Supervisory Risk Examinations: Feedback from 2020 examinations
- Issued: 25 May 2021
1 Background
The Jersey Financial Services Commission (JFSC) regularly undertakes risk-based examinations (Supervisory Examinations) to assess the extent to which statutory and regulatory requirements are being complied with. Feedback is provided directly to regulated businesses that are examined. This Feedback document summarises key findings from Supervisory Examinations completed during 2020.
After 1 March 2020, Supervisory Examinations were delivered on a fully remote basis in response to the COVID-19 pandemic with face-to-face interaction taking place via video conferencing.
The Supervisory Examinations summarised within this document were carried out by the JFSC at seven regulated financial services businesses, which included Deposit-taking Business (Banking), Fund Services Business, Investment Business, and Trust Company Business licence holders. The seven businesses are each referred to as a Registered Person[1].
The findings of Supervisory Examinations are published with the aim of enabling all Registered Persons to use the information to consider where their own arrangements may require enhancement in order to ensure strict adherence to all relevant statutory and regulatory requirements.
Boards and senior management of Registered Persons have substantial responsibilities in relation to the management of risk. Robust arrangements in respect of a Registered Person’s systems and controls (including policies and procedures) assist boards and senior management in evidencing that risk is being proactively and appropriately managed. Robust systems and controls also ensure consumers, other users of Jersey’s financial services industry and the reputation and integrity of Jersey remain adequately protected by the Island’s regulatory framework.
When considering such arrangements, boards and senior management may refer to previous Feedback Papers issued by the JFSC, particularly those which have highlighted similar themes. These papers are available on the JFSC’s website:
https://www.jerseyfsc.org/industry/visits-and-examinations/on-site-examinations-findings/
2 Scope and Methodology
The scope and methodology for examinations carried out by the JFSC is published on the JFSC website and can be found here:
https://www.jerseyfsc.org/industry/visits-and-examinations/
3 Executive summary
JFSC officers identified 46 findings during the course of the 2020 Supervisory Examinations. The findings highlight that a broad range of statutory or regulatory requirements have either not been complied with, or have only been partially complied with. As a result, Registered Persons examined were unable to evidence a fully effective control environment or in some cases, adequately robust arrangements for meeting the standards and requirements of the regulatory framework.
A significant number of findings mirror those from other recent JFSC examination feedback papers, which is concerning, as it indicates that Registered Persons are not consistently taking account of feedback in order to improve their compliance with statutory and regulatory requirements and demonstrate the ongoing effectiveness of their control frameworks.
The findings are summarised in this chart, which shows that approximately 40% of findings relate to AML/CFT compliance, 24% to board and senior management oversight and 16% to compliance with specific requirements for investment businesses. The remaining findings concerned matters such as compliance monitoring plans, outsourcing and the use of technology:

All Registered Persons involved in Supervisory Examinations during 2020 have received direct feedback. Where findings were identified, they were subject to appropriate follow-up action. Such follow-up action may include formal remediation plans setting out actions to be taken and timescales to complete them by. In the case of significant and material findings identified by the JFSC, this may have resulted in further escalation and in some cases further action being taken, or action may be underway.
4 Preventing and Detecting Financial Crime
Each Supervisory Examination differs in scope because it focusses on risks that are relevant to the Registered Person. Even so, approximately 40% of the findings highlighted non-compliance or partial non-compliance with the statutory and regulatory requirements set out in the Money Laundering (Jersey) Order 2008 (Order) and the Handbook for the Prevention and Detection of Money Laundering and Financing of Terrorism for Regulated Financial Services Business (Handbook).
The JFSC strongly believes that the key to prevention and detection of money laundering or the financing of terrorism lies in the implementation of, and strict adherence to, adequate and effective systems and controls (including policies and procedures) that are commensurate with the risks that a Registered Person has identified and assessed in its Business Risk Assessment.
The JFSC is concerned that many of the findings identified were similar to the key themes or detailed findings described in Feedback Papers published by the JFSC in 2019 and 2020 and most recently on 31 March 2021.
