Appendix I – the Solution to the High Risk Jurisdiction Quandary?

With the further amendment to Appendix I announced by the GFSC this week, I thought I would take a look at the introduction of this Appendix and see if it fulfils the aims articulated when first mooted and the level of assistance it provides to firms in identifying high risk countries.

The idea of the addition to the AML/CFT Handbook of an Appendix which sets out a list of jurisdictions assessed by various respected organisations as high risk was initially welcomed by compliance professionals as it presented a short cut to their identification. However, there are hidden issues with these Appendices* that practitioners need to be wary of: something that we discussed in some detail at the Handbook Review Group when first proposed by the GFSC.

I joined the Group when it was established in 2013 and left shortly before the first draft of the Handbook was issued (as I had just set up Triangle Compliance Services and consultants were not allowed to be part of the Group). During my membership, we had several debates on the continuing use of Appendix C and whether to introduce an equivalent of Jersey’s Appendix D2. Some of us were sceptical of the idea of the high risk list based on our collective experience of the complacent way some firms risk assessed business relationships with a key principal connected to an Appendix C country. I certainly felt those issues could be repeated in the use of any high risk list without suitable caveats in place.

In order to appreciate that concern, we need to look at the purpose of Appendix C. This Appendix provides a list of countries in which the GFSC considers financial services businesses have “in place standards to combat ML and FT consistent with the FATF Recommendations and where such businesses are appropriately supervised for compliance with those requirements.” This list, which has been around for many years, was considered of assistance to firms because it meant that they did not have to identify such countries themselves but could rely on this list. However, there was a catch.

Not only did it state in Appendix C that “it does not provide assurance that a particular overseas business is subject to that legislation, or that it has implemented the necessary measures to ensure compliance with that legislation”, Section 9.6 of the Handbook goes further. It says “The inclusion of a country or territory in Appendix C does not mean that the country or territory in question is intrinsically low risk, nor does it mean that any business relationship or occasional transaction in which the customer or beneficial owner has a connection to such a country is to be automatically treated as a low risk relationship.”

The completion in full of the relationship risk assessment is still required when Appendix C firms are involved in a business relationship.

The concerns over a list of such countries was that it presented the same risk of complacency: a risk some of us felt would be best avoided or at least mitigated. No doubt with that in mind, in June 2020, the GFSC amended the new AML/CFT Handbook and Appendix I was born.

The previous GFSC approach had been to issue Instructions and Business from Sensitive Sources Notices highlighting the thrice yearly FATF statements on the assessments of jurisdictions with weak measures to combat money laundering and terrorist financing. The new Appendix I was to replace such Notices and Instructions as well as provide the information collated by the GFSC on high risk countries.

As the titles suggest, Jersey’s Appendix D 1 and Guernsey’s Appendix H include high risk jurisdictions subject to a call for action by the FATF. However, Guernsey’s Appendix H reminds us of Paragraph 5(1)(c)(i) of Schedule 3 which confirms when a firm shall apply ECDD measures to a business relationship or occasional transaction. This is when the customer or beneficial owner has a relevant connection with a country or territory that –

“(A) provides funding or support for terrorist activities, or does not apply (or insufficiently applies) the FATF Recommendations, or
(B) is a country otherwise identified by the FATF as a country for which such measures are appropriate.”

As Appendix H only identifies those countries and territories in relation to which the FATF has listed as high risk, Appendix I is a useful reference point to identify other countries such as those which fund or support terrorism. However, it is only Jersey that includes Iran and North Korea in their Appendix D2 – an important oversight and worthy to note even if ECDD will apply to these two countries in any event.

As for Appendix I, this includes countries that a variety of groups have identified as presenting certain ML and/or FT risks. Both Crown Dependencies set out the results of assessments of countries by FATF, the OECD, Transparency International, the World Bank, the US government and a US think-tank: Fund for Peace/ Foreign Policy magazine. Interestingly, there are three sources included in Guernsey’s Appendix I which are not in Jersey’s Appendix D2 and vice versa. Not unexpectedly, given these differences, there are countries on the Guernsey list which are not on the Jersey list and vice versa which, in my view, shows that these assessments are still subjective and caution is needed.

