2023 virtual asset service providers’ suspicious activity reporting systems and controls examination feedback

AML/CFT/CPF

Anti-money laundering, countering the financing of terrorism and countering proliferation financing

Blockchain

Blockchain is a decentralised digital ledger that allows multiple participants to maintain a shared database without the need for a central authority.

Blockchain analytics

Blockchain analytics refers to the process of examining and interpreting data from blockchain networks to gain insights into transaction patterns and user behaviour. It involves leveraging various analytical tools and techniques to understand the flow of virtual assets within a decentralised ledger.

FATF

Financial Action Task Force

AML/CFT/CPF Handbook

Handbook for the prevention and detection of money laundering, the countering of terrorist financing, and the countering of proliferation financing

MLRO

Money Laundering Reporting Officer

ML/TF/PF

Money laundering, terrorist financing and proliferation financing

iSAR/eSAR

Internal Suspicious Activity Report / External Suspicious Activity Report

Supervised Person

As defined in Article 1 of the Proceeds of Crime (Supervisory Bodies) Law 2008. Includes persons regulated by the JFSC under one of the regulatory laws and registered persons including designated non-financial services businesses and professions (DNFBPs).

Supervisory Bodies Law

Proceeds of Crime (Supervisory Bodies) (Jersey) Law 2008

VASP

Virtual asset service provider

Virtual asset

A digital representation of value that can be digitally traded, or transferred and can be used for payment or investment purposes

VCEB

Virtual currency exchange business

Board/senior management responsibilities

board/senior management minutes did not sufficiently evidence discussion of the MLRO’s performance and the MLRO’s report

insufficient consideration of the MLRO’s timeliness in acknowledging iSARs

insufficient evaluation of any competing priorities impacting the MLRO function

limited evidence of the board/senior management giving adequate consideration to potential trends, levels, or risks emerging from SAR reporting

minutes referred to a review of MLRO reports but did not evidence discussion and consideration of risks arising from an absence or increase in the level of SAR reporting in the period

limited evidence in minutes of actions considering the MLRO reports, such as a review of training or evaluating any deficiencies in analysing transaction monitoring reports

no record of ownership timeframes, dates for completion or conclusions for actions

demonstrated consideration of the effectiveness of systems and controls and of the quality of the management information being reported

the effectiveness of the MLRO and MLRO functions is assessed, including, but not limited to, whether the MLRO is dealing with SARs in a timely manner

routine assessment of whether the other roles the MLRO fulfils impact their effectiveness, independence, or give rise to conflicts

evidence in minutes of discussion/challenge/scrutiny and conclusions of the SAR information provided in MLRO reports

evidenced consideration of the levels/quality of SARs

resulting action points and owners documented and tracked to completion

reports not only “taken as read” or “noted” but evidence they are being discussed and considered in detail

evidence the board/senior management has undertaken separate training related to its own reporting obligations

evidence the MLRO/DMLRO have been/continue to be trained on handling iSARs/eSARs, liaising with the Joint Financial Crime Unit/law enforcement and how to deal with the risk of tipping off

iSAR/eSAR procedures

not communicating to employees the identity of the MLRO (and any deputy MLROs) to whom an iSAR is made

not highlighting that reporting requirements extend to business relationships and one-off transactions that are declined

not stating that SARs must be made regardless of the amount involved in a transaction or business relationship

not including the requirement for the MLRO to acknowledge any iSARs as soon as possible

not including the requirement to record all iSARs and eSARs in a register

not documenting that the MLRO is required to inform the Jersey Financial Intelligence Unit where relevant information is discovered

no established measures to prevent iSARs from being filtered by line management such that they do not reach the MLRO

not including the requirement to record all eSARs in a register with the date of the report and information to allow supporting evidence to be retrieved quickly

clearly stating that reporting requirements extend to potential business relationships and one-off transactions that are declined

maintaining registers to record all declined business, with a written explanation of the reason

