New Technologies: FATF Recommendation 15

As we work from home during the second Guernsey lockdown, many of us have been listening to webinars whilst typing away on our laptops. Occasionally, a topic captures the attention and the eyes shift from the screen as the words from the wise speaker resonate. Tuesday was one such day for me during the panel discussion at the AML & FinCrime Tech Forum hosted by RegTech Analyst and FinTech Global.

The comment – or rather a question – which helped me choose the subject for this blog was “can you explain to the regulator how your new tech works?” As the take-up of RegTech and FinTech increases at speed, this question highlights the need for the finance sector not only to embrace the new ways of working but to understand them too.

The FATF Recommendation which covers this topic is, of course, “Recommendation 15: New technologies”. It sets out the need for businesses to identify and assess the ML and FT risks that may arise with the development of new products and new business practices, including new delivery mechanisms, and the use of new or developing technologies for both new and pre-existing products. It also refers specifically to how countries should regulate virtual assets service providers for AML/CFT purposes.

The Interpretative Note concentrates on just this last aspect in some detail. The Guernsey National Risk Assessment 2019 (NRA), in paragraphs 3.81 to 3.86 for money laundering risks and 6.54 to 6.57 for terrorist financing risks, also focuses on this one aspect of the Recommendation by covering “transaction and exchange of virtual assets, initial coin offerings and e-money”. There is also a great deal of public discussion on the risks of virtual assets including guidance from the FATF.

However, there is surprisingly little public commentary on the use of new technology by firms in the finance sector specifically referencing the Recommendation 15 requirements. Certainly nothing in the NRA about Regtech or Fintech and their risks when used by the finance industry. Perhaps this is because the requirements are a common-sense statement of what a firm should do when purchasing new technology for their own use? I think not.

The Recommendation requires financial institutions to undertake a risk assessment “prior to the launch of the new products, business practices or the use of new or developing technologies.” In November 2015, the GFSC added the Annex entitled “Using Technology for CDD Purposes” introducing the concept of a “Technology Risk Evaluation”. A firm was required to identify and assess risks – and not just money laundering and financing of terrorism risks – when it utilised an electronic method or system in its due diligence process.

Whilst the 2019 Handbook does not replicate the need for an “evaluation” as such, it does, instead, require the business risk assessments to include an assessment of identified risks arising from the technology’s use or adoption. The Handbook also expands the type of technology that needs to be assessed but reduces the risks that must, as a minimum, be covered to those from money laundering and financing of terrorism.

What it does not do is repeat the useful observation which was included in its 2015 preamble to the introduction to the Annex. The GFSC said “Each annex encompasses new rules stipulating that a firm must understand this technology if it is to use it.” And this is the aspect the speaker on the panel sought to highlight. As with outsourcing, a firm must have the ability in-house to explain to the regulator what the new tech does, how it does it and how it complies with the regulatory requirements. 

Whilst a piece of tech cannot solve every problem faced by a firm, it does allow staff to concentrate on more complex and unusual issues whilst the tech deals with the mundane. However, to reap these benefits, a firm should ensure that it understands not only the tech’s risks but also its own risks and risk appetite, and that the tech can support that risk appetite. One such risk, which is obvious but may not be at the top of the list, is the red flags, as these will have been set by the provider of the tech. As they may not include the red flags that the firm has itself highlighted in its business risk assessments, they will need to be updated.

To benefit from the advancements in tech, lack of understanding should not be a barrier to its take-up. Nor should the regulator. In Guernsey, we are very lucky to have a regulator who is pro-active in contributing to this space and long may that last. But, for firms to fully appreciate how the compliance function can use the firm’s data and information to maximise productivity, a thorough understanding of the legal and regulatory obligations and how the tech works is an in-house must.

If anyone has any questions on a particular Recommendation or is looking for compliance support – please do get in touch.

In the meantime, keep well – keep safe.

Lockdown Guernsey – Time for a Fresh Look at the FATF Recommendations

Having woken up on Saturday morning to the news that we were back in lockdown, Guernsey is coming to terms with an unexpected change to our freedoms. The loss is a sharp reality check not least because it was immediate but also because we’ve been privileged to have had a near-normal life for months whilst watching the raging worldwide storm from the safety of our Bailiwick.

However, we can feel reassured that the bubble bursting was expected and planned for when we first dealt with the pandemic last March.  As the politicians and hard-working civil servants battle with this latest emergency, this time I watch from the sidelines. I have to admit it does feel strange not being involved in the incessant Teams meetings or reading to prepare for them but, knowing the team, I have every confidence in those making the decisions.

So whilst we wait for the storm clouds to lift, I thought I’d take a look at the 2012 FATF Recommendations. Their importance is clear to those of us who live and breathe AML/CFT compliance but to remind us once more, in December 2020, FATF released their “Update: COVID-19-Related Money Laundering and Terrorist Financing Risks” which said:

“It continues to be critical for jurisdictions, financial institutions, and designated non-financial business and professions to identify, assess, and understand the particular ML and TF risks they face, and take corresponding mitigating action in line with the FATF Recommendations.”

