21st of December 2022 - The JFSC has issued an enforcement public statement about Lutea Holdings Limited and Lutea Trustees Limited

On the 21^st of December 2022, The JFSC reported that it had concluded that the root cause of Lutea's regulatory and compliance failures was:-

• The ineffective operation of the Lutea Board,
• Its lack of awareness of regulatory requirements and
• It's engendering an organisational culture without due regard for compliance.

The reasons for the public statement

The JFSC outlined many Factors contributing to the JFSC's conclusion, including the following issues identified by the investigation:

1. The Lutea Board lacked diversity of skillset in its composition and, in particular, had an insufficient understanding of requirements and best practices in governance, risk and compliance matters;
2. The Lutea Board failed to adequately consider any potential conflicts, independence issues or cultural barriers at the Lutea Board level;
3. New appointments to the Lutea Board were typically internal appointments and/or were accepting their first board position and had little impact in improving the diversity of skillset;
4. New Lutea Board members received no formal induction on an appointment, lacked personal development plans and were not provided with training to meet their development needs;
5. Lutea Board members had significant customer-facing responsibilities and worked in silos within the business;
6. Lutea's culture was customer-led.
7. The Lutea Board did not prioritise risk and compliance matters, and there was a lack of cohesive and collective responsibility from the Lutea Board in this regard.
8. The Lutea Board considered compliance matters to be the responsibility of its compliance function ultimately;
9. The Lutea Board failed to recognise compliance reporting as being inadequate to enable it to exercise appropriate oversight of compliance matters;

BACKGROUND

1. In 2018, Lutea notified the JFSC of a backlog of periodic customer reviews. Lutea implemented a remediation programme to deal with the backlog and employed additional file reviewers, with directors providing assistance.
2. Owing to concerns about Lutea, the JFSC conducted an on-site examination in 2019 focused on the adequacy of the periodic review remediation and Lutea's wider compliance with the regulatory framework. The examination identified serious deficiencies, and as a result, in 2020, Lutea was placed under investigation.
3. The investigation focused on Lutea's corporate governance arrangements and conduct of business during the relevant period and included a review of nine customer files. The investigation findings also incorporated the conclusions of a corporate governance review conducted by a reporting firm.

DETAILED FINDINGS

Corporate governance arrangements

1. Corporate governance is the system by which an entity is directed and controlled. The JFSC specifically requires registered persons to organise and control its affairs for the proper performance of its business activities through effective corporate governance.
2. Robust risk management arrangements are integral to effective corporate governance. Principle 3 of the TCB Code requires registered persons to be able to demonstrate the existence of adequate risk management systems and the AML/CFT Code requires that these systems include mechanisms to prevent and detect ML/TF.
3. The detailed findings of the investigation into the adequacy of Lutea's corporate governance arrangements, including its risk management systems, are set out below.

BUSINESS RISK ASSESSMENT

1. To facilitate adequate risk management, boards of registered persons are required to conduct, record and maintain a BRA that sets out all of the risks facing their particular business. The AML/CFT Code sets out specific risk factors that must be considered in relation to ML/TF.
2. Previous on-site examinations identified inadequacies in Lutea's BRA.
3. The investigation also identified inadequacies in that Lutea's BRA:
   • Was not kept up to date or discussed on an ongoing basis;
   • Did not consider all risks relevant to Lutea's business and, in particular, ML/TF risks specific to its organisational structure, customer base and products and services.
   • Lutea had also not established a formal strategy to counter ML/TF risk.

COMPLIANCE MONITORING

1. Inadequacies in Lutea's historic compliance monitoring plans were brought to the attention of the Lutea Board during previous examinations.
2. The investigation also identified the following:
   • There was no formal Board approved compliance monitoring plan for 2018 or 2019;
   • Limited ad-hoc compliance monitoring testing had been conducted, but there was no evidence that a risk-based approach had been used to select the themes;
   • Documentation of the testing conducted did not adequately demonstrate the seriousness or extent of findings;
   • There was no evidence of identified deficiencies being discussed by the Lutea Board; and
   • Prompt action was not taken to address these deficiencies.

ONGOING MONITORING

1. Registered persons are also required to conduct ongoing monitoring of customer relationships. Ongoing monitoring consists of scrutinising transactions undertaken throughout the course of a business relationship (through transaction monitoring) and keeping documents, data or information up to date and relevant (through periodic reviews).
2. Lutea did not have a transaction monitoring policy or procedure prior to 2019, despite repeat on-site examination findings regarding transaction monitoring. Further, despite inadequacies in Lutea's periodic review process having been brought to Lutea's attention in earlier on-site examinations, a significant periodic review backlog developed in 2018, and continued during the relevant period.
3. Inadequacies identified in the effectiveness of Lutea's ongoing monitoring activities are set out in the Conduct of Business section below.

