Financial Crime Examinations Feedback from 2022 examinations

1 Introduction

As set out in last year’s financial crime examinations feedback, Jersey’s reputation as a sound, well-regulated jurisdiction remains a critical element in continuing to enable the financial services industry to attract legitimate customers with funds and assets that are clean and untainted by criminality.

The key to the prevention and detection of money laundering, terrorist financing and proliferation financing (together financial crime) continues to lie in the implementation of, and strict adherence to, effective systems and controls (including policies and procedures) based on international standards. These standards are implemented in Jersey through legislation and the Handbook for the Prevention and Detection of Money Laundering and the Financing of Terrorism (the Handbook).

Given the critical importance of implementing and complying with effective systems and controls

designed to prevent, detect and report financial crime, we regularly undertake examinations of supervised persons to assess the extent to which statutory and regulatory requirements are being complied with.

This feedback paper summarises the main findings from the 20 financial crime examinations carried out by our financial crime examination unit (FCEU) in 2022. Findings arising from thematic examinations in relation to financial crime have been reported separately.

A number of common themes and detailed findings in this feedback paper are similar to those outlined in our previous financial crime and thematic feedback papers.  The JFSC expects the board and senior management of all supervised persons to:

check for feedback papers and similar guidance notes published by us from time to time

review their own arrangements against the matters outlined in feedback papers

take appropriate and prompt action to remedy deficiencies identified.

Where we identify examination findings that indicate supervised persons, have not considered their own compliance arrangements against the feedback and guidance issued by the JFSC and/or taken steps to remediate identified deficiencies, they can expect us to consider it an aggravating factor when determining our regulatory strategy. 

2 Overview of 2022 financial crime examinations

A population of 20 businesses, comprising 18 carrying on regulated financial services business and two carrying on a business described in Part B of Schedule 2 to the Proceeds of Crime (Jersey) Law 1999 (referred to in this paper as Designated Non-Financial Businesses and Professions (DNFBPs)) (totalling 92 supervised persons) were examined in 2022. The industry sectors represented in our selection were as follows:

Our review of these 20 businesses resulted in our officers highlighting 120 findings. Encouragingly for one business, there were no financial crime findings arising from our examination.

Analysis of the findings highlights that most were in relation to non-compliance or partial non-compliance with the sections of the Handbook that set out statutory and regulatory requirements concerning:

Corporate governance - Section 2

Ongoing monitoring - Section 6

Enhanced and simplified customer due diligence (enhanced CDD and simplified CDD) and exemptions - Section 7

Reporting suspicions of money laundering or the financing or terrorism - Section 8

Screening, awareness and training of employees - Section 9

Of the 120 financial crime examination findings for 2022, 98% fall into four main themes.  The percentage of total findings in each theme remains relatively consistent with 2020 and 2021.

	2020	2021	2022
Corporate governance	40%	46%	39%
CDD measures	30%	23%	28%
Reporting suspicions of financial crime	15%	19%	19%
Screening, awareness and training of employees	10%	8%	13%
Other	5%	4%	2%

3 Findings and conclusions

In 2022, our officers identified findings at a small number of businesses that were similar to those highlighted during previous examinations of those businesses, indicating that action by senior management to address those previous findings had not been effectively implemented or had not fully addressed the root cause of the matter in question.

Additionally, a number of the key themes and detailed findings in this feedback paper are similar in nature to those brought to the attention of boards and senior management in our previous feedback papers published on our website: Examination findings and questionnaires.

Where we identify examination findings that indicate prior remediation has been ineffective, known deficiencies exist and have not been addressed by the board and senior management, or appropriate consideration and action has not been taken following feedback issued by the JFSC post examinations, supervised persons can expect these to be deemed as aggravating factors in determining our entity level regulatory strategy.

We are particularly concerned by the inability of those supervised persons examined to demonstrate full compliance with statutory or regulatory requirements relating to the reporting of suspicions of financial crime that has again featured prominently in examination findings for a third consecutive year. The 20 examinations completed in 2022 resulted in 23 separate findings being raised on this matter.

There were 47 findings relating to corporate governance of which many related to risk management arrangements, with incomplete and/or inadequate assessment of risk identified by the supervised person and documented in the Business Risk Assessment (BRA) being the main findings.

Our 2022 examination activity identified, as was the case in 2021, that employee awareness of key legislation and their personal obligations to report suspicions of financial crime was generally of a high level. However, the awareness of the financial crime risks inherent in a supervised person’s business and how those risks may manifest themselves in day-to-day activities was less well understood.

