The Suspicious Lawyer

tindalldawn-1-e1454075780950Having had rather a busy time of it recently, it is only this week I have had a good chance to read in detail the latest news from the GFSC.  What caught my eye was , not only the new website, but the latest addition to the Frequently Asked Questions issued on the 3rd October which is aimed at lawyers.
In the early 1990’s, I was asked to advise the partners of my law firm on the effect of the requirements brought in under the Money Laundering Regulations 1993 which came into force on 1 April 1994.  These regulations implemented what has become known as the first Money Laundering Directive or 91/308/EEC of 10 June 1991.  There was much confusion at the time as to what was required by way of identification of the firm’s clients. I remember well trying to explain that I did not need to see my client’s passport if I wanted to just prepare their Will.
In the end, because of that confusion, and my view that the requirements of AML/CFT would creep to most of our work, it became a question of whether to differentiate between clients depending on their instructions or have a consistent approach which would ensure all staff were aware of the Rules.  As we know, the number of businesses affected by the AML/CFT legislation generally did increase but, as it turned out, the type of legal work covered is still restricted to five main areas.
So for lawyers, notaries and other independent legal professionals in Guernsey, paragraph 5 of Schedule 2 of the Criminal Justice (Proceeds of Crime) (Bailiwick of Guernsey) Law, 1999 applies to their business when they prepare for or carry out transactions for a client in relation to the following activities:
  • the acquisition or disposal of an interest in or in respect of real property;
  • the management of client money, securities or other assets;
  • the management of bank, savings or securities accounts;
  • the organisation of contributions for the creation, operation, or management of companies; and
  • the creation, operation, management or administration of legal persons or arrangements, and the acquisition or disposal of business entities. (my emphasis)

Thank you to my colleague and fellow AML/CFT professional for pointing out that the FAQs miss out the activity of administration of legal persons or arrangements.  This may be an error as, when I first saw the FAQs, I noted that the date of the Regulations was also incorrect.  I am pleased to say that the date has been changed in the main body of the FAQs although it has not been amended in the link on the new website.

The FAQs go on to note that the activities, as described in paragraph 5(e) of Schedule 2, if undertaken within the Bailiwick, are regulated activities for the purposes of the Regulation of Fiduciaries, Administration Businesses and Company Directors, etc. ( Bailiwick of Guernsey) Law, 2000 and any legal professional carrying them out by way of business requires a licence to do so.

The activities in Section 2 Paragraph 5(e) are:
“the creation, operation, management or administration of legal persons or arrangements, and the acquisition or disposal of business entities,” (again my emphasis)
It is important to note that, when deciding whether any particular activity constitutes “preparing for or carrying out a transaction” and, therefore, subject to the obligations in the Regulations and Handbook, it must be determined on a case by case basis.
Whilst the information is helpful, the most important aspect of the legislation affecting lawyers was brought out in the last part of the FAQs – I have set this it out in full below:
“Are the reporting obligations under the Disclosure (Bailiwick of Guernsey) Law, 2007 and the Terrorism and Crime (Bailiwick of Guernsey) Law, 2002 applicable in relation to legal services that do not constitute preparing for or carrying out a transaction?
Yes.  The reporting obligations apply to knowledge, suspicion or reasonable grounds for suspicion that a person acquires in the course of any trade, profession or economic activity, irrespective of whether or not that trade, profession or economic activity is covered by the AML/CFT regulatory framework.”
As this was a little confusing – did it cover all relevant employees or just those that are involved in the listed activities? – I wrote the GFSC to obtain clarification and was assured, as I hoped I would be, that this included all relevant employees.
So lawyers must remember that they should train their staff accordingly, including those not preparing for or carrying out a transaction for a client in the five activities listed.

NRA – World Bank or IMF?

fatf-nraNational Risk Assessments have again been the topic of the week for me in the AML/CFT world with presentations and discussions galore.

One of the highlights was listening to Richard Walker at the GACO presentation discussing Guernsey’s NRA in more detail. Richard, who is the Director of Financial Crime and Regulatory Policy for the Policy & Resources Committee and an excellent speaker, was able to provide a very interesting update.  As some of you were not able to attend, I thought I would summarise the bits I found most illuminating.

