Thematic examination programme 2021 feedback - Customer risk assessments

Thematic examination programme 2021 – feedback paper

Customer risk assessments

Issued: 3 February 2022

1 Executive summary

An effective risk assessment process is fundamental in driving the business’ risk-based approach to customer due diligence measures. If the money laundering and terrorist financing risks have not been adequately assessed, the identification measures and ongoing monitoring undertaken based on that risk assessment may not be effective to mitigate the risks presented by a business relationship or one-off transaction. Furthermore, failing to implement an appropriate risk-based approach could have a commercial impact on the business, as resources may not be focused on higher risk areas.

During the second quarter of 2021, we undertook a thematic examination to assess the extent to which supervised businesses had applied a suitable risk-based approach. We also considered whether supervised businesses had adequately assessed the risk that their business relationships, or one-off transactions, would involve money laundering and terrorist financing.

The examinations were conducted at 14 supervised businesses. Each of the businesses was a relevant person as set out in the Money Laundering (Jersey) Order 2008 (Order). For the purposes of this paper:

• a relevant person registered with us under one of the regulatory laws is referred to as a regulated business; and
• a relevant person carrying on a business described in Part B of Schedule 2 to the Proceeds of Crime (Jersey) Law 1999 is referred to as a schedule 2 business.

Risk assessment records for a total of 151 customers were reviewed as part of the examinations.

There were no findings identified for one of the relevant persons examined. For the remaining 13, 47 findings were identified; 44 within and three outside of the scope of the theme. Whilst there were a large number of findings, 18% of the findings within scope were considered to be of a more serious nature.

The findings are summarised in the below chart, which shows that approximately 49% of the findings relate to systems and controls, 19% to customer risk assessment, 11% to business risk assessment, 6% to ongoing monitoring and 4% to politically exposed persons. There was also one finding where the relevant person had failed to notify us of breaches identified. The remaining findings relate to other identification measures which were outside of scope, such as beneficial ownership and control and obtaining evidence of identity. Whilst these were outside of scope, they relate to other key measures used in the prevention and detection of money laundering and terrorist financing.

All relevant persons examined received direct feedback. 13 of the relevant persons were required to submit formal remediation plans setting out actions to be taken and timescales for completion.

In addition, a questionnaire was issued to a further 19 relevant persons, with the responses considered alongside the examination findings. A number of deficiencies were highlighted in response to the questionnaire and as a result, follow-on supervisory engagement will take place.

There were examples of good practice identified during the examinations and in the responses received to the questionnaire. Boards and senior management are encouraged to consider enhancements to systems and controls in line with the good practice described in section 5 of this paper.

2 Background and scope

We regularly undertake thematic examinations to assess the extent to which statutory and regulatory requirements are being complied with in relation to a particular theme. Thematic examinations provide direct feedback to those within scope and a public feedback document which summarises the key findings.

In February 2021, we set out our planned thematic examination programme for Quarter 2 and 3 of 2021. The programme identified the theme of customer risk assessments for Quarter 2 2021.

The theme was chosen as a result of a number of findings which continued to be identified through our broader examination programme. It also linked to observations raised during the compilation of Jersey’s National Risk Assessment, particularly, the trust and company services provider section.

The objectives of the examinations were to review and assess the extent to which:

• relevant persons could demonstrate they had adequately assessed the risk that any business relationship or one-off transaction would involve money laundering and terrorist financing, including obtaining appropriate information for assessing that risk, as required by Article 3(5) of the Order;
• relevant persons could demonstrate that they had applied a suitable risk based approach to determine the extent and nature of the measures taken when undertaking the identification process, as required by 3.3 (27) of the Code of Practice (AML/CFT CoP) contained within the relevant Handbook for the Prevention and Detection of Money Laundering and the Financing of Terrorism (Handbook); and
• the existence of adequate systems and controls (including policies and procedures) could be demonstrated in relation to the above.

The regulated businesses examined were from the following sectors: fund services business, investment business and trust company business. The schedule 2 business examined was from the legal profession. The selection process was supported by our risk model, information submitted by the businesses and our supervisory knowledge. 

