Service notice: Our website, myJFSC and the Securities Interests Register will be unavailable between 18:00 on 13 April and 02:00 on 14 April due to scheduled maintenance.

2020 Financial Crime Examinations Feedback

Introduction

The continuing ability of Jersey’s finance industry to attract legitimate customers with funds and assets that are clean and untainted by criminality depends, in large part, upon the Island’s reputation as a sound, well-regulated jurisdiction.

Jersey’s defences against the laundering of criminal funds and terrorist financing rely heavily on the vigilance and co-operation of the finance sector. Specific financial sector legislation (for example, the Money Laundering (Jersey) Order 2008 (Order)) is in place covering a person carrying on a financial services business in or from within Jersey, and a Jersey body corporate or other legal person registered in Jersey carrying on a financial services business anywhere in the world (a relevant person). In addition, for the purposes of this report, the Order covers a relevant person:

  • registered with, or holds a permit issued by, the Jersey Financial Services Commission (JFSC) under one of the four prudential/conduct of business regulatory laws is referred to as a regulated financial services business; and
  • carrying on a business described in Part B of Schedule 2 to the Proceeds of Crime (Jersey) Law 1999 is referred to as a Schedule 2 business. Typically, Schedule 2 business includes accountants, estate agents, and the legal profession.

The key to the prevention and detection of money laundering and the financing of terrorism lies in the implementation of, and strict adherence to, effective systems and controls (including policies and procedures) based on international standards. Legislation in conjunction with the relevant Handbooks for the Prevention and Detection of Money Laundering and the Financing of Terrorism (Handbook) implements these standards. [i]

Background

The JFSC regularly undertakes examinations to assess the extent to which the statutory and regulatory requirements[ii] are being complied with. The JFSC then provides feedback directly to those within scope and provides a public feedback document, which summarises the key findings of the examinations.

Given the critical nature of the need for relevant persons to implement and comply with effective systems and controls (including policies and procedures) designed to prevent and detect financial crime, the JFSC executes a program of dedicated financial crime examinations. The scope and methodology of these examinations are described below. Financial crime examinations are carried out in respect of all types of relevant person i.e. those that carry on regulated financial services business and those that carry on Schedule 2 business.

Financial crime examinations in 2020 continued to be carried out by JFSC during the COVID-19 pandemic. Examinations that took place after 1 March 2020 were delivered on a fully remote basis, with face-to-face interaction and meetings taking place via video conferencing technology such as Zoom or WebEx.

In addition to the above, persons registered by the JFSC under Article 9 of the Financial Services (Jersey) Law 1998 (FSJL) or Article 9 of the Banking Business (Jersey) Law 1991 (BBJL) must comply with the principles and detailed requirements in the conduct of its business, as set out in the relevant Codes of Practice. Therefore, where relevant, the financial crime examinations also included reference to these requirements.

The information below relating to the findings of financial crime examinations has been published by the JFSC with the aim of enabling relevant persons to review examination findings and use the information to consider where their own arrangements may require enhancement, to ensure strict adherence to the statutory and regulatory requirements.

Each relevant person in Jersey must recognise the role that it must play in protecting itself, and its employees, from involvement in money laundering and the financing of terrorism, and in protecting the Island’s reputation of probity.

Part 1 - Regulated Financial Services Business

a)   Executive summary

In respect of regulated financial services businesses, data held by the JFSC was reviewed and analysed together with the JFSC’s supervisory knowledge of relevant persons and a sample of 15 regulated financial services businesses (86 relevant  persons) was selected to be examined. The following licence types were included: Deposit-taking Business, Fund Services Business, Investment Business, and Trust Company Business.

Financial crime examination activity in 2020 involved 133 employees of relevant persons taking part in 278 meetings with JFSC officers, who reviewed:

  • 4,857 documents
  • 221 randomly-selected customer files
  • 32 files for relationships connected to a politically exposed person (PEP); and
  • 42 sets of records concerning internal suspicious activity reports (iSARs) and/or external suspicious activity reports (eSARs).

The review of the 15 regulated financial services businesses resulted in JFSC officers highlighting 120 findings to those entities in relation to the relevant sections of the Handbook for the Prevention and Detection of Money Laundering and the Financing of Terrorism for Regulated Financial Services Business (Regulated Business Handbook). Within those 120 findings, JFSC officers identified 228 instances where statutory or regulatory requirements had not been complied with or were only partially being complied with.

All relevant persons involved in financial crime examinations in 2020 have received direct feedback and where findings have been identified, they are subject to a formal remediation plan. This plan needs to be submitted to and agreed by the JFSC, setting out actions to be taken and timescales to complete them. Where the JFSC identified material and significant findings, this resulted in further escalation and in some cases further action being taken or, action is in the course of being taken.

In a number of instances, JFSC officers identified findings at relevant persons that were similar to those highlighted during previous examinations of the relevant person, indicating that senior management action to address those historic findings had not been fully completed or was ineffective at remedying the matter in question.

Additionally, a number of the key themes and detailed findings in this Feedback Paper are similar in nature to those brought to the attention of boards and senior management in previous Feedback Papers issued by the JFSC. These papers are published on the JFSC’s website:

https://www.jerseyfsc.org/industry/visits-and-examinations/on-site-examinations-findings/

The distribution of the findings arising from the financial crime examinations versus the relevant section of the Regulated Business Handbook was as follows:The chart above highlights that findings most commonly arose as a result of non-compliance or partial non-compliance with the sections of the Regulated Business Handbook that set out the statutory and regulatory requirements concerning:

  • the establishment and maintenance of adequate and effective systems and controls (including policies and procedures);
  • reporting suspicions of money laundering  or the financing or terrorism;
  • the roles of the Money Laundering Compliance Officer (MLCO) and the Money Laundering Reporting Officer (MLRO);
  • Board responsibilities; and
  • Enhanced Customer Due Diligence (ECDD).

