Public statement

Lutea Holdings Limited and Lutea Trustees Limited

1 Action

1.1   The JFSC determined it was necessary and proportionate to issue this public statement having concluded that, between 1 January 2018 and 2 September 2021 (the relevant period), Lutea failed to organise and control its affairs effectively for the proper performance of its business activities and did not operate adequate risk management systems.

1.2   The significant and material nature of Lutea’s corporate governance and internal systems and controls inadequacies led to serious regulatory compliance failings in the conduct of its business, particularly with regard to identifying and managing ML/TF risk.

1.3   Lutea breached requirements of the MLO, the AML/CFT Code, and Principles 2 and 3 and Section 4.5 of the TCB Code. A number of the failings were repeat findings from previous onsite examinations of Lutea, demonstrating Lutea’s failure to prioritise compliance matters and remediate regulatory failings over a period of time.

1.4   The JFSC concluded that the root cause of Lutea’s breaches was the ineffective operation of the Lutea Board during the relevant period, its lack of awareness of regulatory requirements and its engendering of an organisational culture without due regard for compliance.

1.5   Lutea’s failures left it vulnerable to significant ML/TF risk, posing an unacceptable risk to the integrity and stability of Jersey’s financial services industry. The JFSC, therefore, issues this public statement under Articles 25(b) of the FS(J)L and 26(b) of the Supervisory Bodies Law to support its objectives to:

1.5.1   Protect and enhance the reputation and integrity of Jersey in commercial and financial matters; and

1.5.2   Counter financial crime.

1.6   The matters outlined in this public statement were determined to be ineligible for consideration of a civil financial penalty.

1.7   Definitions used in this public statement can be found in the glossary on page eight.

2 Background

2.1   Lutea is registered under the FS(J)L to conduct trust company business in Jersey. During the relevant period, Lutea was part of an international group, certain entities within which provided trust and/or company services in their respective jurisdictions.

2.2   In 2018, Lutea notified the JFSC of a backlog of customer periodic reviews. To deal with the backlog, Lutea implemented a remediation programme, and employed additional file reviewers, with directors providing assistance.

2.3   Owing to concerns about Lutea, the JFSC conducted an on-site examination in 2019, focused on the adequacy of the periodic review remediation and Lutea’s wider compliance with the regulatory framework. The examination identified serious deficiencies and as a result, in 2020, Lutea was placed under investigation.

2.4   The investigation focused on Lutea’s corporate governance arrangements and conduct of business during the relevant period and included a review of nine customer files. The investigation findings also incorporated the conclusions of a corporate governance review conducted by a reporting firm.

3 Detailed findings

Corporate governance arrangements

3.1   Corporate governance is the system by which an entity is directed and controlled.  The JFSC specifically requires registered persons to organise and control its affairs for the proper performance of its business activities through effective corporate governance.

3.2   Robust risk management arrangements are integral to effective corporate governance. Principle 3 of the TCB Code requires registered persons to be able to demonstrate the existence of adequate risk management systems and the AML/CFT Code requires that these systems include mechanisms to prevent and detect ML/TF.

3.3   The detailed findings of the investigation into the adequacy of Lutea’s corporate governance arrangements, including its risk management systems, are set out below.

Business risk assessment

3.4   To facilitate adequate risk management, boards of registered persons are required to conduct, record and maintain a BRA that sets out all of the risks facing their particular business.  The AML/CFT Code sets out specific risk factors that must be considered in relation to ML/TF.

3.5   Previous on-site examinations identified inadequacies in Lutea’s BRA. The investigation also identified inadequacies in that Lutea’s BRA:

3.5.1   was not kept up to date or discussed on an on-going basis;

3.5.2   did not consider all risks relevant to Lutea’s business and, in particular, ML/TF risks specific to its organisational structure, customer base and products and services.

3.6   Lutea had also not established a formal strategy to counter ML/TF risk.

Compliance monitoring

3.7   Taking into account the conclusions of the BRA and strategy, boards must be able to demonstrate the existence of adequate and effective systems and controls to counter identified risks. Controls typically comprise of policies, procedures and oversight activities. Registered persons are required to conduct compliance monitoring to test the effectiveness of these controls and to take prompt action to address any deficiencies.