Unlike the IMF and MoneyVal visits, the NRA is considered to be a different type of evaluation of a country’s AML/CFT risks and controls and it is up to the country to decide how best to complete the task.  Guernsey has chosen to ask the IMF to support the process unlike other jurisdictions who may have chosen to go it alone or use the World Bank.  Richard then proceeded to explain why it had been agreed that either the World Bank or the IMF’s involvement was necessary and then why the decision had been made to chose the IMF.

Whilst there is enough experience in the jurisdiction to decide upon the risks, it was felt that there would be disagreement on the methodology which should be used.  It was also felt that, as we will be under a great deal of external scrutiny to show the NRA was not open to bias, an independent evaluator would do the trick.  So, rather than spend too much time on the question of who does what, it was agreed that either the IMF or the World Bank would be asked to help.

The IMF was chosen despite the extra initial expense because it was felt the World Bank’s methodology was not suited to a jurisdiction like Guernsey but more suited to the bigger countries where corruption was the main concern. Whilst the World Bank model could and was adapting to be relevant to the type of business we have on Guernsey, the IMF’s methodology was already able to deal with trust and company services, cross border issues and e-gaming to name a few.

Richard went on to say that the World Bank’s methodology did not separate the three elements of risk – threat, vulnerability and consequence – so not clearly dealing with the impact.  The IMF methodology is considered much simpler and more structured and we are advised that it already has resulted in the need to spend less time on the work in Guernsey reducing its cost.

Having amassed a great deal of information from many sources such as annual returns, MLAs and STRs, the process moves from the on-island agencies to the completion of a survey by 65 firms.   Those being asked to participate are from a broad cross-section of business and international NPOs whose activity is funded in the Bailiwick.  The surveys are completed on an online platform used by the IMF and anonymous.  The pattern of the responses has been analysed and already the results have proved interesting.  Richard gave the example that the survey is saying that businesses think there is a threat from the UK, US and Russia yet up until now information had only indicated a high level of business from Russia but not an equivalent level of threat.  It is felt that, using the IMF, is showing that an independent evaluation methodology is proving its worth.

The survey is not an easy task – apparently some have said it is impossible to complete.  However, using  Francis Galton’s 1906 proposition of collective wisdom, Richard believed that, overall, the survey will be a useful measure of Guernsey’s AML/CFT risk.

So after the survey and the analysis will be further discussions and IMF workshops with authorities.  It is hoped that there will be two separate NRAs, one looking at the risks of money laundering and one at terrorist financing, and they will be issued in the autumn of 2017.   The reports will also include an annual statistical digest and will need to be reviewed every few years.

To be of value, it is essential that those risks identified in the NRAs filter down into the business and relationship risk assessments completed by firms.  Together with the new combined Handbook due out for consultation later in the year, it will result in a large body of work for you and your compliance teams.  That work can start now as the basis for the changes are already in the public domain.  As I have said, understanding the FATF Recommendations, reading the EU 4MLD and knowing your own business and customers thoroughly will be half, if not most, of the battle.

Risk Assessments – the Importance of Being Thorough

Hello – my name is Dawn Tindall and I am from Triangle Compliance Services and I provide advice and training on anti-money laundering.  Today I am talking about Risk Assessments and the importance of being thorough.

A Risk Assessment is a means of evaluating risks.  It can be an assessment of a single scenario or a set of possibilities.  It should be thorough and based on a fixed method.

Risk Assessments are the back bone of the compliance programme and take various forms.  In this presentation I discuss the types of assessment and also an addition to the armoury – the Compliance Risk Assessment.

There are three main ones for AML/CFT purposes: the National Risk Assessment (NRA), the Business Risk Assessment (BRA) and the Relationship Risk Assessment.  I believe each one builds upon the other.

In the first of FATF’s 2012 Recommendations, it states that “countries should identify, assess and understand the money laundering and terrorist financing risks for the country”.  Whilst the UK issued their NRA in October 2015, Guernsey proposes to issue their NRA this year, having received the IMF’s model and had industry input.

The idea of the NRA is that it informs the next level namely the BRA or business risk assessment.  Guernsey’s Regulations require businesses to “carry out and document a suitable and sufficient money laundering and terrorist financing business risk assessment which is specific to the … business”.  The GFSC issued a detailed answer to FAQs on its website in September 2014 advising that the BRA “should identify the potential financial crime risks to which the business could be exposed”.  They also reiterated that it is best practice to review the BRA whenever changes to the business or financial crime risks occur and at least on an annual basis.  Due to the multitude of changes in these areas, the BRA is, therefore, a living document needing almost constant review.