95% of the findings can also be viewed from the perspective of falling into the following broad categories:

The findings indicate that relevant persons were not able, in many cases, to demonstrate that systems and controls (including policies and procedures) to prevent, detect and report money laundering and the financing of terrorism were adequate and fully effective. Consequently, those relevant persons were not able to demonstrate full compliance with statutory obligations and regulatory requirements.

It is imperative that boards and senior management of relevant persons are able to demonstrate that they have considered the statutory and regulatory requirements set out in the Regulated Business Handbook, and the matters described in this Feedback Paper. Boards and senior management  should review these requirements and the findings in this Feedback Paper against their own arrangements to prevent detect and report money laundering and the financial of terrorism; and take action where necessary to enhance systems and controls (including policies and procedures). 

b) Key themes

Adequate and effective systems and controls (including policies and procedures)

JFSC officers identified 72 instances where policies and procedures relating to various activities had not been established or maintained in a manner that enabled relevant persons to demonstrate compliance with the regulatory framework. This can be categorised as follows:

Robust policies and procedures are key to the implementation of effective systems and controls surrounding the prevention, detection and reporting of money laundering and the financing of terrorism. Procedures must be tailored to the business, mapped against the Jersey statutory and regulatory requirements and be adequately maintained and complied with. In order to avoid barriers to adherence, it is also important that policies and procedures are clear and easy for the relevant person’s employees to understand, use. They must also drive a risk-based approach to the prevention and detection of money laundering and the financing of terrorism.

Reporting knowledge or suspicion

A particular concern to the JFSC is that in 11 of the 15 examinations conducted, relevant persons were unable to demonstrate adequate and fully effective systems and controls (including policies and procedures) in respect of reporting knowledge or suspicion. This resulted in 17 findings being brought to the attention of relevant persons. Those findings included instances of iSARs and eSARs not being submitted as soon as practicable or not at all, in circumstances that suggested that there were reasonable grounds for knowledge or suspicion that another person may be engaged in money laundering or the financing of terrorism. JFSC officers also identified examples of iSARs and eSARs that did not contain all relevant information relating to the matters causing reasonable grounds for knowledge or suspicion.

The JFSC’s 17 findings relating to the reporting of suspicion highlighted 23 instances where relevant persons were unable to demonstrate that the statutory and regulatory requirements had been fully complied with. The 23 instances can be categorised as follows:

Employees must know (i) where to locate a relevant person’s procedure for making an iSAR; (ii) how to make a report; and (iii) the identity of the MLRO or deputy MLRO.

As well as ensuring employees are: (i) alert to money laundering and financing of terrorism risks; and (ii) well trained in the recognition of notable transactions or activity which may indicate money laundering or financing of terrorism activity, relevant persons must also take steps to ensure that employees are cognisant of the importance of submitting iSARs to the MLRO as soon as practicable.

Reporting procedures must be clear and easy for employees to follow, whilst enabling the employee, the MLRO/DMLRO and the relevant person to all meet the statutory and regulatory requirements.

The roles of the MLCO and MLRO

The boards and senior management of relevant persons have substantial responsibilities for the prevention, detection and reporting of money laundering and the financing of terrorism and are assisted in fulfilling these responsibilities by appointed MLCOs and MLROs. There were findings in 80% of the examinations concerning the roles of the MLCO or MLRO. These commonly included relevant persons not ensuring that compliance functions had sufficient resources to fulfil all of the responsibilities required of the function; and the MLCO and MLRO not demonstrating appropriate independence, in particular from customer-facing, business development and system and control development roles.

Board responsibilities

Business Risk Assessments didn’t always include proportionate criteria for assessing the impact of the risks identified or an assessment of the effectiveness of the relevant person’s control environment in mitigating and managing those risks.

As well as documenting its systems and controls (including policies and procedures), a relevant person must check that they are being complied with.

JFSC officers identified similar findings during the financial crime examinations to those highlighted in the JFSC’s feedback paper ‘Compliance Monitoring Plans’ which was published on 17 December 2020.  In nearly 75% of the examinations, the board or senior management of relevant persons could not demonstrate it was actively engaged in the compliance monitoring process. This included not being involved in the scrutiny and approval of a Compliance Monitoring Plan (CMP), ensuring the timely completion of any remedial action arising from CMP activity and senior management demonstrating an understanding of whether action taken to remedy such deficiencies would mitigate the risks identified.

Enhanced customer due diligence (ECDD)

Findings indicated that policies and procedures relating to ECDD were not being maintained in all cases; that entities were not always recognising the need to subject activity in higher risk relationships to enhanced scrutiny; or were not successfully keeping information and documentation up to date in respect of higher risk customers. The JFSC considers that these are key areas in preventing and detecting financial crime and consequently, boards and senior management of relevant persons must ensure that such controls are operating effectively and that actions arising are dealt with promptly.

c)   Detailed findings

1.   Section 2 of the Regulated Business Handbook – Corporate Governance

JFSC officers observed examples of non-compliance with the statutory and regulatory requirements set out in this section of the Regulated Business Handbook in all of the relevant persons that were examined. In some instances, the further guidance described within the Regulated Business Handbook had not been taken into account, which meant that the relevant person was not able to demonstrate how it was complying with statutory or regulatory requirements. In addition, there were findings in respect of the relevant Codes of Practice in the case of relevant persons registered under the FSJL and BBJL.

1.1   Board responsibilities

1.1.1   A relevant person must be able to demonstrate: the existence of adequate and effective systems and controls (including policies and procedures); that it has assessed the effectiveness of its systems and controls; and taken prompt action to resolve any deficiencies.

1.1.2   In over 85% of the organisations examined, minutes of board or other senior management meetings did not reflect that the financial crime matters or risks that were reported by the MLCO were subject to adequate discussion, challenge and scrutiny.  

