New Technologies: FATF Recommendation 15

As we work from home during the second Guernsey lockdown, many of us have been listening to webinars whilst typing away on our laptops. Occasionally, a topic captures the attention and the eyes shift from the screen as the words from the wise speaker resonate. Tuesday was one such day for me during the panel discussion at the AML & FinCrime Tech Forum hosted by RegTech Analyst and FinTech Global.

The comment – or rather a question – which helped me choose the subject for this blog was “can you explain to the regulator how your new tech works?” As the take-up of RegTech and FinTech increases at speed, this question highlights the need for the finance sector to not only embrace the new ways of working but to understand them too.

The FATF Recommendation which covers this topic is, of course, “Recommendation 15: New technologies”. It sets out the need for businesses to identify and assess the ML and FT risks that may arise with the development of new products and new business practices, including new delivery mechanisms, and the use of new or developing technologies for both new and pre-existing products. It also refers specifically to how countries should regulate virtual assets service providers for AML/CFT purposes.

The Interpretative Note concentrates on just this last aspect in some detail. The Guernsey National Risk Assessment 2019 (NRA), in paragraphs 3.81 to 3.86 for money laundering risks and 6.54 to 6.57 for terrorist financing risks, also focuses on this one aspect of the Recommendation by covering “transaction and exchange of virtual assets, initial coin offerings and e-money”. There is also a great deal of public discussion on the risks of virtual assets including guidance from the FATF.

However, there is surprisingly little public commentary on the use of new technology by firms in the finance sector specifically referencing the Recommendation 15 requirements. Certainly nothing in the NRA about Regtech or Fintech and their risks when used by the finance industry. Perhaps this is because the requirements are a common-sense statement of what a firm should do when purchasing new technology for their own use? I think not.

The Recommendation requires financial institutions to undertake a risk assessment “prior to the launch of the new products, business practices or the use of new or developing technologies.” In November 2015, the GFSC added the Annex entitled “Using Technology for CDD Purposes” introducing the concept of a “Technology Risk Evaluation”. A firm was required to identify and assess risks – and not just money laundering and financing of terrorism risks – when it utilised an electronic method or system in its due diligence process.

Whilst the 2019 Handbook does not replicate the need for an “evaluation” as such, it does, instead, require the business risk assessments to include an assessment of identified risks arising from the technology’s use or adoption. The Handbook also expands the type of technology that needs to be assessed but reduces the risks that must, as a minimum, be covered to those from money laundering and financing of terrorism.

What it does not do is repeat the useful observation which was included in its 2015 preamble to the introduction to the Annex. The GFSC said “Each annex encompasses new rules stipulating that a firm must understand this technology if it is to use it.” And this is the aspect the speaker on the panel sought to highlight. As with outsourcing, a firm must have the ability in-house to explain to the regulator what the new tech does, how it does it and how it complies with the regulatory requirements. 

Whilst a piece of tech cannot solve every problem faced by a firm, it does allow staff to concentrate on more complex and unusual issues whilst the tech deals with the mundane. However, to enable a firm to reap these benefits, it should ensure that it not only understands the tech’s risks but also the firm’s own risks and risk appetite and that the tech can support that risk appetite. One such risk, which is obvious but may not be at the top of the list, is red flags, as these will have been set by the provider of the tech. As they may not include the red flags that the firm has itself highlighted in its business risk assessments, they will need to be updated.

To benefit from the advancements in tech, lack of understanding should not be a barrier to its take-up. Nor should the regulator. In Guernsey, we are very lucky to have a regulator who is pro-active in contributing to this space and long may that last. But, for firms to fully appreciate how the compliance function can use the firm’s data and information to maximise productivity, a thorough understanding of the legal and regulatory obligations and how the tech works is an in-house must.

If anyone has any questions on a particular Recommendation or is looking for compliance support – please do get in touch.

In the meantime, keep well – keep safe.

Lockdown Guernsey – Time for a Fresh Look at the FATF Recommendations

Having woken up on Saturday morning to the news that we were back in lockdown, Guernsey is coming to terms with an unexpected change to our freedoms. The loss is a sharp reality check not least because it was immediate but also because we’ve been privileged to have had a near-normal life for months whilst watching the raging worldwide storm from the safety of our Bailiwick.