the declined register (and analysis) forms part of the MLRO’s board report

where relevant information is discovered, highlighting the requirement to inform the Jersey Financial Intelligence Unit and also evidencing this in MLRO reporting to the board

procedures and training include the requirement that the MLRO or (or Deputy MLRO) acknowledge iSARs as soon as possible

timescales for acknowledging iSARs form part of the MLRO board report and are analysed to ensure acknowledgements are made as soon as possible

iSARs are made in a set format

iSARs fully explain the information or matter which gave rise to knowledge, suspicion or reasonable grounds for knowledge or suspicion

iSARs include the date that the information or matter came to the employee’s attention

iSARs include the date of submission of the iSAR

iSARS include full details of the customer, transaction or activity that the supervised person holds on its records

tipping off provisions are covered in detail in procedures and written in a way that is easily understood for employees

Training

materials not tailored to the activities and risks of the supervised person

failing to adequately cover relevant Jersey AML/CFT/CPF obligations including relevant mandatory sanctions legislation and obligations, and requirements about relevant connection to an enhanced risk state

adequate arrangements not in place to test the effectiveness of employee training and employee awareness

procedures incorrectly interpreting Article 4 of the Money Laundering (Jersey) Order 2008, and therefore incorrectly waiving due diligence for one-off transactions which do not exceed 15,000 euros  

where third party training providers is used, instances of inaccurate references not reflecting Jersey’s AML/CFT/CPF regime

relevant to entity with specific examples of ML/TF/PF case studies, red flag warnings, examples of unusual activity, and customer profiling to identify unusual transactions

separately covering TF and PF as well as ML risks and prevention, with explanations of the differences between the three

including case studies to highlight the obligation of employees to report, the potential consequences of failing to report, and the importance each employee has in preventing and detecting financial crime

explaining risk appetite, business risk assessment and financial crime strategy and how these link to risk mitigation procedures

where a third-party training solution is used, assessing it to ensure it complies with the statutory and regulatory regime in Jersey, including a gap analysis to identify and address any deficiencies or inaccuracies

including financial sanctions in the training plan, with those who fail to achieve a minimum pass score in this area provided with additional training and reassessed

analysing test answers to identify any areas with a lower level of understanding, which then informs future training

considering the guidance notes provided in Section 9 of the Handbook and referencing JFSC examination feedback papers

Transaction monitoring

procedures not referencing monitoring to determine relevant connections to an enhanced risk state

no reference to the monitoring tool’s (Blockchain analytics or similar) coverage, including how often the system is updated, or any limitations

policy not fully demonstrating compliance with the Money Laundering (Jersey) Order 2008

policy not reflecting the Handbook’s requirement of appropriate and consistent policies and procedures for the identification and scrutiny of transactions

lack of procedures for identifying complex or unusually large transactions, unusual patterns of transactions with no apparent economic or visible lawful purpose, and any other activity which may be related to the risk of ML/TF/PF

insufficient evidence that transactions are scrutinised for notable or unusual activity

insufficient evidence of the measures in place to identify notable or unusual activity

insufficient evidence of the extent of examination and analysis of the monitoring outputs, exception reports and alerts

detailed transaction monitoring procedures maintained which show the blockchain analytics solution used

documented evidence of understanding how the system works, including any limitations (and how these are managed)

systems tailored to the business

systems facilitate users applying additional judgement and experience in recognising unusual transactions and activity - particularly important when transactions are being made in virtual assets

procedures reference the monitoring undertaken to determine a relevant connection to an enhanced risk state and the associated training required for employees

and facilitates the application of additional judgement and experience to the recognition of unusual transactions and activity. This is particularly important when transactions are being made in VAs.

transaction monitoring procedures reference the monitoring undertaken to determine a relevant connection to an enhanced risk state and the associated training required for employees.

evidence exists detailing how the transaction monitoring system works

assessments are undertaken when the system is changed

detailing the extent of the coverage/any limitations

detailing who or what is monitored, including details of the external data sources

detailing how the system is used to identify unusual activity

detailing how the outputs, exceptions reports and alerts are analysed