2023 natural persons undertaking class G trust company business examination feedback
Glossary
| Term | Definition |
|---|---|
| AML | anti-money laundering |
| AML/CFT/CPF code | the AML/CFT/CPF code of practice contained in the handbook |
| CFT | countering the financing of terrorism |
| class G trust company business | class G is the provision of director services as defined in part 2 of the schedule to the Financial Services (Financial Service Business) (Jersey) Order 2009 |
| CPD | continuous professional development |
| CPF | countering proliferation financing |
| financial crime | money laundering, terrorist financing and proliferation financing |
| FIU | Jersey’s Financial Intelligence Unit |
| guidance note | The JFSC Guidance Note: Natural Persons carrying on a single class of Trust Company Business |
| handbook | handbook for the prevention and detection of money laundering, the countering of terrorist financing, and the countering of proliferation financing |
| licence holder | a natural person holding a class G trust company business licence issued under the Financial Services (Jersey) Law 1998 who is subject to supervision by the JFSC for compliance with the order and AML/CFT/CPF code set out in the handbook pursuant to schedule 2 of the Proceeds of Crime (Jersey) Law 1999 |
| order | Money Laundering (Jersey) Order 2008 |
| supervised person | defined in Article 1 of the Proceeds of Crime (Supervisory Bodies) (Jersey) Law 2008. Includes persons regulated by the JFSC under one of the regulatory laws (which includes licence holders). |
| trust company business code | code of practice for trust company business |
1 Executive summary
In 2023 we undertook a thematic examination of natural persons regulated to provide director services under the Financial Services (Jersey) Law 1998. The scope of the review assessed licence holders’ compliance with certain key parts of:
the trust company business code
the order
the AML/CFT/CPF code
The purpose of this feedback paper is to:
explain our findings
give examples of best practice
inform licence holders of next steps
During the examination we identified findings related to:
business risk assessments
ongoing monitoring
suspicious activity reporting
sanctions
continuous professional development
insurance arrangements
record keeping
Class G licence holders should now consider the findings and best practice highlighted in this feedback against their own arrangements.
2 Background and methodology
Licence holders’ obligations are set out in the trust company business code, the order and the AML/CFT/CPF code, except where the guidance note or a condition of the licence provides otherwise.
When defining the examination’s scope, we considered the information contained in the Guidance Note: Natural Persons carrying on a single class of Trust Company Business.
We issued a questionnaire to 62 licence holders in Q1 2023. We reviewed and analysed the responses to the questionnaire and then selected a sample of seven respondents to attend a follow-up interview in Q3 2023.
The follow-up interview sample included licence holders who we had further questions for based on their questionnaire responses, alongside those whose responses indicated good practice.
All 62 respondents to the questionnaire received a letter confirming the outcome of the review in Q4 2023.
A breakdown of the content of the letters is shown below:
3 Overall findings and observations
Findings relate to a failure to demonstrate full compliance with obligations. Observations are areas which fall below our expectations or are not in line with the terms or spirit of our published guidance.
In this examination, we identified a total of 35 findings and 135 observations across 9 key areas, as summarised below.
| Area | Total number of findings | Total number of observations |
|---|---|---|
| Business risk assessments | 2 | 4 |
| Customer acceptance (including risk assessment) | 0 | 12 |
| Ongoing monitoring | 4 | 21 |
| Reporting suspicions of money laundering, terrorist financing, proliferation financing and sanctions reporting | 18 | 33 |
| Record keeping | 4 | 49 |
| Continuous professional development | 5 | 3 |
| Complaints | 0 | 5 |
| Financial resources | 0 | 7 |
| Insurance arrangements | 2 | 1 |
| Total | 35 | 135 |
4 Detailed findings
We understand that there can be variations in the way a licence holder complies with the obligations set out in the order, the AML/CFT/CPF code and the trust company business code, which were drafted principally from the perspective of corporate businesses rather than natural persons providing services.
As we operate in a principles-based framework, we expect licence holders to interpret the obligations in line with their specific circumstances. This includes considering their customers, the breadth of the director services they provide, and the manner and circumstances in which those services are provided.
This section explains our findings from the examination and includes some examples of good practice, some of which was seen during the examination. Licence holders can find additional resources and guidance on how to comply with their obligations in the handbook and the trust company business code and guidance note on our website.
We also encourage licence holders to read all published feedback relating to examinations and thematic assessment visits. Licence holders can demonstrate regulatory compliance by reviewing their existing systems and controls against our feedback, completing a gap analysis, and considering the good practice.