However, we can feel reassured that the bubble bursting was expected and planned for when we first dealt with the pandemic last March.  As the politicians and hard-working civil servants battle with this latest emergency, this time I watch from the sidelines. I have to admit it does feel strange not being involved in the incessant Teams meetings or reading to prepare for them but, knowing the team, I have every confidence in those making the decisions.

So whilst we wait for the storm clouds to lift, I thought I’d take a look at the 2012 FATF Recommendations. Their importance is clear to those of us who live and breathe AML/CFT compliance but to remind us once more, in December 2020, FATF released their “Update: COVID-19-Related Money Laundering and Terrorist Financing Risks”, which said:

“It continues to be critical for jurisdictions, financial institutions, and designated non-financial business and professions to identify, assess, and understand the particular ML and TF risks they face, and take corresponding mitigating action in line with the FATF Recommendations.”

As I won’t have time to publish a blog on each of the 40 Recommendations before lockdown is lifted, I’m not reviewing them in any particular order. My first choice is Recommendation 28 as I thought this was a good place to start given the reference to it in the latest GFSC consultation on amendments to the AML/CFT Handbook.

As mentioned in my last blog, the consultation amongst other things considers the introduction of reduced customer due diligence for corporate trustees. In its preamble regarding a firm’s decision on whether to apply the new Rule, the GFSC says “In making such determination, the firm should take note of reports and assessments by the FATF and/or FATF-style regional bodies, in particular of findings, recommendations and ratings of compliance with FATF Recommendation 28 and document the conclusions of its assessment.”

Whilst it is essential when considering how to comply with any particular aspect of the AML/CFT regime to go to the source document, on this occasion reference in the consultation to Recommendation 28 may at first be a little confusing. Entitled “Regulation and supervision of DNFBPs”, the Recommendation covers the measures that apply to designated non-financial services businesses and professions (DNFBPs). Despite Guernsey having regulated trust and company service providers for 20 years and the GFSC calling them financial services businesses, FATF considers them separately from financial institutions. They put them in the pot with lawyers, accountants and estate agents (aka our Prescribed Businesses) hence the reference to Recommendation 28 when considering the CDD for a corporate trustee.

The Informative Note to Recommendation 28 sets out the need for the supervisory authority to have “a clear understanding of the money laundering and terrorist financing risks .. present in the country” of the DNFBP, “adequate powers to perform their functions (including powers to monitor and sanction), and adequate financial, human and technical resources” and “processes to ensure that the staff of those authorities maintain high professional standards, including standards concerning confidentiality, and should be of high integrity and be appropriately skilled.” It is the assessment of the jurisdiction where the corporate trustee (or its parent) is based or supervised against these requirements which is relevant when deciding whether to apply reduced CDD on corporate trustees.

There are many tools that a compliance team has to identify the risk of countries: the new Appendices H and I and Appendix C to name a few. But there is no complete publicly available list which brings together the rating of jurisdictions which takes note of the reports and assessments by the FATF and/or FATF-style regional bodies. Not that I can find anyway.

There is the FATF’s fourth-round evaluation ratings (this is the Excel version – a link to the PDF version is on the GFSC’s Instructions, Notices & Warnings page). As the title implies, it helpfully lists by Recommendation the latest compliance ratings of evaluated countries as at the 21st January 2021 but, of course, that is not a complete list. The Isle of Man’s rating of Largely Compliant is in the list, but neither Guernsey nor Jersey are mentioned simply because we have not yet had the Mutual Evaluation under the 2012 FATF Recommendations. And there are, of course, others yet to be evaluated.

The FATF-style regional bodies referred to in the GFSC’s amendment to the Handbook include MoneyVal and our report and that of our sister isle are on their website. But until the evaluations of all the jurisdictions who aspire to have financial centres of eminence have been done, there will not be a ready means of capturing the compliance with the 2012 Recommendations in one place. However, whilst the Covid-19 pandemic put Guernsey back into lockdown last Saturday, evaluations do continue elsewhere. With ours not taking place until at least 2023, whether there’ll ever be a complete list, we will have to wait and see.

Sooner than that though, we should know if a Largely Compliant – or even a Partially Compliant – rating will suffice for a particular corporate trustee being a part of a “standard risk scenario” or whether even the whiff of untoward influence of a beneficial owner trumps the evaluations.

