FSB Examination Feedback 2015
Issued 13 May 2016
Introduction
This paper sets out the summary findings from the Jersey Financial Services Commission’s (“the Commission’s”) programme of on-site examinations conducted during the calendar year 2015. The purpose, objective and process of the programme remain unchanged. For further details, please see the 2014 Summary Findings Document published at the address below.
http://www.jerseyfsc.org/pdf/FSB-2014-Examination-Findings-June-2015.pdf
Please note that references to the Codes of Practice for Fund Services Business (the “FSB Codes”) relate to the FSB Codes which were effective from 14 November 2007 and last revised 1 July 2014. References to the Codes of Practice for Certified Funds (the “CIF Codes”) relate to the CIF Codes which were issued 2 April 2012 and last updated 22 July 2013.
Scope
The Commission conducted 19 examinations during 2015, which fell into the following categories.
- Supervision Examinations – 14
- Themed – SAR Reporting & The MLRO – 5
- Total – 19
Some of the examinations were cross-sector, involving fund services business with trust company business and/or the investment business division.
The principal theme for 2015 was the SAR process and the Role of the MLRO.
Outcome
Of the 19 examinations conducted, one of the registered persons did not receive an examination report as there were no findings. The remaining entities received an examination report identifying areas where they had not been able to demonstrate full compliance with the regulatory framework together with recommendations on how to remediate the findings as well as a Post Examination Monitoring Schedule (“PEMS”) to track the remediation.
Findings
The examination findings are broken down into three key areas:
– Internal systems and controls;
– Anti-money laundering/countering the financing of terrorism (“AML/CFT”); and
– Corporate governance.
The percentage breakdown of the 2015 examination findings in respect of the key areas is as follows:
Internal systems and controls – 48%
AML/CFT – 23%
Corporate governance – 29%
Total – 100%
Internal Systems and controls
As the above table illustrates, the highest percentage of findings are in relation to internal systems and controls, covering four key areas:
Policies and Procedures
As in previous years, findings relate to either an absence of a relevant policy and/or procedure or inaccurate and/or incomplete policies and procedures that do not reflect key regulatory requirements and/or business practice.
Examples include:
- Lack of a policy or procedure to monitor a fund’s investment management restrictions in line with the Jersey Listed Fund Guide;
- Lack of a policy or procedure in relation to third party payments, in circumstances where a third party payment had been made; and
- Inaccurate payment procedure that did not reflect the actual practice/process undertaken by the registered person which could create a potential risk of fraud.
Policies and Procedures provide the link between the registered person’s business strategy/model and its day-to-day operations. It is therefore crucial that registered persons have adequate policies and procedures in place to provide an effective framework to meet their business and regulatory obligations. Clear and up-to-date policies and procedures also assist employees in understanding and discharging their roles and responsibilities. This is an important area and likely to continue to be a focus for the Commission as part of the on-site examination process.
Operational Risk
Findings relate to either a lack of a Business Continuity Plan (“BCP”) or failure to regularly test the BCP to ensure it is effective.
Delegation/Outsourcing
There was only one instance noted relating to the outsourcing of a fund’s administration to an associated group company where the registered person could not demonstrate sufficient oversight. Whilst the Commission takes some comfort when the outsourced function is to a group entity subject to the same policies and procedures, there is still an expectation that the registered person should maintain oversight and monitor the outsourced activity as per the requirement of the Commission’s Outsourcing Policy.
Compliance Function
An effective compliance function should have the necessary status within the registered person as well as sufficient resources to properly discharge its responsibilities, including the compliance monitoring programme (“CMP”). The Commission’s expectation is that the structure and number of compliance personnel should be proportionate to the nature, scale and complexity of a registered person’s business.
Findings in this area continue to be primarily in relation to compliance resources and the CMP as follows:
- Inadequate compliance resource in circumstances where the registered person had significantly increased its business activity but did not consider a subsequent increase in compliance resource to support the business growth;
- Effectiveness of the CMP questioned as the plan did not seek to test the controls around the key risks identified by the registered person;
- No correlation between the business risk assessment and the CMP;
- CMP did not include any monitoring of the registered person’s outsourced activities;
- No CMP in place for a Fund which is a requirement of the CIF Codes;
- A dual licensed entity did not incorporate fund service business into its CMP but focused solely on its other regulated activity and registration;
- No testing conducted of the registered person’s compliance with the FSB Codes and legislation; and
- A detailed CMP was in place but there was constant slippage on delivery dates which resulted in key parts of the plan not being carried out.