Whilst Guernsey and Jersey’s Financial Services Commissions state clearly that they do not accept responsibility for the findings and conclusions of these sources, they differ in the explanation of their list’s purpose. Guernsey explains that it “does not automatically imply that a business relationship or occasional transaction with a relevant connection to a country or territory on Appendix I is high risk, as the firm can continue to take a risk-based decision on the level of overall risk within a business relationship”. Jersey states “Relevant persons are expected to exercise judgement in relation to how they interpret and use these sources and to reach their own conclusions on risk.” I prefer the language used by Jersey as it more directly reflects the need for caution over the content of the list – or more importantly its omissions.

And that goes to the heart of the concern – if a country is not on the list it does not mean it is not high risk.

So, whether it is a solution to the high risk jurisdiction quandary or simply a helpful tool, it does depend on the way the lists are treated. Ultimately though, the importance of assessing the country is not just about whether it appears on this list but also taking into account all the other factors that make up a business relationship.




*Appendix I – Countries and territories identified as presenting higher risks” and “Appendix H – FATF High Risk Jurisdictions Subject to a Call for Action”

Brexit Sanctions and the Effect of Exit Day

For more than 5 years now, Brexit has been a talking point for many.  As transition ends, it’s no longer words but actions that are needed to adjust the way we work and trade. However, as we live in a third country, this hasn’t affected AML compliance professionals a great deal – that is until we reached “exit day”.  

Ever since the Brexit referendum, the Bailiwick has prepared for the UK leaving the EU by enacting a plethora of legislation which came into force on “exit day”. In a circuitous route via The European Union (Brexit) (Bailiwick of Guernsey) Law, 2018 (“the Brexit Law”) and 2020 Regulations*, “exit day” was appointed as 11 pm on the 31st December 2020. One of the main changes on that day – certainly from a financial crime perspective – was that made to the Sanctions Regime.

As an international finance centre, the Bailiwick has long been committed to the effective implementation of sanctions including those imposed by the EU.  Prior to 2018, EU sanctions required implementation by Ordinance in the three independent legislatures of Guernsey, Alderney and Sark. However, in its report in 2014, MoneyVal noted that there was an unacceptable delay between the introduction of EU sanctions and the enactment of these Ordinances.  So when the Sanctions (Bailiwick of Guernsey), Law 2018 (“the 2018 Law”) was drafted, it enabled EU Sanctions to be brought in Bailiwick-wide by regulations implemented by Guernsey’s Policy & Resources Committee.

As far as the UK leaving the EU was concerned, the importance of remaining aligned with the UK was acknowledged and also incorporated into the 2018 Law.  This was done by including in the definition of a “sanctions measure” regulations made by an “appropriate” UK minister under the Sanctions and Anti-Money Laundering Act 2018.  By doing so, P&R can implement urgent legislation so that regulations made by a UK minister have full force and effect in the Bailiwick at the earliest possible opportunity.
 
And this is exactly what was implemented. By virtue of the Sanction (Implementation of UK Regimes) (Bailiwick of Guernsey) (Brexit) Regulations, 2020, signed off by the President of P&R on the last day of 2020, some 35 UK Regulations come into operation in the Bailiwick. Although having direct effect here, these UK Regs have been fairly extensively “Bailiwick of Guernsey-fied” in the process.  These amendments are only sensible given, for example, we should not apply UK offences, penalties or enforcement proceeding to our regime.

Similarly, the Bailiwick’s transitional provisions in respect of licences should apply rather than that of the UK and, as would be expected, existing licences transfer to the new regime for the rest of their duration retaining their existing conditions. At Schedule 4 of the 2020 Regs, there is also a helpful list of the 94 pieces of Bailiwick legislation under which previous licences were issued and the corresponding UK enactments under which the replacement licences are now deemed to be issued.  Necessarily, pending applications as at “exit day” will be dealt with under the new regime.
 