 

In addition, a questionnaire was issued to gather information from a wider cross-section of supervised businesses. These included regulated businesses from the following sectors: banks, fund services business, investment business, trust company business and general insurance mediation business. It also included the following schedule 2 businesses: accountants, a lawyer, a casino, an estate agent and a lender.

Information about the examination process is available on our website.

3 Key findings

3.1   Customer risk assessment (CRA)

3.1.1 A relevant person must assess the risk that any business relationship or one-off transaction will involve money laundering and terrorist financing, which includes obtaining appropriate information for assessing risk. The risk assessment of a particular customer will determine the extent of information that will be requested, what evidence of identity will be obtained, the extent to which the resulting relationship will be scrutinised, and how often documents, data or information held will be reviewed.

3.1.2 At ten of the 14 relevant persons, there were findings which demonstrated that some of the risks present for the customers had not always been adequately assessed. This included:

3.1.2.1 at three relevant persons, the CRA system was ineffective at assessing the risks as either:

• it was inappropriate for the risks presented by the customers, given the set of questions within were too narrow. For example, it did not allow for consideration of the risks presented by the activities which generated the funds/assets. In this case a new CRA tool had been adopted ahead of the examination concluding;
• it was inconsistent with the relevant person’s policies and procedures; or
• the CRA scoring system was not aligned to the number of risk factors presented by the customer, therefore, resulting in a reduced risk rating;

3.1.2.2 at one relevant person, incorrect parties had been identified as customers in a total of 16 instances and, therefore, the risk assessments had not been conducted on the customers. Of these 16 instances, six of the customers should have been rated as high risk;

3.1.2.3 at five relevant persons, appropriate information for assessing risk had not been obtained and/or adequately documented in some cases; for example, information in regard to source of funds, types of activities undertaken and geographical sphere (for legal persons);

3.1.2.4 at one relevant person, delivery risk had not been considered where customers had not been met face-to-face;

3.1.2.5 at four relevant persons, there were instances observed where customer specific risks had not been identified and/or considered. In some cases, the CRA resulted in a high risk rating despite the omissions, however, the records did not reflect that all the risks present for the customers had been adequately assessed. For example:

• individuals entrusted with a prominent public function(s);
• relevant connections to jurisdictions presenting higher risk;
• adverse media about the customer;
• sensitive activities generating funds; and
• complex relationships;

3.1.2.6 at one relevant person, multiple errors were identified within the answers entered into the CRA system. In some cases, the CRA resulted in a high risk rating despite the errors, however, the records did not reflect that all the risks present for the customers had been adequately assessed;

3.1.2.7 at one relevant person, there were inappropriate reductions made to the inherent risk rating of customers in a third of the customer files reviewed. For example, high risk ratings were reduced to medium risk ratings following receipt of evidence of identification;

3.1.2.8 at four relevant persons, the decision making process undertaken to accept the customers did not evidence the relevant person’s consideration of all the risks presented and, where applicable, how they were mitigated to a level within the risk appetite; and

3.1.2.9 at one relevant person, there were examples identified where CRAs had not been re-performed following trigger events which affected the risks presented by the customers, such as a change in services provided.

3.2   Ongoing monitoring

3.2.1 A relevant person must apply ongoing monitoring throughout the course of a business relationship. This includes scrutinising transactions/activity and keeping documents, data or information up to date and relevant. As part of its identification measures, a relevant person must prepare and record a customer business and risk profile. This profile is key to enabling transactions/activity to be scrutinised.

3.2.2 At three relevant persons, an understanding of the customer business and risk profiles could not be demonstrated or the profiles were not sufficient due to missing, inaccurate or out of date information.

3.2.3 At one relevant person, there was a significant backlog in periodic reviews; therefore, it could not be demonstrated that information had been kept up to date.

3.2.4 At one relevant person, consideration of changes to risks presented by the customer following a relevant trigger event was not required by its policies and procedures.