Given the findings of the 2020, 2021 and 2022 financial crime examinations, as part of ongoing supervisory engagements, we will continue to:

assess employee awareness of financial crime risks

focus on the adequacy and effectiveness of systems and controls (including policies and procedures) to report suspicions of financial crime.

All businesses examined received direct feedback and were required to submit a formal remediation plan setting out actions to be taken to address findings including timescales for completion.

As demonstrated by the detailed analysis of the findings arising from the 2022 examinations set out in Part 6 of this feedback paper, a number of the businesses examined needed to make comprehensive changes to internal systems and controls (including policies and procedures), to fully comply with the regulatory framework.

Where serious findings were brought to the attention of supervised persons, this will have resulted in escalation. In some cases, further regulatory action has been taken or may still be underway.

Targeted financial sanctions including terrorist financing risk and proliferation financing risk 

The results of the 2022 examinations indicate that systems and controls (including policies and procedures) at some of the businesses visited would have benefited from enhancement to ensure that Terrorist Financing (TF) and Proliferation Financing (PF) risks, including targeted financial sanction, were managed more effectively.

The adequacy of policies and procedures concerning TF, PF and targeted financial sanctions was the main issue identified. In particular, action was required to address policies and procedures that were:

out of date

ineffective

incomplete

not in place

inconsistent with the legal and regulatory framework.

Other weaknesses identified at certain businesses included:

not considering and documenting an assessment of TF, PF or sanctions risks as part of the Business Risk Assessment

a lack of employee awareness of TF, in particular with respect to the differences between TF and money laundering

in one case, a lack of awareness of the requirement to raise a SAR should there be grounds for suspicion or knowledge of TF

client screening issues, relating to higher risk country lists not being up to date

in one instance, a business was unable to explain what customer screening was undertaken by a third party on its behalf

training content lacked sufficient guidance and explanation of the requirements and the business’ and employee obligations in relation to sanctions, TF and PF.

failing to maintain adequate records of customer screening, including the analysis of hits and the rationale for any resultant actions

inadequate review of the Compliance Monitoring Programme (CMP) to ensure that it remained fit for purpose, appropriate for the size and nature of the business and that it tested the effectiveness of the entity’s systems and controls relating to TF and PF.

We strongly recommend that boards and senior management of supervised persons examine their systems and controls associated with targeted financial sanctions, TF and PF risk to identify and remedy any similar deficiencies.

4 Remediation of deficiencies highlighted by examinations

When businesses undertake remedial activities we expect that matters raised in the findings are not considered in isolation and that the wider implications of the detailed findings in individual examination reports should be considered. Additionally, the root cause of the findings should be understood and addressed as this will usually support a business in remediation more effectively and sustainably for the longer term. 

The 2022 examinations identified that in a small number of instances remediation carried out did not conform to the plan submitted to the JFSC nor was any notice given of a change of plan or of the decision not to follow the plan as submitted. In addition, there were cases where remediation had not been completed.

A critical element of regulatory effectiveness is ensuring that remediation addresses all identified deficiencies and is completed by a supervised person in a sustainable way.

Examination findings form part of a supervised person’s regulatory track-record and the manner in which a supervised person addresses the findings and engages with us are key to informing our supervisory strategy. Where appropriate, we may consider the implementation of heightened risk supervisory engagement strategies, the use of statutory powers and the imposition of regulatory sanctions.

Guidance on Remediation Action Plans was published by us on 6 April 2023 and can be found here:

Remediation Action Plans — Jersey Financial Services Commission (jerseyfsc.org)

5 Next steps

We expect boards and senior management of supervised persons to consider the findings highlighted in this paper and their own arrangements to ensure their business is complying with all relevant statutory and regulatory requirements.

Where supervised persons identify deficiencies in their systems and controls, our expectation is that they will:

prepare a remediation plan and discuss this with their supervisor

consider the notification requirements under the AML/CFT/CPF Codes of Practice within Section 2.3 of the Handbook and Principle 6 of the relevant Codes of Practice

remedy any identified matters in the manner set out in the documented remediation plan agreed with their supervisor

discuss and agree with their supervisor any unforeseen but necessary changes to the submitted plan that may come to light from the plan’s practical implementation

consider what assurance activities may provide comfort to the board/senior management that deficiencies identified have been addressed effectively.

In future engagements with the JFSC, supervised persons may be asked to evidence steps taken to address previously identified deficiencies in their control environment.