 


Reaping the Benefits – Clarity for the Corporate Trustee

The AML/CFT Handbook, introduced in March 2019 (how time flies!), was greeted with the expectation that it would be a user-friendly manual containing all that was needed to adhere to the new Schedule 3. It certainly clarified many aspects which had caused confusion in the past and combined the various information sources produced by the GFSC. 

The one thing that we all knew would be tested later was the claim that it could be easily updated to react quickly to the needs of the sector. This was considered essential to enhance Guernsey’s reputation as a jurisdiction open for business.  The latest proposals for changes to the Handbook certainly look like a quick and pragmatic reaction to business needs but do they achieve that aim?

In my last blog, I looked at the proposals to reduce the amount of identification information required for beneficiaries and took a look at some of the issues which may arise without clear guidance. In this blog, I am looking at the changes proposed in respect of the verification – or not – of the beneficial owners of corporate trustees.

When a firm enters a business relationship with a trust where the trustee is a legal person, the firm must identify and take reasonable measures to verify any natural person who is the beneficial owner of that corporate trustee. That is unless the corporate trustee is a “transparent legal person”. This new concept is defined in Schedule 3 and includes a regulated person within the meaning of Section 41(2) of the Beneficial Ownership Law.  In simple terms, this means a trustee which is a company subject to the GFSC Handbook does not need its beneficial owners verified.

However, the definition of transparent legal person – and therefore when those benefits of reduced CDD apply – does not currently extend to a corporate trustee in another jurisdiction which is subject to the same or equivalent provisions of the Handbook. So, when dealing with a non-Guernsey corporate trustee – even one based in an Appendix C country – the beneficial owners of that company need to be identified and verified. This is even if they have been through the same rigorous vetting process to be regulated.

It could be said that this inconvenience of providing such due diligence every time a corporate trustee enters into a business relationship is an occupational hazard. However, when places like Jersey do not require such due diligence under their Money Laundering legislation, it is easy to see why some corporate trustees would consider doing business elsewhere because of this requirement.

So the new proposal means it “may be possible” to rely solely on a summary sheet identifying ownership details of a corporate trustee if it, or its parent, is subject to the same or equivalent provisions of the Handbook in the jurisdiction where it is based and supervised. But this is only in low or standard “risk scenarios” because if it is a high “risk scenario” and neither the corporate trustee nor its parent is based in a jurisdiction with equivalent provisions, then reasonable measures need to be taken to verify its beneficial owners.

These proposals beg four questions:

  • what do the GFSC mean by saying it “may be possible”?
  • what elements need to be taken into account when identifying a “risk scenario”?
  • what verification is needed in a high “risk scenario” if both or only one of the corporate trustee and its parent is based in a jurisdiction with equivalent provisions?
  • what does the new phrase “risk scenario” mean anyway?

It would appear that the first new paragraph, 7.115, is intended to set the scene for when reduced due diligence can be applied to a corporate trustee. It requires a firm to consider the ML and FT risks associated with a particular beneficial owner who has influence over the business and affairs of that corporate trustee. The following two paragraphs, 7.116 and 7.117, talk about the “risk scenarios” and set out when the location of the corporate trustee and its parent is relevant and the means of assessing whether they are in a jurisdiction which has equivalent AML/CFT legislation and supervision.

But does the wording of these new paragraphs mean that a firm has to assess the “risk scenario” of the corporate trustee’s beneficial owners? If so, does it mean if they are considered low or standard risk, then this reduced due diligence applies? Or does it also depend on whether the jurisdiction of the corporate trustee or parent is low or standard risk? In any event, what is clear is that, when making a decision, a firm needs to look into the identity of the corporate trustee’s beneficial owners and consider their influence – no easy task. 

As to the third question, hopefully if either or both corporate trustee and parent are in an equivalent jurisdiction, this will suffice to remove the need for verification of the identity of its beneficial owners and be considered a low or standard “risk scenario”.