As I won’t have time to publish a blog on each of the 40 Recommendations before lockdown is lifted, I’m not reviewing them in any particular order. My first choice is Recommendation 28 as I thought this was a good place to start given the reference to it in the latest GFSC consultation on amendments to the AML/CFT Handbook.

As mentioned in my last blog, the consultation amongst other things considers the introduction of reduced customer due diligence for corporate trustees. In its preamble regarding a firm’s decision on whether to apply the new Rule, the GFSC says “In making such determination, the firm should take note of reports and assessments by the FATF and/or FATF-style regional bodies, in particular of findings, recommendations and ratings of compliance with FATF Recommendation 28 and document the conclusions of its assessment.”

Whilst it is essential when considering how to comply with any particular aspect of the AML/CFT regime to go to the source document, on this occasion reference in the consultation to Recommendation 28 may at first be a little confusing. Entitled “Regulation and supervision of DNFBPs”, the Recommendation covers the measures that apply to designated non-financial services businesses and professions (DNFBPs). Despite Guernsey having regulated trust and company service providers for 20 years and the GFSC calling them financial services businesses, FATF considers them separately from financial institutions. They put them in the pot with lawyers, accountants and estate agents (aka our Prescribed Businesses), hence the reference to Recommendation 28 when considering the CDD for a corporate trustee.

The Informative Note to Recommendation 28 sets out the need for the supervisory authority to have “a clear understanding of the money laundering and terrorist financing risks .. present in the country” of the DNFBP, “adequate powers to perform their functions (including powers to monitor and sanction), and adequate financial, human and technical resources” and “processes to ensure that the staff of those authorities maintain high professional standards, including standards concerning confidentiality, and should be of high integrity and be appropriately skilled.” It is the assessment of the jurisdiction where the corporate trustee (or its parent) is based or supervised against these requirements which is relevant when deciding whether to apply reduced CDD on corporate trustees.

There are many tools that a compliance team has to identify the risk of countries: the new Appendices H and I and Appendix C to name a few. But there is no complete publicly available list which brings together the rating of jurisdictions which takes note of the reports and assessments by the FATF and/or FATF-style regional bodies. Not that I can find anyway.

There are the FATF’s fourth-round evaluation ratings (this is the Excel version – a link to the PDF version is on the GFSC’s Instructions, Notices & Warnings page). As the title implies, these helpfully list by Recommendation the latest compliance ratings of evaluated countries as at the 21st January 2021 but, of course, that is not a complete list. The Isle of Man’s rating of Largely Compliant is in the list, but neither Guernsey nor Jersey is mentioned simply because we have not yet had the Mutual Evaluation under the 2012 FATF Recommendations. And there are, of course, others yet to be evaluated.

The FATF-style regional bodies referred to in the GFSC’s amendment to the Handbook include MoneyVal, and our report and that of our sister isle are on its website. But until the evaluations of all the jurisdictions who aspire to have financial centres of eminence have been done, there will not be a ready means of capturing the compliance with the 2012 Recommendations in one place. However, whilst the Covid-19 pandemic put Guernsey back into lockdown last Saturday, evaluations do continue elsewhere. With ours not taking place until at least 2023, whether there’ll ever be a complete list, we will have to wait and see.

Sooner than that though, we should know if a Largely Compliant – or even a Partially Compliant – rating will suffice for a particular corporate trustee being a part of a “standard risk scenario” or whether even the whiff of untoward influence of a beneficial owner trumps the evaluations.

 


Reaping the Benefits – Clarity for the Corporate Trustee

The AML/CFT Handbook, introduced in March 2019 (how time flies!), was greeted with the expectation that it would be a user-friendly manual containing all that was needed to adhere to the new Schedule 3. It certainly clarified many aspects which had caused confusion in the past and combined the various information sources produced by the GFSC. 

The one thing that we all knew would be tested later was the claim that it could be easily updated to react quickly to the needs of the sector. This was considered essential to enhance Guernsey’s reputation as a jurisdiction open for business.  The latest proposals for changes to the Handbook certainly look like a quick and pragmatic reaction to business needs but do they achieve that aim?

In my last blog, I looked at the proposals to reduce the amount of identification information required for beneficiaries and took a look at some of the issues which may arise without clear guidance. In this blog, I am looking at the changes proposed in respect of the verification – or not – of the beneficial owners of corporate trustees.

When a firm enters a business relationship with a trust where the trustee is a legal person, the firm must identify and take reasonable measures to verify any natural person who is the beneficial owner of that corporate trustee. That is unless the corporate trustee is a “transparent legal person”. This new concept is defined in Schedule 3 and includes a regulated person within the meaning of Section 41(2) of the Beneficial Ownership Law.  In simple terms, this means a trustee which is a company subject to the GFSC Handbook does not need its beneficial owners verified.

However, the definition of transparent legal person – and therefore when those benefits of reduced CDD apply – does not currently extend to a corporate trustee in another jurisdiction which is subject to the same or equivalent provisions of the Handbook. So, when dealing with a non-Guernsey corporate trustee – even one based in an Appendix C country – the beneficial owners of that company need to be identified and verified. This is even if they have been through the same rigorous vetting process to be regulated.

