The Regulator’s Regulator?

Next week, the States of Guernsey will be asked to note the annual report and accounts of the Guernsey Financial Services Commission for the year ended 31st December, 2015.  Under Rule 3(24) of the Rules of Procedure this means I will not be asked to agree or disagree with the contents of the Report as “to note” is construed as a neutral motion neither approving nor disapproving.  So, having read the Report and wanting to make a few comments on its contents, I thought I’d put some thoughts down in my blog as the role of Regulator is such an important function for our industry.

What struck me initially was not their stated objectives; it was what was not  – the Commission does not seek to run a zero-failure regime. To quote the Director General, William Mason,

“Were we to set ourselves up to run a zero failure regime we would unduly constrain innovation, limit growth and seek to act in a risk averse fashion which would ultimately ensure little other than the impoverishment of the people of the Bailiwick as the financial services sector became a shadow of its former self.”

From an AML perspective, this means that, with the Commission using PRISM’s risk based approach to supervision, there will still be attempts by criminals to misuse the financial system.  Naturally, therefore, it is for businesses to follow the requirements of the legislation and the Handbooks to ensure those attempts fail.

It is good to hear that innovation is very much being encouraged by the GFSC and their open-door policy is often complimented especially when talking FinTech.  However, there is still the grumble in the AML world that there is insufficient consistency in the application of CDD requirements.  So, whilst there is a focus on providing data management to collate a customer’s identification information for KYC and CRS purposes, there is still a lack of clarity of how to get the documents which verify the customer’s identity such that they satisfy not only the different country regimes but the requirements of different institutions within each country.

Some companies seek to comply with the standard which satisfies the most respected country regimes which is a good starting point.  However, I found that, when submitting the documents, the approaches of institutions varied so much that the easiest way was to deal with each institution and get agreement on what they will accept.  Quite often they asked for more than their own country’s requirements resulting in me firmly pointing out that they were not complying with their own country’s legislation, that their policies were not based on that legislation and that they should vary their requirements to accept a consistent standard in line with FATF requirements.  I am pleased to say that this proved successful on all but one occasion and that failure was with a London branch of a Swiss bank with whom I had already had success.  The branch was not for seeing the light!

You might well say – and I would agree with you – that this was a time consuming method of getting a customer’s verification documents accepted.  However, the main theme with the client facing teams I dealt with was they wanted to ask their customers to provide only one set of documents and not to have to keep going back to the client for more information just because each different institution wanted something else.  So whilst you can collate in accordance with the main countries’ requirements, there will always be differences in interpretation until we have common standards for AML.

To complement my approach, I always thought it best to advise our clients on the expense of certain relationships before willingly embarking on a painful account opening process.  Instead, client relationship managers should recommend going with those institutions which take a pragmatic approach with whom the firm has had a good relationship and saving their client’s money (and your time!).  I also believe a comprehensive checklist covering all the information and verification required which is fully complied with, checked for accuracy and, most importantly, not signed-off until it is complete in all respects should do the trick.

Some also say that the GFSC does not adhere to such common standards, quoting other countries’ different rules as being more lenient.  My response is always that, in my experience, other countries apply the FATF common standards (almost) but do not enforce those standards to the same extent the GFSC does.  This results in a misunderstanding. People believe the GFSC requires higher standards than others, higher than required by FATF, but actually I believe it just has the right standards (well almost) but the difference is that they are fully enforced.  As such enforcement means we received a superb MoneyVal evaluation which brings in business, the argument that we should be more lax with those requirements is, in my mind, counter-productive.

The review of the Handbooks should iron out some of those annoying differences and should bring clarity to ambiguities that exist but leniency in respect of the requirements I do not agree with as, after all, getting it right is not that difficult if you are conversant with all the legislation and guidance and take advice as appropriate.

 

Link to the annual report and accounts of the Guernsey Financial Services Commission for the year ended 31st December, 2015 is   https://www.gov.gg/CHttpHandler.ashx?id=102816&p=0

The Finance Industry – Confidence in Money?


