LESSONS FROM THOSE NAMED AND SHAMED – PART 3
In Part 1, I noted the three reoccurring themes why the GFSC took enforcement action against these three firms. In Part 2, I discussed the first theme namely risk assessments. In this Part, I will consider the question of ongoing and effective monitoring and enhanced due diligence for high risk relationships.
I will start with enhanced due diligence the meaning of which is set out in Regulation 5. The Regulation contains a list setting out what steps you should take but is it really that simple in practice?
For example, the first two actions require senior management approval for establishing a business relationship or occasional transaction or continuing a PEP relationship. This seems straightforward, however, most businesses involve senior management in approving new relationships so what should they do to demonstrate a different method? It is important that whatever is chosen, perhaps involving more than one member of senior management or a director, provides for a greater scrutiny of the relationship.
If it is important, when taking the extra EDD steps, to have different treatment between high and medium risks then, when it comes to source of wealth (SOW) and source of funds (SOF), why has this recently been blurred? I am, of course, referring again to the recent MoneyVal report and also the GFSC endorsement of the good practice in establishing SOW and SOF for both such risk rated relationships. Perhaps, if a difference is needed, it will be in how the SOW and SOF is evidenced?
The last requirement in Regulation 5 is, I believe, the least understood. As part of CDD, it is only prudent to obtain all necessary identification data, to verify that data and to understand the nature and purpose of the business relationship. So what more can be done? Often this is not obvious but, to comply with the Regulation, it is essential to document what action is appropriate to that business relationship and, most importantly, take that action.
Ongoing and effective monitoring was the third theme and, if EDD applies, it must be undertaken more frequently and extensively. Monitoring includes the review of CDD, transactions or activity. However, no matter how often or to what extent this is undertaken, the relevance of the CDD or whether a transaction is complex or unusual must be understood. The only way to do that is to have given the business relationship the correct risk rating in the first place and kept the risk profile and assessment up to date.
In my view, the cautionary tale of the enforcement action is that it highlights the interdependence of all the policies, procedures and controls required by the Handbooks. It is so important that all are appropriate and they are implemented as how else can they be effective and the Board fulfil its duty?