It could be said that this inconvenience of providing such due diligence every time a corporate trustee enters into a business relationship is an occupational hazard. However, when places like Jersey do not require such due diligence under their Money Laundering legislation, it is easy to see why some corporate trustees would consider doing business elsewhere because of this requirement.

So the new proposal means it “may be possible” to rely solely on a summary sheet identifying ownership details of a corporate trustee if it, or its parent, is subject to the same or equivalent provisions of the Handbook in the jurisdiction where it is based and supervised. But this is only in low or standard “risk scenarios” because if it is a high “risk scenario” and neither the corporate trustee nor its parent is based in a jurisdiction with equivalent provisions, then reasonable measures need to be taken to verify its beneficial owners.

These proposals beg four questions:

  • what do the GFSC mean by saying it “may be possible”?
  • what elements need to be taken into account when identifying a “risk scenario”?
  • what verification is needed in a high “risk scenario” if both or only one of the corporate trustee and its parent is based in a jurisdiction with equivalent provisions?
  • what does the new phrase “risk scenario” mean anyway?

It would appear that the first new paragraph, 7.115, is intended to set the scene for when reduced due diligence can be applied to a corporate trustee. It requires a firm to consider the ML and FT risks associated with a particular beneficial owner who has influence over the business and affairs of that corporate trustee. The following two paragraphs, 7.116 and 7.117, talk about the “risk scenarios” and set out when the location of the corporate trustee and its parent is relevant and the means of assessing whether they are in a jurisdiction which has equivalent AML/CFT legislation and supervision.

But does the wording of these new paragraphs mean that a firm has to assess the “risk scenario” of the corporate trustee’s beneficial owners? If so, does it mean if they are considered low or standard risk, then this reduced due diligence applies? Or does it also depend on whether the jurisdiction of the corporate trustee or parent is low or standard risk? In any event, what is clear is that, when making a decision, a firm needs to look into the identity of the corporate trustee’s beneficial owners and consider their influence – no easy task. 

As to the third question, hopefully if either or both corporate trustee and parent are in an equivalent jurisdiction, this will suffice to remove the need for verification of the identity of its beneficial owners and be considered a low or standard “risk scenario”.

As to the introduction of this new phrase “risk scenario”, it has been said that the GFSC, by introducing this phrase, are enabling this reduced verification for all business relationships no matter their overall risk rating. This may seem a practical solution considering the beneficial ownership of a corporate trustee may not be relevant to the overall risk of a business relationship but, if this is the case, this needs to be clarified. This clarification is necessary because, if it is not, it could lead to claims that other elements of the business relationship are also irrelevant to the overall risk and so require less CDD. Whilst this may not be a bad thing, it is a departure from normal practice and one which may confuse rather than assist if its intention is not made clear. 

As I noted in my last blog, in respect of the amendments proposed for the reduction of identification information for certain beneficiaries, the need for clarity is forever present if the benefits are to be reaped.

 

Making Changes – The Importance of Clarity

Just before Christmas, the GFSC issued a consultation on possible changes to the AML/CFT Handbook, the closing date being today at 5pm. Having just managed to send in my four pages of comments to the GFSC by the deadline, I thought I’d cover some aspects of these potential changes in my two blogs this week.

Despite this consultation being described by the GFSC as short, the aspects covered are important. To a certain extent, they indicate a shift in approach firms can take in the way CDD is to be undertaken – a trend which could be beneficial to the finance industry.

The three areas covered by the consultation are a reduction in identification information for some beneficiaries, the removal of the need to verify the beneficial owners of corporate trustees in certain circumstances and additional guidance on when to review a relationship risk assessment. In this first blog, I’m taking a look at the proposed reduction in identification information for beneficiaries.

The GFSC describe these changes as follows: “When establishing a trust or entering into a business relationship or occasional transaction with a trust, the firm is required to identify any beneficiary in a trust (whether his or her interest under the trust is vested, contingent or discretionary). The Commission is proposing rules in sections 7.10.1 and 7.10.2 confirming that a firm must at a minimum identify the beneficiaries’ full name and date of birth, however the extent to which the other identification data is obtained by the firm will depend on the likelihood of that person benefiting from the trust, with such an assessment documented.”

The reduction of the identification information needed for beneficiaries depending on whether they are going to receive a benefit does, on the face of it, seem proportionate. However, linking the need to obtain more than just the name and date of birth of a beneficiary to the possibility of the beneficiary benefitting is, in my view, problematic.

So how should a firm assess when a person is likely to benefit? For all those who remember the previous Handbook and the confusion that arose over the use of this phrase “likely to benefit”, you will also recall the change to the phrase “object of a power” and the consternation that caused. However, the current Handbook uses the phrase “likely to benefit” once more but without the necessary clarity needed to identify precisely what it means. Unfortunately, the proposed changes to the Handbook do not assist either.