The third level of assessment is the relationship risk assessment which is also made up of three stages – the risk profile, the risk assessment and the risk rating.  The risk profile should set out the information regarding the specific relationship with the customer noting all financial crime risk indicators which include those that are compulsory, inherent, high or, if none, low.  The risk assessment is the method by which a business assesses the profile, considering all the risks identified including the accumulation of those risks.  If the high risk indicators are not compulsory ones, the business can decide not to assess the overall risk as high because of strong and compelling mitigating factors which should be identified and documented.

The third step is to give the relationship a risk rating and apply the appropriate level of CDD.

Under the Handbook the Board must take responsibility for the policy on reviewing compliance.  The Compliance Risk Assessment, or compliance monitoring programme, is a means of assessing the appropriateness and effectiveness of compliance.  With the FSB Handbook in its 10th year, a question also which needs to be asked is how mature is your compliance?

The term “maturity” refers to the degree to which an organisation’s processes have been formalised and integrated in the organisation’s operations.

The Director of Enforcement at the GFSC, Simon Gaudion, said in their 2015 Annual Report “One of the major topics for compliance professionals currently is regarding ‘compliance maturity’ which clearly needs to be set by the board and encompasses ethics, culture and corporate governance.”

A well thought through Compliance Risk Assessment should look at whether your compliance policies and procedures have embedded within your firm’s culture.  If it has it will spread the ownership of compliance and result in the increase in effectiveness. Which can only be a good thing.

Thank you for listening to this short presentation.  Please contact me if you wish to know about Risk Assessments or how Triangle Compliance Services can help your firm.

The Regulator’s Regulator?

tindalldawn-1-e1454075780950Next week, the States of Guernsey will be asked to note the annual report and accounts of the Guernsey Financial Services Commission for the year ended 31st December, 2015.  Under Rule 3(24) of the Rules of Procedure this means I will not be asked to agree or disagree with the contents of the Report as “to note” is construed as a neutral motion neither approving or disapproving.  So, having read the Report and wanting to make a few comments on its contents, I thought I’d put some thoughts down in my blog as the role of Regulator is such an important function for our industry.

What struck me initially was not their stated objectives; it was what was not  – the Commission does not seek to run a zero-failure regime. To quote the Director General, William Mason,

“Were we to set ourselves up to run a zero failure regime we would unduly constrain innovation, limit growth and seek to act in a risk averse fashion which would ultimately ensure little other than the impoverishment of the people of the Bailiwick as the financial services sector became a shadow of its former self.”

From an AML perspective, this means that, with the Commission using PRISM’s risk based approach to supervision, there will still be attempts by criminals to misuse the financial system.  Naturally, therefore, it is for businesses to follow the requirements of the legislation and the Handbooks to ensure those attempts fail.

It is good to hear that innovation is very much being encouraged by the GFSC and their open-door policy is often complimented especially when talking FinTech.  However, there is still the grumble in the AML world that there is insufficient consistency in the application of CDD requirements.  So, whilst there is a focus on providing data management to collate a customer’s identification information for KYC and CRS purposes, there is still a lack of clarity of how to get the documents which verify the customer’s identity such that they satisfy not only the different country regimes but the requirements of different institutions within each country.

Some companies seek to comply with the standard which satisfies the most respected country regimes which is a good starting point.  However, I found that, when submitting the documents, the approaches of institutions varied so much that the easiest way was to deal with each institution and get agreement on what they will accept.  Quite often they asked for more than their own country’s requirements resulting in me firmly pointing out that they were not complying with their own country’s legislation, that their policies were not based on that legislation and that they should vary their requirements to accept a consistent standard in line with FATF requirements.  I am pleased to say that this proved successful on all but one occasion and that failure was with a London branch of a Swiss bank with whom I had already had success.  The branch was not for seeing the light!

You might well say – and I would agree with you – that this was a time consuming method of getting a customer’s verification documents accepted.  However, the main theme with the client facing teams I dealt with was they wanted to ask their customers to provide only one set of documents and not to have to keep going back to the client for more information just because each different institution wanted something else.  So whilst you can collate in accordance with the main countries’ requirements, there will always be differences in interpretation until we have common standards for AML.

