The Suspicious Lawyer

tindalldawn-1-e1454075780950Having had rather a busy time of it recently, it is only this week I have had a good chance to read in detail the latest news from the GFSC.  What caught my eye was , not only the new website, but the latest addition to the Frequently Asked Questions issued on the 3rd October which is aimed at lawyers.
In the early 1990’s, I was asked to advise the partners of my law firm on the effect of the requirements brought in under the Money Laundering Regulations 1993 which came into force on 1 April 1994.  These regulations implemented what has become known as the first Money Laundering Directive or 91/308/EEC of 10 June 1991.  There was much confusion at the time as to what was required by way of identification of the firm’s clients. I remember well trying to explain that I did not need to see my client’s passport if I wanted to just prepare their Will.
In the end, because of that confusion, and my view that the requirements of AML/CFT would creep to most of our work, it became a question of whether to differentiate between clients depending on their instructions or have a consistent approach which would ensure all staff were aware of the Rules.  As we know, the number of businesses affected by the AML/CFT legislation generally did increase but, as it turned out, the type of legal work covered is still restricted to five main areas.
So for lawyers, notaries and other independent legal professionals in Guernsey, paragraph 5 of Schedule 2 of the Criminal Justice (Proceeds of Crime) (Bailiwick of Guernsey) Law, 1999 applies to their business when they prepare for or carry out transactions for a client in relation to the following activities:
  • the acquisition or disposal of an interest in or in respect of real property;
  • the management of client money, securities or other assets;
  • the management of bank, savings or securities accounts;
  • the organisation of contributions for the creation, operation, or management of companies; and
  • the creation, operation, management or administration of legal persons or arrangements, and the acquisition or disposal of business entities. (my emphasis)

Thank you to my colleague and fellow AML/CFT professional for pointing out that the FAQs miss out the activity of administration of legal persons or arrangements.  This may be an error as, when I first saw the FAQs, I noted that the date of the Regulations was also incorrect.  I am pleased to say that the date has been changed in the main body of the FAQs although it has not been amended in the link on the new website.

The FAQs go on to note that the activities, as described in paragraph 5(e) of Schedule 2, if undertaken within the Bailiwick, are regulated activities for the purposes of the Regulation of Fiduciaries, Administration Businesses and Company Directors, etc. ( Bailiwick of Guernsey) Law, 2000 and any legal professional carrying them out by way of business requires a licence to do so.

The activities in Section 2 Paragraph 5(e) are:
“the creation, operation, management or administration of legal persons or arrangements, and the acquisition or disposal of business entities,” (again my emphasis)
It is important to note that, when deciding whether any particular activity constitutes “preparing for or carrying out a transaction” and, therefore, subject to the obligations in the Regulations and Handbook, it must be determined on a case by case basis.
Whilst the information is helpful, the most important aspect of the legislation affecting lawyers was brought out in the last part of the FAQs – I have set this it out in full below:
“Are the reporting obligations under the Disclosure (Bailiwick of Guernsey) Law, 2007 and the Terrorism and Crime (Bailiwick of Guernsey) Law, 2002 applicable in relation to legal services that do not constitute preparing for or carrying out a transaction?
Yes.  The reporting obligations apply to knowledge, suspicion or reasonable grounds for suspicion that a person acquires in the course of any trade, profession or economic activity, irrespective of whether or not that trade, profession or economic activity is covered by the AML/CFT regulatory framework.”
As this was a little confusing – did it cover all relevant employees or just those that are involved in the listed activities? – I wrote the GFSC to obtain clarification and was assured, as I hoped I would be, that this included all relevant employees.
So lawyers must remember that they should train their staff accordingly, including those not preparing for or carrying out a transaction for a client in the five activities listed.

Risk Assessments – the Importance of Being Thorough

Hello – my name is Dawn Tindall and I am from Triangle Compliance Services and I provide advice and training on anti-money laundering.  Today I am talking about Risk Assessments and the importance of being thorough.

A Risk Assessment is a means of evaluating risks.  It can be an assessment of a single scenario or a set of possibilities.  It should be thorough and based on a fixed method.

Risk Assessments are the back bone of the compliance programme and take various forms.  In this presentation I discuss the types of assessment and also an addition to the armoury – the Compliance Risk Assessment.

There are three main ones for AML/CFT purposes: the National Risk Assessment (NRA), the Business Risk Assessment (BRA) and the Relationship Risk Assessment.  I believe each one builds upon the other.

In the first of FATF’s 2012 Recommendations, it states that “countries should identify, assess and understand the money laundering and terrorist financing risks for the country”.  Whilst the UK issued their NRA in October 2015, Guernsey proposes to issue their NRA this year, having received the IMF’s model and had industry input.

The idea of the NRA is that it informs the next level namely the BRA or business risk assessment.  Guernsey’s Regulations require businesses to “carry out and document a suitable and sufficient money laundering and terrorist financing business risk assessment which is specific to the … business”.  The GFSC issued a detailed answer to FAQs on its website in September 2014 advising that the BRA “should identify the potential financial crime risks to which the business could be exposed”.  They also reiterated that it is best practice to review the BRA whenever changes to the business or financial crime risks occur and at least on an annual basis.  Due to the multitude of changes in these areas, the BRA is, therefore, a living document needing almost constant review.