This lack of clarification, therefore, begs many questions on this proposed change. Not least as to what period should be identified as to when the person is likely to benefit. Is it in the next 12 months or is it longer than that? Is it a subjective length of time which depends on the circumstances of the business relationship and the personal circumstances of the individuals concerned? And does the firm need to clarify the position with the settlor especially if the letter of wishes is not specific about what is to happen in the next 12 months or, indeed, at all? If a firm decides to only obtain two pieces of information, do they have to reconsider that decision on a regular basis? And when should the settlor’s views be sought again – at each regular and ad hoc review?

Also, the proposed change does not, in my view, take proper account of other risks posed by beneficiaries. For example, under Schedule 3 paragraph 4(3)(f), the firm needs to make a determination of whether the beneficiary is a PEP. This determination will be more difficult without the person’s residence, place of birth and nationality. Whilst a determination can be made, it becomes problematic if a positive match to a PEP arises but the lack of information means it cannot be identified as a false positive. It would be unfortunate if the client relationship team have to request this after take-on as clients always prefer the totality of information to be collected from the outset.

More importantly, these changes may mean the reliability of the relationship risk assessment could be questioned. If the full information on the beneficiaries is not obtained, how can this assessment be relied upon to accurately reflect the risks? This conclusion may seem excessively cautious given the information in issue but it is possible: a beneficiary not properly identified and a high risk factor missed poses a risk to the business.

Whilst the risk of money laundering or the financing of terrorism increases when money flows through a structure, the risk itself only arises on that payment and not at the time the assessment is made of whether a beneficiary will be benefitting from the trust. The risk of a poor assessment of whether someone is likely to benefit, therefore, seems to pale into insignificance compared to missing a connection with a high risk individual due to the lack of information. 

It would, therefore, seem sensible if this new Rule had the caveat that the firm must look at the relationship in the round and not take a blanket approach when implementing this change.

Many other questions arose in my mind as I read the proposed changes: you’ll be pleased to know that I don’t intend to set them out in this blog. We shall see when the final version is released if my concerns were taken on board and no doubt I’ll do another blog on the subject if they are not.

Whilst any change to our AML/CFT rules and guidance which reduces the work required to be done is a good thing, this must come with the clarity of when the new requirements apply. Without clarity, the ways in which they can be applied multiply, consistency is lost and errors occur. That is why the old Handbook, and in particular the FAQs published to help clarify its contents, required an overhaul. It would be a shame if any changes to the new Handbook meant we were heading down the same path of inconsistent application of the rules because of this lack of clarity.

 

Appendix I – the Solution to the High Risk Jurisdiction Quandary?

With the further amendment to Appendix I announced by the GFSC this week, I thought I would take a look at the introduction of this Appendix and see if it fulfils the aims articulated when first mooted and the level of assistance it provides to firms in identifying high risk countries.

The idea of the addition to the AML/CFT Handbook of an Appendix which sets out a list of jurisdictions assessed by various respected organisations as high risk was initially welcomed by compliance professionals as it presented a short cut to their identification. However, there are hidden issues with these Appendices* that practitioners need to be wary of: something that we discussed in some detail at the Handbook Review Group when first proposed by the GFSC.

I joined the Group when it was established in 2013 and left shortly before the first draft of the Handbook was issued (as I had just set up Triangle Compliance Services and consultants were not allowed to be part of the Group). During my membership, we had several debates on the continuing use of Appendix C and whether to introduce an equivalent of Jersey’s Appendix D2. Some of us were sceptical of the idea of the high risk list based on our collective experience of the complacent way some firms risk assessed business relationships with a key principal connected to an Appendix C country. I certainly felt those issues could be repeated in the use of any high risk list without suitable caveats in place.

In order to appreciate that concern, we need to look at the purpose of Appendix C. This Appendix provides a list of countries in which the GFSC considers financial services businesses have “in place standards to combat ML and FT consistent with the FATF Recommendations and where such businesses are appropriately supervised for compliance with those requirements.” This list, which has been around for many years, was considered of assistance to firms because it meant that they did not have to identify such countries themselves but could rely on this list. However, there was a catch.

Not only did it state in Appendix C that “it does not provide assurance that a particular overseas business is subject to that legislation, or that it has implemented the necessary measures to ensure compliance with that legislation”, Section 9.6 of the Handbook goes further. It says “The inclusion of a country or territory in Appendix C does not mean that the country or territory in question is intrinsically low risk, nor does it mean that any business relationship or occasional transaction in which the customer or beneficial owner has a connection to such a country is to be automatically treated as a low risk relationship.”

The completion in full of the relationship risk assessment is still required when Appendix C firms are involved in a business relationship.

The concern over a list of such countries was that it presented the same risk of complacency: a risk some of us felt would be best avoided or at least mitigated. No doubt with that in mind, in June 2020, the GFSC amended the new AML/CFT Handbook and Appendix I was born.

The previous GFSC approach had been to issue Instructions and Business from Sensitive Sources Notices highlighting the thrice yearly FATF statements on the assessments of jurisdictions with weak measures to combat money laundering and terrorist financing. The new Appendix I was to replace such Notices and Instructions as well as provide the information collated by the GFSC on high risk countries.