To compliment my approach, I always thought it best to advise our clients on the expense of certain relationships before willingly embarking on a painful account opening process.  Instead, client relationship managers should recommend going with those institutions which take a pragmatic approach with whom the firm has had a good relationship and saving their client’s money (and your time!).  I also believe a comprehensive checklist covering all the information and verification required which is fully complied with, checked for accuracy and, most importantly, not signed-off until it is complete in all respects should do the trick.

Some also say that the GFSC does not adhere to such common standards quoting other countries’ different rules as being more lenient.  My response is always that, in my experience, other countries apply the FATF common standards (almost) but do not enforce those standards to the same extent the GFSC does.  So results this misunderstanding. People believe the GFSC requires higher standards than others, higher than required by FATF but actually I believe it just has the right standards (well almost) but the difference is that they are fully enforced.  As such enforcement means we received a superb MoneyVal evaluation which brings in business, the argument that we should be more lax with those requirements is, in my mind, counter-productive.

The review of the Handbooks should iron out some of those annoying differences and should bring clarity to ambiguities that exist but leniency in respect of the requirements I do not agree with as, after all, getting it right is not that difficult if you are conversant with all the legislation and guidance and take advice as appropriate.

 

Link to the annual report and accounts of the Guernsey Financial Services Commission for the year ended 31st December, 2015 is   https://www.gov.gg/CHttpHandler.ashx?id=102816&p=0

The Importance of Being Trained

tindalldawn-1-e1454075780950After a very busy couple of months dealing with political issues – some good, some bad and some very sad – I turn my attention back to my interest in all things AML.  The 8th June saw the publication of the Commission’s report on its thematic review on training which they undertook in 2015.   Whilst I am pleased to note that the GFSC concluded firms broadly had good awareness, there were some interesting findings worth further consideration.

The basic aim of the Review was to look at the who, what, when and why of AML/CFT Training as required by the Regulations; the first question being who needs the training. This is usefully set out in the Glossary to the Report namely the definition of a relevant employee which is:

  • member of the Board
  • member of the management of a firm
  • employees whose duties relate to the regulated business of a firm; or
  • other employees who are exposed to the risk of money laundering and terrorist financing.

I have found that people often mistake this to exclude employees who don’t “get involved” in client business, those who are not client-facing.  However, many such employees should “receive training as they may be in positions whereby they see or review information which could lead to them forming a suspicion about activity within the business.”  My preference is to train all staff in some type of AML/CFT training to ensure they feel included, so they take an interest in the work of the firm and are prepared if they do spot something suspicious.

To me, the content of the training (or the “what”) is probably the most important of the four as there is little point teaching the wrong stuff.  The list of the what includes

  • the CDD requirements;
  • the requirements for the internal and external reporting of suspicion;
  • the criminal and regulatory sanctions in place for failing to report information in accordance with policies, procedures and controls; and
  • the principal vulnerabilities of the Firm’s products and services.

On the face of it, some generic training provided on-line, in-house or by external consultants can satisfy the requirements. However, the Commission point out that the content must be relevant both to the business of the firm and the wider environment in which the firm operates.  The staff must also be “cognisant of both the risks posed to the business and the controls established by the firm to counter the threat of financial crime.”

To be able to provide quality, targeted training, it must, therefore, be informed by the firm’s business risk assessment with the risks identified flowing through into the training.  The trainer should also be familiar with the policies and procedures used by the firm so they can train the staff on the means identified for preventing the risks.

When training should take place is another important aspect which seems to be misunderstood.  The Handbooks require regular training to take place at least biannually but, as the Report notes, some firms acknowledge the need to provide training when there are changes to the regulatory regime, new trends and typologies emerge specific to the business of the firm or new procedures are implemented by the firm.  As this happens often, regular training should really just be a refresher.

It is also quite clear that the Handbooks require the introductory AML/CFT training be “delivered prior to an employee becoming involved in the day-to-day operations of the firm”.

The Report states that

“In this regard, 65% of firms surveyed indicated that they provide induction training within a fortnight of an individual commencing employment, with 34% providing said training within the first week. Conversely, 14% of the firms sampled provide induction training within three months of an employee starting.”