The findings we identified in relation to financial crime prevention and detection obligations, as set out in the order and AML/CFT/CPF code, were in the following areas:
business risk assessments
ongoing monitoring
reporting suspicions of money laundering, terrorist financing and/or proliferation financing
sanctions
record keeping
We also identified findings in relation to obligations set out in the trust company business code. These key areas were:
continuous professional development
insurance arrangements
record keeping
4.1 Business risk assessments
Licence holders must conduct and record a business risk assessment. The business risk assessment must be specific to a licence holder’s services and customers. Licence holders must also consider, on an ongoing basis, their risk appetite and the extent of their exposure to financial crime risks from the directorships they hold.
In line with the guidance note, business risk assessments should include:
operational risks
economic and market exposures
geographical risks
the risk of a licence holder’s services being used to facilitate financial crime
The following table sets out our findings on business risk assessments, alongside our expectations of licence holders based on what we saw in the examination:
Good practice
A business risk assessment should:
record the methodology for how the licence holder manages and mitigates exposure to financial crime risk in the context of the directorships they hold
differentiate, where relevant, between services which are provided in conjunction with another regulated services provider and those which are not
identify the highest risk areas
document the events or triggers which would prompt a review of existing systems and controls
record updates and changes made to the business risk assessment, including the date of changes (for example through tracked changes or version control)
explain what the financial crime risks are and how they are rated (for example high/medium/low) in the context of services provided to customers
For more information on licence holders’ business risk assessment obligations see:
2022 AML/CFT business risk assessment and formal AML/CFT strategy feedback
4.2 Ongoing monitoring
Licence holders must scrutinise their business relationships. The licence holder must ensure that their customer’s activity is consistent with the licence holder’s knowledge and understanding of the customer and its intended activities. This scrutiny includes keeping the customer’s business and risk profile under review.
We identified four findings related to failings to adequately monitor or screen customer activity, which spanned:
not undertaking any monitoring or periodic reviews for appointments
over-reliance on personal and business relationships (for example, being too comfortable that associates and/or other board members were well known to licence holders)
not applying any ongoing monitoring measures, such as adverse media screening
In line with provisions set out in the guidance note, licence holders providing services jointly with a JFSC-regulated fund services business or trust company business deferred to the regulated business’s ongoing monitoring processes to meet their own obligations to varying degrees.
The following table sets out our findings on ongoing monitoring, alongside our expectations of licence holders based on what we saw in the examination:
Good practice
set up Google alerts or other notification alerts in relation to beneficial owners and/or controllers of the companies for which director services are provided
where viable, subscribe to an automated screening tool
understand what “red flags” to look out for and what search terms to use for any open-source searches
where you rely on a regulated service provider’s systems and controls, have a clear, documented agreement in place which articulates what is and is not included in the services agreement, in line with the guidance note
For more information on licence holders’ ongoing monitoring obligations, see page 14 of our financial crime examinations feedback from 2022 examinations.
4.3 Reporting suspicions or knowledge of money laundering, terrorist financing, proliferation financing
Licence holders have an obligation to report knowledge or suspicion of money laundering, terrorist financing and/or proliferation financing under the Proceeds of Crime (Jersey) Law 1999 and the Terrorism (Jersey) Law 2002.
Licence holders who fail to report knowledge or suspicion of money laundering, terrorist financing and/or proliferation financing are liable to imprisonment for a term not exceeding five years and/or a fine.
The order sets out the obligations for a licence holder to establish and maintain procedures for complying with their reporting obligations, which include reporting the knowledge or suspicion to the Financial Intelligence Unit, Jersey (FIU) as soon as practicable.
The following table sets out our findings on reporting suspicions of money laundering, terrorist financing and/or proliferation financing, alongside our expectations of licence holders based on what we saw in the examination:
| Obligation | Findings | What we expect |
|---|---|---|
| Article 11(1)(b) and 21 of the order – adequate and maintained procedures relating to the reporting of knowledge or suspicion of money laundering, terrorist financing and proliferation financing to the FIU. | No documented policies or procedures relating to reporting obligations. | Licence holders have policies and procedures in place relating to their personal obligations to report knowledge or suspicion of money laundering, terrorist financing and/or proliferation financing. These personal obligations are in addition to those of: the company for whom the licence holder acts as director (e.g. the customer); the regulated service provider the licence holder works alongside to provide the director services (e.g. an administrator) |
| AML/CFT/CPF code set out at paragraph 8.3.2 (87) of the handbook requires a licence holder to maintain procedures which require them to: document the basis for submitting a report to the FIU; record all reports sent to the FIU in a register which includes the date of the report, the name of the person submitting the report and information to allow supporting documentation to be retrieved in a timely manner | Inadequate procedures relating to the licence holder’s reporting obligations | Licence holders must have adequate procedures in place covering their reporting obligations, including a suspicious activity report register. A copy of the handbook is not a substitute for a licence holder maintaining their own procedures. |
Good practice
policies and procedures clearly articulate how and when knowledge or suspicion of financial crime should be reported to the FIU, along with a documented register of any filings clearly noting the date on which the knowledge or suspicion came about and the date the report was filed.
