Appendix I – the Solution to the High Risk Jurisdiction Quandary?

With the further amendment to Appendix I announced by the GFSC this week, I thought I would take a look at the introduction of this Appendix and see if it fulfils the aims articulated when first mooted and the level of assistance it provides to firms in identifying high risk countries.

The idea of the addition to the AML/CFT Handbook of an Appendix which sets out a list of jurisdictions assessed by various respected organisations as high risk was initially welcomed by compliance professionals as it presented a short cut to their identification. However, there are hidden issues with these Appendices* that practitioners need to be wary of: something that we discussed in some detail at the Handbook Review Group when first proposed by the GFSC.

I joined the Group when it was established in 2013 and left shortly before the first draft of the Handbook was issued (as I had just set up Triangle Compliance Services and consultants were not allowed to be part of the Group). During my membership, we had several debates on the continuing use of Appendix C and whether to introduce an equivalent of Jersey’s Appendix D2. Some of us were sceptical of the idea of the high risk list based on our collective experience of the complacent way some firms risk assessed business relationships with a key principal connected to an Appendix C country. I certainly felt those issues could be repeated in the use of any high risk list without suitable caveats in place.

In order to appreciate that concern, we need to look at the purpose of Appendix C. This Appendix provides a list of countries in which the GFSC considers financial services businesses have “in place standards to combat ML and FT consistent with the FATF Recommendations and where such businesses are appropriately supervised for compliance with those requirements.” This list, which has been around for many years, was considered of assistance to firms because it meant that they did not have to identify such countries themselves but could rely on this list. However, there was a catch.

Not only did it state in Appendix C that “it does not provide assurance that a particular overseas business is subject to that legislation, or that it has implemented the necessary measures to ensure compliance with that legislation”, Section 9.6 of the Handbook goes further. It says “The inclusion of a country or territory in Appendix C does not mean that the country or territory in question is intrinsically low risk, nor does it mean that any business relationship or occasional transaction in which the customer or beneficial owner has a connection to such a country is to be automatically treated as a low risk relationship.”

The completion in full of the relationship risk assessment is still required when Appendix C firms are involved in a business relationship.

The concerns over a list of such countries was that it presented the same risk of complacency: a risk some of us felt would be best avoided or at least mitigated. No doubt with that in mind, in June 2020, the GFSC amended the new AML/CFT Handbook and Appendix I was born.

The previous GFSC approach had been to issue Instructions and Business from Sensitive Sources Notices highlighting the thrice yearly FATF statements on the assessments of jurisdictions with weak measures to combat money laundering and terrorist financing. The new Appendix I was to replace such Notices and Instructions as well as provide the information collated by the GFSC on high risk countries.

As the titles suggest, Jersey’s Appendix D 1 and Guernsey’s Appendix H include high risk jurisdictions subject to a call for action by the FATF. However, Guernsey’s Appendix H reminds us of Paragraph 5(1)(c)(i) of Schedule 3 which confirms when a firm shall apply ECDD measures to a business relationship or occasional transaction. This is when the customer or beneficial owner has a relevant connection with a country or territory that –

“(A) provides funding or support for terrorist activities, or does not apply (or insufficiently applies) the FATF Recommendations, or
(B) is a country otherwise identified by the FATF as a country for which such measures are appropriate.”

As Appendix H only identifies those countries and territories in relation to which the FATF has listed as high risk, Appendix I is a useful reference point to identify other countries such as those which fund or support terrorism. However, it is only Jersey that includes Iran and North Korea in their Appendix D2 – an important oversight and worthy to note even if ECDD will apply to these two countries in any event.

As for Appendix I, this includes countries that a variety of groups have identified as presenting certain ML and/or FT risks. Both Crown Dependencies set out the results of assessments of countries by FATF, the OECD, Transparency International, the World Bank, the US government and a US think-tank: Fund for Peace/ Foreign Policy magazine. Interestingly, there are three sources included in Guernsey’s Appendix I which are not in Jersey’s Appendix D2 and vice versa. Not unexpectedly, given these differences, there are countries on the Guernsey list which are not on the Jersey list and vice versa which, in my view, shows that these assessments are still subjective and caution is needed.