Where action taken is not considered to be adequate or where we identify similar deficiencies to those highlighted in our feedback papers, we will consider our future supervisory strategy and where appropriate, regulatory action.

6 Detailed analysis of key themes identified by examination findings

On completion of financial crime examination activity, the JFSC sets out its findings in detailed reports that are arranged according to the relevant sections of the Handbook. Each finding will detail the circumstances, instances or examples that led to our assessment that the supervised person was unable to demonstrate full compliance with all statutory and regulatory requirements included in the financial crime examination scope.

This section also includes feedback on best practices observed during the examinations and other feedback, which supervised persons may find of assistance in assessing the effectiveness of their own control environment.

6.1 Corporate Governance

There were 47 findings relating to corporate governance, in the main relating to board responsibilities, systems and controls and the role of the Money Laundering Compliance Officer and Money Laundering Reporting Officer.

Board responsibilities

The board of a supervised person must ensure, when documenting its BRA that relevant financial crime risks are assessed ‘in the round’ and that the conclusions of the BRA drive an appropriate and consistent risk-based approach to managing its financial crime risks.  

A prevalent theme identified was that many businesses were unable to evidence that an adequate assessment of those risks and the organisation’s control environment had taken place. The effectiveness of the supervised person’s risk assessment was adversely impacted by one or more of the following:

AML strategy and Risk Appetite Statement not consistent with BRA

no consideration of the cumulative effect of the risks recorded in the BRA

TF, PF and or targeted financial sanctions, not considered in the BRA

effect of customer country risk exposure and product and services risk

mitigating controls not clearly articulated

disparity between individual risk ratings and overall risk ratings

lack of regular review to ensure the BRA remains fit for purpose accurately reflecting the business' assessment of its risk exposure

ineffective assessment of the adequacy of the control environment to determine if residual financial crime risk was within the supervised person's risk appetite.

Examples of best practice and other resources to help firms improve compliance in this area Your BRA requires periodic review to ensure that it records all the risks to the business, the impact new or updated legislation and regulation, the cumulative effect of all the risks and consideration of the control framework for managing those risks. Key control enhancements or plans to deal with the emergence of new or external risk factors should be adequately considered and documented as part of your BRA. Control environment effectiveness may be evidenced by the findings of assurance activities, such as periodic testing and other supporting data. A Feedback paper was published on 22 December 2022 following a thematic examination assessing the extent to which supervised persons had recorded an assessment of their financial crime risk and their resultant strategy to counter this risk. A copy of that feedback paper can be found here: 2022 AML/CFT Business Risk Assessment and formal AML/CFT Strategy Feedback — Jersey Financial Services Commission (jerseyfsc.org)

Some businesses could not effectively demonstrate that the board received reports from the Money Laundering Compliance Officer (MLCO) on compliance matters and the Money Laundering Reporting Officer (MLRO) on suspicious activity reporting, due to:

the nature of consolidated compliance function reports presented at board meetings

off-island report preparation by Head of Compliance on behalf of Jersey-based MLCO and MLRO

the MLCO or MLRO not attending board meetings to present reports

reporting of financial crime matters being made via a regional financial crime risk report, which did not readily identify content relating to the supervised person

lack of documentary evidence of discussion of compliance matters raised by MLCO and reporting matters raised by MLRO.

Examination activity also highlighted:

examples where risk management arrangements were not operating as intended

instances where the board had not carried out an assessment of its effectiveness or had not completed an assessment in line with the frequencies set out in its stated policy

case of corporate governance records not adequately reflecting one or more of the following:

• delegated powers, meeting frequencies, meeting quorums and meetings not taking place
• matters being considered and decisions taken
• clearly distinguishable and/or meaningful reporting on compliance and suspicious activity reporting
• escalation of matters within the governance structure as required by terms of reference
• effective tracking of risk management actions

   that systems and controls to record and manage conflicts of interest:

• were not in place
• records were incomplete or
• did not record how identified conflicts were being managed by the supervised person.

Examples of best practice and other resources to help firms improve compliance in this area Board and senior management meeting records should evidence what was discussed, documents and reports reviewed, items scrutinised and challenged, decisions made and actions arising. Action plans in place to address deficiencies should be comprehensively recorded and should evidence that such plans are overseen to completion. Risk management arrangements such as risk management committees, business acceptance committees and other forums with power to manage risk should be periodically reviewed to confirm that their performance is both effective and as intended. Consideration should be given as to whether issues are being escalated in accordance with the terms of reference and that reporting to the board is adequate. The conflicts of interest register should be regularly updated and reviewed by the board and senior management and steps should be taken to ensure that all employees are fully aware of the business’ arrangements for the management of conflicts of interest.

