Building an effective RISK ASSESSMENT in Jersey – Comsure essential tips

04/03/2021

Concerning ENTERPRISE RISK ASSESSMENTS (ERA), the TCB CODES (all the Jersey Codes require the same) say in Principle 3:

  • "RISK" refers to ALL THE RISKS that a registered person faces, or may face, as a BUSINESS ENTERPRISE.

The CoP goes on to say that, with respect to the various risk management provisions under Principle 3 of the Code, a registered person will have specifically considered, amongst other risks,

  • The risk of a cyber-security incident.

Furthermore, included in ALL THE RISKS is the AML Business Risk Assessment, the AML-BRA (comprising the BRA-ORG and the BRA-CRA).

When preparing an AML BRA and strategy, it is vital to distinguish between the separate elements of the process, as they are distinct statutory and regulatory requirements:

  1. Strategy
  2. AML-BRA
    • BRA-ORG
    • BRA-CRA

The Money Laundering Order and the JFSC AML Handbook say that a board's AML "Business Risk Assessment" must show its:

Risk appetite and money laundering and financing of terrorism risk exposure by reference to its

  1. Organisational structure = BRA-ORG
    • "The Business Risk Assessment" (BRA-ORG), and an assessment of the risk that a business relationship or one-off transaction will involve money laundering or financing of terrorism risk:
      1. Article 11(1)(f) of the Money Laundering Order (Handbook Part 1, Section 2.3: Corporate Governance)
    • Customers, including [1] the countries and territories the customers are connected to, [2] your products and services, and [3] how you deliver those products and services = BRA-CRA
      1. "The Customer Risk Assessment" (BRA-CRA) for each of its customers:
        1. Articles 13 and 3(5) of the Money Laundering Order (Handbook Part 1, Section 3.3.2: Identification Measures)
  2. Based on its Business Risk Assessment, the board must
    • establish a formal strategy to counter money laundering and the financing of terrorism (AML STRATEGY).

Concerning the CoP, and as a stark reminder (£700k+ fine), consider what the JFSC say about SG Hambros board oversight:
  1. The Codes require the business and affairs of Registered Persons to be adequately monitored and controlled at Senior Management and/or Board level. This includes keeping board and management minutes [records] that are
    • adequate,
    • orderly and
    • up to date.
  2. With all Registered Persons, the JFSC places great weight on Senior Management and/or the board to ensure the on-going fitness and propriety of the Registered Person and its compliance with the specific Jersey Regulatory and AML/CFT Regime.
  3. Similarly, the Codes require that responsibilities must be apportioned among a Registered Person's Key Persons, Senior Managers and/or Directors so that their individual responsibilities are clear.
  4. Source: https://www.jerseyfsc.org/news-and-events/sgkh-entities/

The CoP notes also contain the following specific references:
  1. A registered person must organise and control its affairs effectively for the proper performance of its business activities, and be able to demonstrate the existence of adequate risk management systems.
  2. NOTE TO SECTION 3: Corporate governance is the system by which an organisation is directed and controlled. A corporate governance framework specifies the distribution of rights and responsibilities among different participants in the organisation and sets out the rules and procedures for making decisions. Risk management is an integral part of the corporate governance framework. In the context of Principle 3, "risk" refers to all the risks that a registered person faces, or may face, as a business enterprise.
  3. 1.1.2: Responsibilities apportioned in such a way that individual responsibilities and accountabilities are clear and there is a separation of critical functions.
  4. 1.3: Clearly defined procedures must be in place so that there is appropriate oversight by the board of directors and senior management in order to address the principles of risk management.
  5. 5.1.3: Assessment, on at least an annual basis, of the extent to which compliance risk is managed effectively.
  6. NOTE TO SECTION 3 [4]: With respect to the various risk management provisions under Principle 3 of the Code, particularly 3.1, 3.2 and 3.7, it is expected that a registered person will have specifically considered, amongst other risks, the risk of a cyber-security incident.

Also note what the JFSC OUTSOURCING (RISK) GUIDE says:
  1. 4.1 The Outsourcing Policy is premised on the understanding that, amongst other things, Registered Persons remain fully
    • RESPONSIBLE AND ACCOUNTABLE to the JFSC for any Outsourced activity.
  2. Since the Governing Body is ultimately responsible for the management and conduct of a Registered Person's affairs, the JFSC would expect to see, upon request,
    • board meeting minutes of the Governing Body evidencing that it had carefully considered any Outsourcing arrangements it implemented.
  3. The Governing Body
    • should also receive reports regarding any issues of non-compliance with the Outsourcing Policy (i.e. exceptions) identified as a result of the monitoring and assessment required by Core Principle No. 3, and
    • the JFSC would expect to see these recorded and considered in the board meeting minutes.

Building an effective ERA/AML-BRA – consider the following vital tips

In light of the above, firms should consider the following thoughts and practicalities:
  • Identify the ML risks that are relevant to your business
  • Carry out detailed risk assessments
  • Carry out customer risk assessments
  • Put in place controls to manage risk
  • Monitor controls / improve efficiency
  • Keep records of what you do and why you do it
In addition to the above, here are a few tips to consider:
  • The board should review the ERA/AML-BRA, ideally every 6 months, but annually as a minimum.
  • Appoint an accountable director to oversee the ERA/AML-BRA and compliance.
  • Document the debate of the ERA/AML-BRA at board level.
  • The board should challenge the ERA/AML-BRA.
  • Be honest when identifying the weak spots.
  • All employees are responsible for identifying risk – the board and all employees must identify, analyse, evaluate, respond to, monitor and communicate risks.
  • The ERA/AML-BRA should be kept under regular review and updated regularly.
  • Map the ERA/AML-BRA against legal and regulatory requirements and make sure it is maintained.
  • Question whether the residual risks are within the risk appetite.
  • As part of the ERA/AML-BRA, CMPs should be regularly considered and approved by the board (with evidence recorded).

Bad behaviour and exposure to risk
  • Unwillingness to subject high-value (high-fee) customers to effective CDD measures (for fear of upsetting them and losing them as clients)
  • Pressure by customers upon employees to act on requests without holding proper CDD
  • Employees not following the procedures
  • Non-attendance of senior employees at training sessions, in the mistaken belief that they cannot learn anything new, or because they are busy with other things
  • Over-familiarity between employees and clients – employees do not see the risks
  • Junior employees not having the confidence to raise suspicions
  • Junior employees discouraged by senior management from raising suspicions due to time constraints etc. – they should be encouraged to do so