3.8   Inadequacies in Lutea’s historic compliance monitoring plans were brought to the attention of the Lutea Board during previous examinations. The investigation also identified the following:

3.8.1   there was no formal Board approved compliance monitoring plan for 2018 or 2019;

3.8.2   limited ad-hoc compliance monitoring testing had been conducted but there was no evidence that a risk based approach had been used to select the themes;

3.8.3   documentation of the testing conducted did not adequately demonstrate the seriousness or extent of findings;

3.8.4   there was no evidence of identified deficiencies being discussed by the Lutea Board; and

3.8.5   Prompt action was not taken to address these deficiencies.

On-going monitoring

3.9   Registered persons are also required to conduct on-going monitoring of customer relationships. On-going monitoring consists of scrutinising transactions undertaken throughout the course of a business relationship (through transaction monitoring) and keeping documents, data or information up to date and relevant (through periodic reviews).

3.10   Lutea did not have a transaction monitoring policy or procedure prior to 2019, despite repeat on-site examination findings regarding transaction monitoring. Further, despite inadequacies in Lutea’s periodic review process having been brought to Lutea’s attention in earlier on-site examinations, a significant periodic review backlog developed in 2018, and continued during the relevant period.

3.11   Inadequacies identified in the effectiveness of Lutea’s on-going monitoring activities are set out in the Conduct of Business section below.

Compliance reporting

3.12   The AML/CFT Code and the TCB Code require the MLCO and the Compliance Officer, respectively, to provide regular reports to the board.  The AML/CFT Code requires the MLRO to raise issues directly with the board which will typically be demonstrated through regular reporting.

3.13   Previous on-site examinations identified inadequacies and weaknesses in compliance reporting to the Lutea Board. The investigation found that, while compliance reports were presented to the Lutea Board during the relevant period, board minutes failed to demonstrate any discussion, consideration or challenge on the part of the Lutea Board in relation to the reports presented. Where compliance issues were brought to the Lutea Board’s attention, it often failed to act.

3.14   The investigation also identified that compliance reports lacked sufficient detail and content, including:

3.14.1   lack of focus on Lutea’s management of compliance risk and clear messaging on the most significant risks/issues for the Lutea Board’s consideration;

3.14.2   lack of detailed quantitative data, presented in a consistent manner, to support meaningful comparisons;

3.14.3   MLRO reporting, required by the Lutea Board, lacking sufficient detail for the Lutea Board to have adequate oversight of Lutea’s handling of suspicious activity reports;

3.14.4   MLCO reporting, required by the Lutea Board, being irregular and, when presented, lacking a clear summary of the overall status of compliance monitoring, key findings of any testing and any required remedial action; and

3.14.5   on occasion, no distinction in reporting between Lutea’s Jersey regulated entities and its international group companies.

Conflicts of interest

3.15   Adequate procedures regarding the avoidance and, if necessary, the management of conflicts of interest are required to be maintained by registered persons. Previous on-site examinations identified failures by Lutea in this regard.

3.16   The investigation identified that, until April 2019, Lutea operated without a Lutea Board approved conflicts of interest policy or procedure. Further, when such a policy/procedure was approved in April 2019, the Lutea Board failed to consider whether it was adequate and effectively applied by the business. This resulted in instances where, during the relevant period, Lutea failed to recognise and/or manage conflicts of interest.

Conduct of business

3.17   To counter the risk of financial crime (including ML/TF), the regulatory framework requires, amongst other matters, registered persons to adopt a proportionate, risk based approach to CDD measures and on-going monitoring in respect of customers.

3.18   Further, in the conduct of business with customers, registered persons must act with due skill, care and diligence and be transparent in their business arrangements.

3.19   To assess Lutea’s compliance with the regulatory framework relating to conduct of business, nine customer files were reviewed during the investigation.  Serious deficiencies were identified, certain of which were systematic across the files. Further details of the deficiencies are set out below.

Understanding ownership and control

3.20   Lutea’s procedures did not outline the requirement to obtain an understanding of the wider ownership and control structure of a customer.  As a result, the investigation identified instances where documented understanding of ownership and control was inadequate, including structure charts failing to identify all relevant parties.

3.21   By failing to adequately document its understanding of the ownership and control structure of these customers, Lutea was unable to demonstrate it had identified the individuals who were the customer’s beneficial owners and controllers and, therefore, identify all relevant ML/TF risks.

Finding out and evidencing identity (including EDD)

3.22   Previous examinations identified issues concerning Lutea’s application of CDD measures including, where required, EDD.

3.23   In all customer files reviewed, Lutea failed to conduct sufficient measures to adequately identify and verify all relevant parties to each customer relationship. Failures included a lack of address verification, no CDD measures conducted on controllers, and deficiencies in documented understanding and corroboration of source of funds and source of wealth.

