Effective Business Risk Assessments
Under the various Codes of Practice issued by the Jersey Financial Services Commission (the “JFSC”), the Boards of regulated businesses are required to undertake and keep an up-to-date Business Risk Assessment (“Risk Assessment”). Based on the Risk Assessment, the Board must consider, on an ongoing basis, its risk appetite, and the extent of its exposure to money laundering, the financing of terrorism and the financing of proliferation risks “in the round” or as a whole, taking into account its organisational structure, its customers, the countries and territories with which its customers are connected, its products and services and how it delivers those products and services. It may also be beneficial for your money laundering, terrorism and proliferation risks and controls each to be considered separately. The Risk Assessment must also consider the cumulative effects of the risks identified. It must be kept up to date and subject to review in response to changing internal or external events. Failing to compile a Risk Assessment or neglecting to keep it up to date places the business and/or its principal or key persons at a very real risk of regulatory sanction.
The Risk Assessment should be regarded as the foundation stone that needs to be put in place before a business strategy can be built around it to counter the money laundering, the financing of terrorism and the financing of proliferation risks. As with any building work, inadequate foundations place all that follows in jeopardy. Effective policies and procedures provide the detail of how the risk of money laundering, the financing of terrorism and/or the financing of proliferation will be managed. Poor policies and procedures, or failing to follow your own policies and procedures, increasingly places your principal persons, key persons and any person who performs or performed a senior management function at risk of a civil penalty, regulatory sanction, and/or a public statement.
The Codes of Practice require (not optional) the Board to undertake the following in relation to its Risk Assessment:
- Organise and control its affairs in a way that mitigates the risks that it has identified, including areas that are complex.
- Be able to demonstrate the existence of adequate and effective systems and controls (including policies and procedures) to counter money laundering, the financing of terrorism and the financing of proliferation.
- The Board must document its systems and controls and clearly apportion responsibilities for countering money laundering, the financing of terrorism and the financing of proliferation, particularly the role of the Money Laundering Reporting Officer (the “MLRO”) and the Money Laundering Compliance Officer (the “MLCO”).
- The Board must assess both the effectiveness of and compliance with systems and controls (including policies and procedures) and take prompt action necessary to address any deficiencies.
- The Board must consider what barriers (including cultural barriers) exist to prevent the operation of effective systems and controls and must take effective measures to address them.
Cultural barriers to achieving effective compliance
The JFSC has helpfully set out examples of what it regards as cultural barriers that might hinder the effective operation of AML systems and controls, including:
- An unwillingness on the part of employees to subject high value customers to effective CDD measures for commercial reasons
- Pressure applied by management or customer relationship managers outside Jersey upon employees in Jersey to transact without first conducting all relevant CDD
- Undue influence exerted by relatively large customers in order to circumvent CDD measures
- Excessive pressure applied on employees to meet aggressive revenue-based targets, or where employee or management remuneration or bonus schemes are exclusively linked to revenue-based targets
- An excessive desire on the part of employees to provide a confidential and efficient customer service
- Where the customer risk classification system has been designed in such a way that it avoids rating any customer as higher risk
- The inability of employees to understand the commercial rationale for a business relationship, resulting in a failure to identify non-commercial and therefore potential money laundering, terrorist financing or proliferation financing activity
- Negative handling by managerial staff of queries raised by more junior employees, regarding unusual, complex or higher risk activity and transactions
- An assumption on the part of more junior employees that their concerns or suspicions are of no consequence
- A tendency for line managers to discourage employees from raising concerns due to a lack of time and/or resources, preventing such concerns from being addressed satisfactorily
- A dismissal of information concerning allegations of criminal activities on the grounds that the customer has not been successfully prosecuted or simply a lack of information to verify the allegations
- The familiarity of employees with certain customers resulting in unusual or higher risk activity and transactions not being questioned or correctly identified as suspicious
- Little weight or significance is attributed to the role of the MLCO or MLRO, and little cooperation between these post-holders and customer-facing employees
- Actual practices applied by employees that do not align with policies and procedures
- Employee feedback on problems encountered when applying policies and procedures is ignored
- Non-attendance of senior employees at AML training sessions on the basis of a mistaken belief that they cannot learn anything new or because they have too many other competing demands on their time
The culture of the business will dictate how successful the business is in managing its AML/CFT/CPF, Regulatory and Reputational risks
From the annual reports published by the JFSC it is very clear that whistle-blowers troubled by the culture within a firm are prepared to reach out to the regulator and provide a valuable insight into that culture. Such information inevitably prompts the regulator to take a closer look at such a business, often leading to the formal appointment of a reporting professional.
Board reporting on the effectiveness of AML/CFT/CPF systems and controls can be demonstrated by the following:
- Frequency and quality of AML/CFT/CPF reports presented to the Board together with actions arising from such reports.
- Reports to the Board from the MLRO and MLCO.
- Reports to the Board on any JFSC publication, for example a feedback paper from themed examinations or lessons learnt from a JFSC public statement combined with a gap analysis.
- The number and percentage of clients that have been assessed as presenting a higher AML/CFT/CPF risk.
- The number of existing customers terminated due to CDD issues, along with reasons.
- The number of existing clients that remain to be remediated.
- Details of obliged persons or customers who fail to provide information or evidence on demand and without delay.
- The number of alerts generated by automated ongoing monitoring systems.
- The number of internal SARs made to the MLRO and the number of SARs externalised to the JFIU.
- Enquiries made or production orders received by either the JFSC, ECCU or JFIU.
- Results from testing employee awareness with AML/CFT/CPF policies and procedures.
- The number of exemptions granted to policies and procedures including at branches and subsidiaries along with reasons.
- The number or type of employees who have received AML training and the nature of any significant issues arising from such training.
The above list is by no means exhaustive and should be regarded as the bare minimum level of reporting.
Baker Regulatory Services has the experience to review and enhance your Business Risk Assessments and your AML/CFT/CPF Board reporting, allowing you to effectively manage the risk of breaching the Money Laundering (Jersey) Order 2008 and/or the relevant JFSC Codes of Practice.
Baker Regulatory Services can also assist you in assessing your firm’s AML Culture and the effectiveness of your systems and controls designed to mitigate your AML/CFT/CPF risk. The Baker Regulatory Services AML 360° Assessment is based on best practice, multi-jurisdictional laws, regulatory rules, and disciplinary actions. Our assessment findings are analysed and then discussed with your Board to identify current strengths and areas which require attention. Awareness of your firm’s AML culture and the effectiveness of your AML controls is essential in protecting yourself, your firm, your Board and your colleagues from civil penalties and regulatory sanction.
Barry Faudemer, CEO