Whilst Guernsey and Jersey’s Financial Services Commissions state clearly that they do not accept responsibility for the findings and conclusions of these sources, they differ in the explanation of their list’s purpose. Guernsey explains that it “does not automatically imply that a business relationship or occasional transaction with a relevant connection to a country or territory on Appendix I is high risk, as the firm can continue to take a risk-based decision on the level of overall risk within a business relationship”. Jersey states “Relevant persons are expected to exercise judgement in relation to how they interpret and use these sources and to reach their own conclusions on risk.” I prefer the language used by Jersey as it more directly reflects the need for caution over the content of the list – or more importantly its omissions.

And that goes to the heart of the concern – if a country is not on the list it does not mean it is not high risk.

So, whether it is a solution to the high risk jurisdiction quandary or simply a helpful tool, it does depend on the way the lists are treated. Ultimately though, the importance of assessing the country is not just about whether it appears on this list but also taking into account all the other factors that make up a business relationship.




*Appendix I – Countries and territories identified as presenting higher risks” and “Appendix H – FATF High Risk Jurisdictions Subject to a Call for Action”

Brexit Sanctions and the Effect of Exit Day

For more than 5 years now, Brexit has been a talking point for many.  As transition ends, it’s no longer words but actions that are needed to adjust the way we work and trade. However, as we live in a third country, this hasn’t affected AML compliance professionals a great deal – that is until we reached “exit day”.  

Ever since the Brexit referendum, the Bailiwick has prepared for the UK leaving the EU by enacting a plethora of legislation which came into force on “exit day”. In a circuitous route via The European Union (Brexit) (Bailiwick of Guernsey) Law, 2018 (“the Brexit Law”) and 2020 Regulations*, “exit day” was appointed as 11 pm on the 31st December 2020. One of the main changes on that day – certainly from a financial crime perspective – was that made to the Sanctions Regime.

As an international finance centre, the Bailiwick has long been committed to the effective implementation of sanctions including those imposed by the EU.  Prior to 2018, EU sanctions required implementation by Ordinance in the three independent legislatures of Guernsey, Alderney and Sark. However, in its report in 2014, MoneyVal noted that there was an unacceptable delay between the introduction of EU sanctions and the enactment of these Ordinances.  So when the Sanctions (Bailiwick of Guernsey), Law 2018 (“the 2018 Law”) was drafted, it enabled EU Sanctions to be brought in Bailiwick-wide by regulations implemented by Guernsey’s Policy & Resources Committee.

As far as the UK leaving the EU was concerned, the importance of remaining aligned with the UK was acknowledged and also incorporated into the 2018 Law.  This was done by including in the definition of a “sanctions measure” regulations made by an “appropriate” UK minister under the Sanctions and Anti-Money Laundering Act 2018.  By doing so, P&R can implement urgent legislation so that regulations made by a UK minister have full force and effect in the Bailiwick at the earliest possible opportunity.
 
And this is exactly what was implemented. By virtue of the Sanction (Implementation of UK Regimes) (Bailiwick of Guernsey) (Brexit) Regulations, 2020, signed off by the President of P&R on the last day of 2020, some 35 UK Regulations come into operation in the Bailiwick. Although having direct effect here, these UK Regs have been fairly extensively “Bailiwick of Guernsey-fied” in the process.  These amendments are only sensible given, for example, we should not apply UK offences, penalties or enforcement proceeding to our regime.

Similarly, the Bailiwick’s transitional provisions in respect of licences should apply rather than that of the UK and, as would be expected, existing licences transfer to the new regime for the rest of their duration retaining their existing conditions. At Schedule 4 of the 2020 Regs, there is also a helpful list of the 94 pieces of Bailiwick legislation under which previous licences were issued and the corresponding UK enactments under which the replacement licences are now deemed to be issued.  Necessarily, pending applications as at “exit day” will be dealt with under the new regime.
 
As a result, designations that have been and will be made under these UK Regs will need to be included in your firm’s screening programme. As most financial institutions rely on external providers for third-party screening and these should already include all UK designations, it would seem that there may be little to do.  However, as with most changes, it is important not only to amend the policies and procedures to refer to this new legislation, it is also important to remove references to the legislation which has been repealed (of which there were 8 Bailiwick-wide and 36 in Guernsey and 34 in each of Sark and Alderney) and to note amendments to the Terrorist Asset-Freezing (Bailiwick of Guernsey) Law, 2011.
 
