IQ EQ (Jersey) Limited (formerly, First Names (Jersey) Limited)
1 Action
1.1 On 17 June 2022 the JFSC imposed a civil financial penalty of £803,661.17 on IQ EQ Jersey under the Commission Law.
1.2 IQ EQ Jersey is registered by the JFSC under the FS(J)L to conduct trust company business services. IQ EQ Jersey was formerly known as First Names until March 2019, when it rebranded following a change of ownership in July 2018. Between 2012 and 2016, First Names acquired a number of regulated Jersey trust company businesses. These acquired businesses became participating members of the First Names affiliation.
1.3 Whilst this public statement briefly describes the background to this matter, the civil financial penalty imposed relates only to those breaches arising from the findings of a targeted reporting professional’s review conducted in 2020, which focused on the period from 1 January 2018 to 29 November 2019 (the relevant period). Ten of the 16 customers reviewed originated from the acquired businesses and the same proportion had been exited or were in the process of being exited by IQ EQ Jersey at the time of the review. The majority of the reporting professional’s customer review findings relates to former customers and therefore their origins are largely historic.
1.4 On the basis of the reporting professional’s review, the JFSC determined it necessary and proportionate to impose the civil financial penalty under the Commission Law, having concluded that IQ EQ Jersey negligently breached requirements of the AML/CFT Code and the TCB Code by, in certain circumstances, failing to:
1.4.1 Conduct and record an up-to-date AML/CFT BRA (AML/CFT Code 2.3.10);
1.4.2 Assess the effectiveness of, and compliance with, systems and controls (including policies and procedures), and take prompt action necessary to address identified deficiencies with its systems and controls (AML/CFT Code 2.3.14);
1.4.3 Establish and maintain appropriate and consistent systems and controls to prevent and detect financial crime (AML/CFT Code 2.4.29);
1.4.4 Apply a risk-based approach to determine the extent and nature of the measures required when carrying out CDD (AML/CFT Code 3.3.27);
1.4.5 Keep adequate and orderly CDD records (AML/CFT Code 10.4.2.28);
1.4.6 Act with due skill, care and diligence to fulfil the responsibilities it has undertaken (Section 2.1 of the TCB Code);
1.4.7 Take all reasonable steps to obtain sufficient information so that it could exercise discretion or other powers in a proper manner, where it was responsible for exercising discretion for its customers (Section 2.2 of the TCB Code);
1.4.8 Ensure that it implemented adequate procedures to conduct detailed and robust reviews of its customers at appropriate intervals (Section 2.7 of the TCB Code);
1.4.9 Have its business affairs adequately monitored and controlled at senior management and board level (Section 3.1.1.5 of the TCB Code);
1.4.10 Comply with all AML/CFT legislation and guidance, including the AML/CFT Handbook by virtue of the breaches of the AML/CFT Code set out above (Section 3.2.1.4 of the TCB Code); and
1.4.11 Supply customers with confirmation, in writing, of the services that it was providing (Section 4.5 of the TCB Code).
1.5 IQ EQ Jersey agreed to settle at an early stage of the process and therefore qualified for a 50% (Stage One) discount under the JFSC’s settlement procedure. Were it not for this discount, IQ EQ Jersey may have been liable to a civil financial penalty of £1,607,322.34.
1.6 The JFSC issues this public statement under Article 25(ba) of the FS(J)L and Article 26(ba) of the Supervisory Bodies Law and does so to support its guiding principles:
1.6.1 To protect and enhance the reputation and integrity of Jersey in commercial and financial matters; and
1.6.2 The need to counter financial crime.
1.7 In determining the quantum of the civil financial penalty, the JFSC took into account: the fact that no customer suffered losses from the matters identified; the IQ EQ Jersey Board engaged the services of a regulatory consulting firm to help address the findings of the reporting professional and support a remediation exercise; the commencement and operation of the remediation exercise was fully supported by the wider IQ EQ group; and IQ EQ Jersey’s cooperation with the JFSC during the reporting professional process.
1.8 Definitions used in this public statement can be found in the glossary at the end of this statement.
2 Background
2.1 IQ EQ Jersey is registered by the JFSC under the FS(J)L to conduct trust company business services. IQ EQ Jersey was formerly known as First Names until March 2019, when it rebranded following a change of ownership in July 2018.