3.3   Business risk assessment (BRA) and strategy

3.3.1 A relevant person must conduct (and keep up to date) a BRA, which considers the business’ risk appetite, activities and structure and concludes on the business’ exposure to money laundering and terrorist financing risk. This BRA enables a relevant person to determine its initial approach to the first stage of the identification processes, depending on the type of customer, product or service involved. On the basis of the BRA, the board/senior management must then establish a formal strategy to counter money laundering and terrorist financing risk.

3.3.2 At five relevant persons, the BRA and/or strategy was inadequate. This included:

3.3.2.1 at two relevant persons, the BRAs had not been kept up to date, either in line with the relevant person’s own policy or following substantial changes affecting the business’ operating environment, such as Covid-19;

3.3.2.2 at three relevant persons, the BRAs did not contain adequate detail to demonstrate consideration of the risks present in the relevant person’s customer base and the products and services it offered. For example, the risks presented where limited services were provided by trust company businesses; or the risks presented where customers were connected to jurisdictions presenting a higher risk;

3.3.2.3 at one relevant person, the BRA lacked detail of the key controls in place to manage and mitigate the risks identified;

3.3.2.4 at one relevant person, there was no formal AML/CFT strategy in place for the local business. An AML/CFT strategy had been documented ahead of the examination concluding and prior to this reliance was placed on a group AML/CFT policy; and

3.3.2.5 at two relevant persons, development of the BRA and/or consideration of ongoing risks could not be evidenced.

3.4   Systems and controls

3.4.1 A relevant person must have adequate and effective systems and controls (including policies and procedures) to counter money laundering and terrorist financing. This includes maintenance and testing of the systems and controls in place.

3.4.2 At 12 relevant persons, adequate and effective systems and controls could not be fully demonstrated in relation to customer due diligence measures and the assessment of customer risk. This included:

3.4.2.1 at one relevant person, whilst there was a policy in place, there was no formally documented procedure for conducting a CRA;

3.4.2.2 at two relevant persons, there was no policy and/or procedure for trigger events, to include consideration of changes to risks presented by the customer;

3.4.2.3 at ten relevant persons, there were instances where policies and procedures either:

• lacked sufficient detail;
• were inaccurate or inconsistent;
• had not been updated following changes to the regulatory framework; or
• contained content from the Handbook which had not been tailored to the business;

3.4.2.4 at five relevant persons, the controls in place were insufficient or ineffective, as non-adherence to policies and procedures and errors observed by our officers (as detailed in the findings described in this paper) had not been identified;

3.4.2.5 at one relevant person, the relevant person advised of breaches of the Order and AML/CFT CoP in response to the information request sent ahead of the examination, however, the breaches had not been recorded on its breaches register or notified to us when they were identified. The breaches resulted from the incorrect parties having been identified as the customers; and

3.4.2.6 a number of record keeping issues were identified throughout the examinations including those in relation to higher risk customers. This comprised of: incomplete or inconsistent data within the relevant person’s records; missing evidence of screening conducted; and incomplete or inaccurate checklists.

4 Questionnaire

All respondents to the CRA questionnaire confirmed they conducted risk assessments on customers. Nearly half of the participants used a spreadsheet solution, with roughly a third using a systems-based methodology and the remainder recording risk assessments manually (e.g. paper based).

A number of deficiencies were identified within the responses provided by relevant persons:

• three respondents indicated that the CRA did not take into account the effect of a combination of a number of factors;
• four respondents did not review the CRA methodology/system as a result of a trigger event, such as changes to Appendix D2 of the Handbook;
• two respondents did not refresh the CRA for the customer at periodic review, and one respondent did not conduct a CRA following relevant trigger events;
• six respondents had backlogs in respect of periodic reviews of its customers;
• five respondents indicated there were deficiencies in their policies and procedures;
• one respondent indicated that delays in conducting CRAs were not reported to the board/senior management;
• one respondent did not perform any monitoring to test that systems and controls in relation to whether CRAs were effective and being complied with; and
• two respondents did not include customers and how they were risk assessed within its BRA.