Interestingly, before any Committee can make regulations such as these under the Brexit Law (as I have called it), it requires a certificate from HM Procureur confirming, amongst other things, that those regulations are necessary or expedient in both the consequence of the withdrawal of the United Kingdom from the EU and the public interest.  That necessity certainly cannot be denied.

Clearly, having a sanctions regime consistent with the UK and one that also ensures EU sanctions are complied with is essential to maintain our international standing. So whilst we have spent many months and years amending our policies and procedures to comply with the requirements of FATF and Europe’s MoneyVal, further amendments are again needed after exit day to cater for the UK’s Brexit.

 

The full details of the changes and the legislation can be found in the three Sanctions Notices on the home page of the GFSC’s website and the Sanctions pages on the website of the States of Guernsey. 

* The European Union (Exit Day and Designated Day) (Brexit) (Bailiwick of Guernsey) Regulations, 2020

 

 

 

 

 

 

 

 

 

Compliance Maturity – Squaring the Circle

In my last blog, I examined the failures of a financial services business where they were at their most basic. In this blog, I am looking at the opposite end of the scale and the maturity of compliance cultures in firms.

Compliance maturity has been around for a long time. In 2009 Thomson Reuters’ Compliance Weekly undertook a compliance maturity survey which included 10.9% from the finance industry. The view at that time was that “Chief compliance officers apparently still have lots of work ahead to turn their compliance efforts into strong, mature programs that can handle the broad range of risks”. In July 2015, members of Cork University in Ireland published in IJBEX* their “financial industry maturity model for anti-money laundering” to help firms be AML/CFT compliant albeit acknowledging their research was still at an early stage.

In Guernsey, the GFSC’s 2015 Annual Report, the Director of Enforcement, Simon Gaudion, made the following comment: “One of the major topics for compliance professionals currently is regarding ‘compliance maturity’ which clearly needs to be set by the board and encompasses ethics, culture and corporate governance. Cases identified this year once again bring into question many of these issues around those areas and we would ask firms to consider whether the right tone and culture is being set from the top of their organisation.”

So where are we in 2021?

It is widely accepted that to ensure staff behave ethically and comply with the law and good corporate governance principles, the board needs to lead by example by living and breathing that culture. A business with such a team approach is not only more likely to adhere to the required legislation, so avoiding any supervisory action, but also reduce costs and increase client satisfaction. 

But how do you know how compliance mature your firm is? One way is to undertake a Compliance Effectiveness Assessment which looks at how people, processes and technology help or hinder the firm in its aim.  

In an effective compliance programme, people are the most important component but also the weakest link. The board needs to be able to support staff by giving them the training they need to promote the right behaviour backed up by a fully resourced compliance function who have a seat at their table. The processes properly documented will support staff to comply with the requirements; success being shown by a good reaction time to new regulatory changes, collaboration between different teams and the right level of evidence of the controls in place. Use of up-to-date technology that is appropriate for the particular business squares the circle. 

Given that the update of the firm’s AML/CFT policies, procedures and controls were required to be approved by the Board by the 30th September 2020, this year would be a good time to identify a firm’s compliance maturity and consider if the right culture is being practised by the firm to ensure that those new policies and procedures are effective. Not only would such an assessment save money in the long run, but it would also comply with the requirements of the AML/CFT Handbook. 

Under Rule 2.18 it states that “the board must consider the appropriateness and effectiveness of its compliance arrangements and its policy for the review of compliance at a minimum annually, or whenever material changes to the business of the firm or the requirements of Schedule 3 or this Handbook occur. A review of compliance is not only applicable to AML/CFT but also to the rules relating to the particular licensee’s business such as the COB Rules and the new Fiduciary and Pension Rules and Guidance and the Code of Corporate Governance which applies to all licensed companies.