1.1.3   In seven of the 15 examinations, boards of the relevant persons had delegated powers to senior management committees such as a ‘risk management committee’ or ‘policies and procedures committee’. While such arrangements are commonplace, JFSC officers identified the following weaknesses in the risk management arrangements of the relevant persons concerned:

  • Terms of reference setting out management committee responsibilities were not always consistent with the responsibilities apportioned by the board;
  • Committees approving the adoption of systems and controls (including policies and procedures) where that power had not been granted by the board;
  • ‘Committee registers’ were used by some organisations to demonstrate how matters dealt with by the management committee were communicated to the board. However, in some instances there was no demonstrable evidence that those registers had been presented to the board, subjected to scrutiny or challenged by the board of the relevant person. In addition, boards of relevant persons were unable to demonstrate in all cases what action had been taken by the board, in respect of committee register action items that had been outstanding for some time.

1.1.4   In a smaller number of cases, chairpersons of management committees or Key Persons[iii] provided verbal updates to the board on a quarterly basis. The content of these verbal updates was not recorded in board minutes with sufficient detail to determine what update was provided to the board or what action was taken as a result.

1.2   The Business Risk Assessment (BRA) and Strategy

1.2.1   A relevant person must conduct and record a business risk assessment (BRA). The BRA must be kept up to date. Similarly, the relevant person must document a formal strategy to counter money laundering and the financing of terrorism

1.2.2   All of the relevant persons within the sample had carried out and documented a BRA and in only two cases was the BRA found to have not been kept up to date or monitored in accordance with the relevant persons’ stated internal policy.

1.2.3   However, in nearly half of the relevant persons examined, BRAs required further development as the document did not fully consider the effectiveness of the relevant person’s control environment in managing and mitigating the risks identified; or key risks were not considered in any detail; or barriers to the effective operation of systems and controls (such as cultural barriers) were not considered.

1.2.4   In two instances, senior management were unable to articulate the proportionate criteria that had been used to assess the impact of risks on the organisation described, amongst other things, as ‘severe’, ‘high’, ‘within tolerance’, and ‘moderate’.

1.2.5   In addition, some relevant persons were unable to demonstrate participation in the BRA by the board or other senior management, or that the conclusions of the BRA were subject to adequate challenge and scrutiny.

1.2.6   In some instances, senior management were unable to explain what their input into the BRA process had been and/or describe the key risks detailed in the most recent BRA.

Good Practice – The BRA

The BRA contained an Appendix that set out who had participated in the BRA, their area of specialism or expertise and when meetings had taken place.

Standing agenda items at quarterly board meetings concerning the presentation of the BRA for review by the board. Documented output included whether or not new risks had been identified and needed to be considered as part of the BRA, or the rationale for changes in the board’s assessment of risks already documented within its BRA.

The BRA included an assessment of the effectiveness of the organisation’s control environment to manage and mitigate the key risks identified. The assessment included action plans where the control environment was found to be less effective than originally envisaged by senior management and deliberations on the re-quantification of residual risk.

1.3   Systems and controls (including policies and procedures)

1.3.1   The Regulated Business Handbook should not be used as a policy and procedure manual but should be used to develop the relevant person’s own systems and controls (including policies and procedures) that are adequate, effective and tailored to the relevant person’s financial crime risks.

1.3.2   A relevant person must establish and maintain systems and controls (including policies and procedures) that are designed to prevent and detect money laundering and the financing of terrorism. A relevant person must also test that they are effective and are being complied with. A relevant person must take timely action to resolve any deficiencies identified.

1.3.3   There were 21 findings concerning systems and controls (including policies and procedures) arising from the 15 examinations.

1.3.4   JFSC officers identified 72 instances where policies and procedures relating to various activities linked to the prevention and detection of financial crime had not been established and maintained. This included:

  • 13 instances where an effective policy or procedure relating to an activity had not been established;
  • 29 occasions where the policy or procedure contained inaccurate guidance to employees or information that was not consistent with the statutory and regulatory requirements;
  • 26 cases where policies or procedures had not been updated in accordance with the organisation’s stated internal policy and/or did not take account of recent regulatory developments; and
  • Four instances where the policy or procedure provided guidance to employees by quoting content of the Regulated Business Handbook or merely provided employees with a hyperlink to a version published on the JFSC website.

1.3.5   In two examinations, the relevant person was relying on CDD procedures that had not been updated for over 10 years.

1.3.6   In one case, the relevant person was unable to reconcile whether or not it had made available to the JFSC all of its policies and procedures relating to the prevention and detection of financial crime, when asked to do so.

1.3.7   JFSC officers observed similar deficiencies in organisations’ CMP to those that were highlighted by the JFSC’s thematic examination ‘Compliance Monitoring Plans’ carried out in 2020. The JFSC’s feedback on its findings relating to the thematic examination were published on 17 December 2020[iv].

1.3.8   In summary, there were 11 instances where relevant persons were not able to demonstrate that the CMP had:

  • been mapped to the statutory and regulatory requirements;
  • been reviewed following an annual Compliance Risk assessment;
  • taken a risk-based approach to testing; or
  • been subjected to the scrutiny and approval of the board or senior management of the relevant person.

1.3.9   In two cases, monitoring activity had not taken place within the period of the examination. In one of those cases, the relevant person had not made sufficient resources available to the compliance function to enable it to perform all of its responsibilities.

1.3.10   Group resources outside of Jersey were utilised by four relevant persons to perform CMP activity either in whole or in part, but those CMP had not fully taken account of the Jersey statutory and regulatory requirements.

1.4   The roles of the Money Laundering Compliance Officer (MLCO), the Money Laundering Reporting Officer (MLRO) and the Deputy MLRO (DMLRO).

1.4.1   A relevant person must appoint a MLCO; MLRO and if needed a DMLRO. Relevant persons must ensure that the MLCO and MLRO are appropriately senior, act with independence and are provided with adequate resources to fulfil their responsibilities.

