Details on IQEQ Jersey £803K [REDUCED FROM £1.6M] fine and negligent breaches

The fine

1. The JFSC has issued a civil financial penalty of £803,661.17 on IQEQ (Jersey) Limited (IQEQ Jersey) (formerly, First Names (Jersey) Limited (First Names)) for regulatory breaches identified in a professional reporting report issued in 2020.
2. By accepting the findings and agreeing to settle at an early stage, the business avoided a potential fine of £1,607,322.34.

The issue

1. First Names grew rapidly from 2012 to 2016, following the acquisition of other Jersey-regulated trust company businesses.
2. Following this period, and a change in ownership, following which First Names rebranded to IQEQ Jersey, the JFSC requested that an independent reporting professional assess the effectiveness of IQEQ Jersey's processes, systems and controls and compliance with the regulatory framework during 2018-2019 by reference to a targeted review of 16 customer structures.
3. From the findings of the reporting professional's review, the JFSC has concluded that during 2018-2019, specific IQEQ Jersey systems, controls and corporate governance

Summary of findings [USING THE SAME NUMBERS FROM JFSC REPORT]

Comsure has edited certain parts of the JFSC statements [for sizing etc.] for this post - To read the factual and complete statements, see the links at the end of this posting

3.1 The JFSC has concluded that during the relevant period, IQEQ Jersey's specific systems, controls, and corporate governance arrangements, as noted below, were inadequate to mitigate financial crime risk by reference to the 16 customer structures reviewed

• IQEQ Jersey negligently breached certain sections of Principles 2 and 3 of the TCB Code, section 4.5 of the TCB Code and certain sections of the AML/CFT Code.

• 2 IQEQ Jersey's breaches are considered significant and material because they left the business open to the risk of being used to further financial crime domestically and internationally during the relevant period.
  • These matters are of serious concern to the JFSC and can significantly undermine the integrity and stability of Jersey's financial services industry.
• 3 The JFSC has determined the root causes of the breaches can be attributed to the boards of First Names and, from March 2019 to November 2019, IQEQ Jersey, failing to exercise robust oversight and control in ensuring adequate and timely remediation of financial crime weaknesses.
  • The JFSC considers the boards also failed to
    • Sufficiently recognise the risks and increased complexity arising from the business and customers following various acquisitions of regulated businesses, and
    • To ensure commensurate and robust controls were in place to mitigate such risks.
  • 4 Further detail concerning IQEQ Jersey's breaches is outlined below.

BOARD OVERSIGHT

• 5 The TCB Code requires senior management and the board to adequately monitor and control the business and affairs of a trust company business; this includes
  • Keeping adequate, orderly and up-to-date records of board and management minutes.
• 6 The AML/CFT Code requires boards to demonstrate the existence of adequate and effective systems and controls to counter financial crime.
  • It further requires boards to
    • Assess both the effectiveness of, and compliance with, systems and controls (including policies and procedures), and
    • Take prompt action where necessary to address any deficiencies.
  • 7 As detailed below, the reporting professional identified that
    • In certain circumstances during the relevant period, IQEQ Jersey failed to maintain adequate systems and controls to mitigate financial crime risk.
  • 8 During the relevant period, the IQEQ Jersey Board delegated authority to a Risk and Compliance Committee to consider, attend to or make recommendations to the IQEQ Jersey Board on risk and compliance matters.
    • The IQEQ Jersey Board considered reports from the Risk and Compliance Committee at its quarterly meetings.
    • During the relevant period, the IQEQ Jersey Board considered four of the 16 customers selected for review as they had been escalated to it due to significant risk and compliance matters being identified.
  • 9 The JFSC expects robust discussion of risk and compliance matters at board meetings and for this to be adequately recorded in board minutes.
    • However, the reporting professional identified from IQEQ Jersey Board minutes,
    • the IQEQ Jersey Board failed to address the 'root cause' of the issues presented by the four customers it considered and, rather, focused on the particular circumstances of the matters raised.
  • 10 The JFSC considers that had more robust oversight been exercised by the IQEQ Jersey Board and had it recognised and responded to issues being raised both internally and by the JFSC, the matters outlined below could have been mitigated.