In my experience, most employees are involved in the day-to-day operations of a firm fairly quickly, even if supervised, and certainly in some small way within the first week.    I, personally, like to set up a meeting between the employee and the MLRO and Compliance Officer on Day One to introduce them to each other, discuss the employee’s role, their understanding of AML/CFT and their previous training.  This will inform the remainder of the employee’s Induction programme and ensure that, in the unlikely event they do see something suspicious in those first few days, they know who to report to and feel able to do so.  I also ensure that the employee’s supervisor knows what training is required before their staff member begins their proper job.

So why do we have to provide training?  The Report starts by stating that one of the most important tools to fight financial crime is to have staff who are alert to the potential risks and identifiers of suspicious activity.

Staff can only be alert to these risks and identifiers if they know them, they know what to do when they see them and they know what happens if they don’t.

Therefore, in my mind, the responsibility of the Board to assess the training to ensure it is appropriate and effective is paramount.  However, in order to do so, the Board must have timely and complete information not only on what training has been given and to whom but also whether it is relevant in the light of its risks and its policies.

It is also worth noting that a member of the Board would find it difficult to make such an assessment without being fully versed in all aspects of the regulatory requirements and the external environment in which the firm is trading. In other words, they need to be a fit and proper person.

The training requirements set out in the Handbooks are, therefore, yet another example of how all the cogs in the regulatory machine need to be well-oiled in order to ensure a firm is fully compliant.  In my view, it also means that, if suitably oiled, the benefits can and will be reflected in a firm’s Balance Sheet.

 

Bordeaux – Minded To Do What?

Orange man pondering and question mark.

When I heard about the Bordeaux case I thought I would be writing the fourth installment of my series of articles about the reasons for enforcement action being taken by the Commission.  To my surprise, upon reading the judgment, I realise that my concern was with the quality of the decision making instead: a theme close to my heart.

For those of you who don’t know, on May 16th this year, the judgment of the Royal Court was handed down in respect of the appeal by the three directors of Bordeaux Services (Guernsey) Limited against their 5 year prohibition orders.  It also dealt with the amount of the fine leveled at Bordeaux itself by the Commission.

After the judgment was issued, the Commission, on the 6th June, published a summary setting out the basis for the enforcement action and the findings of the Royal Court and will be following this up with a seminar on the 20th June.  As the summary sets out perfectly the issues at the heart of the action, I have chosen instead to deal with why some of the original orders made were set aside on appeal.

In July 2015, the Senior Decision Maker, who was acting on behalf of the Commission, issued a written statement [or Decision] setting out the fines and prohibition orders imposed against Bordeaux and its directors together with the findings of fact in the case and the reasons for the enforcement action taken.  The job of the Deputy Bailiff on hearing the appeal was to decide, on the basis of the contents of the Decision, whether Bordeaux’s fine and the prohibition orders imposed against the directors were reasonable.  As the appeal was partly successful, it is clear something went wrong but what was at fault?

Before looking at the outcome, the Deputy Bailiff looked at the level of review the Decision deserved.  He explained that “the availability of discretionary financial penalties as one of the sanctions that can be imposed raises such cases to a level where the process is quasi-criminal” concluding that “the Decision can properly be subjected to a level of review that would not otherwise be appropriate for a more obviously “lay” administrative decision affecting another sector of activity.”

Then, after confirming that the Decision Maker was able to make prohibition orders even though there was no proof of some lack of integrity, the Deputy Bailiff considered the appeal against those orders made under the full suite of regulatory Laws.  Whilst he found that the reasons for such orders were adequately argued in respect of the POI Law and the Fiduciaries Law, the remaining three prohibition orders were set aside.  But why?  Because, quite simply, the Senior Decision Maker did not include reasons for making prohibition orders under the other three Laws.  Without reasons, the Deputy Bailiff had to set aside those prohibition orders because:-

“[a]lthough it would only have taken a paragraph or so to make the connection between the various findings of non-fulfilment under the POI Law and the Fiduciaries Law and findings that there have similarly been failings that could be leveled against each of the Bordeaux Directors under the other Laws, this has not been done.”

It is interesting to note that the original Decision issued to Bordeaux on the 28th July 2015 omitted to mention all the regulatory Laws, only referencing the POI Law and, when spotted the next day, an amended and final Decision was issued on the 31st July 2015.  However, despite the Decision now extending the prohibition orders so that they were made under all the regulatory Laws, as can be seen, the reasons in the Decision for making such orders were not.

