Appendix I – the Solution to the High Risk Jurisdiction Quandary?

With the further amendment to Appendix I announced by the GFSC this week, I thought I would take a look at the introduction of this Appendix and see if it fulfils the aims articulated when first mooted and the level of assistance it provides to firms in identifying high risk countries.

The idea of the addition to the AML/CFT Handbook of an Appendix which sets out a list of jurisdictions assessed by various respected organisations as high risk was initially welcomed by compliance professionals as it presented a short cut to their identification. However, there are hidden issues with these Appendices* that practitioners need to be wary of: something that we discussed in some detail at the Handbook Review Group when first proposed by the GFSC.

I joined the Group when it was established in 2013 and left shortly before the first draft of the Handbook was issued (as I had just set up Triangle Compliance Services and consultants were not allowed to be part of the Group). During my membership, we had several debates on the continuing use of Appendix C and whether to introduce an equivalent of Jersey’s Appendix D2. Some of us were sceptical of the idea of the high risk list based on our collective experience of the complacent way some firms risk assessed business relationships with a key principal connected to an Appendix C country. I certainly felt those issues could be repeated in the use of any high risk list without suitable caveats in place.

In order to appreciate that concern, we need to look at the purpose of Appendix C. This Appendix provides a list of countries in which the GFSC considers financial services businesses have “in place standards to combat ML and FT consistent with the FATF Recommendations and where such businesses are appropriately supervised for compliance with those requirements.” This list, which has been around for many years, was considered of assistance to firms because it meant that they did not have to identify such countries themselves but could rely on this list. However, there was a catch.

Not only did it state in Appendix C that “it does not provide assurance that a particular overseas business is subject to that legislation, or that it has implemented the necessary measures to ensure compliance with that legislation”, Section 9.6 of the Handbook goes further. It says “The inclusion of a country or territory in Appendix C does not mean that the country or territory in question is intrinsically low risk, nor does it mean that any business relationship or occasional transaction in which the customer or beneficial owner has a connection to such a country is to be automatically treated as a low risk relationship.”

The completion in full of the relationship risk assessment is still required when Appendix C firms are involved in a business relationship.

The concern over a list of such countries was that it presented the same risk of complacency: a risk some of us felt would be best avoided or at least mitigated. No doubt with that in mind, in June 2020, the GFSC amended the new AML/CFT Handbook and Appendix I was born.

The previous GFSC approach had been to issue Instructions and Business from Sensitive Sources Notices highlighting the thrice yearly FATF statements on the assessments of jurisdictions with weak measures to combat money laundering and terrorist financing. The new Appendix I was to replace such Notices and Instructions as well as provide the information collated by the GFSC on high risk countries.

As the titles suggest, Jersey’s Appendix D1 and Guernsey’s Appendix H include high risk jurisdictions subject to a call for action by the FATF. However, Guernsey’s Appendix H reminds us of Paragraph 5(1)(c)(i) of Schedule 3 which confirms when a firm shall apply ECDD measures to a business relationship or occasional transaction. This is when the customer or beneficial owner has a relevant connection with a country or territory that –

“(A) provides funding or support for terrorist activities, or does not apply (or insufficiently applies) the FATF Recommendations, or
(B) is a country otherwise identified by the FATF as a country for which such measures are appropriate.”

As Appendix H only identifies those countries and territories which the FATF has listed as high risk, Appendix I is a useful reference point to identify other countries such as those which fund or support terrorism. However, it is only Jersey that includes Iran and North Korea in their Appendix D2 – an important oversight and worthy of note even if ECDD will apply to these two countries in any event.

As for Appendix I, this includes countries that a variety of groups have identified as presenting certain ML and/or FT risks. Both Crown Dependencies set out the results of assessments of countries by FATF, the OECD, Transparency International, the World Bank, the US government and a US think-tank: Fund for Peace/Foreign Policy magazine. Interestingly, there are three sources included in Guernsey’s Appendix I which are not in Jersey’s Appendix D2 and vice versa. Not unexpectedly, given these differences, there are countries on the Guernsey list which are not on the Jersey list and vice versa which, in my view, shows that these assessments are still subjective and caution is needed.