4.1 The Business Risk Assessment (BRA)
As well as having robust systems and controls (including policies and procedures), a Registered Person must establish effective AML/CFT governance arrangements to be able to demonstrate that it has assessed the risks inherent in its business and that the Registered Person’s control environment is effective on an ongoing basis. At one Registered Person the BRA did not assess exposure to money laundering and financing of terrorism risks “in the round” or as a whole, because the BRA excluded one segment of its customer base and the products and services utilised by that segment.
4.2 Customer Risk Assessment (CRA) and Customer Due Diligence (CDD) Measures
The JFSC considers that an adequate and effective CRA is fundamental in driving a Registered Person’s risk-based approach to CDD measures. As well as ensuring that appropriate identification measures are applied, an effective CRA determines the Registered Person’s risk-based approach to ongoing monitoring, which may involve the degree of scrutiny given to transactions and other activity and keeping information concerning a customer’s business and risk profile up to date.
- In one instance, relevant risk factors had not been identified as part of the CRA and considered in a timely manner, or where they were considered, the outcome of those factors was not documented in the Registered Person’s customer records.
- At another Registered Person, the input and output of the CRA tool could be altered and/or over-ridden by employees, without oversight or additional systems and controls to identify such instances.
There were a number of instances where Registered Persons were unable to demonstrate that adequate and effective risk-based CDD measures had been applied. These included:
- One instance where a customer’s records did not reflect that CDD measures had been applied and evidence obtained at the time of customer onboarding in 2006;
- In the same case, policies and procedures relating to the ongoing monitoring of a segment of the Registered Person’s customer base that had been provided with products and services for nearly 15 years had not been established until 2020;
- Rationale for changes in the beneficial ownership and control of customers was not always documented in the customer’s record;
- Information, particularly in respect of high risk customers, was not being kept up to date in all cases;
- The reasons for the delay in the provision of requested CDD documentation were not always documented;
- The difference between ‘source of funds’ (SOF) and ‘source of wealth’ (SOW) was not always described or differentiated in policies and procedures and customer documentation;
- In one case, SOF for a relationship was not recorded in the customer records reviewed by JFSC officers;
- Information had not been retained in every case to evidence that a customer was entitled to benefit from an exemption from the need to apply identification measures; and
- One Registered Person had not documented the rationale for continuing to apply exemptions from the application of identification measures, having rated its customer as higher risk and having highlighted matters in a CRA that were outside of its stated risk appetite.
4.3 Monitoring transactions and customer business and risk profiles
Monitoring transactions, activity and customer business and risk profiles is a crucial activity in a Registered Person’s systems and controls to prevent and detect money laundering or the financing of terrorism. There were a number of findings relating to processes in this area, leading to a heightened risk at those Registered Persons that unusual activity or changes in customer business and risk profiles may not be identified:
- In one case, transaction monitoring tools had not been tailored to suit all business segments, products and services;
- In another case, procedures for subjecting higher value transactions to scrutiny from senior management had not been complied with;
- In one instance, automated customer screening had not been completed for two months, resulting in a backlog of potential matches, which the Registered Person had not fully investigated at the time of the examination;
- In several cases, Registered Persons were not able to demonstrate that policies and procedures for keeping customer information and documentation up to date were adequate and effective and were being complied with;
- At one Registered Person, systems and controls (including policies and procedures) to oversee a third party carrying out customer screening were not fully effective, as those systems and controls had not identified shortcomings in the service provider’s performance. In addition, minutes of board and other senior management meetings did not reflect that the matter had been escalated and that appropriate action was taken by senior management; and
- The control environment at two Registered Persons was not adequately robust, which allowed material changes to a customer’s business and risk profile to take place without the escalation and scrutiny by senior management that was mandated by the Registered Person’s stated policy.
4.4 Training
There were findings at two of the Registered Persons:
- In one case, training had not been provided to two individuals that routinely attended the Registered Person’s board meetings; and
- In the other instance, the frequency of delivery of the Registered Person’s anti-money laundering training was inconsistently set out in its policies and procedures.
5 Board Responsibilities
The boards and senior management of Registered Persons have substantial responsibilities for the management of risk. Robust governance and risk management arrangements, including the clear apportionment of responsibilities and the establishment of adequate and effective systems and controls (including policies and procedures) are essential for meeting the obligations and requirements of the regulatory framework. In addition, boards and senior management need to maintain and test compliance with policies and procedures and take timely action to remedy any deficiencies brought to their attention.