The next error was in relation to the length of the prohibition orders imposed on all three directors.  The problem here was not that there were no reasons given in the final Decision but the lack of cohesion between the “Minded To Notice” and the final Decision issued in July.  A “Minded To Notice” is a draft decision setting out what the Decision Maker is, literally, minded to impose.  It is intended to give an opportunity to put forward objections against the proposed penalties and this is what happened.  However, whilst some of the objections were accepted, the problem arose because the arguments set out in the “Minded To Notice” did not flow through to the final Decision.

In the “Minded To Notice” the imposition of 15 years prohibition for the directors, Mr Radford and Mr Meader, and a 5 year prohibition for Mr Tostevin were mooted.  In the final Decision, the 15 year orders were reduced to 5 years but Mr Tostevin’s 5 year order remained the same.  The error was not considered to be in this reduction but because there was no arguments put forward as to why the length of Mr Tostevin’s prohibition order was not also proportionately reduced.  This change of heart was not explained and, therefore, the Deputy Bailiff felt there “was insufficient reasoning given for 5 years.”

Lastly, the £150,000 fine imposed on Bordeaux was reviewed and again there was a paucity of reasons given.  One aspect was the comparison of other judgments and the Deputy Bailiff states

“The fact that the Decision is silent as to how the GFSC took into consideration the penalties imposed by it in other cases (para. (f)) is troubling.  Where there is a statutory obligation on the GFSC to take this factor into consideration, it is clearly desirable for it to demonstrate that it has done so.”

So back it must go for reconsideration as to the amount of the fine to be imposed on Bordeaux as well as the review of the prohibition orders which weren’t upheld on appeal.  Not only does this mean there is more work for the Commission to do to impose the penalties it wanted, but also some of the costs of the appeal are to be met by the Commission because the Appellants were, to a certain extent, successful.

So, whilst some reassurance can be taken to know that, despite the poor record of decisions made, those who do fail the fit and proper test will not slip through the net, one must ask at what cost?

 

The Art of Training (and not just GFAS)

Award in Education and Trainingtindalldawn-1-e1454075780950I passed!!

For those of you who don’t know, I have passed the exam “Award in Education and Training” and very pleased I am too.  I took the Award because I felt it was a great way of confirming my abilities to provide training on Anti-Money Laundering (amongst other compliance subjects) but it proved to be more valuable than I thought.  As well as giving me an insight into the way people learn, it also taught me a lot about the roles and responsibilities of teachers – a very topical subject.

When I mean topical I do not mean the Education Debate which is currently raging in Guernsey.  As this post is on my business website, I am looking at the subject from the perspective of the Commission’s training requirements.

As I am sure you noticed, the Commission’s Guidance on Training and Competency paper (originally issued on 11th November 2014) was amended again on the 16th May 2016.  The paper observes that, since 1st January 2015, Investment licensees, Insurance Managers and Intermediaries have been required to have a training and competency scheme for each employee.  It is made absolutely clear that these Schemes are not just for their Financial Advisers and Authorised Insurance Representatives but all of their employees.  Interestingly though, having trawled through the Commission’s website, I have not been able to find the same requirements for Banking and Fiduciary licensees although I am sure you would be roundly endorsed if you treated all your employees in the same way.

Each Scheme should be an easy to use means of assessing and monitoring an employee’s ongoing competence in their respective roles and identify individual training needs.   More importantly the licensee, the employee and the Commission should be able to clearly understand its aims and outcomes and, as usual, the Board is responsible for the effectiveness of any Scheme and have sufficient management information for effective monitoring and supervision.

The requirement for supervision of employees brings its own issues of course.  As well as a Scheme for their own role in the business, the person appointed as supervisor must also have a Scheme for this second role which ensures they have all the necessary skills to act as a competent supervisor.   This, of course, means that the individual needs to be technically knowledgeable with the required experience in both the subject and in the art of supervision.   

But how does a licensee work out the criteria and procedures for assessing whether an individual is competent in their respective role?  How do you make an initial assessment of a new employee’s level of competence?  How do you supervise the performance of employees?  More importantly, how do you deal with an employee who does not achieve the level of competence identified as required for the job?  As well as being a big ask, it also begs the question who assesses the assessor?  Also, after putting a great deal of effort into these Schemes, don’t forget to review all the policies and procedures regularly and when roles and people change.  We all know that a role changes depending on who is filling it.