2.2 In 2015 and 2016, two on-site examinations identified significant issues relating to First Names’ AML/CFT corporate governance. After two further independent reviews were undertaken, the JFSC was not satisfied that First Names was in full compliance with the requirements of the regulatory framework. In January 2018, the JFSC commenced an investigation into First Names’ conduct for the period 1 January 2015 to 31 December 2017 (the 2018 investigation).
2.3 The JFSC concluded the 2018 investigation in November 2019, by which time First Names was now IQ EQ Jersey. The 2018 investigation identified regulatory failings by First Names between 2015 and 2017. IQ EQ Jersey acknowledged historical operational and cultural challenges due to past acquisitions of regulated businesses but did not accept the 2018 investigation findings.
2.4 IQ EQ Jersey was required to appoint an independent reporting professional to assess the effectiveness of IQ EQ’s processes, systems and controls and compliance with the regulatory framework during the relevant period by reference to a targeted review of 16 customer structures. As stated previously, ten of the 16 customers reviewed by the reporting professional originated from previous regulated business acquisitions.
2.5 In July 2020, the independent reporting professional produced a report which identified non-compliance by IQ EQ Jersey with the regulatory framework during the relevant period.
3 Summary of findings
3.1 The JFSC has concluded that during the relevant period, IQ EQ Jersey’s specific systems, controls and corporate governance arrangements as noted below were inadequate to mitigate financial crime risk by reference to the 16 customer structures reviewed. IQ EQ Jersey negligently breached certain sections of Principles 2 and 3 of the TCB Code, section 4.5 of the TCB Code and certain sections of the AML/CFT Code.
3.2 IQ EQ Jersey’s breaches are considered to be significant and material because they left the business open to the risk of being used to further financial crime both domestically and internationally during the relevant period. These matters are of serious concern to the JFSC and can significantly undermine the integrity and stability of Jersey’s financial services industry.
3.3 The JFSC has determined the root causes of the breaches can be attributed to the boards of First Names and, from March 2019 to November 2019, IQ EQ Jersey, failing to exercise robust oversight and control in ensuring adequate and timely remediation of financial crime weaknesses. The JFSC considers the boards also failed to sufficiently recognise the risks and increased complexity arising from the business and customers following various acquisitions of regulated businesses, and to ensure commensurate and robust controls were in place to mitigate such risks.
3.4 Further detail concerning IQ EQ Jersey’s breaches is outlined below.
Board oversight
3.5 The TCB Code requires senior management and the board to adequately monitor and control the business and affairs of a trust company business. This includes keeping adequate, orderly and up-to-date records of board and management minutes.
3.6 The AML/CFT Code requires boards to demonstrate the existence of adequate and effective systems and controls to counter financial crime. It further requires boards to assess both the effectiveness of, and compliance with, systems and controls (including policies and procedures), and take prompt action where necessary to address any deficiencies.
3.7 As detailed below, the reporting professional identified that in certain circumstances during the relevant period, IQ EQ Jersey failed to maintain adequate systems and controls to mitigate financial crime risk.
3.8 During the relevant period, the IQ EQ Jersey Board delegated authority to a Risk and Compliance Committee to consider, attend to or make recommendations to the IQ EQ Jersey Board on risk and compliance matters. The IQ EQ Jersey Board considered reports from the Risk and Compliance Committee at its quarterly meetings. During the relevant period, the IQ EQ Jersey Board considered four of the 16 customers selected for review as they had been escalated to it due to significant risk and compliance matters being identified.
3.9 The JFSC expects robust discussion of risk and compliance matters at board meetings and for this to be adequately recorded in board minutes. However, the reporting professional identified from IQ EQ Jersey Board minutes that the IQ EQ Jersey Board failed to address the ‘root cause’ of the issues presented by the four customers it considered and, rather, focused on the particular circumstances of the matters raised.
3.10 The JFSC considers that had more robust oversight been exercised by the IQ EQ Jersey Board and had it recognised and responded to issues being raised both internally and by the JFSC, the matters outlined below could have been mitigated.