As to the introduction of this new phrase “risk scenario”, it has been said that the GFSC, by introducing this phrase, are enabling this reduced verification for all business relationships no matter their overall risk rating. This may seem a practical solution considering the beneficial ownership of a corporate trustee may not be relevant to the overall risk of a business relationship but, if this is the case, this needs to be clarified. This clarification is necessary because, if it is not, it could lead to claims that other elements of the business relationship are also irrelevant to the overall risk and so require less CDD. Whilst this may not be a bad thing, it is a departure from normal practice and one which may confuse rather than assist if its intention is not made clear. 

As I noted in my last blog, in respect of the amendments proposed for the reduction of identification information for certain beneficiaries, the need for clarity is forever present if the benefits are to be reaped.

 

Making Changes – The Importance of Clarity

Just before Christmas, the GFSC issued a consultation on possible changes to the AML/CFT Handbook, the closing date being today at 5pm. Having just managed to send in my four pages of comments to the GFSC by the deadline, I thought I’d cover some aspects of these potential changes in my two blogs this week.

Despite this consultation being described by the GFSC as short, the aspects covered are important. To a certain extent, they indicate a shift in approach firms can take in the way CDD is to be undertaken – a trend which could be beneficial to the finance industry.

The three areas covered by the consultation are a reduction in identification information for some beneficiaries, the removal of the need to verify the beneficial owners of corporate trustees in certain circumstances and additional guidance on when to review a relationship risk assessment. In this first blog, I’m taking a look at the proposed reduction in identification information for beneficiaries.

The GFSC describe these changes as follows: “When establishing a trust or entering into a business relationship or occasional transaction with a trust, the firm is required to identify any beneficiary in a trust (whether his or her interest under the trust is vested, contingent or discretionary). The Commission is proposing rules in sections 7.10.1 and 7.10.2 confirming that a firm must at a minimum identify the beneficiaries’ full name and date of birth, however the extent to which the other identification data is obtained by the firm will depend on the likelihood of that person benefiting from the trust, with such an assessment documented.”

The reduction of the identification information needed for beneficiaries depending on whether they are going to receive a benefit does, on the face of it, seem proportionate. However, linking the need to obtain more than just the name and date of birth of a beneficiary to the possibility of the beneficiary benefitting is, in my view, problematic.

So how should a firm assess when a person is likely to benefit? For all those who remember the previous Handbook and the confusion that arose over the use of this phrase “likely to benefit”, you will also recall the change to the phrase “object of a power” and the consternation that caused. However, the current Handbook uses the phrase “likely to benefit” once more but without the necessary clarity needed to identify precisely what it means. Unfortunately, the proposed changes to the Handbook do not assist either.

This lack of clarification, therefore, begs many questions on this proposed change. Not least as to what period should be identified as to when the person is likely to benefit. Is it in the next 12 months or is it longer than that? Is it a subjective length of time which depends on the circumstances of the business relationship and the personal circumstances of the individuals concerned? And does the firm need to clarify the position with the settlor especially if the letter of wishes is not specific about what is to happen in the next 12 months or, indeed, at all? If a firm decides to only obtain two pieces of information, do they have to reconsider that decision on a regular basis? And when should the settlor’s views be sought again – at each regular and ad hoc review?

Also, the proposed change does not, in my view, take proper account of other risks posed by beneficiaries. For example, under Schedule 3 paragraph 4(3)(f), the firm needs to make a determination of whether the beneficiary is a PEP. This determination will be more difficult without the person’s residence, place of birth and nationality. Whilst a determination can be made, it becomes problematic if a positive match to a PEP arises but the lack of information means it cannot be identified as a false positive. It would be unfortunate if the client relationship team have to request this after take-on as clients always prefer the totality of information to be collected from the outset.

More importantly, these changes may mean the reliability of the relationship risk assessment could be questioned. If the full information on the beneficiaries is not obtained, how can this assessment be relied upon to accurately reflect the risks? This conclusion may seem excessively cautious given the information in issue but it is possible: a beneficiary not properly identified and a high risk factor missed poses a risk to the business.

Whilst the risk of money laundering or the financing of terrorism increases when money flows through a structure, the risk itself only arises on that payment and not at the time the assessment is made of whether a beneficiary will be benefitting from the trust. The risk of a poor assessment of whether someone is likely to benefit, therefore, seems to pale into insignificance compared to missing a connection with a high risk individual due to the lack of information. 