As the titles suggest, Jersey’s Appendix D1 and Guernsey’s Appendix H include high risk jurisdictions subject to a call for action by the FATF. However, Guernsey’s Appendix H reminds us of Paragraph 5(1)(c)(i) of Schedule 3 which confirms when a firm shall apply ECDD measures to a business relationship or occasional transaction. This is when the customer or beneficial owner has a relevant connection with a country or territory that –

“(A) provides funding or support for terrorist activities, or does not apply (or insufficiently applies) the FATF Recommendations, or
(B) is a country otherwise identified by the FATF as a country for which such measures are appropriate.”

As Appendix H only identifies those countries and territories which the FATF has listed as high risk, Appendix I is a useful reference point to identify other countries such as those which fund or support terrorism. However, it is only Jersey that includes Iran and North Korea in their Appendix D2 – an important oversight and worthy of note even if ECDD will apply to these two countries in any event.

As for Appendix I, this includes countries that a variety of groups have identified as presenting certain ML and/or FT risks. Both Crown Dependencies set out the results of assessments of countries by FATF, the OECD, Transparency International, the World Bank, the US government and a US think-tank: Fund for Peace/ Foreign Policy magazine. Interestingly, there are three sources included in Guernsey’s Appendix I which are not in Jersey’s Appendix D2 and vice versa. Not unexpectedly, given these differences, there are countries on the Guernsey list which are not on the Jersey list and vice versa which, in my view, shows that these assessments are still subjective and caution is needed.

Whilst Guernsey and Jersey’s Financial Services Commissions state clearly that they do not accept responsibility for the findings and conclusions of these sources, they differ in the explanation of their list’s purpose. Guernsey explains that it “does not automatically imply that a business relationship or occasional transaction with a relevant connection to a country or territory on Appendix I is high risk, as the firm can continue to take a risk-based decision on the level of overall risk within a business relationship”. Jersey states “Relevant persons are expected to exercise judgement in relation to how they interpret and use these sources and to reach their own conclusions on risk.” I prefer the language used by Jersey as it more directly reflects the need for caution over the content of the list – or more importantly its omissions.

And that goes to the heart of the concern – if a country is not on the list it does not mean it is not high risk.

So, whether it is a solution to the high risk jurisdiction quandary or simply a helpful tool, it does depend on the way the lists are treated. Ultimately though, the importance of assessing the country is not just about whether it appears on this list but also taking into account all the other factors that make up a business relationship.




*“Appendix I – Countries and territories identified as presenting higher risks” and “Appendix H – FATF High Risk Jurisdictions Subject to a Call for Action”

Brexit Sanctions and the Effect of Exit Day

For more than 5 years now, Brexit has been a talking point for many.  As transition ends, it’s no longer words but actions that are needed to adjust the way we work and trade. However, as we live in a third country, this hasn’t affected AML compliance professionals a great deal – that is until we reached “exit day”.  

Ever since the Brexit referendum, the Bailiwick has prepared for the UK leaving the EU by enacting a plethora of legislation which came into force on “exit day”. In a circuitous route via The European Union (Brexit) (Bailiwick of Guernsey) Law, 2018 (“the Brexit Law”) and 2020 Regulations*, “exit day” was appointed as 11 pm on the 31st December 2020. One of the main changes on that day – certainly from a financial crime perspective – was that made to the Sanctions Regime.

As an international finance centre, the Bailiwick has long been committed to the effective implementation of sanctions including those imposed by the EU. Prior to 2018, EU sanctions required implementation by Ordinance in the three independent legislatures of Guernsey, Alderney and Sark. However, in its report in 2014, MoneyVal noted that there was an unacceptable delay between the introduction of EU sanctions and the enactment of these Ordinances. So when the Sanctions (Bailiwick of Guernsey) Law, 2018 (“the 2018 Law”) was drafted, it enabled EU Sanctions to be brought in Bailiwick-wide by regulations implemented by Guernsey’s Policy & Resources Committee.

As far as the UK leaving the EU was concerned, the importance of remaining aligned with the UK was acknowledged and also incorporated into the 2018 Law.  This was done by including in the definition of a “sanctions measure” regulations made by an “appropriate” UK minister under the Sanctions and Anti-Money Laundering Act 2018.  By doing so, P&R can implement urgent legislation so that regulations made by a UK minister have full force and effect in the Bailiwick at the earliest possible opportunity.
 
And this is exactly what was implemented. By virtue of the Sanctions (Implementation of UK Regimes) (Bailiwick of Guernsey) (Brexit) Regulations, 2020, signed off by the President of P&R on the last day of 2020, some 35 UK Regulations came into operation in the Bailiwick. Although having direct effect here, these UK Regs have been fairly extensively “Bailiwick of Guernsey-fied” in the process. These amendments are only sensible given, for example, we should not apply UK offences, penalties or enforcement proceedings to our regime.