Business risk assessment
3.11 The AML/CFT Code requires the board of a regulated trust company business, like IQ EQ Jersey, to conduct and record a BRA and keep it up-to-date. The board of a dynamic and growing business can demonstrate its BRA is up-to-date by reviewing it annually or as and when events occur that could materially change its financial crime risks, for example, the acquisition of another business.
3.12 The AML/CFT Code further requires the assessment to consider the cumulative effect of risks identified, which may exceed the sum of each individual risk element. As detailed in the JFSC’s published guidance on compliance monitoring, the JFSC considers a BRA should detail the impact and probability of these risks and consider the risk of non-compliance before (inherent) and after controls have been applied (residual).
3.13 From 2012, whilst it was First Names, IQ EQ Jersey’s business rapidly grew in terms of size and governance. As a result, both the JFSC and reporting professional consider its BRA should have been updated, at least, on an annual basis. Although IQ EQ Jersey’s BRA was discussed by the IQ EQ Jersey Board numerous times at varying intervals during the relevant period, at the time of the reporting professional’s review, it had not been updated and formally adopted by the IQ EQ Jersey Board since June 2018. As the BRA had not formally been updated for an 18 month period, there was an increased risk that the BRA did not adequately reflect the current risks pertaining to IQ EQ Jersey’s business.
3.14 The JFSC considers IQ EQ Jersey’s BRA during the relevant period could have been improved by:
3.14.1 Referencing the impact and probability of risk;
3.14.2 Clearly identifying inherent risks;
3.14.3 Containing key data on relevant topics, such as revenue, complaints, breaches, operational incidences, previous compliance monitoring, audit reports and concerns of senior management;
3.14.4 Considering the effectiveness of the controls said to be in place; and
3.14.5 Referencing how the results of compliance monitoring plans informed the information contained within the BRA.
3.15 By failing to maintain and record an up-to-date BRA, the IQ EQ Jersey Board could not evidence it was sufficiently sighted on IQ EQ Jersey’s financial crime risks.
Customer risk assessments
3.16 The MLO requires appropriate and risk-sensitive policies and procedures to be maintained relating to risk assessment and management. The MLO further states that an assessment must be conducted of the risk that any customer relationship will involve money laundering, and that appropriate information must be obtained for assessing that risk. Properly recognising and recording the potential for financial crime risk ensures appropriate, enhanced controls are in place to mitigate any risks identified including EDD and, where appropriate, more frequent periodic reviews.
3.17 IQ EQ Jersey developed its own internal risk rating system to ensure key risks were identified, rated and documented for each customer to which it provides services. However, the definition of risk within IQ EQ Jersey’s customer risk assessment policy placed greater emphasis upon the commercial risks posed to IQ EQ Jersey, rather than financial crime risks. This increased the risk that IQ EQ Jersey’s customers were inappropriately risk-rated for financial crime purposes.
3.18 In certain circumstances, the reporting professional identified IQ EQ Jersey’s customer risk assessment process resulted in the application of a “standard” risk rating by default, without evidence of sufficient documented consideration being given to financial crime risk factors. The assignment of a “standard” risk rating led to IQ EQ Jersey being unable to demonstrate it appropriately risk-rated six customers reviewed by the reporting professional for financial crime purposes. This impacted the level of CDD undertaken and the frequency of on-going monitoring. It was noted by the reporting professional, however, that IQ EQ Jersey planned enhancements to IQ EQ’s risk management system, including the revalidation of the standard risk-rating.
3.19 The reporting professional also found the risk rating applied by IQ EQ Jersey related specifically to IQ EQ Jersey’s customer for business (i.e. the entity with which it has a contract for services). Although IQ EQ Jersey’s policies and guidance required consideration to be given to the wider relationship when assessing the overall financial crime risk, in practice, the reporting professional found instances where IQ EQ Jersey’s policy had not been complied with. The risk assessment and narrow focus solely on the ‘customer for business’ led to deficiencies in CDD and EDD, increasing financial crime risk.
Customer due diligence
3.20 The MLO requires that CDD is conducted for a business relationship or one-off transaction. CDD should be performed by way of a three stage approach, (i) obtain information; (ii) risk assess; and (iii) obtain evidence according to its risk assessment of the customer. To understand the ownership and control structure (and determine the ultimate beneficial owners and/or controllers) and to make an informed risk assessment, information should be obtained in relation to all persons (natural and legal) in a customer structure.