For more information on licence holders’ obligations to report knowledge or suspicion of money laundering, terrorist financing and/or proliferation financing see:
Additional information sources – ML / PF / TF
AML/CFT/CPF Handbook - Section 8
States of Jersey Police - Suspicious activity reports
4.4 Reporting in relation to sanctions
Licence holders are required to comply with specific reporting obligations in relation to sanctions under the Sanctions and Asset-Freezing (Jersey) Law 2019. In particular, they must report any attempts to breach or circumvent sanctions to the Minister for External Relations.
It is important to be aware that these reporting obligations are in addition to the obligations to file suspicious activity reports with the FIU.
A person guilty of an offence under the sanctions law is liable on conviction to imprisonment and/or a fine.
The following table sets out our findings on sanctions reporting, alongside our expectations of licence holders based on what we saw in the examination:
| Obligation | Findings | What we expect |
|---|---|---|
| Article 11(1)(b) and 21 of the Order – adequate and maintained procedures relating to the reporting of sanctions matches to the Minister of External Relations | No documented policies or procedures relating to reporting sanctions. | Licence holders have policies and procedures in place relating to their personal obligations to report sanctions matches. These personal obligations are in addition to those of: the company for whom the licence holder acts as director (e.g. the customer); the regulated service provider the licence holder works alongside to provide the director services (for example an administrator) |
Good practice
policies and procedures clearly articulate how and when sanctions breaches should be reported to the Minister of External Relations, along with a documented register of any filings
For more information on licence holders’ obligations to report sanctions matches see:
AML/CFT/CPF Handbook - Section 8
the Government of Jersey’s sanctions webpage
4.5 Continuous professional development
Licence holders are registered and therefore not considered to be trust company business employees for the purpose of the trust company business code. However, the guidance note makes it clear that licence holders are still subject to the same obligations in relation to CPD as trust company business employees.
The following table sets out our findings on CPD, alongside our expectations of licence holders based on what we saw in the examination:
| Obligation | Findings | What we expect |
|---|---|---|
| Paragraph 3.4.2 of the trust company business code – licence holders are required to maintain CPD records. | Lack of documentation evidencing CPD undertaken. | Licence holders should keep a record of all CPD undertaken over the course of each year and, where possible, maintain evidence of the CPD undertaken (for example certificates of attendance). |
| Paragraph 3.4.4 of the trust company business code – licence holders are required to undertake a minimum of 25 hours of CPD (with no more than 5 hours being attributed to relevant reading). | Failure to undertake the required annual number of CPD hours. | Licence holders should keep their professional knowledge up-to-date and include CPD relevant to the services provided and/or the activities of the companies for whom they provide director services. |
Good practice
use of professional standards bodies’ websites, applications and/or portals to adequately record CPD
documenting an appropriate level of detail relating to the content of the training undertaken
4.6 Insurance arrangements
Licence holders are required to maintain and demonstrate the existence of adequate insurance arrangements. Licence holders need to have and maintain adequate insurance cover commensurate with their business activities at all times.
Professional indemnity insurance must cover negligence, errors and omissions by the licence holder from wherever they are providing their services. Section 5.2.4 of the trust company business code provides further information on the required terms of this insurance.
The guidance note states the limits of professional indemnity insurance cover required by licence holders, which differ from the limits set out in the trust company business code. It confirms that licence holders should have:
directors and officers insurance cover – this can be through their own policy, as an extension of another’s policy (for example a regulated service provider’s policy or the customer’s own policy), or a combination of both
professional indemnity insurance cover when exercising an executive function (such as being a signatory to a bank account belonging to the customer) – this can be through their own policy or as an extension of another’s policy covering the services provided by the licence holder
Licence holders need to ensure the protection meets requirements set out in the guidance note regarding the minimum level of cover (£1,000,000) and the maximum permitted excess (£20,000). Licence holders must notify us of any excess over £20,000.