A Compliance Effectiveness Review not only identifies where the firm is on the journey to compliance maturity but also what may be hindering its progress. The review usually consists of desktop study, surveys and interviews covering various aspects of the firm and, depending on the completeness of the review, can take up to 12 weeks. Whilst this in-depth approach may be suitable for some firms, an overview can be completed in as little as a week to identify the main issues a firm may have to recommend any further investigation that would be beneficial. A third party’s objective consideration of the business’ objectives and risk assessments as well as interviewing the relevant staff can be surprisingly useful in identifying the priorities for review in any compliance monitoring programme.

By believing in the importance of compliance, the board can instill in the business a proactive approach that encourages the identification of opportunities that arise from new regulations – a win-win for all concerned. By knowing the level of the firm’s compliance maturity, the board can identify and prioritise the right doors to open to reap those benefits.

If you wish to have assistance in reviewing how compliance mature your firm is, then please feel free to contact me for a no obligation discussion. 

 

*  International Journal of Business Excellence (IJBEX), Vol. 8, No. 4, 2015

NRA – further delay

tindalldawn-1-e1454075780950I haven’t written a blog on this site for a while but feel compelled to do so with regard to the latest delay in the publication of Guernsey’s National Risk Assessment (NRA).

Firstly, I should say that I am not involved as a politician with the NRA although, as most of you know, I was deeply involved in the scrutiny of the legislation introducing the new AML/CFT regime.  One aspect of that was my suggestion that, as the NRA should be taken into account as part of a firm’s review of its business risk assessment (BRA) and, therefore, its procedures, the clock for the production of the BRA and procedures should not start ticking until after the NRA has been issued.

So we hear this week that the NRA has been delayed until the end of June 2019.  This is, of course, most disappointing and the reasons for this delay are yet unknown.  However, why have we had to hear about this through the grapevine?  Why has there not been a public notification of its delay?  Again, the decision was to notify industry bodies and they notify their members – yet why should those who are not members of such bodies have to hear it second hand?  Needless to say, I have made it clear that this should have been announced by the GFSC on their website or on gov.gg.

That said, I thought I would, therefore, let you know what I have heard.  So far, this means that the BRA needs to be approved by the Board by the end of October 2019 and procedures rolled out by the end of January 2020.  We are also advised that firms are strongly encouraged to update procedures which are not dependent on the NRA such as PEPs and the changes made to beneficial ownership.

Hope that helps!

 

 

The Suspicious Lawyer

tindalldawn-1-e1454075780950Having had rather a busy time of it recently, it is only this week I have had a good chance to read in detail the latest news from the GFSC.  What caught my eye was , not only the new website, but the latest addition to the Frequently Asked Questions issued on the 3rd October which is aimed at lawyers.
In the early 1990’s, I was asked to advise the partners of my law firm on the effect of the requirements brought in under the Money Laundering Regulations 1993 which came into force on 1 April 1994.  These regulations implemented what has become known as the first Money Laundering Directive or 91/308/EEC of 10 June 1991.  There was much confusion at the time as to what was required by way of identification of the firm’s clients. I remember well trying to explain that I did not need to see my client’s passport if I wanted to just prepare their Will.
In the end, because of that confusion, and my view that the requirements of AML/CFT would creep to most of our work, it became a question of whether to differentiate between clients depending on their instructions or have a consistent approach which would ensure all staff were aware of the Rules.  As we know, the number of businesses affected by the AML/CFT legislation generally did increase but, as it turned out, the type of legal work covered is still restricted to five main areas.
So for lawyers, notaries and other independent legal professionals in Guernsey, paragraph 5 of Schedule 2 of the Criminal Justice (Proceeds of Crime) (Bailiwick of Guernsey) Law, 1999 applies to their business when they prepare for or carry out transactions for a client in relation to the following activities:
  • the acquisition or disposal of an interest in or in respect of real property;
  • the management of client money, securities or other assets;
  • the management of bank, savings or securities accounts;
  • the organisation of contributions for the creation, operation, or management of companies; and
  • the creation, operation, management or administration of legal persons or arrangements, and the acquisition or disposal of business entities. (my emphasis)

Thank you to my colleague and fellow AML/CFT professional for pointing out that the FAQs miss out the activity of administration of legal persons or arrangements.  This may be an error as, when I first saw the FAQs, I noted that the date of the Regulations was also incorrect.  I am pleased to say that the date has been changed in the main body of the FAQs although it has not been amended in the link on the new website.