3.24   Lutea’s EDD procedures were inadequate.  In particular, Lutea did not have any formal policies and procedures for the identification and management of PEPs.  The investigation identified a number of instances where EDD measures were not identified as being required or were not performed. Documentation of any discussions or considerations relating to the application of EDD in these instances was also absent. Issues identified included:

3.24.1   No evidence of consideration of the most appropriate EDD measures to be performed or whether EDD conducted was proportionate and commensurate with the specific risks posed;

3.24.2   Three customer files where, for over 10 years, EDD was absent or inadequate; and

3.24.3   One instance where Lutea failed to recognise and investigate a high risk factor at customer take on. An independent EDD report was subsequently commissioned but there was no evidence that Lutea reviewed the report or assessed the risks presented by the customer.

3.25   By failing to conduct and obtain sufficient identification measures, including routinely failing to identify customer relationships where the application of EDD measures was required, Lutea failed to identify and manage ML/TF risks arising from the customers reviewed and did not subject higher risk customers to the appropriate level of scrutiny.

Nature and purpose of the business relationship

3.26   In six of the nine customer files reviewed, Lutea failed to document adequate information on the nature and purpose of the business relationship and the rationale for Jersey as the chosen jurisdiction for establishment.

Assessing customer risk

3.27   Previous on-site examinations identified issues with Lutea’s customer risk assessments. The investigation found deficiencies in the risk assessments in eight of the nine customers files reviewed. Potential red flags which were not appropriately responded to by Lutea included:

3.27.1   A customer rated as low risk for over 10 years despite the presence of higher risk factors;

3.27.2   A customer where connections to high risk jurisdictions and activities were identified. Two risk assessments conducted in 2018 failed to consider these factors;

3.27.3   A customer risk assessment that stated there was no negative news and/or litigation despite the periodic review performed at the same time identifying beneficiaries that had been fined by tax authorities for falsifying records;

3.27.4   Two high risk customers where no annual customer risk assessments were conducted in 2018, as required by Lutea’s internal policies and procedures; and

3.27.5   A number of instances of customer risk assessments which were incomplete and/or not signed off or reviewed in a timely manner.

3.28   Lutea failed to demonstrate that it obtained sufficient information to effectively assess risk, including information regarding the ownership structure of its customers, jurisdictions of activities and assets, source of funds and the type, volume and value of activity expected.  By failing to conduct adequate risk assessments, Lutea could not evidence it applied a risk-based approach to identification measures for its customers or that it applied appropriate levels of scrutiny.

Customer business and risk profiles

3.29   None of the nine customer files reviewed had an adequate customer profile in place prior to 2020. In 2020, Lutea began to prepare customer profiles as part of its remediation programme. However, the profiles subsequently prepared for the nine customer files reviewed lacked sufficient information and detail to demonstrate a full understanding of the customer and its associated risks.

3.30   Lutea’s failure to create and maintain adequate customer profiles impacted its ability to carry out effective on-going monitoring, identify unusual customer transactions or activity and consequently, mitigate ML/TF risk.

Letters of engagement

3.31   In six of the nine customer files reviewed, Lutea failed to either provide or adequately provide confirmation, in writing, of the services provided, or a contract, agreement or other written form setting out its terms of business. Consequently, for these customers, Lutea failed to act transparently in its business arrangements as it was not always possible to clearly identify which customer entity Lutea was engaged with or the nature and terms of services provided and, accordingly, the extent of Lutea’s fiduciary obligations.

On-going monitoring

3.32   The requirements relating to on-going monitoring are set out earlier in this public statement.

3.33   In terms of Lutea’s scrutiny of customer transactions, transaction checklists could not always be located on the customer files reviewed, or where they were in place, were not always completed or formally signed off. 

3.34   No evidence was held on the customer files reviewed of Lutea scrutinising transactions to ensure it was comfortable with the activity. For example, in one instance, Lutea failed to document an investigation into why a payment was received from a bank account that differed from the one stated in the transaction corroboration provided by the customer.

3.35   In terms of keeping documents, data or information up to date and relevant, deficiencies were identified in periodic reviews performed by Lutea during the relevant period in the customer file reviews. These included:

3.35.1   The frequency of reviews not being conducted in line with Lutea’s internal periodic review policy;

3.35.2   Failures in identifying deficiencies such as absent CDD/EDD, no customer profiles, or inadequate customer risk assessments.

3.35.3   Reviews not signed off in accordance with Lutea’s policies and procedures and/or not signed off in a timely manner;

3.35.4   Incorrect information being documented in the reviews; and

3.35.5   Reviews being incorrectly signed off as complete when remedial actions remained outstanding.

Record-keeping

3.36   Lutea’s customer record-keeping was very poor and customer records were not kept in an adequate, orderly or up to date manner. For all nine customers files reviewed there was a lack of key documentation (as outlined above), including risk assessments, customer profiles and CDD/EDD.  There was no central storage system for Lutea’s customer records, meaning there was an inconsistent approach to the filing of customer data and directors regularly stored customer records in personal folders.