Luckily there is some help at hand (and not just me or your HR team) – the Guernsey Training Agency have produced Training Matrices which can be found on their Services page under Advisory Groups and Qualification Pathways.  It is worth noting that the matrices deal mainly with qualifications and specifically do not cover experience.  Although the matrices (other than Investment) include a need for new entrants to have compliance knowledge, I am a little surprised they do not indicate that employees need an increasing level of knowledge of AML as their career progresses.  The preamble states that the matrix does not include compliance updates and one-off courses in anti-money laundering, but I would have thought a qualification in AML would be recommended for other employees not just those in the Compliance Department?  But then again that may be because of the nature of the qualifications available.

As to AML, the Regulations and Handbooks are clear on the requirements for training and so this will be part of a well-documented Scheme.  However, to finish with a warning, I understand that the Commission’s PRISM visits have shown that one area of concern is the lack of adequate AML training.  I suspect this is not just a reference to the standard annual update or one-off courses in anti-money laundering but also adequate training on your in-house procedures.   If I may, I suggest you check that this training is part of your Schemes and then review its content, its relevance, its effectiveness  ……..

 

Compliance – the Trusted Partner

tindalldawn-1-e1454075780950

As we all know, the Compliance function is now one of the most important tools in a firm’s fight to minimise risk.   It has been a bit of a battle to get Boards to realise that the Compliance Department should be treated as a trusted partner but, if its objectives are successfully integrated into all processes, it can be a partner which helps do business.  This is not least because of the possible reputational damage that can arise if there is non-compliance but also because there are, for example, benefits of having a smooth, efficient and speedy CDD collection service as it can enhance customer relationships.

However, as there are more and more areas a Compliance Department should be looking at, what is the role of Compliance now?

Compliance is defined as “the conformity in fulfilling official requirements” but considering the vast array of official requirements this could be so many things.  When I started my career in law in the late 1980’s, we did not think of compliance as a distinct department but just a general responsibility.  We had to comply with all necessary legislation no matter what law we were advising on and that included compliance in respect of, amongst other things, confidentiality and data protection, insurance, health and safety and employment.  It wasn’t until April 1994 when it started to be a question of whether we needed to see a client’s passport or not and that’s when to me the Compliance Department became a reality.

More than 20 years later, the Compliance Department has evolved from just looking at the AML requirements to looking at the many new threats and concerns which need to be addressed daily.  To mention a few issues, we have the EU General Data Protection Regulations, the OECD Common Reporting Standard for the exchange of tax information, and all the changes that may come along after the 23rd June with a possible BREXIT.

The EU General Data Protection Regulations come into force in 2018 and bring in the new concepts of the right to be forgotten, data portability and data breach notification.  As to the CRS, so far 55 countries have committed for the first exchange of information by 2017 and, of course, this includes the Crown Dependencies; Guernsey’s regulations came into force on the 1st December 2015.  If the UK decides to leave the EU, then Protocol 3 will need to be renegotiated and this may not be on such favourable terms.

But should it be the Compliance Department that is responsible or should other departments be dealing with the issues?  I think that depends on the model in your firm and the resources you have but, whatever they be, clear lines should be drawn to ensure each person and each department knows their responsibilities so nothing falls between the cracks.

To me, the most pressing and important area which must not fall foul of blurry lines of responsibility is the EU General Data Protection Regulations.  Whilst 2018 seems a long time away, due to the extent of its coverage, work must begin now.  Firms need to review their operations, risks and controls to be ready not only to protect themselves from threats but to stand out from the crowd.  The role of Compliance as a trusted partner, in my mind, is to get together as many other Departments as possible to discuss your firm’s response.   That’s, of course, if it hasn’t happened already.

There are opportunities and work has already begun in earnest to put Guernsey in a great position.  As PWC said in its 2015 report – let’s establish the Island as a ‘Trusted Location’ for international data.  Why not?  By having the right components in place it will enable the finance industry and Guernsey to embrace these opportunities.  And if successful, we will all see the benefits.

 

The Politics of Compliance

tindalldawn-1-e1454075780950Sitting here, as proud as punch to be elected as a Deputy and member of Guernsey’s States of Deliberation, the mind starts thinking of the compliance aspects of our success at the polls.

My first thought is AML – of course!  High risk I may be but am I a PEP?  Does the automatic requirement for enhanced due diligence apply to me because I am a Deputy?