The third level of assessment is the relationship risk assessment which is also made up of three stages – the risk profile, the risk assessment and the risk rating.  The risk profile should set out the information regarding the specific relationship with the customer noting all financial crime risk indicators which include those that are compulsory, inherent, high or, if none, low.  The risk assessment is the method by which a business assesses the profile, considering all the risks identified including the accumulation of those risks.  If the high risk indicators are not compulsory ones, the business can decide not to assess the overall risk as high because of strong and compelling mitigating factors which should be identified and documented.

The third step is to give the relationship a risk rating and apply the appropriate level of CDD.

Under the Handbook the Board must take responsibility for the policy on reviewing compliance.  The Compliance Risk Assessment, or compliance monitoring programme, is a means of assessing the appropriateness and effectiveness of compliance.  With the FSB Handbook in its 10th year, a question also which needs to be asked is how mature is your compliance?

The term “maturity” refers to the degree to which an organisation’s processes have been formalised and integrated in the organisation’s operations.

The Director of Enforcement at the GFSC, Simon Gaudion, said in their 2015 Annual Report “One of the major topics for compliance professionals currently is regarding ‘compliance maturity’ which clearly needs to be set by the board and encompasses ethics, culture and corporate governance.”

A well thought through Compliance Risk Assessment should look at whether your compliance policies and procedures have embedded within your firm’s culture.  If it has it will spread the ownership of compliance and result in the increase in effectiveness. Which can only be a good thing.

Thank you for listening to this short presentation.  Please contact me if you wish to know about Risk Assessments or how Triangle Compliance Services can help your firm.

The Art of Training (and not just GFAS)

Award in Education and Trainingtindalldawn-1-e1454075780950I passed!!

For those of you who don’t know, I have passed the exam “Award in Education and Training” and very pleased I am too.  I took the Award because I felt it was a great way of confirming my abilities to provide training on Anti-Money Laundering (amongst other compliance subjects) but it proved to be more valuable than I thought.  As well as giving me an insight into the way people learn, it also taught me a lot about the roles and responsibilities of teachers – a very topical subject.

When I mean topical I do not mean the Education Debate which is currently raging in Guernsey.  As this post is on my business website, I am looking at the subject from the perspective of the Commission’s training requirements.

As I am sure you noticed, the Commission’s Guidance on Training and Competency paper (originally issued on 11th November 2014) was amended again on the 16th May 2016.  The paper observes that, since 1st January 2015, Investment licensees, Insurance Managers and Intermediaries have been required to have a training and competency scheme for each employee.  It is made absolutely clear that these Schemes are not just for their Financial Advisers and Authorised Insurance Representatives but all of their employees.  Interestingly though, having trawled through the Commission’s website, I have not been able to find the same requirements for Banking and Fiduciary licensees although I am sure you would be roundly endorsed if you treated all your employees in the same way.

Each Scheme should be an easy to use means of assessing and monitoring an employee’s ongoing competence in their respective roles and identify individual training needs.   More importantly the licensee, the employee and the Commission should be able to clearly understand its aims and outcomes and, as usual, the Board is responsible for the effectiveness of any Scheme and have sufficient management information for effective monitoring and supervision.

The requirement for supervision of employees brings its own issues of course.  As well as a Scheme for their own role in the business, the person appointed as supervisor must also have a Scheme for this second role which ensures they have all the necessary skills to act as a competent supervisor.   This, of course, means that the individual needs to be technically knowledgeable with the required experience in both the subject and in the art of supervision.   

But how does a licensee work out the criteria and procedures for assessing whether an individual is competent in their respective role?  How do you make an initial assessment of a new employee’s level of competence?  How do you supervise the performance of employees?  More importantly, how do you deal with an employee who does not achieve the level of competence identified as required for the job?  As well as being a big ask, it also begs the question who assesses the assessor?  Also, after putting a great deal of effort into these Schemes, don’t forget to review all the policies and procedures regularly and when roles and people change.  We all know that a role changes depending on who is filling it.

Luckily there is some help at hand (and not just me or your HR team) – the Guernsey Training Agency have produced Training Matrices which can be found on their Services page under Advisory Groups and Qualification Pathways.  It is worth noting that the matrices deal mainly with qualifications and specifically do not cover experience.  Although the matrices (other than Investment) include a need for new entrants to have compliance knowledge, I am a little surprised they do not indicate that employees need an increasing level of knowledge of AML as their career progresses.  The preamble states that the matrix does not include compliance updates and one-off courses in anti-money laundering, but I would have thought a qualification in AML would be recommended for other employees not just those in the Compliance Department?  But then again that may be because of the nature of the qualifications available.

As to AML, the Regulations and Handbooks are clear on the requirements for training and so this will be part of a well-documented Scheme.  However, to finish with a warning, I understand that the Commission’s PRISM visits have shown that one area of concern is the lack of adequate AML training.  I suspect this is not just a reference to the standard annual update or one-off courses in anti-money laundering but also adequate training on your in-house procedures.   If I may, I suggest you check that this training is part of your Schemes and then review its content, its relevance, its effectiveness  ……..