It would, therefore, seem sensible if this new Rule had the caveat that the firm must look at the relationship in the round and not take a blanket approach when implementing this change.

Many other questions arose in my mind as I read the proposed changes: you’ll be pleased to know that I don’t intend to set them out in this blog. We shall see when the final version is released if my concerns were taken on board and no doubt I’ll do another blog on the subject if they are not.

Whilst any change to our AML/CFT rules and guidance which reduces the work required to be done is a good thing, this must come with the clarity of when the new requirements apply. Without clarity, the ways in which they can be applied multiply and consistency is lost and errors occur. That is why the old Handbook, and in particular the FAQs published to help clarify its contents, required an overhaul. It would be a shame if any changes to the new Handbook meant we were heading on the same path of the inconsistency of application of the rules because of this lack of clarity.

 

Appendix I – the Solution to the High Risk Jurisdiction Quandary?

With the further amendment to Appendix I announced by the GFSC this week, I thought I would take a look at the introduction of this Appendix and see if it fulfils the aims articulated when first mooted and the level of assistance it provides to firms in identifying high risk countries.

The idea of the addition to the AML/CFT Handbook of an Appendix which sets out a list of jurisdictions assessed by various respected organisations as high risk was initially welcomed by compliance professionals as it presented a short cut to their identification. However, there are hidden issues with these Appendices* that practitioners need to be wary of: something that we discussed in some detail at the Handbook Review Group when first proposed by the GFSC.

I joined the Group when it was established in 2013 and left shortly before the first draft of the Handbook was issued (as I had just set up Triangle Compliance Services and consultants were not allowed to be part of the Group). During my membership, we had several debates on the continuing use of Appendix C and whether to introduce an equivalent of Jersey’s Appendix D2. Some of us were sceptical of the idea of the high risk list based on our collective experience of the complacent way some firms risk assessed business relationships with a key principal connected to an Appendix C country. I certainly felt those issues could be repeated in the use of any high risk list without suitable caveats in place.

In order to appreciate that concern, we need to look at the purpose of Appendix C. This Appendix provides a list of countries in which the GFSC considers financial services businesses have “in place standards to combat ML and FT consistent with the FATF Recommendations and where such businesses are appropriately supervised for compliance with those requirements.” This list, which has been around for many years, was considered of assistance to firms because it meant that they did not have to identify such countries themselves but could rely on this list. However, there was a catch.

Not only did it state in Appendix C that “it does not provide assurance that a particular overseas business is subject to that legislation, or that it has implemented the necessary measures to ensure compliance with that legislation”, Section 9.6 of the Handbook goes further. It says “The inclusion of a country or territory in Appendix C does not mean that the country or territory in question is intrinsically low risk, nor does it mean that any business relationship or occasional transaction in which the customer or beneficial owner has a connection to such a country is to be automatically treated as a low risk relationship.”

The completion in full of the relationship risk assessment is still required when Appendix C firms are involved in a business relationship.

The concern over a list of such countries was that it presented the same risk of complacency: a risk some of us felt would be best avoided or at least mitigated. No doubt with that in mind, in June 2020, the GFSC amended the new AML/CFT Handbook and Appendix I was born.

The previous GFSC approach had been to issue Instructions and Business from Sensitive Sources Notices highlighting the thrice yearly FATF statements on the assessments of jurisdictions with weak measures to combat money laundering and terrorist financing. The new Appendix I was to replace such Notices and Instructions as well as provide the information collated by the GFSC on high risk countries.

As the titles suggest, Jersey’s Appendix D1 and Guernsey’s Appendix H include high risk jurisdictions subject to a call for action by the FATF. However, Guernsey’s Appendix H reminds us of Paragraph 5(1)(c)(i) of Schedule 3 which confirms when a firm shall apply ECDD measures to a business relationship or occasional transaction. This is when the customer or beneficial owner has a relevant connection with a country or territory that –

“(A) provides funding or support for terrorist activities, or does not apply (or insufficiently applies) the FATF Recommendations, or
(B) is a country otherwise identified by the FATF as a country for which such measures are appropriate.”

As Appendix H only identifies those countries and territories which the FATF has listed as high risk, Appendix I is a useful reference point to identify other countries such as those which fund or support terrorism. However, it is only Jersey that includes Iran and North Korea in their Appendix D2 – an important oversight and worthy of note even if ECDD will apply to these two countries in any event.