For those of you who don’t know PEP stands for politically exposed person. The definition, which is the same in both sets of Regulations that apply in Guernsey, starts by saying that a politically exposed person means “a person who has, or has had at any time, a prominent public function or who has been elected or appointed to such a function in a country or territory other than the Bailiwick …” (My emphasis)

So, having read that, I see that it’s not me then ?  ….. Oh yes it is! Because, as always, it is never as simple as it seems.

As I have been elected to a political position in the Bailiwick, I am considered a “domestic” PEP and the extra due diligence does not automatically apply here.   However, if I want to open a bank account, say, in the UK, I am a “non-domestic” PEP and so caught by their Money Laundering Regulations 2007.  Their Regulation 14(5)(a)(i) states that a PEP “is an individual who is or has, at any time in the preceding year, been entrusted with a prominent public function by ..  a state other than the United Kingdom”.

As we have many banks here that are branches of UK banks or, indeed, branches of other countries’ banks, their approach needs to be considered.  Their policies and procedures may require that the highest standard of AML which applies in the jurisdictions in which they operate is followed or they may not even differentiate between “domestic” and “non-domestic” PEP.   So whilst we are not caught by the legislation which applies to those branches, which is the Guernsey legislation, we are probably caught by the policies imposed on them by “head office”.

As Guernsey intends to update its legislation and the Handbooks to follow the FATF (Financial Action Task Force) Recommendations 2012, that distinction should no longer be as relevant and I will have PEP status both here and abroad … but not yet.

Whether or not we are automatically PEPs does not mean the story ends there.  As I have said, it is highly likely that, if we are not treated as PEPs, the business relationships or occasional transactions we undertake will be assessed as high risk anyway under the firm’s policy and procedures.

However, whilst the definition of PEP in legislation invariably includes the PEP’s immediate family and close associates as it does in Guernsey, what is interesting to note is that the FATF Recommendations do not call these people PEPs.  All that the Recommendations state is that “the requirements for all types of PEP should also apply to family members or close associates of such PEPs.” (My emphasis again).

So whatever you want to call us, come Tuesday, I expect businesses to be queuing up at the doors of new Deputies’ for those extra pieces of information or documentation to comply with the Handbooks.

If you have not checked (or had not even thought to check) your database to see if we (or our family members or close associates) are your clients, then may I politely suggest you contact me.  I can help you review your procedures to make sure you don’t miss anyone’s change of status which results in the need to undertake further enhanced due diligence.

The Finance Industry – Confidence in Money?

tindalldawn-1-e1454075780950

As you know, I have been out canvassing and talking to people about the future of Guernsey. During these chats I have been hit by one particular message – a lack of confidence.  This is not just in the finance sector but in most aspects of life.  Whilst this is disappointing, it is not that surprising and something clearly needs to be done.

An upturn in the world economy will, of course, increase confidence as perhaps will a new set of Deputies but what can be done about confidence in the finance industry?

James Madison, Jr., the fourth President of the United States and political theorist, once said “the circulation of confidence is better than the circulation of money” – however in our industry we need both.

Diversification is at the top of most people’s agenda – we’ve seen the introduction of an aircraft registry and image rights legislation.  Also, the Digital Greenhouse, in my view, is a beacon of light for innovation having hosted some fascinating discussions on how we can promote Guernsey.

William Mason, Director General of the Guernsey Financial Services Commission, in his speech to the Industry in November 2015, having analysed other financial centres, concluded “that we match the most competitive countries in a large number of areas and that we still possess many key success factors.”  I agree.

Having worked in the Fiduciary sector, I was also pleased to see KPMG’s Strategic Review of the Guernsey fiduciary industry which confirms that “[t]he fiduciary industry is a material contributor to the local economy and island.” However, as my interest is in the AML/CFT perspective, the report discusses the need to investigate centralising and streamlining the CDD and KYC processes for on-boarding of clients across Guernsey.  KPMG concluded that “any opportunity to make this easier from a client perspective would be welcomed.”  I think this is really important although, in my view, if we can get clients and certifiers to follow the certification instructions first time it would be a massive bonus.

The Report goes on to say “[m]eeting these challenges will require clear direction and monitoring”.  Direction can come from a variety of sources: the Board, the management, the customers and the politicians and our regulator.

If elected, I hope to be one of those politicians providing clear direction and monitoring to increase the circulation of both confidence and money.