BUSINESS RISK ASSESSMENT

• 11 The AML/CFT Code requires the board of a regulated trust company business, like IQEQ Jersey, to conduct and record a BRA and keep it up-to-date.
  • The board of a dynamic and growing business can demonstrate its BRA is up-to-date by reviewing it annually or as and when events occur that could materially change its financial crime risks, for example, the acquisition of another business.
• 12 The AML/CFT Code further requires the assessment to consider the cumulative effect of risks identified, which may exceed the sum of each individual risk element.
  • As detailed in the JFSC's published guidance on compliance monitoring, the JFSC considers a BRA should detail the impact and probability of these risks and consider the risk of non-compliance before (inherent) and after controls have been applied (residual).
• 13 From 2012, whilst it was First Names, IQEQ Jersey's business rapidly grew in terms of size and governance.
  • As a result, both the JFSC and reporting professional consider its BRA should have been updated, at least on an annual basis.
  • Although IQEQ Jersey's BRA was discussed by the IQEQ Jersey Board numerous times at varying intervals during the relevant period, at the time of the reporting professional's review,
    • It had not been updated and formally adopted by the IQEQ Jersey Board since June 2018.
  • As the BRA had not formally been updated for an 18-month period,
    • There was an increased risk that the BRA did not adequately reflect the current risks pertaining to IQEQ Jersey's business.
  • 14 The JFSC considers IQEQ Jersey's BRA during the relevant period could have been improved by:
    • 14.1 Referencing the impact and probability of risk;
    • 14.2 Clearly identifying inherent risks;
    • 14.3 Containing key data on relevant topics, such as revenue, complaints, breaches, operational incidences, previous compliance monitoring, audit reports and concerns of senior management;
    • 14.4 Considering the effectiveness of the controls said to be in place; and
    • 14.5 Referencing how the results of compliance monitoring plans informed the information contained within the BRA.
  • 15 By failing to maintain and record an up-to-date BRA, the IQEQ Jersey Board could not evidence it was sufficiently sighted on IQEQ Jersey's financial crime risks.

CUSTOMER RISK ASSESSMENTS

• 16 The MLO requires appropriate and risk-sensitive policies and procedures to be maintained relating to risk assessment and management.
  • The MLO further states that an assessment must be conducted of the risk that any customer relationship will involve money laundering and obtain appropriate information for assessing that risk.
  • Properly recognising and recording the potential for financial crime risk ensures appropriate, enhanced controls are in place to mitigate any risks identified, including EDD and, where appropriate, more frequent periodic reviews.
• 17 IQEQ Jersey developed its own internal risk rating system to ensure key risks were identified, rated and documented for each customer to which it provides services.
  • However, the definition of risk within IQEQ Jersey's customer risk assessment policy placed greater emphasis upon the commercial risks posed to IQEQ Jersey rather than financial crime risks. This increased the risk that IQEQ Jersey's customers were inappropriately risk-rated for financial crime purposes.
• 18 In certain circumstances, the reporting professional identified IQEQ Jersey's customer risk assessment process resulted in the application of a "standard" risk rating by default, without evidence of sufficient documented consideration being given to financial crime risk factors.
  • The assignment of a "standard" risk rating led to IQEQ Jersey being unable to demonstrate it appropriately risk-rated six customers reviewed by the reporting professional for financial crime purposes.
  • This impacted the level of CDD undertaken and the frequency of on-going monitoring.
  • It was noted by the reporting professional, however, that IQEQ Jersey planned enhancements to IQ EQ's risk management system, including the revalidation of the standard risk rating.
• 19 The reporting professional also found the risk rating applied by IQEQ Jersey related specifically to IQEQ Jersey's customer for business (i.e. the entity with which it has a contract for services).
  • Although IQEQ Jersey's policies and guidance required consideration to be given to the wider relationship when assessing the overall financial crime risk,
  • In practice, the reporting professional found instances where IQEQ Jersey's policy had not been complied with.
  • The risk assessment and narrow focus solely on the 'customer for business' led to deficiencies in CDD and EDD, increasing financial crime risk.

CUSTOMER DUE DILIGENCE

• 20 The MLO requires that CDD is conducted for a business relationship or one-off transaction. CDD should be performed by way of a three-stage approach,
  • (i) obtain information;
  • (ii) risk assess; and
  • (iii) obtain evidence according to its risk assessment of the customer.
  • Understand the ownership and control structure (and determine the ultimate beneficial owners and/or controllers) and
  • Make an informed risk assessment, information should be obtained concerning all persons (natural and legal) in a customer structure.
• 21 For the 16 customers reviewed, IQEQ Jersey's CDD measures were found by the reporting professional to be principally focused on the 'customer for business' and, in some cases, failed to give sufficient consideration to the wider customer relationship, such as beneficial owners/controllers.
  • This meant, on occasion, IQEQ Jersey failed to obtain sufficient CDD for customers, increasing the possibility that financial crime risks arising via ownership or control may not have been identified or mitigated.
• 22 In one instance, the reporting professional identified that IQEQ Jersey had initially relied upon confirmation from a regulated third-party insurance firm as to the beneficial owner of a customer.
  • It was subsequently determined that the information relied upon was incorrect, leading to CDD deficiencies in that regard.