Similarly, the Bailiwick’s transitional provisions in respect of licences should apply rather than that of the UK and, as would be expected, existing licences transfer to the new regime for the rest of their duration retaining their existing conditions. At Schedule 4 of the 2020 Regs, there is also a helpful list of the 94 pieces of Bailiwick legislation under which previous licences were issued and the corresponding UK enactments under which the replacement licences are now deemed to be issued.  Necessarily, pending applications as at “exit day” will be dealt with under the new regime.
 
As a result, designations that have been and will be made under these UK Regs will need to be included in your firm’s screening programme. As most financial institutions rely on external providers for third-party screening and these should already include all UK designations, it would seem that there may be little to do. However, as with most changes, it is important not only to amend the policies and procedures to refer to this new legislation but also to remove references to the legislation which has been repealed (of which there were 8 Bailiwick-wide and 36 in Guernsey and 34 in each of Sark and Alderney) and to note amendments to the Terrorist Asset-Freezing (Bailiwick of Guernsey) Law, 2011.
 
Interestingly, before any Committee can make regulations such as these under the Brexit Law (as I have called it), it requires a certificate from HM Procureur confirming, amongst other things, that those regulations are necessary or expedient both in consequence of the withdrawal of the United Kingdom from the EU and in the public interest. That necessity certainly cannot be denied.

Clearly, having a sanctions regime consistent with the UK and one that also ensures EU sanctions are complied with is essential to maintain our international standing. So whilst we have spent many months and years amending our policies and procedures to comply with the requirements of FATF and Europe’s MoneyVal, further amendments are again needed after exit day to cater for the UK’s Brexit.

 

The full details of the changes and the legislation can be found in the three Sanctions Notices on the home page of the GFSC’s website and the Sanctions pages on the website of the States of Guernsey. 

* The European Union (Exit Day and Designated Day) (Brexit) (Bailiwick of Guernsey) Regulations, 2020

Compliance Maturity – Squaring the Circle

In my last blog, I examined the failures of a financial services business where they were at their most basic. In this blog, I am looking at the opposite end of the scale and the maturity of compliance cultures in firms.

Compliance maturity has been around for a long time. In 2009 Thomson Reuters’ Compliance Weekly undertook a compliance maturity survey which included 10.9% from the finance industry. The view at that time was that “Chief compliance officers apparently still have lots of work ahead to turn their compliance efforts into strong, mature programs that can handle the broad range of risks”. In July 2015, members of Cork University in Ireland published in IJBEX* their “financial industry maturity model for anti-money laundering” to help firms be AML/CFT compliant albeit acknowledging their research was still at an early stage.

In Guernsey, in the GFSC’s 2015 Annual Report, the Director of Enforcement, Simon Gaudion, made the following comment: “One of the major topics for compliance professionals currently is regarding ‘compliance maturity’ which clearly needs to be set by the board and encompasses ethics, culture and corporate governance. Cases identified this year once again bring into question many of these issues around those areas and we would ask firms to consider whether the right tone and culture is being set from the top of their organisation.”

So where are we in 2021?

It is widely accepted that to ensure staff behave ethically and comply with the law and good corporate governance principles, the board needs to lead by example by living and breathing that culture. A business with such a team approach is not only more likely to adhere to the required legislation, so avoiding any supervisory action, but also reduce costs and increase client satisfaction. 

But how do you know how compliance mature your firm is? One way is to undertake a Compliance Effectiveness Assessment which looks at how people, processes and technology help or hinder the firm in its aim.  

In an effective compliance programme, people are the most important component but also the weakest link. The board needs to be able to support staff by giving them the training they need to promote the right behaviour backed up by a fully resourced compliance function who have a seat at their table. The processes properly documented will support staff to comply with the requirements; success being shown by a good reaction time to new regulatory changes, collaboration between different teams and the right level of evidence of the controls in place. Use of up-to-date technology that is appropriate for the particular business squares the circle. 

Given that the update of the firm’s AML/CFT policies, procedures and controls was required to be approved by the Board by the 30th September 2020, this year would be a good time to identify a firm’s compliance maturity and consider if the right culture is being practised by the firm to ensure that those new policies and procedures are effective. Not only would such an assessment save money in the long run, but it would also comply with the requirements of the AML/CFT Handbook.

Rule 2.18 states that “the board must consider the appropriateness and effectiveness of its compliance arrangements and its policy for the review of compliance at a minimum annually, or whenever material changes to the business of the firm or the requirements of Schedule 3 or this Handbook occur.” A review of compliance is not only applicable to AML/CFT but also to the rules relating to the particular licensee’s business such as the COB Rules and the new Fiduciary and Pension Rules and Guidance and the Code of Corporate Governance which applies to all licensed companies.

A Compliance Effectiveness Review not only identifies where the firm is on the journey to compliance maturity but also what may be hindering its progress. The review usually consists of desktop study, surveys and interviews covering various aspects of the firm and, depending on the completeness of the review, can take up to 12 weeks. Whilst this in-depth approach may be suitable for some firms, an overview can be completed in as little as a week to identify the main issues a firm may have and to recommend any further investigation that would be beneficial. A third party’s objective consideration of the business’ objectives and risk assessments as well as interviewing the relevant staff can be surprisingly useful in identifying the priorities for review in any compliance monitoring programme.