Whilst Guernsey and Jersey’s Financial Services Commissions state clearly that they do not accept responsibility for the findings and conclusions of these sources, they differ in the explanation of their list’s purpose. Guernsey explains that it “does not automatically imply that a business relationship or occasional transaction with a relevant connection to a country or territory on Appendix I is high risk, as the firm can continue to take a risk-based decision on the level of overall risk within a business relationship”. Jersey states “Relevant persons are expected to exercise judgement in relation to how they interpret and use these sources and to reach their own conclusions on risk.” I prefer the language used by Jersey as it more directly reflects the need for caution over the content of the list – or more importantly its omissions.

And that goes to the heart of the concern – if a country is not on the list it does not mean it is not high risk.

So, whether it is a solution to the high risk jurisdiction quandary or simply a helpful tool, it does depend on the way the lists are treated. Ultimately though, the importance of assessing the country is not just about whether it appears on this list but also taking into account all the other factors that make up a business relationship.




* “Appendix I – Countries and territories identified as presenting higher risks” and “Appendix H – FATF High Risk Jurisdictions Subject to a Call for Action”

Brexit Sanctions and the Effect of Exit Day

For more than 5 years now, Brexit has been a talking point for many.  As transition ends, it’s no longer words but actions that are needed to adjust the way we work and trade. However, as we live in a third country, this hasn’t affected AML compliance professionals a great deal – that is until we reached “exit day”.  

Ever since the Brexit referendum, the Bailiwick has prepared for the UK leaving the EU by enacting a plethora of legislation which came into force on “exit day”. In a circuitous route via The European Union (Brexit) (Bailiwick of Guernsey) Law, 2018 (“the Brexit Law”) and 2020 Regulations*, “exit day” was appointed as 11 pm on the 31st December 2020. One of the main changes on that day – certainly from a financial crime perspective – was that made to the Sanctions Regime.

As an international finance centre, the Bailiwick has long been committed to the effective implementation of sanctions including those imposed by the EU. Prior to 2018, EU sanctions required implementation by Ordinance in the three independent legislatures of Guernsey, Alderney and Sark. However, in its report in 2014, MoneyVal noted that there was an unacceptable delay between the introduction of EU sanctions and the enactment of these Ordinances. So when the Sanctions (Bailiwick of Guernsey) Law, 2018 (“the 2018 Law”) was drafted, it enabled EU Sanctions to be brought in Bailiwick-wide by regulations implemented by Guernsey’s Policy & Resources Committee.

As far as the UK leaving the EU was concerned, the importance of remaining aligned with the UK was acknowledged and also incorporated into the 2018 Law.  This was done by including in the definition of a “sanctions measure” regulations made by an “appropriate” UK minister under the Sanctions and Anti-Money Laundering Act 2018.  By doing so, P&R can implement urgent legislation so that regulations made by a UK minister have full force and effect in the Bailiwick at the earliest possible opportunity.
 
And this is exactly what was implemented. By virtue of the Sanctions (Implementation of UK Regimes) (Bailiwick of Guernsey) (Brexit) Regulations, 2020, signed off by the President of P&R on the last day of 2020, some 35 UK Regulations came into operation in the Bailiwick. Although having direct effect here, these UK Regs have been fairly extensively “Bailiwick of Guernsey-fied” in the process. These amendments are only sensible given, for example, we should not apply UK offences, penalties or enforcement proceedings to our regime.

Similarly, the Bailiwick’s transitional provisions in respect of licences should apply rather than that of the UK and, as would be expected, existing licences transfer to the new regime for the rest of their duration retaining their existing conditions. At Schedule 4 of the 2020 Regs, there is also a helpful list of the 94 pieces of Bailiwick legislation under which previous licences were issued and the corresponding UK enactments under which the replacement licences are now deemed to be issued.  Necessarily, pending applications as at “exit day” will be dealt with under the new regime.
 
As a result, designations that have been and will be made under these UK Regs will need to be included in your firm’s screening programme. As most financial institutions rely on external providers for third-party screening and these should already include all UK designations, it would seem that there may be little to do. However, as with most changes, it is important not only to amend the policies and procedures to refer to this new legislation but also to remove references to the legislation which has been repealed (of which there were 8 Bailiwick-wide and 36 in Guernsey and 34 in each of Sark and Alderney) and to note amendments to the Terrorist Asset-Freezing (Bailiwick of Guernsey) Law, 2011.
 