As a result, designations that have been and will be made under these UK Regs will need to be included in your firm’s screening programme. As most financial institutions rely on external providers for third-party screening and these should already include all UK designations, it would seem that there may be little to do.  However, as with most changes, it is important not only to amend the policies and procedures to refer to this new legislation, it is also important to remove references to the legislation which has been repealed (of which there were 8 Bailiwick-wide and 36 in Guernsey and 34 in each of Sark and Alderney) and to note amendments to the Terrorist Asset-Freezing (Bailiwick of Guernsey) Law, 2011.
 
Interestingly, before any Committee can make regulations such as these under the Brexit Law (as I have called it), it requires a certificate from HM Procureur confirming, amongst other things, that those regulations are necessary or expedient in both the consequence of the withdrawal of the United Kingdom from the EU and the public interest.  That necessity certainly cannot be denied.

Clearly, having a sanctions regime consistent with the UK and one that also ensures EU sanctions are complied with is essential to maintain our international standing. So whilst we have spent many months and years amending our policies and procedures to comply with the requirements of FATF and Europe’s MoneyVal, further amendments are again needed after exit day to cater for the UK’s Brexit.

 

The full details of the changes and the legislation can be found in the three Sanctions Notices on the home page of the GFSC’s website and the Sanctions pages on the website of the States of Guernsey. 

* The European Union (Exit Day and Designated Day) (Brexit) (Bailiwick of Guernsey) Regulations, 2020

 

 

 

 

 

 

 

 

 

Compliance Maturity – Squaring the Circle

In my last blog, I examined the failures of a financial services business where they were at their most basic. In this blog, I am looking at the opposite end of the scale and the maturity of compliance cultures in firms.

Compliance maturity has been around for a long time. In 2009 Thomson Reuters’ Compliance Weekly undertook a compliance maturity survey which included 10.9% from the finance industry. The view at that time was that “Chief compliance officers apparently still have lots of work ahead to turn their compliance efforts into strong, mature programs that can handle the broad range of risks”. In July 2015, members of Cork University in Ireland published in IJBEX* their “financial industry maturity model for anti-money laundering” to help firms be AML/CFT compliant albeit acknowledging their research was still at an early stage.

In Guernsey, the GFSC’s 2015 Annual Report, the Director of Enforcement, Simon Gaudion, made the following comment: “One of the major topics for compliance professionals currently is regarding ‘compliance maturity’ which clearly needs to be set by the board and encompasses ethics, culture and corporate governance. Cases identified this year once again bring into question many of these issues around those areas and we would ask firms to consider whether the right tone and culture is being set from the top of their organisation.”

So where are we in 2021?

It is widely accepted that to ensure staff behave ethically and comply with the law and good corporate governance principles, the board needs to lead by example by living and breathing that culture. A business with such a team approach is not only more likely to adhere to the required legislation, so avoiding any supervisory action, but also reduce costs and increase client satisfaction. 

But how do you know how compliance mature your firm is? One way is to undertake a Compliance Effectiveness Assessment which looks at how people, processes and technology help or hinder the firm in its aim.  

In an effective compliance programme, people are the most important component but also the weakest link. The board needs to be able to support staff by giving them the training they need to promote the right behaviour backed up by a fully resourced compliance function who have a seat at their table. The processes properly documented will support staff to comply with the requirements; success being shown by a good reaction time to new regulatory changes, collaboration between different teams and the right level of evidence of the controls in place. Use of up-to-date technology that is appropriate for the particular business squares the circle. 

Given that the update of the firm’s AML/CFT policies, procedures and controls were required to be approved by the Board by the 30th September 2020, this year would be a good time to identify a firm’s compliance maturity and consider if the right culture is being practised by the firm to ensure that those new policies and procedures are effective. Not only would such an assessment save money in the long run, but it would also comply with the requirements of the AML/CFT Handbook. 

Under Rule 2.18 it states that “the board must consider the appropriateness and effectiveness of its compliance arrangements and its policy for the review of compliance at a minimum annually, or whenever material changes to the business of the firm or the requirements of Schedule 3 or this Handbook occur. A review of compliance is not only applicable to AML/CFT but also to the rules relating to the particular licensee’s business such as the COB Rules and the new Fiduciary and Pension Rules and Guidance and the Code of Corporate Governance which applies to all licensed companies.

