The Jersey Financial Supervision Commission (the JFSC) has recently (June 2020) published a feedback paper for industry on the results of its examinations of compliance with the financial crime requirements across a number of financial services businesses. Given the similarity of the Jersey and Isle of Man prevention of financial crime frameworks, the paper provides a number of useful learning points for Isle of Man regulated entities and designated businesses.
The JSFC identified findings across the headings of:
- Corporate Governance;
- Business Risk Assessment;
- Systems and controls;
- MLRO/DMLRO;
- Customer Due Diligence;
- Suspicious Transaction Reports; and
- Screening, awareness and training of employees.
Corporate Governance
The JFSC noted the following weaknesses in respect of the corporate governance aspects of financial crime compliance:
- Minutes of board or other senior management meetings did not reflect that the financial crime matters or risks that were reported to the meeting had been subject to adequate discussion, challenge or scrutiny;
- There was a lack of documented actions arising from such meetings meaning that senior management were unable to demonstrate that they had taken timely action to remedy deficiencies brought to their attention; and
- Financial crime risk wasn’t always included in the risk management framework.
Business Risk Assessment
In terms of the Business Risk Assessment (BRA), the following issues were identified:
- The BRA had not been kept up to date or was not being monitored for its continued relevance;
- There had not been adequate participation by senior management in the development of the BRA and there was no evidence of it being reviewed, challenged or scrutinised by the Board; and
- In some cases, senior management could not describe how they had participated in the BRA and could not explain the key risks identified within it.
Systems and controls
Key matters arising in respect of systems and controls were:
- Policies and procedures quoting large parts of the regulation or guidance and not being tailored to the organisation’s own policies and procedures;
- Policies and procedures not being kept up to date with responsibilities for such updates not having been formally allocated; and
- Deficiencies in compliance monitoring programmes such as the programmes not being kept up to date or not having been executed in some time.
MLRO/DMLRO
The issues identified in relation to the MLRO/DMLRO role were:
- A lack of Board reporting from the MLRO/DMLRO;
- Responsibilities of the role not being clearly set out in a job description;
- A lack of formal appointment of the DMLRO; and
- A lack of resources to enable the role to be properly carried out.
Customer Due Diligence
Quite a number of findings were identified by the JFSC in relation to Customer Due Diligence including:
- A lack of Source of Funds or Source of Wealth information;
- No documentary evidence of how possible screening matches had been resolved;
- Issues in relation to periodic reviews such as incomplete reviews or reviews not taking place despite a trigger event or review date having been reached; and
- Enhanced due diligence not always being obtained in accordance with procedures.
Suspicious Transaction Reports
Matters identified in relation to Suspicious Transaction Reports (STRs) included:
- Inaccurate and out of date information in relation to the reporting procedure for STRs;
- Non-compliance of the registers required to be held by the MLRO with the legislative requirements;
- Timeliness of reporting not always being evidenced; and
- A lack of documentation as to how the MLRO was to be kept advised of any significant developments in the customer relationship after an external STR has been made.
Screening, awareness and training of employees
The JSFC commented on the following in relation to the screening, awareness and training of employees:
- Training did not always include everything that it is required to under the legislation;
- AML/CFT training not being provided on a frequency required by the legislation; and
- A lack of records to evidence that AML/CFT training had been provided.
DQ’s Regulatory & Compliance Advisory team has often noted similar findings to the above in compliance reviews or when assisting clients with the outcome of supervisory visits. We have significant experience in assisting clients to meet their AML/CFT responsibilities which includes the provision of training, conducting compliance monitoring and reviewing current procedures and controls. Contact details for the team of Sinead O’Connor, Mike Nudd and Kathryn Sharman are available from our web site.