Interestingly, before any Committee can make regulations such as these under the Brexit Law (as I have called it), it requires a certificate from HM Procureur confirming, amongst other things, that those regulations are necessary or expedient in both the consequence of the withdrawal of the United Kingdom from the EU and the public interest.  That necessity certainly cannot be denied.

Clearly, having a sanctions regime consistent with the UK and one that also ensures EU sanctions are complied with is essential to maintain our international standing. So whilst we have spent many months and years amending our policies and procedures to comply with the requirements of FATF and Europe’s MoneyVal, further amendments are again needed after exit day to cater for the UK’s Brexit.

 

The full details of the changes and the legislation can be found in the three Sanctions Notices on the home page of the GFSC’s website and the Sanctions pages on the website of the States of Guernsey. 

* The European Union (Exit Day and Designated Day) (Brexit) (Bailiwick of Guernsey) Regulations, 2020

Compliance Maturity – Squaring the Circle

In my last blog, I examined the failures of a financial services business where they were at their most basic. In this blog, I am looking at the opposite end of the scale and the maturity of compliance cultures in firms.

Compliance maturity has been around for a long time. In 2009 Thomson Reuters’ Compliance Weekly undertook a compliance maturity survey which included 10.9% from the finance industry. The view at that time was that “Chief compliance officers apparently still have lots of work ahead to turn their compliance efforts into strong, mature programs that can handle the broad range of risks”. In July 2015, members of Cork University in Ireland published in IJBEX* their “financial industry maturity model for anti-money laundering” to help firms be AML/CFT compliant albeit acknowledging their research was still at an early stage.

In Guernsey, in the GFSC’s 2015 Annual Report, the Director of Enforcement, Simon Gaudion, made the following comment: “One of the major topics for compliance professionals currently is regarding ‘compliance maturity’ which clearly needs to be set by the board and encompasses ethics, culture and corporate governance. Cases identified this year once again bring into question many of these issues around those areas and we would ask firms to consider whether the right tone and culture is being set from the top of their organisation.”

So where are we in 2021?

It is widely accepted that to ensure staff behave ethically and comply with the law and good corporate governance principles, the board needs to lead by example by living and breathing that culture. A business with such a team approach is not only more likely to adhere to the required legislation, so avoiding any supervisory action, but also to reduce costs and increase client satisfaction.

But how do you know how compliance mature your firm is? One way is to undertake a Compliance Effectiveness Assessment which looks at how people, processes and technology help or hinder the firm in its aim.  

In an effective compliance programme, people are the most important component but also the weakest link. The board needs to be able to support staff by giving them the training they need to promote the right behaviour backed up by a fully resourced compliance function who have a seat at their table. The processes properly documented will support staff to comply with the requirements; success being shown by a good reaction time to new regulatory changes, collaboration between different teams and the right level of evidence of the controls in place. Use of up-to-date technology that is appropriate for the particular business squares the circle. 

Given that the update of the firm’s AML/CFT policies, procedures and controls was required to be approved by the Board by the 30th September 2020, this year would be a good time to identify a firm’s compliance maturity and consider if the right culture is being practised by the firm to ensure that those new policies and procedures are effective. Not only would such an assessment save money in the long run, but it would also comply with the requirements of the AML/CFT Handbook.

Rule 2.18 states that “the board must consider the appropriateness and effectiveness of its compliance arrangements and its policy for the review of compliance at a minimum annually, or whenever material changes to the business of the firm or the requirements of Schedule 3 or this Handbook occur.” A review of compliance is not only applicable to AML/CFT but also to the rules relating to the particular licensee’s business such as the COB Rules and the new Fiduciary and Pension Rules and Guidance and the Code of Corporate Governance which applies to all licensed companies.

A Compliance Effectiveness Review not only identifies where the firm is on the journey to compliance maturity but also what may be hindering its progress. The review usually consists of desktop study, surveys and interviews covering various aspects of the firm and, depending on the completeness of the review, can take up to 12 weeks. Whilst this in-depth approach may be suitable for some firms, an overview can be completed in as little as a week to identify the main issues a firm may have and to recommend any further investigation that would be beneficial. A third party’s objective consideration of the business’ objectives and risk assessments as well as interviewing the relevant staff can be surprisingly useful in identifying the priorities for review in any compliance monitoring programme.