There were a number of findings relating to the governance or risk management arrangements in place at the seven Registered Persons. As a result, boards and senior management of those Registered Persons may not have been able to demonstrate that such arrangements were adequate and effective in ensuring that the business and affairs of the Registered Person were being adequately monitored and controlled, or that risks inherent in the Registered Person’s business were being managed appropriately.
5.1 Board Effectiveness
- At two Registered Persons, the Board was unable to demonstrate that an adequate assessment of the effectiveness of its compliance function had taken place;
- In another case, there had been no regular assessment of the Board’s effectiveness; and
- The responsibilities of the Principal and Key Persons at two of the Registered Persons had not been clearly apportioned.
5.2 Records of Meetings
- In several cases, minutes of board or other senior management meetings did not evidence the content of discussions, nor adequate challenge and scrutiny of the matter being discussed;
- Records of board and other senior management meetings did not always evidence decisions taken or that outstanding actions arising from those meetings, or other items being brought to the attention of senior management, were being resolved in a timely manner;
- In one case, records did not enable the Registered Person to demonstrate that repeat matters being raised by the compliance function were being effectively escalated and managed;
- In one instance, compliance reports indicated via a traffic light system that the operation of certain systems and controls was rated red or amber, but records of the meetings did not evidence that there was any discussion regarding the cause of the ratings or whether any action was to be taken to remedy deficiencies; and
- Financial crime matters, such as reports from the Registered Person’s Money Laundering Compliance Officer or Money Laundering Reporting Officer, were not included in the standing agenda of the Board at one Registered Person.
5.3 Systems and Controls
- In one case there was no formal process in place to establish, maintain and adopt policies and procedures;
- The Boards of two Registered Persons were not being provided with sufficient data to assess whether policies and procedures were adequate and effective and being complied with.
6 Compliance Monitoring Plans (CMP)
Findings concerning CMP largely reflected the findings of the JFSC’s thematic examination ‘Compliance Monitoring Plans’. The JFSC published its findings relating to that thematic examination on 17 December 2020. In summary, there were a number of instances where Registered Persons were not able to demonstrate that the CMP had:
- Been mapped to relevant statutory and regulatory requirements;
- Been reviewed following an annual Compliance Risk Assessment;
- Taken a risk-based approach to testing; or
- Been subjected to the scrutiny and approval of the board or senior management of the Registered Person.
In two cases, monitoring activity had not taken place within the period subject to examination. In both of those cases, the Registered Person had not made sufficient resources available to the compliance function to enable it to perform all of its responsibilities.
Effective compliance monitoring is an invaluable process that enables boards and senior management of Registered Persons to demonstrate that they have implemented and maintained adequate and effective systems and controls (including policies and procedures), that they are being complied with, and that timely action is being taken to remedy any deficiencies brought to their attention.
7 Outsourcing
Where outsourcing arrangements at Registered Persons were in scope of Supervisory Examinations, findings were similar to those highlighted in the JFSC’s Feedback Paper published on 17 July 2019. In summary:
- Records did not always allow Registered Persons to demonstrate that adequate due diligence had been carried out on service providers;
- Contingency planning and termination arrangements were not fully documented in all cases;
- Registered Persons were not always able to demonstrate that ongoing oversight of service providers was fully effective; and
- In one instance, outstanding service provider questionnaires relating to information and cyber security had not been addressed by the Registered Person.
8 Use of technology
The implementation of alternative methods of communication with customers was observed in a number of Supervisory Examinations. Registered Persons contemplating the use of communication methods such as Zoom, Teams, Messenger or WhatsApp in their financial services businesses, should carefully consider and document the risks and establish effective systems and controls (including policies and procedures) to manage those risks and ensure ongoing compliance with the regulatory framework:
- JFSC officers identified that Registered Persons were in some instances using WhatsApp, Zoom and Messenger for client communications, but systems and controls (including policies and procedures) concerning the use of the applications by employees had not been established or were ineffective. In addition, policies and procedures did not enable the Registered Persons to demonstrate that record keeping arrangements were in full compliance with the regulatory framework.