1.4.2   The MLCO must regularly report to the Board.

1.4.3   Where the relevant person has appointed a DMLRO, all of the statutory and regulatory requirements that apply to the MLRO also apply to the DMLRO.

1.4.4   12 findings that related to the roles of the MLCO; MLRO and DMLRO were identified in the 15 examinations.

1.4.5   In five cases, the MLCO and/or MLRO were not able to demonstrate that they had appropriate independence from customer facing and business development roles. In addition, the MLCO or MLRO in those organisations often executed key control activities in business processes such as new business acceptance or customer transactional activity, whilst being responsible for monitoring compliance with systems and controls relating to such activities.

1.4.6   Six relevant persons were unable to demonstrate that it routinely assessed the effectiveness of its compliance function, including the MLRO function.

1.4.7   In three cases, an individual was acting as DMLRO, but had not been formally appointed and did not have a job description that reflected their DMLRO responsibilities.  

1.4.8   In one case, a DMLRO was not able to demonstrate full understanding of the Tipping Off Regulations.

1.4.9   In eight instances, the relevant person was unable to demonstrate that the MLRO routinely monitored the activities of the DMLRO.

1.4.10   In three cases, the MLCO and/or the relevant person’s wider Compliance department had not been provided with adequate resources to enable them to carry out all of their duties.

2.   Sections 3, 4, 5 & 7 of the Regulated Business Handbook – Customer Due Diligence

JFSC officers observed examples of non-compliance with the statutory and regulatory requirements in relation to approaches to Customer Due Diligence. The findings were, however, varied.

2.1   Customer Risk Assessment (CRA)

2.1.1   A relevant person is required to gather information that enables it to assess the risks of money laundering and the financing of terrorism. Relevant persons must take a risk-based approach when considering what appropriate CDD measures are to be applied in relation to its customers.

2.1.2   There were three findings arising from the 15 examinations that directly related to Customer Risk Assessment (CRA). Whilst this may be considered to be a low number, the JFSC considers a sound and robust CRA to be fundamental in demonstrating effective risk-based approaches to identification measures and ongoing monitoring.

2.1.3   The CRA process used by one of the relevant persons was not considered fit for purpose as:

  • the tools used only sought a limited amount of information;
  • questions asked as part of the CRA were not sufficiently detailed to gather adequate information that was commensurate with the risks inherent in the business and risk profiles of the customers that made up the relevant person’s customer base; 
  • the CRA did not consider the cumulative level of risk beyond the sum of each individual risk element; and
  • customer file reviews carried out as part of the examination identified higher risk factors that had not been taken account of by the relevant person, resulting in a CRA outcome that wasn’t consistent with that suggested by the customer’s business and risk profile.

2.1.4   There were three examples where CRA scores generated by the automated systems could be over-ridden by employees without oversight or compensating controls.

2.2   Keeping information up to date

2.2.1   A relevant person must keep documents, data and information obtained under identification measures up to date, particularly in relation to higher risk customers.

2.2.2   In many of the relevant persons examined, a periodic review process was used to achieve this and/or a process was in place to update customer information and documentation following the occurrence of a trigger event.

2.2.3   In five of the examinations, periodic reviews had not been completed in line with the agreed schedule and action plans to clear backlogs were either not risk-based, or relied on temporary resources to complete the outstanding reviews.

2.2.4   At one relevant person, multiple periodic reviews had not identified that a customer was a PEP and that another customer was making regular contributions to charities based in Egypt and Sudan.

2.2.5   Customer files that were reviewed as part of examination samples recorded events or activity that had triggered a review, however, documents and information had not been updated, or the review had commenced and had not been completed.

2.3   Enhanced Customer Due Diligence (ECDD)

2.3.1   A relevant person must apply ECDD in certain circumstances set out in the Order and in any circumstance where there is a higher risk of money laundering. Such ECDD should include measures that are over and above those applied to standard risk customers.

2.3.2   There were 13 findings relating to ECDD.

2.3.3   JFSC officers noted 15 examples where policies and procedures adopted by relevant persons:

  • did not include all of the guidance needed by employees to ensure compliance with the regulatory framework; or
  • included information that was inconsistent with the statutory and regulatory requirements or had not been updated to include changes made to Section 7 of the Regulated Business Handbook in 2019 and 2020; or
  • were not tailored to the relevant person’s business as they quoted large sections of the Regulated Business Handbook or merely provided the employee with a link to Section 7 of the version published on the JFSC website.

2.3.4   In three instances, relevant persons had adopted processes for declassifying PEPs that did not comply with the Jersey regulatory framework.

2.3.5   In one instance, a relevant person’s definition of a PEP did not include the need to consider the risks posed by individuals that were close associates of a PEP.

2.3.6   Two relevant persons, whose customer base consisted primarily of Jersey resident customers, had not fully considered whether to implement additional CDD measures in respect of the small number of non-resident customers or customers that had not been met face-to-face, which existed within their customer bases.

2.4   Obliged Persons

2.4.1   A relevant person who has placed reliance on an obliged person to have carried out identification measures must carry out testing to ensure that the obliged person has appropriate policies and procedures in place relating to identification measures, keeps the evidence it has gathered in respect of the customer’s identity and will provide that evidence on demand and without delay.

2.4.2   Where a relevant person’s testing does not provide assurance that the obliged person has appropriate policies and procedures in place, keeps evidence and is able to provide information on request and without delay, then the relevant person must apply identification measures immediately.

2.4.3   In three examinations, policies and procedures adopted by the relevant person were not in full compliance with the statutory and regulatory requirements. In one of those instances, minutes of the senior management meeting reflected that the MLCO did not consider the need to update procedures relating to the use of obliged persons to be a priority. The BRA reflected that customers where the relevant person was placing reliance on an obliged person represented 35% of the relevant person’s customer base.