As you know, I have been out canvassing and talking to people about the future of Guernsey. During these chats I have been hit by one particular message – a lack of confidence.  This is not just in the finance sector but in most aspects of life.  Whilst this is disappointing, it is not that surprising and something clearly needs to be done.

An upturn in the world economy will, of course, increase confidence as perhaps will a new set of Deputies but what can be done about confidence in the finance industry?

James Madison, Jr., the fourth President of the United States and political theorist, once said “the circulation of confidence is better than the circulation of money” – however in our industry we need both.

Diversification is at the top of most people’s agenda – we’ve seen the introduction of an aircraft registry and image rights legislation.  Also, the Digital Greenhouse, in my view, is a beacon of light for innovation having hosted some fascinating discussions on how we can promote Guernsey.

William Mason, Director General of the Guernsey Financial Services Commission, in his speech to the Industry in November 2015, having analysed other financial centres, concluded “that we match the most competitive countries in a large number of areas and that we still possess many key success factors.”  I agree.

Having worked in the Fiduciary sector, I was also pleased to see KPMG’s Strategic Review of the Guernsey fiduciary industry which confirms that “[t]he fiduciary industry is a material contributor to the local economy and island.” However, as my interest is in the AML/CFT perspective, the report discusses the need to investigate centralising and streamlining the CDD and KYC processes for on-boarding of clients across Guernsey.  KPMG concluded that “any opportunity to make this easier from a client perspective would be welcomed.”  I think this is really important although, in my view, if we can get clients and certifiers to follow the certification instructions first time it would be a massive bonus.

The Report goes on to say “[m]eeting these challenges will require clear direction and monitoring”.  Direction can come from a variety of sources: the Board, the management, the customers and the politicians and our regulator.

If elected, I hope to be one of those politicians providing clear direction and monitoring to increase the circulation of both confidence and money.

Willow, Confiànce and Provident – what lessons can we learn?


LESSONS FROM THOSE NAMED AND SHAMED – PART 3

In Part 1, I noted the three reoccurring themes why the GFSC took enforcement action against these three firms.  In Part 2, I discussed the first theme namely risk assessments.  In this Part, I will consider the question of ongoing and effective monitoring and enhanced due diligence for high risk relationships.

I will start with enhanced due diligence, the meaning of which is set out in Regulation 5. The Regulation contains a list setting out what steps you should take, but is it really that simple in practice?

For example, the first two actions require senior management approval for establishing a business relationship or occasional transaction or continuing a PEP relationship.  This seems straightforward; however, most businesses involve senior management in approving new relationships, so what should they do to demonstrate a different method? It is important that whatever is chosen, perhaps involving more than one member of senior management or a director, provides for a greater scrutiny of the relationship.

If it is important, when taking the extra EDD steps, to have different treatment between high and medium risks then, when it comes to source of wealth (SOW) and source of funds (SOF), why has this recently been blurred?  I am, of course, referring again to the recent MoneyVal report and also the GFSC endorsement of the good practice in establishing SOW and SOF for both such risk rated relationships.  Perhaps, if a difference is needed, it will be in how the SOW and SOF is evidenced?

The last requirement in Regulation 5 is, I believe, the least understood.  As part of CDD, it is only prudent to obtain all necessary identification data, to verify that data and to understand the nature and purpose of the business relationship.  So what more can be done?  Often this is not obvious but, to comply with the Regulation, it is essential to document what action is appropriate to that business relationship and, most importantly, take that action.

Ongoing and effective monitoring was the third theme and, if EDD applies, it must be undertaken more frequently and extensively.  Monitoring includes the review of CDD, transactions or activity.  However, no matter how often or to what extent this is undertaken, the relevance of the CDD or whether a transaction is complex or unusual must be understood.  The only way to do that is to have given the business relationship the correct risk rating in the first place and kept the risk profile and assessment up to date.

In my view, the cautionary tale of the enforcement action is that it highlights the interdependence of all the policies, procedures and controls required by the Handbooks.  It is so important that all are appropriate and they are implemented as how else can they be effective and the Board fulfil its duty?

