to segregate individual actions into individual lines on a plan. This provides clarity around each component of work to be undertaken to address a finding. Grouping together multiple actions can make it challenging to track each of these to completion.
The plan uses referencing for each action.	The plan will benefit from assigning reference numbers to findings and individual actions. This provides for a manageable way in which to produce reporting and track completion, for example: Finding Action 1 1.1   1.2 2 2.1
Actions are sufficiently detailed, demonstrating the extent and nature of the action, and how it will address the finding(s).	A registered person would benefit from using the plan to demonstrate how its actions will adequately address the findings. For example, an action stating, ‘the Business Risk Assessment will be reviewed and updated. This will include consideration of cultural barriers and sanctions risk which the Examination identified as being omitted…’ provides a comprehensive level of detail and directly links to deficiencies identified by the Examination.
Actions are assigned reasonable timeframes for completion.	Each action has its own allocated timeframe for completion, taking into account, amongst other points, the seriousness of the related finding and extent of work required to be undertaken.
The plan reflects a risk-based approach to the completion of actions.	Actions should be prioritised to address findings presenting the most serious conduct, prudential and financial crime risks.
Actions are aligned in terms of order and timeframes, where these are connected.	Registered persons should take care when considering the order of actions. There may be instances where an action cannot be started or completed, as it is dependent on another action being completed first. For example, client file remediation may be dependent upon a registered person having first completed enhancement of client due diligence (CDD) policies and procedures. This is because client file remediation will be performed using the enhanced policies and procedures. The registered person should consider whether the time taken between one action completing and another starting is reasonable. For example, where material enhancements are made to CDD policies and procedures related training of staff on those changes should follow in short order.
The plan details the systems and controls a registered person will implement, to ensure remediation is sustainable in the longer term.	Remediation actions stipulate how the registered person will prevent re-occurrence of the findings in the future, i.e. how re-occurrence will be prevented. This will likely be through the use of systems and controls. For example, where a registered person updates its CDD policies and procedures to remediate a finding it should consider how it will ensure those policies and procedure will be kept up-to-date. This may include allocating the policies and procedures to an owner and diarising a cycle of reviews.
The plan details the output expected from each action.	The registered person considers what evidence will be produced, to demonstrate that each action has been completed effectively. This is the evidence senior management will consider, and from which it will determine whether an action can be considered as complete.
The plan demonstrates the assignment of actions to individuals for oversight of completion.	The registered person should assign a lead to each action. The lead will be responsible for overseeing the completion of the actions assigned, and be accountable to senior management for timely and effective completion. The lead may or may not be the staff member who will be undertaking the remediation work. It is appropriate for the lead to have an understanding of the underlying legal obligations or regulatory requirements relevant to the related actions assigned to them.
The plan is used to actively monitor completion, applying a clear methodology to demonstrate action status.	The registered person uses a clear methodology to demonstrate the status of actions. For example, marking an action in the plan as ‘In progress’, or ‘Overdue’, or using a RAG rating system (red, amber, green). The status of actions should be subject to regular review by senior management. The action status would benefit from being captured as part of the plan, which is regularly updated in support of on-going remediation monitoring.

3.2   The registered person should consider what information it requires in a plan, including the elements which enable the plan to be used as a tool to monitor and evidence progress of remediation. The following are regarded as relevant pieces of information to include in a plan, prepared in response to an Examination:

3.2.1   Finding reference – This is the reference number associated with the finding. This information will be detailed in the Examination report.

3.2.2   Finding – Clear details or a summary of the findings to be remediated.

3.2.3   Action Reference Number – The reference number the registered person has assigned to each action to address the findings. It is noted there may be multiple actions required to address each finding.

3.2.4   Action Details or Description – Details of each action which will be taken by the registered person, aligned to the finding.

3.2.5   Action Lead – The name or initials of the person who is responsible for overseeing the completion of each action.

3.2.6   Start Date – The date upon which the registered person will start each action.

3.2.7   Due Date – The date by which the registered person intends to complete each action.

3.2.8   Action Status – To be populated with a description of the status of each action. For example, ‘In progress’, ‘Overdue’, or alternatively this may be through the use of a RAG rating.

3.2.9   Evidence – Details of the evidence which will be produced to demonstrate each action is complete.

3.2.10   Date approved – The date upon which senior management have approved completion of each action.

3.3   During the course of remediation, where relevant to do so, the registered person should set out clearly how any identified control weaknesses will be mitigated in the immediate, pending full remediation.

4 Post Remediation Monitoring

4.1   Throughout the course of performing remediation, senior management should take steps to assure itself the changes implemented are operating in the manner expected. Remediation actions should be effective from the point upon which they are implemented. On completion, senior management should arrange for its appointed remediation lead to provide an attestation to the JFSC confirming remediation has been implemented and is, in senior management’s view, operating sustainably.

4.2   A period of business as usual will need to pass before the registered person will be able to fully assess whether the measures implemented have been effective and sustainable. We consider six months of business as usual, post-remediation, to be the minimum time before assessing effectiveness and sustainability.

4.3   This period is intended to provide sufficient time for a registered person’s updated systems and controls to be fully embedded, and be used to demonstrate, outside of remediation, the enhancements made are effective in preventing issues or deficiencies re-emerging. There may be instances where we require a registered person to appoint a reporting professional to perform post remediation effectiveness testing.

4.4   The registered person will need to determine how it will assess, and monitor in the longer term, effectiveness and sustainability of its remediation. This may involve the following:

4.4.1   engaging a reporting professional or having internal audit perform an independent review, focusing on the registered person’s ability to demonstrate compliance with regulatory requirements and legal obligations, relevant to the findings which led to remediation; and/or

4.4.2   incorporating relevant testing into the registered person’s compliance monitoring programme.

4.5   Where post remediation effectiveness testing reveals remediation to have been ineffective, or not sustainable, the JFSC will consider an appropriate response. This may include, but not be limited to, escalation to our Enforcement division and/or imposing safeguarding directions on the registered person to manage and mitigate any on-going risks arising from ineffective remediation.

5 Conclusion

5.1   It is the responsibility of senior management to ensure the registered person operates in compliance with regulatory requirements and legal obligations.

5.2   Where deficiencies are identified within a registered person’s business which may lead to, amongst others, financial crime risk, client detriment or damage to the reputation of Jersey, we regard it as senior management, and in particular the board of directors, duty to restore the registered person to a compliant state as soon as possible.

[1] For the purposes of this Guidance Note, the term ‘registered person’ refers to a person registered or holding a permit (as applicable) under: the Collective Investment Funds (Jersey) Law 1988; the Banking Business (Jersey) Law 1991; the Insurance Business (Jersey) Law 1996; the Financial Services (Jersey) Law 1998, and to a person supervised by the JFSC - using powers in the Proceeds of Crime (Supervisory Bodies) (Jersey) Law 2008 - for compliance with the JFSC’s AML/CFT/CPF Codes of Practice and related legislation.