2.4.4   In one instance, an obliged person had not been able to provide information on request and without delay on a number of occasions when requested to do so as part of testing. As a result, the relevant person had ceased placing reliance on the obliged person, but had failed to apply identification measures in respect of the impacted historic relationships.

2.5   Exemptions from CDD requirements

2.5.1   Section 7 of the Regulated Business Handbook describes, in limited circumstances where there is little risk of money laundering, exemptions from the need to apply identification measures are available to relevant persons.

2.5.2   In four examinations, JFSC officers identified examples during the review of customer files where documentation had not been retained to evidence that the customer was entitled to take advantage of an exemption by virtue of their regulated status or being owned by shares traded on a regulated market.

2.5.3   In two of those instances, procedures that provided guidance to employees did not contain information consistent with the statutory and regulatory requirements set out in the Regulated Business Handbook.

Good Practice - ECDD

Many relevant persons used a specific committee to consider and approve business relationships with higher risk customers. Some used this process as part of their ongoing monitoring of such customers, to ensure that relationships remain within risk appetite and that senior management were aware of the ongoing risk profile of those customers.

3.   Section 6 of the Regulated Business Handbook – Ongoing Monitoring: scrutiny of transactions and activity

JFSC officers observed that all of the relevant person’s examined used one or more automated systems to monitor either transactions or customer profiles.

3.1   Transaction monitoring

3.1.1One relevant person used a group solution to monitor customer transactions. However, the relevant person had not carried out an assessment of whether the parameters utilised by the tool to monitor customer transactions were effective for the Jersey business’ customer base.

3.2   Automated systems used for customer screening

3.2.1   One relevant person was unable to demonstrate that it had carried out a risk assessment prior to implementation of a new customer screening tool to ensure that senior management understood how it worked and when it would be updated or changed; its coverage; and any limitations.

3.2.2   Two instances were identified where relevant persons were unable to evidence that all customers, beneficial owners and controllers were included in data feeds received by screening tools and were subsequently screened by the system.

3.2.3   In another two cases, relevant persons were unable to confirm the data sources that were included in screening tools utilised by the firms.

3.2.4  In a small number of cases, policies and procedures did not include guidance to employees on the steps to take where a relevant connection was identified to sanctions and other measures implemented under law applicable in Jersey.

4 Section 8 of the Regulated Business Handbook – Reporting money laundering and terrorist financing activity

17 findings were raised relating to section 8 of the Handbook. A particular concern was iSARs and eSARs not being raised as soon as practicable or not being raised at all where there were reasonable grounds for suspicion of money laundering or the financing of terrorism.

JFSC officers also noted several instances of Good Practices employed by experienced MLROs.

4.1   Policies and procedures for reporting

4.1.1   Relevant persons must establish systems and controls (including policies and procedures) to ensure that employees know the identity of the MLRO to whom to make a report and how to make a report as soon as practicable.

4.1.2   During the 15 examinations, JFSC officers identified 12 instances where policies and procedures relating to reporting suspicions of money laundering and the financing of terrorism contained out of date information or provided inaccurate guidance to employees.

4.1.3   In two instances, SAR Registers maintained by MLROs did not contain all of the information set out as regulatory requirements in Section 8 of the Regulated Business Handbook.

4.2   Internal Suspicious Activity Reports (iSARs)

4.2.1   As a result of a review of customer files, JFSC officers identified two instances where no iSAR was submitted by an employee to the relevant person’s MLRO and information held on the customer’s file may have provided reasonable grounds for knowledge or suspicion of money laundering or the financing of terrorism.

4.2.2   In eight cases records held by MLROs did not enable the MLRO or the relevant person to demonstrate in all cases that:

  • the iSAR included as full a statement as possible of the information or matters giving rise to the knowledge or suspicion; or
  • the iSAR made by the employee was raised as soon as practicable after the information that caused the employee to be suspicious came to their attention.

4.2.3   In six instances, the relevant person’s records did not evidence that the receipt of the iSAR had been acknowledged by the MLRO as soon as is practicable or in a small number of those six cases, whether it had been acknowledged at all.

4.3   External Suspicious Activity Reports (eSARs)

4.3.1   A relevant  person must ensure that the MLRO documents all enquiries made, the basis on which an external report is made, keeps the Joint Financial Crimes Unit (JFCU) up to date and that the MLRO submits eSARs to the JFCU as soon as is practicable.

4.3.2   During two examinations, JFSC officers identified information known to the relevant person’s MLRO that may have provided reasonable grounds for knowledge or suspicion of money laundering or the financing of terrorism. In both cases, records did not enable the MLRO to demonstrate the rationale for not submitting an eSAR to the JFCU.

4.3.3   In three instances, records relating to SARs did not enable the MLRO to demonstrate that eSARs had been raised as soon as was practicable and contained all of the relevant information that had been documented in the iSAR.

4.3.4   In some cases, it was not clear what steps MLROs had taken to ensure that they were made aware of new information or activity (including the termination of a business relationship), during the ongoing management of a customer who had been the subject of an eSAR.

Good Practice by MLROs

Some MLROs had created an MLRO evaluation template document that set out steps they would need to take to evaluate an iSAR and to record the rationale for their decision on whether or not to make an eSAR.

Within their evaluation template, the MLRO documented a detailed timeline of activity from the date the iSAR was received until the conclusion of their evaluation, in order to clearly demonstrate any reasons for delays.

The MLRO actively tracked relationships that continued to be maintained after an eSAR had been made to ensure any action that had been communicated to the JFCU was successfully completed, or to ensure that continuation reports were submitted when new information was discovered.

Good Practice - SAR Registers

SAR Registers contained sufficient information to allow the relevant person to be able to create a synopsis of each iSAR from the time the matter came to the employees attention, to closure of the MLRO’s case or the exit of the relationship.

 Good Practice - Managing Relationships after SAR

As well as procedures for reporting of suspicions, some relevant persons also provide written guidance to employees on how to manage a customer relationship after an employee has made an iSAR.