3.21 For the 16 customers reviewed, IQ EQ Jersey’s CDD measures were found by the reporting professional to be principally focussed on the ‘customer for business’ and, in some cases, failed to give sufficient consideration to the wider customer relationship, such as beneficial owners/controllers. This meant, on occasion, IQ EQ Jersey failed to obtain sufficient CDD for customers, increasing the possibility that financial crime risks arising via ownership or control may not have been identified or mitigated.
3.22 In one instance, the reporting professional identified that IQ EQ Jersey had initially relied upon confirmation from a regulated third-party insurance firm as to the beneficial owner of a customer. It was subsequently determined that the information relied upon was incorrect, leading to CDD deficiencies in that regard.
Enhanced due diligence
3.23 The MLO requires EDD to be carried out in any situation which presents a higher risk of money laundering. EDD must be in addition to the measures undertaken in circumstances presenting lower or standard risk and must address the particular risk presented. The AML/CFT Handbook provides non-exhaustive examples as to how a business, like IQ EQ Jersey, can apply EDD measures.
3.24 The reporting professional identified that while various IQ EQ Jersey policies and procedures contemplated some form of EDD, they lacked sufficient detail for the increasing size and complexity of IQ EQ Jersey’s business and customer base. The policies and procedures did not assist IQ EQ Jersey staff by providing a bespoke and clear reference point to understand when and how to apply EDD measures, which resulted in an inconsistent application of EDD to IQ EQ Jersey’s customers.
3.25 While instances were identified where IQ EQ Jersey could demonstrate appropriate EDD was undertaken, in three cases reviewed by the reporting professional, IQ EQ Jersey correctly assessed the customers as high risk but failed to undertake EDD as required. By failing to consistently apply EDD measures, IQ EQ Jersey was exposed to an increased risk that financial crime might not be detected.
Source of funds and source of wealth
3.26 The CDD and EDD performed by IQ EQ Jersey did not sufficiently take into account source of funds and source of wealth information. Source of funds and source of wealth was populated by IQ EQ Jersey within a single field in its system, despite being two clear and distinct matters. Source of funds information for all customers and source of wealth for high risk customers must be clearly and separately recorded and articulated to manage financial crime risk effectively.
3.27 For one customer that was dissolved in 2018, the description for the customer’s source of funds/source of wealth detailed the history of the beneficial owner’s businesses. It did not make reference to the overlying trust from where monies may have derived for the customer, ultimately failing to clearly identify source of funds information.
Customer profiles and on-going monitoring
3.28 The MLO requires on-going monitoring of a customer relationship which includes scrutinising transactions and ensuring that data or information, including CDD, is kept up to date and relevant. For effective on-going monitoring to take place and to identify any unusual or suspicious transactions/activity, an up-to-date and accurate customer business risk profile must be recorded and maintained.
3.29 The reporting professional identified IQ EQ Jersey’s documented customer business profiles were limited to transactional considerations only. In one instance identified by the reporting professional, this hindered IQ EQ Jersey’s ability to carry out effective monitoring to identify unusual transactions/activity. The JFSC also considers this increased the risk of IQ EQ Jersey failing to comply with its suspicious activity reporting obligations under the POC(J)L.
3.30 The reporting professional also identified matters suggesting that during the relevant period, IQ EQ Jersey’s periodic review process was not as sufficiently robust as it should be.
3.31 For example, for certain customers reviewed, periodic reviews were identified by the reporting professional which had failed to identify inadequate CDD and missing service agreements (outlined below). The reporting professional also identified periodic reviews which, on occasion, were “closed off” without issues being addressed and three breaches of IQ EQ Jersey’s periodic review policy where matters identified from two periodic reviews were not remediated within the timeframe set out in the review policy.
3.32 For three out of the 16 customers reviewed, the reporting professional found that not all relevant parties associated with IQ EQ Jersey’s customer for business were populated within its customer database and therefore not subject to IQ EQ Jersey’s daily automated screening processes. This meant IQ EQ Jersey could not readily identify potential adverse information about connected parties to its customer to consider potential financial crime risks.