Acting with due skill, care and diligence

3.37   For one customer file reviewed, Lutea failed to act with due skill care and diligence as required by the TCB Code.

3.38   Whilst performing a periodic review in 2020, Lutea identified that the assets of its customer, a trust, had been resettled in December 2019, into a newly established trust. The resettlement was strictly prohibited by the trust deed.

3.39   The resettlement of assets was initiated to enable an additional beneficiary to benefit from assets that, had they remained within the original trust, they may have been unable to benefit from.

3.40   By suggesting and supporting the resettlement, Lutea failed to demonstrate how it considered the impact, and acted to avoid any detriment to, the best interests of its customer and, accordingly, to exercise due skill, care and diligence.

Additional findings

3.41   During the relevant period, Lutea facilitated unauthorised financial service business in Jersey by Lutea group companies. The Lutea Board failed to identify this activity as being an issue, despite certain Lutea Board members being directors of the group entities.

3.42   Lutea also failed to fully comply with directions[1] issued by the JFSC during the relevant period due to a failure to implement adequate controls to ensure compliance.

4 Root causes

4.1   The JFSC has concluded that the root cause of Lutea’s regulatory and compliance failures was the ineffective operation of the Lutea Board, its lack of awareness of regulatory requirements and its engendering of an organisational culture without due regard for compliance.

4.2   Factors contributing to the JFSC’s conclusion include the following issues identified by the investigation:

4.2.1   The Lutea Board lacked diversity of skillset in its composition and, in particular, had insufficient understanding of requirements and best practice in governance, risk and compliance matters;

4.2.2   The Lutea Board failed to adequately consider any potential conflicts, independence issues or cultural barriers at Lutea Board level;

4.2.3   New appointments to the Lutea Board were typically internal appointments and/or were accepting their first board position and had little impact in improving diversity of skillset;

4.2.4   New Lutea Board members received no formal induction on appointment, lacked personal development plans and were not provided with training to meet their development needs;

4.2.5   Lutea Board members had significant customer facing responsibilities and worked in silos within the business;

4.2.6   Lutea’s culture was customer led. Risk and compliance matters were not prioritised by the Lutea Board and there was a lack of cohesive and collective responsibility from the Lutea Board in this regard. The Lutea Board considered compliance matters to ultimately be the responsibility of its compliance function;

4.2.7   The Lutea Board failed to recognise compliance reporting as being inadequate to enable it to exercise appropriate oversight of compliance matters;

5 Conclusion

5.1   The JFSC is committed to working with firms to resolve issues whenever possible and appropriate. In the JFSC’s view, the issues highlighted in this public statement may not have occurred had Lutea and, in particular, the Lutea Board:

5.1.1   Carried out effective and sustainable remediation following previous examinations; and

5.1.2   Embedded and operated a culture that had due regard for regulatory compliance.

Glossary

AML/CFT

Anti-money laundering/countering the financing of terrorism

AML/CFT Code

The AML/CFT Code of Practice as set out in the AML/CFT Handbook dated 31 May 2021

AML/CFT Handbook

Handbook for the Prevention and Detection of Money Laundering and the Financing of Terrorism for Regulated Financial Service Business dated 31 May 2021

BRA

Business risk assessment and strategy

CDD

Customer due diligence

Customer profiles

Customer business and risk profiles

EDD

Enhanced due diligence

FS(J)L

Financial Services (Jersey) Law 1998

JFSC

Jersey Financial Services Commission

Lutea

Collectively, Lutea Holdings Limited, Lutea Trustees Limited and participating members

Lutea Board

Collectively, the board of directors of Lutea Holdings Limited and Lutea Trustees Limited

ML

Money laundering

MLCO

Money Laundering Compliance Officer

MLO

Money Laundering (Jersey) Order 2008

MLRO

Money Laundering Reporting Officer

PEP

Politically exposed person

Regulatory framework

Collectively, the FS(J)L, Code of Practice for Trust Company Business, MLO, Proceeds of Crime (Supervisory Bodies) (Jersey) Law and AML/CFT Codes

Supervisory Bodies Law

Proceeds of Crime (Supervisory Bodies) (Jersey) Law 2008

TCB Code

Code of Practice for Trust Company Business

TF

Terrorist financing

[1] Issued under Article 23(1) of the FS(J)L.