The FAQs go on to note that the activities, as described in paragraph 5(e) of Schedule 2, if undertaken within the Bailiwick, are regulated activities for the purposes of the Regulation of Fiduciaries, Administration Businesses and Company Directors, etc. ( Bailiwick of Guernsey) Law, 2000 and any legal professional carrying them out by way of business requires a licence to do so.

The activities in Section 2 Paragraph 5(e) are:
“the creation, operation, management or administration of legal persons or arrangements, and the acquisition or disposal of business entities,” (again my emphasis)
It is important to note that, when deciding whether any particular activity constitutes “preparing for or carrying out a transaction” and, therefore, subject to the obligations in the Regulations and Handbook, it must be determined on a case by case basis.
Whilst the information is helpful, the most important aspect of the legislation affecting lawyers was brought out in the last part of the FAQs – I have set this it out in full below:
“Are the reporting obligations under the Disclosure (Bailiwick of Guernsey) Law, 2007 and the Terrorism and Crime (Bailiwick of Guernsey) Law, 2002 applicable in relation to legal services that do not constitute preparing for or carrying out a transaction?
Yes.  The reporting obligations apply to knowledge, suspicion or reasonable grounds for suspicion that a person acquires in the course of any trade, profession or economic activity, irrespective of whether or not that trade, profession or economic activity is covered by the AML/CFT regulatory framework.”
As this was a little confusing – did it cover all relevant employees or just those that are involved in the listed activities? – I wrote the GFSC to obtain clarification and was assured, as I hoped I would be, that this included all relevant employees.
So lawyers must remember that they should train their staff accordingly, including those not preparing for or carrying out a transaction for a client in the five activities listed.

Risk Assessments – the Importance of Being Thorough

Hello – my name is Dawn Tindall and I am from Triangle Compliance Services and I provide advice and training on anti-money laundering.  Today I am talking about Risk Assessments and the importance of being thorough.

A Risk Assessment is a means of evaluating risks.  It can be an assessment of a single scenario or a set of possibilities.  It should be thorough and based on a fixed method.

Risk Assessments are the back bone of the compliance programme and take various forms.  In this presentation I discuss the types of assessment and also an addition to the armoury – the Compliance Risk Assessment.

There are three main ones for AML/CFT purposes: the National Risk Assessment (NRA), the Business Risk Assessment (BRA) and the Relationship Risk Assessment.  I believe each one builds upon the other.

In the first of FATF’s 2012 Recommendations, it states that “countries should identify, assess and understand the money laundering and terrorist financing risks for the country”.  Whilst the UK issued their NRA in October 2015, Guernsey proposes to issue their NRA this year, having received the IMF’s model and had industry input.

The idea of the NRA is that it informs the next level namely the BRA or business risk assessment.  Guernsey’s Regulations require businesses to “carry out and document a suitable and sufficient money laundering and terrorist financing business risk assessment which is specific to the … business”.  The GFSC issued a detailed answer to FAQs on its website in September 2014 advising that the BRA “should identify the potential financial crime risks to which the business could be exposed”.  They also reiterated that it is best practice to review the BRA whenever changes to the business or financial crime risks occur and at least on an annual basis.  Due to the multitude of changes in these areas, the BRA is, therefore, a living document needing almost constant review.

The third level of assessment is the relationship risk assessment which is also made up of three stages – the risk profile, the risk assessment and the risk rating.  The risk profile should set out the information regarding the specific relationship with the customer noting all financial crime risk indicators which include those that are compulsory, inherent, high or, if none, low.  The risk assessment is the method by which a business assesses the profile, considering all the risks identified including the accumulation of those risks.  If the high risk indicators are not compulsory ones, the business can decide not to assess the overall risk as high because of strong and compelling mitigating factors which should be identified and documented.

The third step is to give the relationship a risk rating and apply the appropriate level of CDD.

Under the Handbook the Board must take responsibility for the policy on reviewing compliance.  The Compliance Risk Assessment, or compliance monitoring programme, is a means of assessing the appropriateness and effectiveness of compliance.  With the FSB Handbook in its 10th year, a question also which needs to be asked is how mature is your compliance?