5 Section 9 of the Regulated Business Handbook – Screening, awareness and training of employees

The scope of financial crime examinations includes an assessment of employees awareness of their personal obligations, policies and procedures and of money laundering and terrorist financing risks facing the business. JFSC officers met with a number of employees ranging from junior employees to the board members and noted that while awareness of personal obligations and policies and procedures was high, awareness of risks faced by the relevant person was less well embedded.

5.1   Obligation to train relevant employees

5.1.1   A relevant person must make its employees aware of its policies and procedures to prevent, detect and report money laundering and terrorist financing. In addition, employees need to be aware of their own and the relevant person’s obligations under the statutory and regulatory requirements.

5.1.2   12 Findings in relation to employee awareness and training were identified. In half of the relevant persons examined, the training did not contain or contained incomplete information relating to the enactments in Jersey and relevant regulatory requirements.

5.1.3   In one example, mandatory training had not been completed by three of the relevant person’s board members in the 24 months predating the examination.

5.1.4   In one case, the relevant person did not keep records of which employees had been provided with its training in relation to money laundering and the financing of terrorism. In a small number of other cases, records relating to mandatory training did not enable relevant persons to readily demonstrate that all employees had completed mandatory training, or that appropriate action had been taken by management where training had not been completed within timeframes set by the stated policy.

5.1.5   In three instances, relevant persons were not able to evidence what training had been provided to non-relevant employees.

Good Practice –Training and Awareness

Training included practical examples or case studies aligned to the business model and customer base.

Employees were able to provide examples of money laundering typologies or unusual activities that were relevant to their day-to-day roles, even in the case of junior positions.

Part 2 - Schedule 2 business

a)   Executive summary

In respect of Schedule 2 businesses, a random sample of 12 relevant persons were examined representing accountants, estate agents, lawyers and lenders. The review of the 12 Schedule 2 businesses resulted in JFSC officers highlighting 71 findings where statutory and regulatory requirements set out in the relevant Schedule 2 Handbook[v] had not been complied with or were only partially being complied with.

The findings of the Schedule 2 business examinations mirrored those identified in the financial crime examinations undertaken at regulated financial services businesses that are detailed in the sections above. Relevant persons undertaking Schedule 2 business should assess the key themes, detailed findings and good practice detailed above, in conjunction with the specific data and analysis in this section, against their own arrangements to prevent detect and report money laundering and the financing of terrorism; and take action where necessary to enhance systems and controls (including policies and procedures).

The number and percentage of relevant persons carrying on Schedule 2 business that participated in the 12 examinations in each sector was as follows:

Financial crime examination activity at Schedule 2 businesses involved 19 employees of relevant persons taking part in 32 meetings with JFSC officers, who reviewed:

  • 319 documents;
  • 54 randomly-selected customer files;

Within the 71 findings noted above, JFSC officers identified 25 instances where the statutory obligations in respect of the Proceeds of Crime (Jersey) Law 1999 or the Order had not been complied with or were only partially being complied with.

The distribution of the findings arising from the Schedule 2 business financial crime examinations versus the relevant section of the relevant Schedule 2 Handbook was as follows:

The charts above highlight the findings in relation to Schedule 2 business financial crime examinations most commonly arose as a result of non-compliance or partial non-compliance with the statutory and regulatory requirements concerning:

  • Reporting suspicions of money laundering  or the financing or terrorism;
  • senior management and board responsibilities;
  • the establishment and maintenance of adequate and effective systems and controls (including policies and procedures);
  • ongoing monitoring; and
  • identification measures.

The findings indicated that relevant persons were not able, in the majority of cases, to demonstrate that systems and controls (including policies and procedures) to prevent, detect and report money laundering and the financing of terrorism were adequate and fully effective. Consequently, the relevant persons were unable to demonstrate full compliance with statutory and regulatory requirements.

In particular, financial crime examinations of Schedule 2 businesses highlighted:

  • Inadequate Business Risk Assessments (BRA);
  • Ineffective Customer Risk Assessments (CRA) and weaknesses generally in customer on boarding processes;
  • Failure to document policies and procedures (systems and controls);
  • Failure to document decision making and evidencing outcomes;
  • Absence of the testing of effectiveness of systems and controls;
  • Inadequate policies and procedures relating to Politically Exposed Persons (PEP); and
  • Inadequate Suspicious Activity Reporting (SAR) processes

It is imperative that boards and senior management of relevant persons are able to demonstrate that they have considered, documented and tested compliance with the statutory and regulatory requirements set out in the relevant Schedule 2 Handbook and the matters described in this Feedback Paper against their own arrangements to prevent detect and report money laundering and the financing of terrorism and have taken action where necessary to enhance systems and controls (including policies and procedures).

b) Key themes

Senior management responsibilities

JFSC officers identified that at 10 of the 12 relevant persons examined, senior management had not established and documented a formal strategy to counter money laundering and terrorist financing. Senior Management had not in all cases maintained appropriate and consistent policies and procedures in order to prevent and detect money laundering and terrorist financing and did not demonstrate an adequate regard for the degree of risk of money laundering and terrorist financing when considering types of clients, business relationships, products and or transactions with which the relevant person was concerned.

At all of the 12 relevant persons examined, BRAs required further development as the document did not fully consider the effectiveness of the relevant person’s control environment in managing and mitigating the risks identified. Key risks were not considered in any detail nor were barriers to the effective operation of systems and controls (such as cultural barriers).