As for Appendix I, this includes countries that a variety of groups have identified as presenting certain ML and/or FT risks. Both Crown Dependencies set out the results of assessments of countries by FATF, the OECD, Transparency International, the World Bank, the US government and a US think-tank: Fund for Peace/ Foreign Policy magazine. Interestingly, there are three sources included in Guernsey’s Appendix I which are not in Jersey’s Appendix D2 and vice versa. Not unexpectedly, given these differences, there are countries on the Guernsey list which are not on the Jersey list and vice versa which, in my view, shows that these assessments are still subjective and caution is needed.

Whilst Guernsey and Jersey’s Financial Services Commissions state clearly that they do not accept responsibility for the findings and conclusions of these sources, they differ in the explanation of their list’s purpose. Guernsey explains that it “does not automatically imply that a business relationship or occasional transaction with a relevant connection to a country or territory on Appendix I is high risk, as the firm can continue to take a risk-based decision on the level of overall risk within a business relationship”. Jersey states “Relevant persons are expected to exercise judgement in relation to how they interpret and use these sources and to reach their own conclusions on risk.” I prefer the language used by Jersey as it more directly reflects the need for caution over the content of the list – or more importantly its omissions.

And that goes to the heart of the concern – if a country is not on the list it does not mean it is not high risk.

So, whether it is a solution to the high risk jurisdiction quandary or simply a helpful tool, it does depend on the way the lists are treated. Ultimately though, the importance of assessing the country is not just about whether it appears on this list but also taking into account all the other factors that make up a business relationship.




*“Appendix I – Countries and territories identified as presenting higher risks” and “Appendix H – FATF High Risk Jurisdictions Subject to a Call for Action”

Brexit Sanctions and the Effect of Exit Day

For more than 5 years now, Brexit has been a talking point for many.  As transition ends, it’s no longer words but actions that are needed to adjust the way we work and trade. However, as we live in a third country, this hasn’t affected AML compliance professionals a great deal – that is until we reached “exit day”.  

Ever since the Brexit referendum, the Bailiwick has prepared for the UK leaving the EU by enacting a plethora of legislation which came into force on “exit day”. In a circuitous route via The European Union (Brexit) (Bailiwick of Guernsey) Law, 2018 (“the Brexit Law”) and 2020 Regulations*, “exit day” was appointed as 11 pm on the 31st December 2020. One of the main changes on that day – certainly from a financial crime perspective – was that made to the Sanctions Regime.

As an international finance centre, the Bailiwick has long been committed to the effective implementation of sanctions including those imposed by the EU. Prior to 2018, EU sanctions required implementation by Ordinance in the three independent legislatures of Guernsey, Alderney and Sark. However, in its report in 2014, MoneyVal noted that there was an unacceptable delay between the introduction of EU sanctions and the enactment of these Ordinances. So when the Sanctions (Bailiwick of Guernsey) Law, 2018 (“the 2018 Law”) was drafted, it enabled EU Sanctions to be brought in Bailiwick-wide by regulations implemented by Guernsey’s Policy & Resources Committee.

As far as the UK leaving the EU was concerned, the importance of remaining aligned with the UK was acknowledged and also incorporated into the 2018 Law.  This was done by including in the definition of a “sanctions measure” regulations made by an “appropriate” UK minister under the Sanctions and Anti-Money Laundering Act 2018.  By doing so, P&R can implement urgent legislation so that regulations made by a UK minister have full force and effect in the Bailiwick at the earliest possible opportunity.
 
And this is exactly what was implemented. By virtue of the Sanctions (Implementation of UK Regimes) (Bailiwick of Guernsey) (Brexit) Regulations, 2020, signed off by the President of P&R on the last day of 2020, some 35 UK Regulations came into operation in the Bailiwick. Although having direct effect here, these UK Regs have been fairly extensively “Bailiwick of Guernsey-fied” in the process. These amendments are only sensible given, for example, we should not apply UK offences, penalties or enforcement proceedings to our regime.