COMPLIANCE REPORTING

1. Previous on-site examinations identified inadequacies and weaknesses in compliance reporting to the Lutea Board. The investigation found that, while compliance reports were presented to the Lutea Board during the relevant period, board minutes failed to demonstrate any discussion, consideration or challenge on the part of the Lutea Board in relation to the reports presented. Where compliance issues were brought to the Lutea Board's attention, it often failed to act.
2. The investigation also identified that compliance reports lacked sufficient detail and content, Including:
   • Lack of focus on Lutea's management of compliance risk and clear messaging on the most significant risks/issues for the Lutea Board's consideration;
   • lack of detailed quantitative data presented in a consistent manner, to support meaningful comparisons;
   • MLRO reporting, required by the Lutea Board, lacking sufficient detail for the Lutea Board to have adequate oversight of Lutea's handling of suspicious activity reports;
   • MLCO reporting, required by the Lutea Board, being irregular and, when presented, lacking a clear summary of the overall status of compliance monitoring, key findings of any testing and any required remedial action; and
   • On occasion, no distinction in reporting between Lutea's Jersey regulated entities and its international group companies.

CONFLICTS OF INTEREST

1. Adequate procedures regarding the avoidance and, if necessary, the management of conflicts of interest are required to be maintained by registered persons. Previous on-site examinations identified failures by Lutea in this regard.
2. The investigation identified that, until April 2019, Lutea operated without a Lutea Board approved conflicts of interest policy or procedure. Further, when such a policy/procedure was approved in April 2019, the Lutea Board failed to consider whether it was adequate and effectively applied by the business. This resulted in instances where, during the relevant period, Lutea failed to recognise and/or manage conflicts of interest.

CONDUCT OF BUSINESS

1. To counter the risk of financial crime (including ML/TF), the regulatory framework requires, amongst other matters, registered persons to adopt a proportionate, risk based approach to CDD measures and ongoing monitoring in respect of customers.
2. Further, in the conduct of business with customers, registered persons must act with due skill, care and diligence and be transparent in their business arrangements.
3. To assess Lutea's compliance with the regulatory framework relating to conduct of business, nine customer files were reviewed during the investigation. Serious deficiencies were identified, certain of which were systematic across the files. Further details of the deficiencies are set out below.

UNDERSTANDING OWNERSHIP AND CONTROL

1. Lutea's procedures did not outline the requirement to understand a customer's wider ownership and control structure. As a result, the investigation identified instances where documented understanding of ownership and control was inadequate, including structure charts failing to identify all relevant parties.
2. By failing to adequately document its understanding of these customers' ownership and control structure, Lutea could not demonstrate it had identified the individuals who were the customer's beneficial owners and controllers and, therefore, identify all relevant ML/TF risks.

FINDING OUT AND EVIDENCING IDENTITY (INCLUDING EDD)

1. Previous examinations identified issues concerning Lutea's application of CDD measures, including, where required, EDD.
2. In all customer files reviewed, Lutea failed to conduct sufficient measures to adequately identify and verify all relevant parties to each customer relationship. Failures included a lack of address verification, no CDD measures conducted on controllers, and deficiencies in documented understanding and corroboration of source of funds and source of wealth.
3. Lutea's EDD procedures were inadequate. In particular, Lutea did not have any formal policies and procedures for the identification and management of PEPs. The investigation identified a number of instances where EDD measures were not identified as being required or were not performed. Documentation of any discussions or considerations relating to the application of EDD in these instances was also absent.
4. ISSUES IDENTIFIED INCLUDED:
   • No evidence of consideration of the most appropriate EDD measures to be performed or whether the EDD conducted was proportionate and commensurate with the specific risks posed;
   • Three customer files where, for over 10 years, EDD was absent or inadequate; and
   • One instance where Lutea failed to recognise and investigate a high-risk factor at customer take-on. An independent EDD report was subsequently commissioned, but there was no evidence that Lutea reviewed the report or assessed the risks presented by the customer.
   • By failing to conduct and obtain sufficient identification measures, including routinely failing to identify customer relationships where the application of EDD measures was required, Lutea failed to identify and manage ML/TF risks arising from the customers reviewed and did not subject higher risk customers to the appropriate level of scrutiny.

NATURE AND PURPOSE OF THE BUSINESS RELATIONSHIP

1. In six of the nine customer files reviewed, Lutea failed to document adequate information on the nature and purpose of the business relationship and the rationale for Jersey as the chosen jurisdiction for establishment.