The examinations highlighted the following:

  • BRAs did not consider all key financial crime risks or exposure to financial crime risks in the round or as a whole. Consideration was not given to organisational structure, the financing of terrorism, bribery and corruption, fraud (internal and external), targeted financial sanctions and cyber-security related crimes.
  • BRAs did not consider the cumulative effect of risks identified, nor did the BRAs include a consideration of cultural barriers such as actual and potential conflicts of interests arising out of performing multiple business functions, such as being an owner or undertaking a customer-facing role whilst acting as the relevant person’s MLCO and/or MLRO.
  • BRAs were often undated, out of date and without version control.
  • All 12 relevant persons examined considered their risk appetite to be low but had not, in all cases, documented a risk appetite statement. Findings of customer file reviews undertaken by JFSC officers were not always aligned with the relevant person’s view of the customer’s business and risk profile.
  • BRAs did not assess the risk of utilising exemptions from applying identification measures nor the risks inherent in placing reliance on obliged persons.
  • There was no evidence of measures undertaken to assess the effectiveness of the relevant person’s control environment at managing financial crime risks and compliance with the statutory obligations and regulatory requirements described in the relevant Handbook.

Adequate and effective systems and controls (including policies and procedures)

JFSC officers identified numerous instances where policies and procedures relating to various activities linked to the prevention and detection of financial crime had not been established and maintained, including the following:

  • No monitoring plan had been established to monitor and test the effectiveness of policies and procedures.
  • Policies and procedures were too generic and failed to adequately meet the statutory and regulatory requirements set out in the relevant Schedule 2 Handbook.
  • CRA were often not fully effective, as risk ratings were overly subjective with no consistent format for assessing and recording of the CRA.
  • Several cases were observed where policies or procedures had not been updated in accordance with the organisation’s stated internal policy and/or did not take account of recent regulatory developments. Most frequently this related to the updated definition of a local PEP.
  • Policies and procedures did not always provide adequate guidance to employees concerning relevant connections to enhanced risk states, countries where enhanced CDD measures may need to be applied by the relevant person or steps to be taken in the event that a connection was identified to financial sanctions or other measures implemented to prevent and detect financial crime.

Reporting knowledge or suspicion

The JFSC is particularly concerned that at all of the 12 relevant persons examined, findings highlighted that those relevant persons were unable to demonstrate that systems and controls (including policies and procedures) in respect of reporting knowledge or suspicion of money laundering and the financing of terrorism were adequate and effective. Consequently, in all 12 examinations relevant persons were unable to fully evidence that the relevant person, or employees of the relevant person, would be able to demonstrate that the statutory and regulatory requirements set out in the relevant Schedule 2 Handbook had been fully complied with.

In a high proportion of the Schedule 2 businesses examined, the MLRO and/or MLCO were also undertaking customer-facing roles. Relevant persons were unable to demonstrate how appropriate independence from customer-facing or business development roles was ensured and how such arrangements were subjected to appropriate independent scrutiny. Low levels or absence of SARs observed at the 12 relevant persons also indicated ineffective staff training and awareness, inadequate policy and procedures or potential cultural barriers.

The 12 examinations highlighted the following:

Internal SARs (iSARs)

  • Policies and procedures did not include the importance attached to making an iSAR as soon as is practicable nor the requirement for iSARs to be acknowledged by the MLRO as soon as is practicable
  • Policies and procedures did not require the MLRO to record all iSARs in a register.
  • No consideration or reference to the reporting requirements under the Terrorism (Jersey) Law 2002.
  • SAR procedures did not extend to business relationships and one-off transactions that are declined.

External SARs (eSARs)

  • A number of relevant persons did not have eSAR reporting procedures.
  • A number of relevant persons did not document all enquiries made by the MLRO in relation to iSARs.
  • MLROs were not able to demonstrate in all cases the rationale for not submitting an eSAR to the JFCU.
  • In some instances records did not enable MLROs to demonstrate that the eSARs were raised as soon as practicable.

Employees must know (i) where to locate a relevant person’s procedure for making a SAR and (ii) how to make a report. As well as ensuring employees are: (i) alert to money laundering and financing of terrorism risks; and (ii) well trained in the recognition of notable transactions or activity which may indicate money laundering or financing of terrorism activity, relevant persons must also take steps to ensure that employees are cognisant of the importance of submitting SARs to the MLRO as soon as practicable.

Reporting procedures must be clear and easy for employees to follow, whilst enabling the employee, the MLRO/DMLRO and the relevant person to all meet the statutory and regulatory requirements.

Ongoing monitoring

JFSC officers identified that nine relevant persons were not fulfilling the obligation to perform on-going monitoring. In the majority of relevant persons examined, it was identified that policies and procedures did not take into account the Jersey regime for the implementation, and compliance with, international financial sanctions and other measures for the prevention and detection of money laundering or the financing of terrorism.

In addition, findings including the following:

  • Relevant persons’ policies and procedures contained no reference to requirements concerning reporting suspected sanctions breaches to the Jersey Minister for External Relations.
  • JFSC officers were advised that on-going monitoring was not performed as the majority of transactions were ‘one-off’. However, the customer files reviewed demonstrated that the relevant persons concerned had ongoing business relationships with the customer.

Obligations to promote awareness and to train

Seven of the 12 relevant persons had failed to provide or to undertake any AML/CFT training and JFSC officers considered that training and awareness was generally inadequate at all 12 relevant persons examined.

Relevant persons had not established adequate policies and procedures on effective and structured delivery of AML/CFT training and were not able to demonstrate that staff were kept up-to-date with money laundering techniques, methods and trends and on the financing of terrorism.

No testing to assess the effectiveness of training received by employees had been carried out.

Identification Measures

Two-thirds of the relevant persons examined had not adequately maintained appropriate policies and procedures relating to the application of an effective risk based approach to CDD measures. 

Findings in this area included the following:

  • Relevant persons had not obtained appropriate information for assessing the risk that a business relationship or one-off transaction would involve money laundering or the financing of terrorism.
  • Source of funds was often detailed as the bank account the funds were being paid from and not the activity that generated the funds for the relationship, such as the customer’s occupation or business.
  • Source of wealth was often confused with source of funds. Source of wealth is defined in the relevant Schedule 2 Handbook as being distinct from source of funds and describes the activities that have generated a customer’s funds and property.