Over half of the participants (58%) stated they had identified deficiencies and/or areas for development concerning the approach to CRAs, and almost two thirds (63%) of participants confirmed that there were outstanding action points in relation to CRAs emanating from the BRA. These included:

• moving from a manual approach to a systemised approach;
• changes to customer classifications;
• integration of the CRA tool with other systems;
• increasing the number of risk factors;
• implementing a number of additional sources of higher risk indicators;
• enhancing analytics generated by the system;
• general improvements to the risk assessment process, procedures and methodology; and
• enhancements to the compliance monitoring programme.

5 Good practice

There were a number of examples of good practice identified during the examinations and in the responses received from the questionnaire. Boards and senior management are encouraged to consider enhancements to systems and controls, where appropriate, in line with the good practice described in this section.

BRA

• The BRA takes into account the guidance provided in Section 2 of the Handbook and it clearly determines the relevant person’s initial approach to identification measures depending on the type of customer, product or service involved.
• The relevant person considers the risk factors detailed in the guidance provided in Section 3 of the Handbook, and any other appropriate factors in the context of its customer base and the products and services that it provides. It considers and documents its business and risk profile including these factors, to enable the creation of an effective CRA methodology.

CRA

• The CRA methodology is documented and sophisticated. It is appropriate for the relevant person’s business and risk profile.
• The CRA methodology considers all relevant risk factors appropriate to the relevant person, its customer base and the products and services it offers. It takes into account a combination of a number of factors in calculating the risk rating for the customer.
• The CRA methodology is periodically reviewed, as well as being reviewed following trigger events, such as changes to Appendix D2 of the Handbook. Where there are changes to the methodology, consideration is given to the impact on the customer base and whether updated CRAs should be completed for those where the risk rating could be affected by the change.
• Any amendments to the CRA methodology are appropriately authorised and the impact of amendments are understood by the board/senior management.
• There are controls in place to ensure that the outcome of the CRA cannot be overridden, unless appropriate rationale and authorisation is obtained. Where overrides occur, this is recorded and the number of times the CRA has been overridden is periodically considered by the board/senior management to ensure that the CRA methodology is fit for purpose.
• The information gathered to assess customer risk takes into account the guidance provided in Section 3 of the Handbook and any other information the relevant person considers to be relevant for its assessment of risk. The information gathered is clearly documented in the customer business and risk profile and any higher risk factors are easily identifiable.
• The information used to conduct the CRA is detailed on the CRA, for example, it details the country connections that were considered when determining the country risk present. It clearly demonstrates how the outcome was determined and what the higher risk factors are (if any).
• The CRA requires at least a ‘four-eye’ check. Consideration is provided as to whether the outcome appears to be appropriate and the process allows for discussion, challenge and any mitigating circumstances to be recorded.
• The CRA is conducted prior to customer acceptance discussions, to ensure that the risks present for the customer are fully considered and recorded.
• The outcome of the CRA is documented in the customer business and risk profile.

Ongoing monitoring

• Where there is a change in the risks presented by a customer, a new CRA is conducted. This may be identified when conducting a periodic review or following a trigger event. The rationale for the change is clearly documented and consideration is given to whether the customer is still within the risk appetite of the business.
• The customer business and risk profile is updated following any changes to the risks presented by the customer.

Systems and controls

• There are clear, up to date operational procedures for employees to follow when conducting a CRA.
• The relevant person monitors changes to the regulatory framework and publications in respect of the level of risk identified in national or sector specific risk assessments conducted in Jersey. Any matter which impacts on the relevant person’s approach to CRA are considered and implemented into policies and procedures as soon as practicable.
• Any delays or issues in conducting CRAs in line with the relevant person’s policies and procedures, are reported to the board/senior management.
• Compliance monitoring of systems and controls relevant to CRA is conducted independently and at an appropriate frequency. The results of the testing are considered by the board/senior management and prompt action taken to address deficiencies.
• Information in regard to the risks present within the relevant person’s customer base is provided to the board/senior management for consideration on a periodic basis, and the BRA updated if necessary.