By believing in the importance of compliance, the board can instill in the business a proactive approach that encourages the identification of opportunities that arise from new regulations – a win-win for all concerned. By knowing the level of the firm’s compliance maturity, the board can identify and prioritise the right doors to open to reap those benefits.

If you wish to have assistance in reviewing how compliance mature your firm is, then please feel free to contact me for a no obligation discussion. 

 

*  International Journal of Business Excellence (IJBEX), Vol. 8, No. 4, 2015

Safehaven – a Question of Red and Blue

With the end of 2020 when we look forward to a better 2021, the GFSC released another stark reminder of the consequences of not adhering to the AML/CFT requirements. Usually I shake my head when reading such a public statement but this time, quite frankly, my jaw dropped.

On the whole, the findings of such statements over the years generally remind us of the importance of taking note of the observations made after a GFSC site visit – and making sure that the concerns raised are rectified before the next such visit. But the failures of Safehaven and its directors and MLRO were so severe when first identified that I am not surprised the firm was not given a second chance.

Safehaven International was a typical small business set up in the 1980s having one shareholder who was also the managing director. In 2002, it obtained a full fiduciary licence, its primary business being administering companies owning aircraft and yachts for ultra-high net worths. In every sense of the words, these were high risk relationships. Failure to follow a firm’s own manual in this business is one thing, not adhering to the law is another but when it involves such risky clients, the outcome seriously endangers Guernsey’s reputation.

Yet, whilst the catalogue of failures includes the familiar three: lack of source of wealth and funds information, poor quality client risk assessments and missing ECDD, this report lists even more egregious errors than that. There was poor transaction monitoring, the failure to comply with the 2009 Instruction 6 requiring the remedy of CDD deficiencies by 31st March 2010 and even the suspicious activity procedures were inadequate.

A particular example which highlights the lack of oversight is not identifying one client as a PEP for more than 10 years despite four separate risk reviews noting material information on the client’s status. Another involved basic company administration failures as well as a lack of AML checks as the proceeds from the charters of the administered company’s yacht and its sale at an undervalue were paid into the client’s personal bank account. In 2018 these errors came home to roost not just for the firm but this Island – the client was convicted of fraud and Guernsey named as a location for their bank accounts.

Whilst the outcome of this enforcement action can be traced back to an October 2016 GFSC site visit, it is interesting to note that a 2017 employment tribunal involving Safehaven concluded that “The [AML] training received was limited, generic and relatively infrequent.” It may even be no coincidence that the event which sparked the successful unfair dismissal claim regarding an unfounded accusation of bribery occurred late in September 2016 as preparations for a site visit always clarify the mind on what the AML Framework requires.

Quality training for employees as we all know is important but this public statement illustrates much more than that. It shows that there are still board members in Guernsey who expect their staff to know what is expected under the AML legislation yet they themselves do not know what it means to be a fit and proper person and what is required to comply with the AML Framework. Indeed, in this case, it appears they didn’t know the very basics required to run a high risk financial services business.

It is interesting that the directors – including non-executive directors – are again held to higher account than the MLRO by virtue of the penalties imposed: penalties which no doubt would have been higher if under the current penalty system and if the individuals involved had not co-operated with the GFSC. The directors are, of course, ultimately responsible but it does beg the question at what point should an MLRO or indeed any member of staff notify the GFSC of a serious concern. Whilst there is guidance in the Handbook on when the board is required to notify the GFSC under Rule 2.49, having been at a recent GACO discussion on this topic, it is clear that it would be useful to have more detail on the MLRO and now also the MLCO’s responsibilities in this regard.

That said, it is clear that, in this case, not only was the archetypal dominant individual present but his fellow directors appear to have been in the dark about the overworked and inexperienced MLRO. Blame does lie with the MLRO to some extent but more especially with each member of the Board, one of whom was an ex-MLRO. They did not take their responsibilities seriously or indeed heed the warnings of external compliance advisors during the 2014 remediation project.

Some may say that, even though there was a failure rate of 70%, this was by virtue of a review of only 13 files of which 9 were deficient. But how can the level of files reviewed be criticised when the severity of the failures found included the likelihood that Safehaven International may have been used for transactions involving the proceeds of crime? This would appear to be a staggering example of how a culture of compliance was totally lacking within a board when all the signs were there – not just the red flags but the blue lights too.

Over-egging the Pudding – the Home Affairs Policy Letter on the Terrorism Law

Whilst no longer part of the States of Deliberation, I could not help but take a look at the Home Affairs Policy Letter submitted for debate by the new Assembly tomorrow, 4th November. How could I not when my interest in the AML/CFT framework remains as great as ever?