The following table sets out our findings on insurance arrangements, alongside our expectations of licence holders based on what we saw in the examination:
| Obligation | Findings | What we expect |
|---|---|---|
| Trust company business code: 5.2.1 - a licence holder must have and maintain adequate insurance cover at all times, commensurate with its business activities. Trust company business code: 5.2.1.1 - such cover must include professional indemnity insurance extended to include fidelity guarantee (employee dishonesty or fraud), insurance and directors insurance, and officers insurance. | No professional indemnity insurance in place despite being a signatory over bank accounts containing client assets. | Licence holders have adequate insurance arrangements in place for the services they provide. Licence holders have a clear understanding of the insurance arrangements both: taken out personally; extended to the services provided by them because of the directorships they hold |
| Guidance note: where a person personally meets the professional indemnity insurance requirements, the JFSC would accept a level of PII cover calculated on the same basis as in the trust company business code, but with minimum cover reduced to £1 million. | Inadequate level of professional indemnity insurance cover held. | Licence holders ensure that the services provided to each customer are adequately covered by the insurance arrangements and that the cover taken out is: not less than the minimum amount of cover provided for in the guidance note; is, at all times, commensurate with the risks associated with the services provided |
Good practice
licence holders document that insurance arrangements are adequate to cover each directorship they hold
licence holders review on an annual basis (for example, at the point of renewal) the scope of the insurance arrangements to ensure the total cover remains commensurate with the services being provided
4.7 Record-keeping
Record-keeping obligations are included in the order, the AML/CFT/CPF code and the trust company business code.
The order requires a retention period of five years from the termination of a business relationship for all documentation, data and evidence in relation to applied customer due diligence measures and transaction records.
The handbook sets out specific obligations for record-keeping relating to evidence of identity (customer due diligence measures), transaction records, corporate governance, identification measures and ongoing monitoring, suspicious activity reports, screening and access to records.
The trust company business code sets out obligations in relation to business records, customer records and provisions which cover all records.
During the examination, we asked licence holders about their record-keeping arrangements. We asked about:
the testing arrangements for access to records held by a third party
how long records were retained after termination of the business relationship
the arrangements in place to access records held by a third-party following termination of a business relationship
The following table sets out our findings on record-keeping, alongside our expectations of licence holders based on what we saw in the examination:
| Obligation | Findings | What we expect |
|---|---|---|
| Paragraph 3.7.3 of the trust company business code – a licence holder must have a clearly documented policy and procedure regarding record retention that includes periodic review of the accessibility and condition of paper and electronic records. | Where records are in part held by a licence holder and in part held by another regulated service provider, no testing was undertaken to ensure records retained by the regulated service provider could be accessed. | Licence holders consider each directorship’s record-keeping processes separately and understand how to access each specific appointment’s records for the duration of the relevant retention period. Licence holders, from time to time, test their access to relevant records. |
| Paragraph 3.7.6.3 – where records relate to significant corporate governance matters, such as management meeting minutes or risk assessment matters, or are records relating to requirements established by the code, these must be retained for ten years from the date of the record. | Retention periods were set at five years for all documentation. | Licence holders are aware of all provisions relating to record-keeping in the order, the handbook and the trust company business code, and apply the relevant timeframe to the right category of documentation. |
Good practice
engagement letters or service agreements with customers or other regulated service providers expressly state the retention periods for documentation and an agreement that the licence holder will continue to have access to the information and documentation throughout that retention period.
5 Feedback on the areas with observations
5.1 Customer acceptance (including risk assessments)
Licence holders must undertake a customer risk assessment before accepting a directorship, and they must periodically review this risk assessment. There are many factors which could affect a customer’s risk rating over the course of the relationship, which is why it is not a one-off exercise at the engagement stage.
There is no prescribed format for this assessment and a licence holder may wish to work with another regulated service provider to get comfortable with the level of risk posed by a directorship.
5.2 Financial resources
The guidance note states that licence holders must have and maintain personal unencumbered net liquid assets amounting to at least £25,000.
During the examination, we identified instances where the liquidity of the assets held was questionable. The guidance note states that, in most circumstances, a copy of a bank statement would evidence that the obligation is being met.
5.3 Complaints
We expect licence holders to have a process in place on how to handle a complaint they receive about their services.
The guidance note states that an exhaustive documented procedure may not be required. However, a licence holder must still be able to satisfy their supervisor that a complaint would be recorded in a way that complies with the requirements on the treatment of complaints. It must also be recorded in a way that enables the relevant recorded information to be reviewed (for example, through a complaints register).
6 Next steps
We have given direct feedback to all licence holders subject to this thematic examination. Where we identified findings, the licence holder was required to submit a remediation plan setting out the actions to be taken and timescales for completion.
When conducting remediation activity, we expect licence holders to consider the wider implications of the findings, rather than reviewing them in isolation.
It is important for regulatory effectiveness that a licence holder who has completed remediation activity does so in a way that is not only effective, but also sustainable. This ensures that they can demonstrate compliance with the statutory and regulatory requirements on an ongoing basis.