Customer risk assessment (CRA)

In eight of the 12 examinations, JFSC officers identified inadequate CRA or failure to undertake a CRA.

The examinations highlighted the following:

  • CRAs did not consider all the potential risks relevant to the customer when considering the risk of whether a relationship may involve money laundering or the financing of terrorism.
  • Policies and procedures did not distinguish between foreign and domestic PEPs.
  • Policies and procedures did not include the risk that a client may subsequently acquire PEP status in all cases.
  • Relevant persons did not always consider the risks inherent in relationships with prominent persons or high profile individuals.
  • There was no documented methodology used (such as a risk matrix) to consistently consider risk factors associated with customer relationships. Policies and procedures did not take into account the risk of non-face-to-face relationships.
  • Relevant persons did not consider the factors listed in Appendix D2 to the relevant Schedule 2 Handbook.
  • Policies and procedures did not provide guidance to employees concerning customers that may have a relevant connection with an enhanced risk state.

Simplified CDD measures and exemptions

In many cases, relevant persons were unable to demonstrate full compliance with the statutory and regulatory requirements set out in the relevant Schedule 2 Handbook. Findings indicated that relevant persons did not fully understand the circumstances in which exemptions from applying identification measures may be utilised by relevant persons.

c)   Conclusion

Of the 12 Schedule 2 businesses examined, the cohort was assessed to be only partially complying with statutory and regulatory requirements and that systems and controls to prevent and detect money laundering and the financing of terrorism were largely inadequate or ineffective. The Schedule 2 businesses were required to submit and agree remediation plans to address the findings in a timely manner. 

A key component of regulatory effectiveness is to ensure that where a business has completed the remediation activity, they have done so in a way that is sustainable and addresses the breaches of statutory obligations identified. The JFSC will undertake a programme of control testing of all 12 examined entities later in 2021 to ensure the remediation has been completed and is appropriately embedded.

Scope and Methodology

The scope and methodology for visits and examinations carried out by the JFSC is published on the JFSC website and can be found here:

https://www.jerseyfsc.org/industry/visits-and-examinations/

In addition, the archive of other feedback papers published by the JFSC with content relevant to some of the themes discussed in this paper such as ‘Compliance Monitoring Plans’; ‘Reliance on Obliged Persons’; ‘Q4 2019-Q1-2020 Financial Crime Examinations Feedback’; and ‘the Role of the Money Laundering Reporting Officer’ can be found in the same location.

Glossary of Terms

AML

Anti-Money Laundering

BBJL

Banking Business (Jersey) Law 1991

Board

Board of Directors the function described in Section 2.1 of the Handbook

BRA

Business Risk Assessment

CDD

Customer Due Diligence

CDD Measures

Measures set out in Article 3 of the Order

CFT

Countering the Financing of Terrorism

CMP

Compliance Monitoring Programme

CRA

Customer Risk Assessment

Customer

Means a customer of a relevant person as defined in the Order and the Handbook.

DMLRO

Deputy Money Laundering Reporting Officer

ECDD

Measures described in the Order at Article 15 “Enhanced customer due diligence”

eSAR

External Suspicious Activity Report

Guidance

The Guidance provided to relevant persons in the Handbook for the Prevention and Detection of Money Laundering and the Financing of Terrorism.

iSAR

Internal Suspicious Activity Report

JFCU

The Joint Financial Crimes Unit (Officers of the JFCU are the designated police and customs officers for the purposes of the Order).

JFSC

Jersey Financial Services Commission

MLCO

Money Laundering Compliance Officer

MLRO

Money Laundering Reporting Officer

Order

Money Laundering (Jersey) Order 2008

PEP

Politically Exposed Person as described in Article 1 and 15A of the Order

Person

Means any natural or legal person (including a body of persons corporate or unincorporated)

Regulatory laws

Collectively the:

Banking Business (Jersey) Law 1991;

Collective Investment Funds (Jersey) Law 1988;

Financial Services (Jersey) Law 1998, and

Insurance Business (Jersey) Law 1996.

Regulated Business Handbook

Handbook for the Prevention and Detection of Money Laundering and the Financing of Terrorism for Regulated Financial Services Business

Regulated financial services business

A person that is registered with, or holds a permit issued by, the JFSC under one of the four prudential/conduct of business regulatory laws.

Regulatory requirements

The AML/CFT Codes of Practice contained within the Regulated Business Handbook and relevant Schedule 2 Handbooks

Relevant person

Means a person carrying on financial services business in or from within Jersey as defined under Article 1(1) of the Order

Relevant Schedule 2 Handbook

Means, the relevant handbook from the following list:

Handbook for the Prevention and Detection of Money Laundering and the Financing of Terrorism for the Legal Sector

Handbook for the Prevention and Detection of Money Laundering and the Financing of Terrorism for the Accountancy Sector

Handbook for the Prevention and Detection of Money Laundering and the Financing of Terrorism for Estate Agents and High Value Dealers

SAR

Suspicious Activity Report

Schedule 2 business

In this report:

a business described in Part B of Schedule 2 to the Proceeds of Crime (Jersey) Law 1999

SoF

Source of Funds

SoW

Source of Wealth

[i] The JFSC has issued four Handbooks which include statutory requirements text, set regulatory requirements in the form of a Code of Practice and provide guidance on how to comply with the statutory and regulatory requirements. The four Handbooks cover regulated businesses, the legal sector, accountants, estate agents and high value goods dealers.              

[ii] Regulatory requirements are established using Article 22 of the Proceeds of Crime (Supervisory Bodies) Law 2008 and form part of the Handbooks.

[iii] Compliance Officer, MLRO or MLCO

[iv] Q4 2019 – Q1 2020 Compliance Monitoring Plans (CMP) thematic review

[v] Three Handbooks have been published in respect of the following Schedule 2 business: the legal sector, accountants; estate agents and high value dealers.