The Policy Letter was finalised as long ago as the 10th July 2020 by the previous Committee but not submitted until October. It is entitled “Amendments to the Terrorism and Crime (Bailiwick of Guernsey) Law, 2002” so not really giving any clues away and neither do the Propositions for approval by the States. The Policy Letter at paragraph 3.1, however, contains the detail of the extension proposed to the Bailiwick’s Law Enforcement powers exercised at our border in relation to terrorism. Something which is particularly pertinent this week with the awful crimes committed in France and Austria.

Some of the recommendations are straightforward as they include the extension of the existing right to inspect documents to include checking those specifically used for travel and create new ones such as the issuance of Codes of Practice. I say straightforward but it is interesting to note that our Law Enforcement feels that, if these powers had been in place, they could have assisted them in satisfactorily determining the purpose of visits to the Bailiwick of the occasional suspicious national from a hostile state. Whilst these incidents may be rare, it does bring home that we are a backdoor to the UK and we need to be able to conduct lawful searches or interviews when the need arises to protect us and our friends on the mainland.

Of wider interest because of their ambiguity, the proposals also include extending powers in relation to the commission of “hostile acts” that do not fall within the definition of terrorism. These “hostile acts” are both described vaguely and expansively and include threatening either national security or the economic well-being of the British Islands and also acts of serious crime.

The introduction of these powers is no doubt sensible and I am sure the draft Ordinance containing them will be scrutinised by States’ Members when it is considered by the Assembly. However, what strikes me about the Policy Letter is not the proposals that it recommends but the very clear message of our inability to keep up with the ever changing legislative environment around anti-money laundering, countering the financing of terrorism and weapons proliferation.

At this point, I would normally lurch into a political rant over the lack of sufficient resourcing of the Law Officers’ Chambers to enable them to recruit lawyers to draft legislation and so enable Guernsey to keep up with the production of legislation more generally. I won’t because I feel that is best left to the current politicians who take an interest in this deficiency in Guernsey.

What I will say though is that we, as practitioners, need to continue to scrutinise such legislation both through consultations but also as and when the drafts are lodged on Gov.gg for approval by States’ Members. Whilst the States’ Legislation Review Panel reviews such legislation for compliance with the resolutions previously passed by our government, these resolutions are often vague as they are in this case. We, therefore, need to be alive to the need to inform States’ Members of any changes we feel are appropriate and ask/persuade them to lay amendments for consideration by the States if appropriate.

With the MoneyVal visit due in 2023 and the professed view of some States Members against regulation no matter how proportionate and appropriate, we as practitioners need to keep our finger on the pulse. We need to ensure the Bailiwick has regulation that maintains our status in the international community whilst not over-egging the pudding.

Exiting the Scene

Much has gone on since I last wrote a blog, but today I saw some news which stirred me into action. The GFSC have announced a new initiative for MLROs and MLCOs to attend exit interviews with them – a great idea in my view and one I am sure will be a success.

The six month pilot initiative was announced by the Guernsey Financial Services Commission on the 8th January in respect of MLROs and MLCOs who leave a Fiduciary or Bank licensee this year. It is envisaged that “the regulators, by undertaking these interviews, will develop a deeper understanding of their MLRO/MLCO role(s), responsibilities and challenges faced.”

However, it is not absolutely clear from the press release as to whether the interviews are compulsory.  In my view that would be necessary as it ensures that the employee will not be under any form of pressure to decide whether to attend or not – it simply won’t be up to them or for that matter their employer.

Whilst the idea of this interview is said to be for learning purposes there are other factors at play here.  Employment contracts are often said to have ended by mutual agreement, however, this doesn’t mean that both parties are happy to part company. This may seem contradictory but actually “by mutual agreement” is a euphemism for several scenarios. This could be “please leave and we will pay you to go” or “that was unfair dismissal – see you in court [or rather tribunal]”.

These disputes can result in compromise agreements which establish the basis for the end of the employment contract and usually involve a financial incentive. These private agreements allow the employee to move on to another role without blemish and employers to replace them without besmirching their business. Because Guernsey is a small place and rumours abound, this can be useful to both sides but, like non-disclosure agreements, they can occasionally hide a deeper rift which could involve a professional or regulatory concern.

Or it may simply indicate something basic went wrong which any good employer would want to know in order to help in future to keep their staff.

This is why exit interviews, run by impartial individuals, can be very useful for all involved. For those firms which do these as a matter of course, the fact the GFSC are running such exit interviews will be of no concern. However, for those who don’t, perhaps now is the time to introduce their own exit interviews – they may be surprised by what they hear.

In my experience, the GFSC will probably benefit more than they envisaged – not because they get the anticipated discussion but because they get feedback they did not expect to receive. As well as giving insight to the GFSC, I expect the individual will be pleased at how helpful the interview is for them. The GFSC may even feel at some point that it is appropriate to publish anonymised versions of the discussions for the edification of us all. 

I for one hope not only that the pilot becomes a permanent exercise but that it is extended to other Prescribed Positions. In particular, it should apply to directors who are considered one of the two “four eyes”.

However, if the GFSC have made the interview compulsory, MLROs and MLCOs who attend can also take the opportunity to have that confidential chat they may never otherwise have felt able to have. So not just education for the regulators but food for thought for employers too?