The term “maturity” refers to the degree to which an organisation’s processes have been formalised and integrated in the organisation’s operations.

The Director of Enforcement at the GFSC, Simon Gaudion, said in their 2015 Annual Report “One of the major topics for compliance professionals currently is regarding ‘compliance maturity’ which clearly needs to be set by the board and encompasses ethics, culture and corporate governance.”

A well thought through Compliance Risk Assessment should look at whether your compliance policies and procedures have embedded within your firm’s culture.  If it has it will spread the ownership of compliance and result in the increase in effectiveness. Which can only be a good thing.

Thank you for listening to this short presentation.  Please contact me if you wish to know about Risk Assessments or how Triangle Compliance Services can help your firm.

The Art of Training (and not just GFAS)

Award in Education and Trainingtindalldawn-1-e1454075780950I passed!!

For those of you who don’t know, I have passed the exam “Award in Education and Training” and very pleased I am too.  I took the Award because I felt it was a great way of confirming my abilities to provide training on Anti-Money Laundering (amongst other compliance subjects) but it proved to be more valuable than I thought.  As well as giving me an insight into the way people learn, it also taught me a lot about the roles and responsibilities of teachers – a very topical subject.

When I mean topical I do not mean the Education Debate which is currently raging in Guernsey.  As this post is on my business website, I am looking at the subject from the perspective of the Commission’s training requirements.

As I am sure you noticed, the Commission’s Guidance on Training and Competency paper (originally issued on 11th November 2014) was amended again on the 16th May 2016.  The paper observes that, since 1st January 2015, Investment licensees, Insurance Managers and Intermediaries have been required to have a training and competency scheme for each employee.  It is made absolutely clear that these Schemes are not just for their Financial Advisers and Authorised Insurance Representatives but all of their employees.  Interestingly though, having trawled through the Commission’s website, I have not been able to find the same requirements for Banking and Fiduciary licensees although I am sure you would be roundly endorsed if you treated all your employees in the same way.

Each Scheme should be an easy to use means of assessing and monitoring an employee’s ongoing competence in their respective roles and identify individual training needs.   More importantly the licensee, the employee and the Commission should be able to clearly understand its aims and outcomes and, as usual, the Board is responsible for the effectiveness of any Scheme and have sufficient management information for effective monitoring and supervision.

The requirement for supervision of employees brings its own issues of course.  As well as a Scheme for their own role in the business, the person appointed as supervisor must also have a Scheme for this second role which ensures they have all the necessary skills to act as a competent supervisor.   This, of course, means that the individual needs to be technically knowledgeable with the required experience in both the subject and in the art of supervision.   

But how does a licensee work out the criteria and procedures for assessing whether an individual is competent in their respective role?  How do you make an initial assessment of a new employee’s level of competence?  How do you supervise the performance of employees?  More importantly, how do you deal with an employee who does not achieve the level of competence identified as required for the job?  As well as being a big ask, it also begs the question who assesses the assessor?  Also, after putting a great deal of effort into these Schemes, don’t forget to review all the policies and procedures regularly and when roles and people change.  We all know that a role changes depending on who is filling it.

Luckily there is some help at hand (and not just me or your HR team) – the Guernsey Training Agency have produced Training Matrices which can be found on their Services page under Advisory Groups and Qualification Pathways.  It is worth noting that the matrices deal mainly with qualifications and specifically do not cover experience.  Although the matrices (other than Investment) include a need for new entrants to have compliance knowledge, I am a little surprised they do not indicate that employees need an increasing level of knowledge of AML as their career progresses.  The preamble states that the matrix does not include compliance updates and one-off courses in anti-money laundering, but I would have thought a qualification in AML would be recommended for other employees not just those in the Compliance Department?  But then again that may be because of the nature of the qualifications available.

As to AML, the Regulations and Handbooks are clear on the requirements for training and so this will be part of a well-documented Scheme.  However, to finish with a warning, I understand that the Commission’s PRISM visits have shown that one area of concern is the lack of adequate AML training.  I suspect this is not just a reference to the standard annual update or one-off courses in anti-money laundering but also adequate training on your in-house procedures.   If I may, I suggest you check that this training is part of your Schemes and then review its content, its relevance, its effectiveness  ……..