- Inappropriate use of technology to carry on financial services business may expose consumers of those services to heightened or unacceptable levels of risk. In addition, ineffective or incomplete business records relating to a Registered Person’s interaction with its clients may result in the Registered Person being unable to demonstrate that it has acted with the highest regard for the interests of its clients.
- In another instance, client consent had not been obtained before video calls were recorded by the Registered Person.
9 Investment Business
There were a number of findings that were specific to the Investment Businesses that were examined in 2020.
9.1 Investment Advice and Suitability
Robust arrangements concerning investment advice and exercise of discretion are critical to ensure that consumers are not exposed to investments that are not aligned with their risk tolerance or ability to bear losses. Such arrangements also enable Registered Persons to effectively demonstrate that advice or the exercise of discretion is suitable for clients.
- At one Registered Person, recommendations did not always contain adequate and complete information that was sufficient to enable the client to make an informed investment decision;
- In one case, suitability reports referred to telephone conversations with clients, but file notes relating to the matters discussed could not be located in all instances;
- In another case, the basis of the relationship with the client (for example execution only, limited advice etc.) was not recorded;
- Full information on the client’s financial circumstances was not always documented in a number of client records that were sampled.
9.2 Systems and Controls
- In one instance, the Registered Person’s policies and procedures relating to execution only services did not fully document the Registered Person’s responsibilities;
- The requirements of the Financial Services (Advertising) (Jersey) Order 2008 were not captured adequately in policies and procedures relating to marketing and advertising reviewed during one of the examinations;
- At another Registered Person, record keeping arrangements did not fully comply with the Code of Practice for Investment Business; and
- One Registered Person’s policies and procedures in respect of individuals that may be considered to be vulnerable, were not fully aligned with the JFSC’s guidance note concerning the provision of investment business services to vulnerable persons that was published on 31 October 2019. Consequently, there may have been an increased risk that the Registered Person might not afford appropriate protection to a vulnerable client as set out in paragraph 2.5 of the Code of Practice for Investment Business.
10 Trust Company Business
10.1 Trustee Decisions
In one case, the rationale to support the trustee’s decision to remove a beneficiary was not documented.
Glossary of Terms
| Term | Definition |
| --- | --- |
| AML | Anti-Money Laundering |
| Board | Board of Directors or the function described in Section 2.1 of the Handbook |
| BBJL | Banking Business (Jersey) Law 1991 |
| BRA | Business Risk Assessment |
| CDD | Customer Due Diligence |
| CDD Measures | Measures set out in Article 3 of the Order |
| CFT | Countering the Financing of Terrorism |
| CMP | Compliance Monitoring Programme |
| CRA | Customer Risk Assessment |
| Customer | Means a customer of a relevant person as defined in the Order and the Handbook. |
| FSJL | Financial Services (Jersey) Law 1998 |
| Handbook | Handbook for the Prevention and Detection of Money Laundering and the Financing of Terrorism for Regulated Financial Services Business |
| JFSC | Jersey Financial Services Commission |
| Order | Money Laundering (Jersey) Order 2008 |
| Registered Person | A person registered by the JFSC under Article 9 of the FSJL to carry on financial services business as defined under Article 2 of the FSJL; or a person registered by the JFSC under Article 9 of the BBJL to carry on deposit-taking business as defined under Article 3 of the BBJL. Within this report, Registered Persons are also Relevant Persons with the term Registered Persons being used for readability. |
| Relevant Person | Means a person carrying on financial services business in or from within Jersey as defined at Article 1(1) of the MLO. Within this report, relevant persons are also Registered Persons with the term Registered Persons being used for readability. |
| Regulatory laws | Collectively the: Banking Business (Jersey) Law 1991; Collective Investment Funds (Jersey) Law 1988; Financial Services (Jersey) Law 1998, and Insurance Business (Jersey) Law 1996. |
| Regulated financial services business | A person that is registered with, or holds a permit issued by, the JFSC under one of the four prudential/conduct of business regulatory laws |
| Regulatory requirements | The Codes of Practice within the AML Handbook or Codes of Practice issued in accordance with one or more of the Regulatory laws. |
| SoF | Source of Funds |
| SoW | Source of Wealth |
[1] Registered Persons are also relevant persons, see Glossary.