3.33 Due to the above deficiencies, in certain instances, IQ EQ Jersey was unable to undertake effective on-going monitoring in a timely manner and to adequately re-assess the customer relationships as they developed over time, leaving it under-informed of potential financial crime risk.
Other matters
3.34 While general terms of business were in place, in five out of the 16 customers reviewed, IQ EQ Jersey failed to have or put in place, or execute in a timely manner, service agreements with its customers (section 4.5 of the TCB Code).
3.35 The reporting professional identified in eight out of 16 customer files reviewed, IQ EQ Jersey’s corporate governance for its customers (principally as corporate directors and, occasionally, in its fiduciary capacity) was focussed on the wishes of the beneficial owner or ultimate client. Consequently, attention was insufficiently focussed on the business of its customers (Principle 2 of the TCB Code).
4 Aggravating factors
4.1 The regulatory compliance record of First Names, as evidenced by the findings of the 2015 and 2016 on-site examinations and the 2018 investigation.
4.2 Instances where IQ EQ Jersey failed to comply with its own financial crime policies and procedures.
4.3 An absence of one clear policy relating to EDD (although there were various policies and procedures contemplating some form of EDD).
4.4 The JFSC has published guidance on the steps businesses can take to reduce their financial crime risk, including the AML/CFT Handbook, guidance notes, examination feedback papers and public statements. Despite having access to this documentation, IQ EQ Jersey failed to comply with elements of the AML/CFT Code therefore increasing its financial crime risk.
5 Mitigating factors
5.1 No customer suffered losses from the matters identified.
5.2 The IQ EQ Jersey Board engaged the services of a regulatory consulting firm to help address the findings of the reporting professional and support a remediation exercise. This included:
5.2.1 Devising an improved financial crime training programme for all IQ EQ Jersey staff;
5.2.2 Undertaking further reviews to prevent recurrence of the issues identified; and
5.2.3 Making changes to the IQ EQ Jersey Board composition, including the appointment of a non-executive director.
5.3 The commencement and operation of the remediation exercise was fully supported by the wider IQ EQ group, which included de-risking the business that was acquired as a result of the acquisitions.
5.4 IQ EQ Jersey cooperated with the JFSC during the reporting professional process.
6 Sanction
6.1 On 17 June 2022, the JFSC imposed a civil financial penalty of £803,661.17 on IQ EQ Jersey, under the Commission Law.
6.2 IQ EQ Jersey agreed to settle at an early stage of the process and therefore qualified for a 50% (Stage One) discount under the JFSC’s settlement procedures.
For further enquiries, contact the Enforcement team.
Glossary
| Term | Definition |
| --- | --- |
| AML/CFT | Anti-money laundering/countering the financing of terrorism |
| AML/CFT Code | AML/CFT Code of Practice as set out in the Handbook for the Prevention and Detection of Money Laundering and the Financing of Terrorism for Regulated Financial Services Business |
| AML/CFT Handbook | Handbook for the Prevention and Detection of Money Laundering and the Financing of Terrorism for Regulated Financial Services Business |
| BRA | Business risk assessment and strategy |
| CDD | Customer due diligence |
| Commission Law | Financial Services Commission (Jersey) Law 1998 |
| EDD | Enhanced due diligence |
| Financial crime | Financial crime, includes money laundering and terrorist financing. |
| First Names | First Names (Jersey) Limited (now IQ EQ (Jersey) Limited) |
| FS(J)L | Financial Services (Jersey) Law 1998 |
| IQ EQ Jersey | IQ EQ (Jersey) Limited |
| IQ EQ Jersey Board | IQ EQ’s board of directors |
| JFSC | Jersey Financial Services Commission |
| MLO | Money Laundering (Jersey) Order 2008 |
| POC(J)L | Proceeds of Crime (Jersey) Law 1999 |
| Regulatory framework | Collectively, the FS(J)L, Code of Practice for Trust Company Business, POC(J)L, MLO, Supervisory Bodies Law and AML/CFT Code. |
| Supervisory Bodies Law | Proceeds of Crime (Supervisory Bodies) (Jersey) Law 2008 |
| TCB Code | Code of Practice for Trust Company Business |