Similarly, the Bailiwick’s transitional provisions in respect of licences should apply rather than those of the UK and, as would be expected, existing licences transfer to the new regime for the rest of their duration, retaining their existing conditions. At Schedule 4 of the 2020 Regs, there is also a helpful list of the 94 pieces of Bailiwick legislation under which previous licences were issued and the corresponding UK enactments under which the replacement licences are now deemed to be issued. Necessarily, pending applications as at “exit day” will be dealt with under the new regime.
 
As a result, designations that have been and will be made under these UK Regs will need to be included in your firm’s screening programme. As most financial institutions rely on external providers for third-party screening and these should already include all UK designations, it would seem that there may be little to do. However, as with most changes, it is important not only to amend the policies and procedures to refer to this new legislation but also to remove references to the legislation which has been repealed (of which there were 8 Bailiwick-wide and 36 in Guernsey and 34 in each of Sark and Alderney) and to note amendments to the Terrorist Asset-Freezing (Bailiwick of Guernsey) Law, 2011.
 
Interestingly, before any Committee can make regulations such as these under the Brexit Law (as I have called it), it requires a certificate from HM Procureur confirming, amongst other things, that those regulations are necessary or expedient in both the consequence of the withdrawal of the United Kingdom from the EU and the public interest.  That necessity certainly cannot be denied.

Clearly, having a sanctions regime consistent with the UK and one that also ensures EU sanctions are complied with is essential to maintain our international standing. So whilst we have spent many months and years amending our policies and procedures to comply with the requirements of FATF and Europe’s MoneyVal, further amendments are again needed after exit day to cater for the UK’s Brexit.

 

The full details of the changes and the legislation can be found in the three Sanctions Notices on the home page of the GFSC’s website and the Sanctions pages on the website of the States of Guernsey. 

* The European Union (Exit Day and Designated Day) (Brexit) (Bailiwick of Guernsey) Regulations, 2020

Compliance Maturity – Squaring the Circle

In my last blog, I examined the failures of a financial services business where they were at their most basic. In this blog, I am looking at the opposite end of the scale and the maturity of compliance cultures in firms.

Compliance maturity has been around for a long time. In 2009 Thomson Reuters’ Compliance Weekly undertook a compliance maturity survey which included 10.9% from the finance industry. The view at that time was that “Chief compliance officers apparently still have lots of work ahead to turn their compliance efforts into strong, mature programs that can handle the broad range of risks”. In July 2015, members of Cork University in Ireland published in IJBEX* their “financial industry maturity model for anti-money laundering” to help firms be AML/CFT compliant albeit acknowledging their research was still at an early stage.

In Guernsey, in the GFSC’s 2015 Annual Report, the Director of Enforcement, Simon Gaudion, made the following comment: “One of the major topics for compliance professionals currently is regarding ‘compliance maturity’ which clearly needs to be set by the board and encompasses ethics, culture and corporate governance. Cases identified this year once again bring into question many of these issues around those areas and we would ask firms to consider whether the right tone and culture is being set from the top of their organisation.”

So where are we in 2021?

It is widely accepted that to ensure staff behave ethically and comply with the law and good corporate governance principles, the board needs to lead by example by living and breathing that culture. A business with such a team approach is not only more likely to adhere to the required legislation, so avoiding any supervisory action, but also reduce costs and increase client satisfaction. 

But how do you know how compliance mature your firm is? One way is to undertake a Compliance Effectiveness Assessment which looks at how people, processes and technology help or hinder the firm in its aim.  

In an effective compliance programme, people are the most important component but also the weakest link. The board needs to be able to support staff by giving them the training they need to promote the right behaviour, backed up by a fully resourced compliance function that has a seat at their table. Properly documented processes will support staff to comply with the requirements, success being shown by a good reaction time to new regulatory changes, collaboration between different teams and the right level of evidence of the controls in place. Use of up-to-date technology that is appropriate for the particular business squares the circle.

Given that the update of the firm’s AML/CFT policies, procedures and controls was required to be approved by the Board by the 30th September 2020, this year would be a good time to identify a firm’s compliance maturity and consider if the right culture is being practised by the firm to ensure that those new policies and procedures are effective. Not only would such an assessment save money in the long run, but it would also comply with the requirements of the AML/CFT Handbook.