A Compliance Effectiveness Review not only identifies where the firm is on the journey to compliance maturity but also what may be hindering its progress. The review usually consists of desktop study, surveys and interviews covering various aspects of the firm and, depending on the completeness of the review, can take up to 12 weeks. Whilst this in-depth approach may be suitable for some firms, an overview can be completed in as little as a week to identify the main issues a firm may have to recommend any further investigation that would be beneficial. A third party’s objective consideration of the business’ objectives and risk assessments as well as interviewing the relevant staff can be surprisingly useful in identifying the priorities for review in any compliance monitoring programme.

By believing in the importance of compliance, the board can instill in the business a proactive approach that encourages the identification of opportunities that arise from new regulations – a win-win for all concerned. By knowing the level of the firm’s compliance maturity, the board can identify and prioritise the right doors to open to reap those benefits.

If you wish to have assistance in reviewing how compliance mature your firm is, then please feel free to contact me for a no obligation discussion. 

 

*  International Journal of Business Excellence (IJBEX), Vol. 8, No. 4, 2015

The Politics of Compliance

tindalldawn-1-e1454075780950Sitting here, as proud as punch to be elected as a Deputy and member of Guernsey’s States of Deliberation, the mind starts thinking of the compliance aspects of our success at the polls.

My first thought is AML – of course!  High risk I may be but am I a PEP?  Does the automatic requirement for enhanced due diligence apply to me because I am a Deputy?

For those of you who don’t know PEP stands for politically exposed person. The definition, which is the same in both sets of Regulations that apply in Guernsey, starts by saying that a politically exposed person means “a person who has, or has had at any time, a prominent public function or who has been elected or appointed to such a function in a country or territory other than the Bailiwick …” (My emphasis)

So, having read that, I see that it’s not me then ?  ….. Oh yes it is! Because, as always, it is never as simple as it seems.

As I have been elected to a political position in the Bailiwick, I am considered a “domestic” PEP and the extra due diligence does not automatically apply here.   However, if I want to open a bank account, say, in the UK, I am a “non-domestic” PEP and so caught by their Money Laundering Regulations 2007.  Their Regulation 14(5)(a)(i) states that a PEP “is an individual who is or has, at any time in the preceding year, been entrusted with a prominent public function by ..  a state other than the United Kingdom”.

As we have many banks here that are branches of UK banks or, indeed, branches of other countries’ banks, their approach needs to be considered.  Their policies and procedures may require that the highest standard of AML which applies in the jurisdictions in which they operate is followed or they may not even differentiate between “domestic” and “non-domestic” PEP.   So whilst we are not caught by the legislation which applies to those branches, which is the Guernsey legislation, we are probably caught by the policies imposed on them by “head office”.

As Guernsey intends to update its legislation and the Handbooks to follow the FATF (Financial Action Task Force) Recommendations 2012, that distinction should no longer be as relevant and I will have PEP status both here and abroad … but not yet.

Whether or not we are automatically PEPs does not mean the story ends there.  As I have said, it is highly likely that, if we are not treated as PEPs, the business relationships or occasional transactions we undertake will be assessed as high risk anyway under the firm’s policy and procedures.

However, whilst the definition of PEP in legislation invariably includes the PEP’s immediate family and close associates as it does in Guernsey, what is interesting to note is that the FATF Recommendations do not call these people PEPs.  All that the Recommendations state is that “the requirements for all types of PEP should also apply to family members or close associates of such PEPs.” (My emphasis again).

So whatever you want to call us, come Tuesday, I expect businesses to be queuing up at the doors of new Deputies’ for those extra pieces of information or documentation to comply with the Handbooks.

If you have not checked (or had not even thought to check) your database to see if we (or our family members or close associates) are your clients, then may I politely suggest you contact me.  I can help you review your procedures to make sure you don’t miss anyone’s change of status which results in the need to undertake further enhanced due diligence.