6 Conclusion

The examinations took place at 14 relevant persons and questionnaire responses were received from 19 relevant persons. The key results were:

• 71% of the relevant persons examined received findings which demonstrated that some of the risks present for the customers had not always been adequately assessed;
• 86% of the relevant persons examined could not fully demonstrate adequate and effective systems and controls in relation to customer due diligence measures and the assessment of risk;
• 58% of the questionnaire respondents stated that they had identified deficiencies and/or areas for development concerning the approach to CRAs; and
• 63% of the questionnaire respondents confirmed that there were outstanding action points in relation to CRAs emanating from the BRA.

Whilst the relevant persons were from a variety of sectors and the sample size could not be representative of specific sectors or industry as a whole, there were also a number of similar findings in relation to CRA detailed within our examination feedback papers issued during 2020 and 2021. The number and extent of examination findings indicates that work is required by relevant persons to ensure full compliance with the requirements of the Order and AML/CFT CoP. We expect relevant persons to be able to demonstrate full compliance with the regulatory framework and will take necessary action where any significant and material breaches are identified.

Next steps

All relevant persons examined have received direct feedback and the 13 businesses who received findings were required to submit a formal remediation plan setting out actions to be taken and timescales for completion.

When conducting remediation activity, we expect that issues are not reviewed in isolation, and consideration is given to the wider implications of the findings detailed in individual examination reports. Supervisors work closely with relevant persons to ensure that the steps taken to address findings are appropriate to the breadth of risks identified.

A key component of regulatory effectiveness is to ensure that where a relevant person has completed remediation activity, they have done so in a way that is sustainable and addresses the breaches of statutory and regulatory requirements identified. We will, therefore, undertake a programme of remediation effectiveness testing on a risk-based approach, following confirmation of completion from relevant persons.

Examination findings form part of a regulatory track record and the manner in which a relevant person addresses the findings and engages with us are key to informing our supervisory strategy. Where appropriate, we may consider the implementation of higher risk supervisory engagement strategies, the use of statutory powers and the imposition of regulatory sanctions.

In response to the questionnaire, a number of deficiencies were highlighted by relevant persons and as a result, follow-on supervisory engagement will take place. This may also include formal remediation plans being agreed.

We expect that the board/senior management of relevant persons who were not involved in the examination review this paper and consider their own arrangements. Where the findings can be applied to other aspects of the regulatory framework, conducting a gap analysis to current working practices is also recommended to industry as a whole.

CRA will continue to be reviewed as part of our ongoing examination programme. Should similar findings be identified, where the board/senior management have not considered the findings set out in this and other feedback papers, we will consider those similar findings and our regulatory strategy in the ongoing management of a relevant persons money laundering and terrorist financing risks.

We will consider repeating this thematic examination in due course, to test whether industry have taken on-board this feedback paper and whether the outcomes have improved.

7   Glossary of terms

AML	Anti-money laundering
AML/CFT CoP	Codes of practice contained within the Handbook
Board	Board of directors
BRA	Business risk assessment
CFT	Countering the financing of terrorism
CRA	Customer risk assessment
Handbook	Handbook/s for the Prevention and Detection of Money Laundering and the Financing of Terrorism
JFSC	Jersey Financial Services Commission
Order	Money Laundering (Jersey) Order 2008
Regulated business	A person that is registered with, or holds a permit issued by us under one of the regulatory laws
Regulatory laws	Collectively the: Banking Business (Jersey) Law 1991; Collective Investment Funds (Jersey) Law 1988; Financial Services (Jersey) Law 1998; and Insurance Business (Jersey) Law 1996
Relevant person	Means a person carrying on financial services business in or from within Jersey as defined under Article 1(1) of the Order
Schedule 2 business	A business described in Part B of Schedule 2 to the Proceeds of Crime (Jersey) Law 1999. Schedule 2 businesses include accountants, estate agents, the legal profession, dealers in high value goods and other businesses such as those involved in lending