Rule 2.18 states that “the board must consider the appropriateness and effectiveness of its compliance arrangements and its policy for the review of compliance at a minimum annually, or whenever material changes to the business of the firm or the requirements of Schedule 3 or this Handbook occur.” A review of compliance is not only applicable to AML/CFT but also to the rules relating to the particular licensee’s business such as the COB Rules and the new Fiduciary and Pension Rules and Guidance and the Code of Corporate Governance which applies to all licensed companies.

A Compliance Effectiveness Review not only identifies where the firm is on the journey to compliance maturity but also what may be hindering its progress. The review usually consists of a desktop study, surveys and interviews covering various aspects of the firm and, depending on the completeness of the review, can take up to 12 weeks. Whilst this in-depth approach may be suitable for some firms, an overview can be completed in as little as a week to identify the main issues a firm may have and to recommend any further investigation that would be beneficial. A third party’s objective consideration of the business’ objectives and risk assessments as well as interviewing the relevant staff can be surprisingly useful in identifying the priorities for review in any compliance monitoring programme.

By believing in the importance of compliance, the board can instill in the business a proactive approach that encourages the identification of opportunities that arise from new regulations – a win-win for all concerned. By knowing the level of the firm’s compliance maturity, the board can identify and prioritise the right doors to open to reap those benefits.

If you wish to have assistance in reviewing how compliance mature your firm is, then please feel free to contact me for a no obligation discussion. 

 

*  International Journal of Business Excellence (IJBEX), Vol. 8, No. 4, 2015

The Politics of Compliance

Sitting here, as proud as punch to be elected as a Deputy and member of Guernsey’s States of Deliberation, the mind starts thinking of the compliance aspects of our success at the polls.

My first thought is AML – of course!  High risk I may be but am I a PEP?  Does the automatic requirement for enhanced due diligence apply to me because I am a Deputy?

For those of you who don’t know, PEP stands for politically exposed person. The definition, which is the same in both sets of Regulations that apply in Guernsey, starts by saying that a politically exposed person means “a person who has, or has had at any time, a prominent public function or who has been elected or appointed to such a function in a country or territory other than the Bailiwick …” (My emphasis)

So, having read that, I see that it’s not me then? … Oh yes it is! Because, as always, it is never as simple as it seems.

As I have been elected to a political position in the Bailiwick, I am considered a “domestic” PEP and the extra due diligence does not automatically apply here.   However, if I want to open a bank account, say, in the UK, I am a “non-domestic” PEP and so caught by their Money Laundering Regulations 2007.  Their Regulation 14(5)(a)(i) states that a PEP “is an individual who is or has, at any time in the preceding year, been entrusted with a prominent public function by ..  a state other than the United Kingdom”.

As we have many banks here that are branches of UK banks or, indeed, branches of other countries’ banks, their approach needs to be considered.  Their policies and procedures may require that the highest standard of AML which applies in the jurisdictions in which they operate is followed or they may not even differentiate between “domestic” and “non-domestic” PEP.   So whilst we are not caught by the legislation which applies to those branches, which is the Guernsey legislation, we are probably caught by the policies imposed on them by “head office”.

As Guernsey intends to update its legislation and the Handbooks to follow the FATF (Financial Action Task Force) Recommendations 2012, that distinction should no longer be as relevant and I will have PEP status both here and abroad … but not yet.

Whether or not we are automatically PEPs does not mean the story ends there.  As I have said, it is highly likely that, if we are not treated as PEPs, the business relationships or occasional transactions we undertake will be assessed as high risk anyway under the firm’s policy and procedures.

However, whilst the definition of PEP in legislation invariably includes the PEP’s immediate family and close associates as it does in Guernsey, what is interesting to note is that the FATF Recommendations do not call these people PEPs.  All that the Recommendations state is that “the requirements for all types of PEP should also apply to family members or close associates of such PEPs.” (My emphasis again).

So whatever you want to call us, come Tuesday, I expect businesses to be queuing up at the doors of new Deputies for those extra pieces of information or documentation to comply with the Handbooks.

If you have not checked (or had not even thought to check) your database to see if we (or our family members or close associates) are your clients, then may I politely suggest you contact me.  I can help you review your procedures to make sure you don’t miss anyone’s change of status which results in the need to undertake further enhanced due diligence.