Systems and controls

Supervised persons are required by the Order and the AML/CFT/CPF Codes to establish and maintain appropriate and consistent systems and controls (including policies and procedures) to prevent, detect and report financial crime.

Financial crime examinations in 2022 identified non-compliance or partial non-compliance with the statutory and regulatory requirements relating to systems and controls (including policies and procedures) set out in Sections 2.3 and 2.4 of the Handbook, many of which were similar in nature to those highlighted in previous examination feedback papers published by the JFSC.

Circumstances that were identified by our officers included policies and procedures that:

had not been established

were ineffective

did not capture updates to the regulatory framework or had not been reviewed in line with the supervised person’s policy

did not consider all relevant Jersey regulatory requirements

were not being complied with.

Examples of best practice and other resources to help firms improve compliance in this area The systems and controls that must be established by all supervised persons are set out in the Order and the Handbook. Make certain, as a minimum, that the listed policies and procedures are in place, appropriate and take into account your business and risk profile. Your policies and procedures should be regularly reviewed to make sure that they enable you to demonstrate compliance with the latest regulatory requirements. Should you use policies and procedures generated by your wider group make certain that they enable you to meet all your local statutory and regulatory requirements.

Supervised persons are required to check that systems and controls (including policies and procedures) are operating effectively and test that they are being complied with. Boards and senior management must take prompt action to address any deficiencies.

Our officers observed instances of compliance monitoring arrangements not operating as intended and a number of examples where the board of the supervised person had not fully considered those arrangements.

Examinations identified examples where supervised persons could not evidence that compliance monitoring activity were aligned to their compliance risk assessments of applicable statutory and regulatory requirements.

In a number of cases reporting generated as a result of monitoring and testing activity was ineffective, which meant the supervised persons concerned were not always able to evidence that their board or senior management understood one or more of the following:

the nature and status of monitoring arrangements

deficiencies or risks that were identified by monitoring activity

any impact on the supervised person’s business and risk profile

the effectiveness of action taken to remedy deficiencies or manage risk.

Examples of best practice and other resources to help firms improve compliance in this area Feedback was provided by us on 17 December 2020 following our thematic examination ‘compliance monitoring plans’ which can be found here: Compliance Monitoring Examination Feedback

The Money Laundering Compliance Officer and Money Laundering Reporting Officer

Financial crime examinations undertaken in 2022 identified 14 findings regarding non-compliance or partial non-compliance with the statutory and regulatory requirements relating to Key Persons that are set out in Sections 2.5 and 2.6 of the Handbook. Again, many of those findings were similar in nature to those highlighted in previous feedback papers published by the JFSC.

Circumstances that contributed to examination findings included:

the supervised person being unable to evidence that the compliance function had been provided with sufficient resources to undertake all of its duties

independence of the function or the Key Person(s) could not be demonstrated; and

where the MLRO was not routinely monitoring the activities of the deputy MLRO (DMLRO)

It is a particular concern to the JFSC were instances where DMLRO’s were not aware of all of the responsibilities of the role or were not fully aware of relevant statutory and regulatory requirements.

The examinations also identified examples of where the responsibilities of the DMLRO were not clearly articulated in the DMLRO’s job description.

Further findings relating to DMLROs identified:

the ‘Jersey’ DMLRO not being based in Jersey

the DMLRO not fully understanding the SAR handling process

the DMLRO not being fully aware of the circumstances under which information could be shared with another financial services business in Jersey for the prevention and detection of financial crime

no assistance or guidance available to the DMLRO covering situations where they were unable to reach a conclusion regarding an internal suspicious activity report.

Further information is provided at Section 6.3 regarding the function of the MLRO and DMLRO in the evaluation of internal suspicious activity reports (iSARs) and the submission of external SARs (eSARs) to the Joint Financial Crimes Unit (JFCU).