ASSESSING CUSTOMER RISK

1. Previous on-site examinations identified issues with Lutea's customer risk assessments. The investigation found deficiencies in the risk assessments in eight [of the nine] customer files reviewed. Potential red flags which were not appropriately responded to by Lutea included:
   • A customer rated as low risk for over 10 years despite the presence of higher risk factors;
   • A customer where connections to high risk jurisdictions and activities were identified. Two risk assessments conducted in 2018 failed to consider these factors;
   • A customer risk assessment that stated there was no negative news and/or litigation despite the periodic review performed at the same time identifying beneficiaries that had been fined by tax authorities for falsifying records;
   • Two high risk customers where no annual customer risk assessments were conducted in 2018, as required by Lutea's internal policies and procedures; and
   • A number of instances of customer risk assessments which were incomplete and/or not signed off or reviewed in a timely manner.
2. Lutea failed to demonstrate that it obtained sufficient information to effectively assess risk, including information regarding the ownership structure of its customers, jurisdictions of activities and assets, source of funds and the type, volume and value of activity expected. By failing to conduct adequate risk assessments, Lutea could not evidence it applied a risk-based approach to identification measures for its customers or that it applied appropriate levels of scrutiny.

CUSTOMER BUSINESS AND RISK PROFILES

1. None of the nine customer files reviewed had an adequate customer profile in place prior to 2020. In 2020, Lutea began to prepare customer profiles as part of its remediation programme. However, the profiles subsequently prepared for the nine customer files reviewed lacked sufficient information and detail to demonstrate a full understanding of the customer and its associated risks.
2. Lutea's failure to create and maintain adequate customer profiles impacted its ability to carry out effective ongoing monitoring, identify unusual customer transactions or activity and consequently, mitigate ML/TF risk.

LETTERS OF ENGAGEMENT

1. In six of the nine customer files reviewed, Lutea failed to either provide or adequately provide confirmation, in writing, of the services provided, or a contract, agreement or other written form setting out its terms of business. Consequently, for these customers, Lutea failed to act transparently in its business arrangements as it was not always possible to clearly identify which customer entity Lutea was engaged with or the nature and terms of services provided and, accordingly, the extent of Lutea's fiduciary obligations.

ONGOING MONITORING

1. The requirements relating to ongoing monitoring are set out earlier in this public statement.
2. In terms of Lutea's scrutiny of customer transactions, transaction checklists could not always be located on the customer files reviewed, or where they were in place, were not always completed or formally signed off.
3. No evidence was held on the customer files reviewed of Lutea scrutinising transactions to ensure it was comfortable with the activity. For example, in one instance, Lutea failed to document an investigation into why a payment was received from a bank account that differed from the one stated in the transaction corroboration provided by the customer.
4. In terms of keeping documents, data or information up to date and relevant, deficiencies were identified in periodic reviews performed by Lutea during the relevant period in the customer file reviews. These included:
   • The frequency of reviews not being conducted in line with Lutea's internal periodic review policy;
   • Failures in identifying deficiencies such as absent CDD/EDD, no customer profiles, or inadequate customer risk assessments.
   • Reviews not signed off in accordance with Lutea's policies and procedures and/or not signed off in a timely manner;
   • Incorrect information being documented in the reviews; and
   • Reviews were incorrectly signed off as complete when remedial actions remained outstanding.

RECORD-KEEPING

1. Lutea's customer record-keeping was very poor and customer records were not kept in an adequate, orderly or up-to-date manner. For all nine customer files reviewed there was a lack of key documentation (as outlined above), including risk assessments, customer profiles and CDD/EDD. There was no central storage system for Lutea's customer records, meaning there was an inconsistent approach to filing customer data, and directors regularly stored customer records in personal folders.

ACTING WITH DUE SKILL, CARE AND DILIGENCE

1. For one customer file reviewed, Lutea failed to act with due skill care and diligence as required by the TCB Code.
2. Whilst performing a periodic review in 2020, Lutea identified that its customer's assets, a trust, had been resettled in December 2019 into a newly established trust. The resettlement was strictly prohibited by the trust deed.
3. The resettlement of assets was initiated to enable an additional beneficiary to benefit from assets that, had they remained within the original trust, and they may have been unable to benefit from.
4. By suggesting and supporting the resettlement, Lutea failed to demonstrate how it considered the impact and acted to avoid any detriment to its customer's best interests and, accordingly, to exercise due skill, care and diligence.

Additional findings

1. During the relevant period, Lutea facilitated unauthorised financial service business in Jersey by Lutea group companies. The Lutea Board failed to identify this activity as being an issue, despite certain Lutea Board members being directors of the group entities.
2. Lutea also failed to fully comply with directions[1] issued by the JFSC during the relevant period due to a failure to implement adequate controls to ensure compliance.

Read the full statement here

• jerseyfsc.org/news-and-events/lutea-holdings-limited-and-lutea-trustees-limited/