 

Willow, Confiànce and Provident – what lessons can we learn?


LESSONS FROM THOSE NAMED AND SHAMED – PART 2

In Part 1, I noted there seemed to be three reoccurring themes why the GFSC took enforcement action against these three firms namely:

  • risk assessments
  • ongoing and effective monitoring
  • enhanced due diligence for high risk relationships.

 

In this Part, I am looking at risk assessments.

Assessments come in various forms but there are three main ones for AML/CFT purposes: the National Risk Assessment (NRA), the Business Risk Assessment (BRA) and the Relationship Risk Assessment.  I believe each one builds upon the other.

In the first of FATF’s 2012 Recommendations, it states that “countries should identify, assess and understand the money laundering and terrorist financing risks for the country”.  Whilst the UK issued their NRA in October 2015, Guernsey proposes to issue their NRA this year, having received the IMF’s model and had industry input.

The idea of the NRA is that it informs the next level namely the BRA or business risk assessment.  Guernsey’s Regulations require businesses to “carry out and document a suitable and sufficient money laundering and terrorist financing business risk assessment which is specific to the … business”.  The GFSC issued a detailed answer to FAQs on its website in September 2014 advising that the BRA “should identify the potential financial crime risks to which the business could be exposed”.  They also reiterated that it is best practice to review the BRA whenever changes to the business or financial crime risks occur and at least on an annual basis.  Due to the multitude of changes in these areas, the BRA is, therefore, a living document needing almost constant review.

The third level of assessment is the relationship risk assessment which is also made up of three stages – the risk profile, the risk assessment and the risk rating.  The risk profile should set out the information regarding the specific relationship with the customer noting all financial crime risk indicators which include those that are compulsory, inherent, high or, if none, low.  The risk assessment is the method by which a business assesses the profile, considering all the risks identified including the accumulation of those risks.  If the high risk indicators are not compulsory ones, the business can decide not to assess the overall risk as high because of strong and compelling mitigating factors identified and documented.

The third step is to give the relationship a risk rating and apply the appropriate level of CDD.

MoneyVal (sorry to mention them again!) reiterated the problem highlighted by the IMF that, because non-resident customers, private banking and trusts and companies holding personal assets are not compulsory high risks in Guernsey, insufficient CDD in some instances is applied.  Whilst the GFSC noted the evaluation recommendation for these new compulsory high risks, they pointed out that many businesses already include them as best practice.

Do you?  Are your risk ratings correct?  Without effective CDD and EDD will you fall into the trap of Willow, Confiànce and Provident?

In Part 3, I will consider the question of ongoing and effective monitoring and enhanced due diligence for high risk relationships.

Willow, Confiànce and Provident – what lessons can we learn?


LESSONS FROM THOSE NAMED AND SHAMED – PART 1

When reading the summaries issued by the GFSC on the enforcement action taken against these three firms, there are three reoccurring themes that jump out at you.   These are failures in respect of:

  • risk assessments
  • ongoing and effective monitoring
  • enhanced due diligence for high risk relationships.

These failures were compounded for Confiance and Provident as the issues had been raised by the GFSC at a previous visit and had not been effectively rectified.

It is very important to ensure the remediation identified by the GFSC has been implemented and I am sure much effort has been put into doing so but is it appropriate and effective?  Sometimes you can read and re-read the GFSC’s letters from the last visit and hope you’ve understood what they mean.  Although you have considered the remedial action identified, you’ve reviewed your procedures and you think it has all been covered, how can you be sure the changes will be effective?

It’s never too late, either, to ensure those Instructions have been followed. Like all compliant firms, you will have reviewed your files when the Instructions were issued in 2009 and 2010.  However, having taken on many business relationships since then, why not take this opportunity to review your files to ensure you could confirm once again that you have continued to apply the requirements in those Instructions?

You know where I am if you need help.

In Part 2, I will look at the three themes in more detail.