Examples of best practice and other resources to help firms improve compliance in this area Periodically review the responsibilities of the compliance function to ensure that your MLCO and MLRO are sufficiently resourced to carry out all required tasks in a timely manner. Evaluate whether tasks undertaken by the MLCO or MLRO form part of customer day-to-day activities such as on-boarding processes, payment or other transactional processes, the ability to commit the business to risk or compliance function assurance activities that could impact the ability of the MLCO or MLRO to demonstrate and maintain their independence. Make sure that there is separate, appropriately detailed, board reporting from the MLCO on compliance matters and the MLRO on reporting. Where a consolidated reporting format is used there should be clear demarcation between MLCO and MLRO content and analysis so that the board can readily differentiate between the two reports and their subject matter. DMLROs should be formally appointed and the responsibilities of the role fully understood by the individual. DMLROs should be trained and supported to ensure that they are fully aware of their relevant statutory and regulatory obligations.   Avoid creating processes that inadvertently may cause the MLRO to fail to comply with their statutory and regulatory obligations such as iSAR policies and procedures that require the MLCO to review eSARs prior to submission to the JFCU which may potentially delay the eSAR submission.

6.2 CDD measures

There were 33 findings arising from the 20 examinations conducted in 2022 concerning CDD measures, as follows:

The Order requires supervised persons to apply CDD measures and goes on to set out that CDD measures involve identification measures and ongoing monitoring. Sections 3, 4, 5, 6, and 7 of the Handbook set out statutory and regulatory requirements relating to CDD measures which must be complied with. These sections of the Handbook also provide guidance notes that present ways in which a supervised person may demonstrate that it has complied with the regulatory framework. 

Identification measures (Sections 3 and 4 of the Handbook)

There were five findings relating to identification measures and one that related to the verification of identity.

The five findings relating to identification measures, in the main related to issues concerning customer risk assessments that included:

source of funds (SoF) and source of wealth (SoW) not being adequately documented

an absence of controls to prevent a customer risk rating from being overridden

high risk indicators not being taken into account

not reassessing a customer risk assessment following a SAR

customer risk assessments not being updated following the addition of the customers’ country of association to the FATF “grey list” (an indicator of inadequate or deficient AML/CFT measures)

instances of incomplete customer risk assessments

failing to document the rationale for discounting potentially negative open source information

failing to document the rationale for applying an exemption to the business’ policies and procedures.

Examples of best practice and other resources to help firms improve compliance in this area Your CDD policies and procedures, including those for SoF, SoW and beneficial ownership and control (the Three-Tier Test) should be well understood by employees in customer facing roles, those undertaking business development and those tasked with customer on-boarding. Customer records should provide supporting information demonstrating alignment with your risk-based approach to the application of CDD measures. Review if and how effectively your customer risk assessment captures and reflects the cumulative impact of multiple risk factors. A single customer relationship may, for example, have exposure to multiple countries in a variety contexts. Consider your own arrangements against prior feedback provided by us, including the paper published on 3 February 2022 following our thematic examination ‘customer risk assessments’ which can be found here: Customer Risk Assessment Examination Feedback

Reliance on obliged persons (Section 5 of the Handbook)

In some strictly limited cases the Order and the AML/CFT Codes allow a supervised person to place reliance on measures that have been applied by an ‘obliged person’ or ‘external person’ to find out the identity of a mutual customer and to obtain evidence of identity. Reliance on an obliged person or external person is subject to a number of conditions that are set out in the Order and Section 5 of the Handbook. Supervised persons must also carry out testing that establishes whether the use of reliance identification measures enables the supervised person to meet its statutory and regulatory obligations.

In five of the examinations, businesses were unable to evidence that all the conditions necessary for placing reliance on an obliged person or an external person had been fully met, due to one or more of the following circumstances:

no risk assessment had been carried out concerning the use of reliance identification measures

lack of established appropriate and effective governance, systems and controls (including policies and procedures) and risk management arrangements concerning the use of reliance identification measures

assurance letters had not been obtained or did not enable the supervised person to evidence compliance with regulatory requirements

policies and procedures did not detail the obliged person acceptance process nor how required testing was to be conducted or

testing had not been carried out or was seriously overdue.

Examples of best practice and other resources to help firms improve compliance in this area Consider your reliance arrangements to ensure that you meet the six conditions laid out in the Order and in section 5 of the Handbook that provides guidance on how supervised persons may demonstrate they have met the six ‘reliance’ conditions. Consider prior feedback provided by us, including the paper published on 10 August 2020 following our thematic examination ‘reliance on obliged persons’ which can be found here:  Reliance on Obliged Persons Examination Feedback

Ongoing Monitoring (Section 6 of the Handbook)

The Order sets out that on-going monitoring is to involve scrutinising transactions and activity. Supervised persons must implement policies and procedures to monitor transactions and activity. They are also required to recognise and examine notable transactions and activity to ensure that they are consistent with the supervised person’s knowledge of the customer, including the customer’s business and risk profile. As part of its examination of such transactions and activity, a supervised person must examine their background and purpose and record its findings in writing.