By believing in the importance of compliance, the board can instill in the business a proactive approach that encourages the identification of opportunities that arise from new regulations – a win-win for all concerned. By knowing the level of the firm’s compliance maturity, the board can identify and prioritise the right doors to open to reap those benefits.

If you wish to have assistance in reviewing how compliance mature your firm is, then please feel free to contact me for a no obligation discussion. 

 

*  International Journal of Business Excellence (IJBEX), Vol. 8, No. 4, 2015

Safehaven – a Question of Red and Blue

With the end of 2020 when we look forward to a better 2021, the GFSC released another stark reminder of the consequences of not adhering to the AML/CFT requirements. Usually I shake my head when reading such a public statement but this time, quite frankly, my jaw dropped.

On the whole, the findings of such statements over the years generally remind us of the importance of taking note of the observations made after a GFSC site visit – and make sure that the concerns raised are rectified before the next such visit. But in the saga of Safehaven and its directors and MLRO, the failures were so severe when first identified that I am not surprised the firm was not given a second chance.

Safehaven International was a typical small business set up in the 1980s having one shareholder who was also the managing director. In 2002, it obtained a full fiduciary licence, its primary business being administering companies owning aircraft and yachts for ultra-high net worths. In every sense of the words, these were high risk relationships. Failure to follow a firm’s own manual in this business is one thing, not adhering to the law is another but when it involves such risky clients, the outcome seriously endangers Guernsey’s reputation.

Yet, whilst the catalogue of failures includes the familiar three: lack of source of wealth and funds information, poor quality client risk assessments and missing ECDD, this report lists even more egregious errors than that. There was poor transaction monitoring, the failure to comply with the 2009 Instruction 6 requiring the remedy of CDD deficiencies by 31st March 2010 and even the suspicious activity procedures were inadequate.

A particular example which highlights the lack of oversight is not identifying one client as a PEP for more than 10 years despite four separate risk reviews noting material information on the client’s status. Another involved basic company administration failures as well as a lack of AML checks as the proceeds from the charters of the administered company’s yacht and its sale at an undervalue were paid into the client’s personal bank account. In 2018 these errors came home to roost not just for the firm but this Island – the client was convicted of fraud and Guernsey named as a location for their bank accounts.

Whilst the outcome of this enforcement action can be traced back to an October 2016 GFSC site visit, it is interesting to note that a 2017 employment tribunal involving Safehaven concluded that “The [AML] training received was limited, generic and relatively infrequent.” It may even be no coincidence that the event which sparked the successful unfair dismissal claim regarding an unfounded accusation of bribery occurred late in September 2016 as preparations for a site visit always clarify the mind on what the AML Framework requires.

Quality training for employees as we all know is important but this public statement illustrates much more than that. It shows that there are still board members in Guernsey who expect their staff to know what is expected under the AML legislation yet they themselves do not know what it means to be a fit and proper person and what is required to comply with the AML Framework. Indeed, in this case, it appears they didn’t know the very basics required to run a high risk financial services business.

It is interesting that the directors – including non-executive directors – are again held to higher account than the MLRO by virtue of the penalties imposed: penalties which no doubt would have been higher if under the current penalty system and if the individuals involved had not co-operated with the GFSC. The directors are, of course, ultimately responsible but it does beg the question at what point should an MLRO or indeed any member of staff notify the GFSC of a serious concern. Whilst there is guidance in the Handbook on when the board is required to notify the GFSC under Rule 2.49, having been at a recent GACO discussion on this topic, it is clear that it would be useful to have more detail on the MLRO and now also the MLCO’s responsibilities in this regard.

That said, it is clear that, in this case, not only was the archetypal dominant individual present but his fellow directors appear to have been in the dark about the overworked and inexperienced MLRO. Blame does lie with the MLRO to some extent but more especially with each member of the Board, one of whom was an ex-MLRO. They did not take their responsibilities seriously or indeed heed the warnings of external compliance advisors during the 2014 remediation project.

Some may say that, even though there was a failure rate of 70%, this was by virtue of a review of only 13 files of which 9 were deficient. But how can the level of files reviewed be criticised when the severity of the failures found included the likelihood that Safehaven International may have been used for transactions involving the proceeds of crime? This would appear to be a staggering example of how a culture of compliance was totally lacking within a board when all the signs were there – not just the red flags but the blue lights too.