AML/CFT
SAR Process and the MLRO
A thematic review was carried out on five registered persons focusing on the SAR process and the effectiveness of the MLRO.
The review resulted in the following findings:
- Lack of independence of the MLRO, where the person holding the key person registration was also a principal person and could not demonstrate sufficient independence and management of conflicts in the discharge of both roles;
- Failure to give consideration to submitting a SAR in respect of declined and/or terminated business; and
- Inadequate policy and procedure for the submission of both internal and external SARs.
Ensuring effective reporting is an essential component of the AML/CFT regulatory framework. The SAR process and the effectiveness of the MLRO role in the discharge of the reporting function will continue to be an area of focus for the Commission.
Reliance on Obliged Persons
Article 16(4) of the Money Laundering (Jersey) Order 2008 (“MLO”) permits Registered Persons to place reliance on obliged persons to carry out customer due diligence (“CDD”) subject to a number of conditions being met. Before reliance is placed, a registered person must first assess the risk of doing so and make a written record as to the reason why it is appropriate to place reliance, having regard to the money laundering/terrorist financing risks and the risk that evidence of identity is not provided when requested.
There were a small number of findings in this area in relation to:
- Where the registered person had updated its policy and procedure when the MLO was revised but had not reviewed its obliged person relationships in light of the new regulatory requirements; and
- Reliance was placed on an obliged person to undertake due diligence of underlying investors to a fund where the registered person acted as administrator to that fund. However, the obliged person further delegated this function to another entity whom the registered person had not risk assessed as required under the MLO.
Inadequate enhanced CDD
Whilst the number of findings in this category is small, it is of concern that a registered person failed to apply enhanced CDD on investors in a fund that were risk rated as high despite this being a requirement of the MLO and the Handbook for the Prevention and Detection of Money Laundering and the Financing of Terrorism (the “Handbook”).
Corporate Governance
Effectiveness of Governance
Effective corporate governance is essential for registered persons to be able to demonstrate compliance with applicable legislation and the Codes of Practice. The Commission continues to see a number of findings in this area. In 2015, there were the following:
- Infrequent board meetings for both the managed entity and fund where directors were provided by the MoME;
- Failure to adequately identify and manage actual and potential conflicts of interest, particularly where the registered person provided directors and the compliance function to the managed entity and the funds;
- Inadequate board minutes. Deficiencies included lack of discussion and recording of key risk areas. For example, oversight of outsourced arrangements not discussed at the board of a registered person where outsourcing was a fundamental part of its business model;
- Infrequent or non-attendance by directors at board meetings. One registered person did not take any action when a director failed to attend board meetings for a period of at least two years; and
- Inadequate MI to the board.
Risk Assessment
The Commission is still finding that some registered persons are not adequately assessing their business risks which is a concern, although the number of findings has decreased in the past few years. The following findings were noted in respect of business risk assessment (“BRA”):
- The BRA was in draft and not tabled at the board for final approval;
- Failure to include key business risks. For example, one service provider who provides MoME services to a number of managed entities did not consider the risks arising as a result of the activities of the managed entities to which it provides services;
- BRA not reviewed periodically and/or when the risks changed; and
- Controls designed to mitigate risks were not clearly defined.
Culture
Assessing the culture of a registered person is an important part of the Commission’s supervisory role. Effective compliance and conduct is dependent on the right culture and ‘tone at the top’ from the board and senior management of a registered person. The Commission assesses culture through a variety of ways, one of which is how the registered person interacts with the regulator, in particular the need for the registered person to be transparent in its business arrangements and to be open and cooperative.
For example, the Commission has found that a small number of registered persons are overly legalistic in their approach. There are also a number who do not notify the Commission of material issues in a timely manner which is a requirement of the FSB Codes.
During the on-site examinations for 2015 there was one specific finding in relation to culture that related to failure by the registered person to notify the Commission of a late filing breach with another regulator that should have been brought to the Commission’s attention as lead regulator.
Conclusion
The foregoing is not intended as formal regulatory guidance, nor should it be taken to cover all aspects of the subjects touched upon. The Commission recognised the efforts of the majority of registered persons to improve and upgrade their systems and controls on a continuing basis. By their very nature, the examination reports set out findings where registered persons have been unable to demonstrate full compliance with the relevant codes of practice, the Handbook and the applicable statutory legislation. This report is therefore a commentary of such findings with the objective of providing registered persons with analysis and context for internal assessment.