Supervised persons are also required to keep documents, data or information up to date and relevant, particularly in relation to higher risk categories of customer.

Ongoing monitoring of customer relationships and changes to a customer’s business and risk profile are critical to ensure:

indicators of increasing risk are recognised and examined

financial crime risks are managed appropriately by supervised persons on an ongoing basis.

There were 13 findings in respect of ongoing monitoring that included one or more of the following circumstances:

screening related issues that included:

• client related parties not being screened;
• untested data feeds and screening tool
• ‘fuzzy logic’ not being used in screening resulting in adverse media being missed;
• incomplete sanctioned countries list
• senior management oversight and understanding of screening process lacking
• internet searches too simplistic and/or not undertaken in line with policies and procedures

reviews of Politically Exposed Persons (PEPs) were either outstanding, not undertaken or not conducted in line with policies and procedures

periodic review processes were behind schedule or there was a backlog in action point clearance

remediation was ineffective or only partially effective

instances relating to transaction monitoring highlighted areas for improvement, including:

• inadequate or lack of review of unusually large or complex transactions
• ineffective oversight, monitoring and control of exemptions to policy and procedures.

Examples of best practice and other resources to help firms improve compliance in this area With regard to transaction monitoring, consider: whether systems and controls ensure transactions are not executed without appropriate review/enquiry and/or approval whether the level of scrutiny applied to large or unusually complex transactions is adequate whether senior management’s review, approval of and rationale for any exemptions is documented accordingly the testing of transaction monitoring to ensure that it is being conducted appropriately.  In relation to customer screening consideration should be given to: the integrity and completeness of data being screened and the age of the database (e.g. country list) being screened against the effectiveness and sophistication (e.g. fuzzy logic) of tools and processes employed to screen customers and scrutinise transactions and activity regular testing of the effectiveness of screening tools and processes to ensure they are up to date and fit for purpose whether processes allow for timely escalation of potential matches or transactions and activity not in keeping with the customer’s business and risk profile whether senior management understand any limitations in the tools or procedures used and whether these are documented, together with any mitigating actions. Check your trigger event and periodic review processes are operating effectively and policies and procedures are being complied with. Where there are backlogs concerning document retention or the updating of information and data then a managed, clearly documented risk-based remediation plan should be initiated and tracked to completion.

Enhanced and simplified CDD measures and exemptions (Section 7 of the Handbook)

The Order requires supervised persons to apply enhanced CDD measures on a risk-sensitive basis in a number of circumstances, including any situation which by its nature can present a higher risk of money laundering.

The Order also provides for a number of exemptions from CDD requirements that apply in some strictly limited circumstances. These include, for example, exemptions from the need to apply third party identification measures in relation to the underlying customers of certain regulated businesses. In addition, specified exemptions from CDD requirements are provided, for example, in respect of regulated business or persons acting on behalf of a regulated business as part of their employment.

There were nine findings in relation to this section of the Handbook that varied in nature, with the circumstances that contributed to findings including:

PEPs were either not identified, incorrectly assessed as not having PEP status or Enhanced CDD measures were not undertaken

exemptions applied being incorrectly recorded on the register of exemptions

no documented evaluation of whether a stock exchange could be considered as an IOSCO-compliant market, such that an exemption to identification measures could be applied to a customer with securities listed on it

other exemption related issues identified were:

• CDD exemptions remediation plan not completed
• policies and procedures failed to explain when exemptions may or may not be applied.

Other areas for improvement highlighted by our examination were:

• the risk-based approach not being applied or incorrectly applied, for example, all customers being rated and treated as high risk
• insufficient or lack of evidence to support risk decisions
• SoW and SoF records did not meet supervised person’s SoW/SoF requirements as outlined in their policies and procedures
• incorrect recording of the origins of SoW and SoF.

Examples of best practice and other resources to help firms improve compliance in this area Make sure that enhanced CDD, simplified CDD and exemptions policies and procedures are in place, appropriate, operating effectively and being complied with. Regular review of policies and procedures should be undertaken to ensure legislative and regulatory developments and changes are captured and implemented as required and to confirm that you are able to demonstrate compliance with statutory and regulatory obligations. Review your arrangements against prior feedback from us, including the paper published on 20 September 2021 following our thematic examination ‘ECDD, SCDD and exemptions’ which can be found here: ECDD SCDD and Exemptions Examination Feedback

6.3 Reporting suspicions of financial crime

There were 23 findings arising from the examinations conducted in 2022 concerning reporting suspicions of money laundering or terrorist financing.

Employees must know (i) where to locate a supervised person’s procedure for making an iSAR; (ii) how to make a report; and (iii) the identity of the MLRO or DMLRO.

As well as ensuring employees are: (i) alert to financial crime risks; and (ii) well trained in the recognition of notable transactions or activity which may indicate money laundering or TF activity, supervised persons must also take steps to ensure that employees are aware of the importance of submitting an iSAR to the MLRO as soon as practicable.

Reporting procedures must be clear and easy for employees to follow, whilst enabling the employee, the MLRO/DMLRO and the supervised person to all meet their statutory and regulatory requirements.

Supervised persons also need to ensure that robust procedures are in place concerning iSARs and eSARs handled by MLROs. This includes the retention of records regarding the steps taken by the supervised person’s MLRO to determine whether an eSAR is required to be submitted to the JFCU. Procedures are also required for the ongoing management of relationships, including the need to submit ‘continuation reports’ to the JFCU when further information is identified.

The 23 examination findings relating to the reporting of suspicions of financial crime included issues concerning one or more of the following:

policies and procedures did not adequately ensure that information required to be retained or recorded was collected or consistently recorded

an absence of SAR reporting guidance to assist employees in the event of financial crime related suspicions or concerns

guidance did not make it clear that iSARs are to be made regardless of activity/transaction value or where the activity/transaction may involve tax matters

no documented SAR handling process to be followed by the MLRO and DMLRO

no guidance concerning the circumstances in which information sharing was permissible for the prevention and detection of money laundering or the financing of terrorism or how one would go about sharing information

in one instance the reporting policy stated that it was appropriate for an iSAR to be submitted within 60 days. The assessment of “as soon as practicable” needs to be assessed on a case-by- case basis rather than the application of a general threshold

examples of where policies and procedures had not been complied with

being unable to locate all necessary records relating to iSARs and eSARs

supervised persons being unable to evidence that iSARs or eSARs were submitted as soon as practicable

records relating to iSARs or eSARs did not evidence one or more of the following:

• the identity of the reporter or the date of the iSAR
• all enquiries made by the MLRO
• the rationale for making or deciding not to make a report or continuation report to the JFCU
• whether all parties connected with the customer or proposed transactions had been considered as part of the MLRO or DMLRO’s enquiries
• guidance provided to customer facing employees by the MLRO on how to manage a relationship after an eSAR had been submitted
• the reasons why certain relevant information included in an iSAR had not been included in the eSAR submitted to the JFCU.

Examples of best practice and other resources to help firms improve compliance in this area Policies, procedures and guidance should reflect current SAR reporting requirements and be readily available and easy for all employees to understand. Records relating to iSARs and eSARs should be retained and record (this list is not exhaustive): the submission date of the iSAR identity of reporter date acknowledgement of iSAR sent to reporter details of enquiries made by the MLRO actions taken by the MLRO rationale for submitting or not submitting an eSAR to JFCU eSAR submission date number of days from receipt of iSAR to the conclusion of the MLRO’s investigation reason(s) for any delays MLRO oversight/ review of SARs and SAR related issues handled by DMLRO should be clearly documented. Records should also be kept of ongoing communication with customer-facing employees regarding future customer activity. Review your arrangements against prior feedback from us, including the paper published on 21 February 2020 following our thematic examination ‘the role of the MLRO’ which can be found here: Role of Money Laundering Reporting Officer Examination Feedback

6.4 Screening, Awareness and Training of Employees

There were 15 findings relating to the screening, awareness and training of employees.

Supervised persons are required to screen the competence and probity of certain employees at the time of recruitment and where there is a subsequent change of role. However a small number of supervised persons did not have procedures in place to ensure that employees were re-screened, where it was appropriate to do so when their role changed.

The Order and the AML/CFT/CPF Codes require supervised persons to promote the awareness of procedures to prevent, detect and report financial crime and to provide training at appropriate frequencies. Such training must be tailored to the supervised person and be relevant to the employees to whom it is delivered. Training must cover key aspects of legislation, key policies and procedures and the recognition and handling of transactions, activity and other conduct that indicates that a person is or appears to be engaged in financial crime.

The findings relating to screening, awareness and training of employees included issues concerning one or more of the following:

policies and procedures had not been complied with

training had not been delivered to new employees in a timely manner

improvements required regarding the nature and content of training, including:

• no Jersey-specific training provided to employees who transferred to Jersey from another part of a group
• no TF or PF training provided
• training content not tailored to employees’ roles
• insufficient guidance and explanations of the business’ and individual’s obligations

one business had engaged a third party to provide training to its employees, but had not retained records relating to due diligence carried out on the third-party provider, nor concerning any assessment of the content of the training delivered by the third-party provider to ensure that it met the Jersey requirements, nor did it maintain a record of the training undertaken by the employees

businesses being unable to evidence that employees of third-party service providers had received Jersey specific information or training on procedures to prevent, detect and report financial crime, when it was appropriate for them to have receive it.

Examples of best practice and other resources to help firms improve compliance in this area Section 9 (Screening, Awareness and Training of Employees) of the Handbook contains guidance on how firms may demonstrate compliance with applicable statutory and regulatory obligations. In particular, review your arrangements to consider whether: policies and procedures are in place, effective and complied with employee screening is undertaken at or prior to employment and there is re-screening following a role change AML/CFT/CPF training and refresher training is provided to all employees as least annually non-relevant employees provide annual declarations of their reading and understanding of the financial crime policies and procedures, obligations and implications of a failure to make an iSAR training content is relevant to an employee’s role, experience and seniority, is Jersey specific, addresses money laundering, TF and PF, and provides sufficient, clear, explanation and guidance and interpretation of obligations and requirements comprehensive training records are maintained for all employees. In addition, consider our prior feedback, including that issued on 24 March 2022 regarding the responses provided to our thematic questionnaire ‘AML/CFT Training’: AML/CFT-training-questionnaire-feedback

6.5 Record Keeping

There were two findings relating to record keeping that identified one or more of the following matters:

the document retention period defined in the business' Financial Crime Policy and the Risk Management Policy differed which created the risk that necessary documents may not be retained for the correct period

Board and Risk Committee minutes did not clearly articulate whether any challenge, scrutiny or discussion had taken place concerning key matters raised in the MLCO and MLRO reports

hand-written notes formed part of the board pack and in some cases these handwritten notes were illegible rendering the board pack an incomplete record of the board’s business

 

Examples of best practice and other resources to help firms improve compliance in this area In the interests of good record keeping policies and procedures need to be clear and consistent in their definition of retention periods. Board discussion, scrutiny, challenge and decisions reached need to be clearly recorded.  This includes relevant written communications between board members and the businesses’ key persons outside of board meetings, where it relates to their reports presented to the board. Additional guidance that may assist businesses demonstrate their compliance with statutory and regulatory requirements can be found in Section 10 of the handbook.

Scope and Methodology

The scope and methodology for visits and examinations carried out by the JFSC is published on our website and can be found here:

https://www.jerseyfsc.org/industry/visits-and-examinations/

7 Glossary

Board	Board of Directors or similar function described in Section 2.1 of the Handbook
BRA	Business Risk Assessment- a document that helps protect your business from being exposed to money laundering, terrorist and proliferation financing.
AML/CFT/CPF Codes	The AML/CFT/CPF Codes of Practice contained in the Handbook
Customer	Means a customer of a supervised person as defined in the Order and the Handbook.
DNFBPs	Designated Non-Financial Businesses and Professions as defined in the FATF glossary. Refers to activities/operations specified in Part 3 of Schedule 2 to the Proceeds of Crime (Jersey) Law 1999.
FATF	The Financial Action Task Force
Guidance	The Guidance provided to supervised persons in the Handbook for the Prevention and Detection of Money Laundering and the Financing of Terrorism.
Handbook	Means the Handbook for the Prevention and Detection of Money Laundering, the countering of terrorism and the countering of proliferation financing.
IOSCO	The International Organisation of Securities Commissions
JFCU	Jersey Financial Crimes Unit, an arm of the States of Jersey Police and the body designated as the financial crimes intelligence unit (FIU)
Key Person	Has the same meaning as provided in Article 1 of the Financial Services (Jersey) Law 1998.
Non-relevant employee	An employee whose duties do not relate to the provision of a financial services business
Order	The Money Laundering (Jersey) Order 2008
Person	Means any natural or legal person (including a body of persons corporate or unincorporated)
Principal Person	Has the same meaning as provided in Article 1 of the Financial Services (Jersey) Law 1998.
Supervised person	Means a person carrying on financial services business in or from within Jersey as defined under Article 1(1) of the Order