ENHANCED DUE DILIGENCE

• 23 The MLO requires EDD to be carried out in any situation with a higher risk of money laundering.
  • EDD must be in addition to the measures undertaken in the circumstances presenting lower or standard risk and must address the particular risk presented.
  • The AML/CFT Handbook provides non-exhaustive examples as to how a business, like IQEQ Jersey, can apply EDD measures.
• 24 The reporting professional identified that while various IQEQ Jersey policies and procedures contemplated some form of EDD, they lacked sufficient detail for the increasing size and complexity of IQEQ Jersey's business and customer base.
  • The policies and procedures did not assist IQEQ Jersey staff by providing a bespoke and clear reference point to understand when and how to apply EDD measures, which resulted in an inconsistent application of EDD to IQEQ Jersey's customers.
• 25 While instances were identified where IQEQ Jersey could demonstrate appropriate EDD was undertaken, in three cases reviewed by the reporting professional, IQEQ Jersey correctly assessed the customers as high risk but failed to undertake EDD as required.
  • By failing to apply EDD measures consistently, IQEQ Jersey was exposed to an increased risk that financial crime might not be detected.

SOURCE OF FUNDS AND SOURCE OF WEALTH

• 26 The CDD and EDD performed by IQEQ Jersey did not sufficiently consider the source of funds and wealth information.
  • IQEQ Jersey populated source of funds and source of wealth within a single field in its system,
  • Despite being two clear and distinct matters.
  • Source of funds information for all customers and source of wealth for high-risk customers must be clearly and separately recorded and articulated to manage financial crime risk effectively.
• 27 For one customer that was dissolved in 2018, the description for the customer's source of funds/source of wealth detailed the history of the beneficial owner's businesses.
  • It did not reference the overlying trust from where monies may have derived for the customer, ultimately failing to clearly identify the source of funds information.

CUSTOMER PROFILES AND ONGOING MONITORING

• 28 The MLO requires ongoing monitoring of a customer relationship which includes scrutinising transactions and ensuring that data or information, including CDD, is kept up to date and relevant.
  • For effective ongoing monitoring to take place and to identify any unusual or suspicious transactions/activity, an up-to-date and accurate customer business risk profile must be recorded and maintained.
• 29 The reporting professional identified IQEQ Jersey's documented customer business profiles were limited to transactional considerations only. In one instance identified by the reporting professional, this hindered IQEQ Jersey's ability to carry out effective monitoring to identify unusual transactions/activity.
  • The JFSC also considers this increased the risk of IQEQ Jersey failing to comply with its suspicious activity reporting obligations under the POC(J)L.
• 30 The reporting professional also identified matters suggesting that IQEQ Jersey's periodic review process was not as sufficiently robust as it should be during the relevant period.
• 31 For example,
  • For certain customers reviewed, periodic reviews were identified by the reporting professional which had failed to identify inadequate CDD and missing service agreements (outlined below).
  • The reporting professional also identified periodic reviews that were "closed off" without issues being addressed and three breaches of IQEQ Jersey's periodic review policy where matters identified from two periodic reviews were not remediated within the timeframe set out in the review policy.
• 32 For three out of the 16 customers reviewed,
  • The reporting professional found that not all relevant parties associated with IQEQ Jersey's customer for business were populated within its customer database and, therefore not subject to IQEQ Jersey's daily automated screening processes.
  • This meant IQEQ Jersey could not readily identify potential adverse information about connected parties to its customer to consider potential financial crime risks.
• 33 Due to the above deficiencies, in certain instances, IQEQ Jersey could not undertake effective on-going monitoring in a timely manner and adequately re-assess the customer relationships as they developed over time, leaving it under-informed of potential financial crime risk.

OTHER MATTERS

• 34 While general terms of business were in place, in five out of the 16 customers reviewed, IQEQ Jersey failed to have or put in place, or execute in a timely manner, service agreements with its customers (section 4.5 of the TCB Code).
• 35 The reporting professional identified in eight out of 16 customer files reviewed, IQEQ Jersey's corporate governance for its customers (principally as corporate directors and, occasionally, in its fiduciary capacity) was focussed on the wishes of the beneficial owner or ultimate client. Consequently, attention was insufficiently focussed on the business of its customers (Principle 2 of the TCB Code).

AGGRAVATING FACTORS

• 1 The regulatory compliance record of First Names, as evidenced by the findings of the 2015 and 2016 on-examinations and the 2018 investigation.
• 2 Instances where IQEQ Jersey failed to comply with its own financial crime policies and procedures.
• 3 An absence of one clear policy relating to EDD (although there were various policies and procedures contemplating some form of EDD).
• 4 The JFSC has published guidance on the steps businesses can take to reduce their financial crime risk, including the AML/CFT Handbook, guidance notes, examination feedback papers and public statements.
  • Despite having access to this documentation, IQEQ Jersey failed to comply with elements of the AML/CFT Code, therefore, increasing its financial crime risk.

MITIGATING FACTORS

• 1 No customer suffered losses from the matters identified.
• 2 The IQEQ Jersey Board engaged the services of a regulatory consulting firm to help address the reporting professional's findings and support a remediation exercise.

This included:

• 2.1 Devising an improved financial crime training programme for all IQEQ Jersey staff;
• 2.2 Undertaking further reviews to prevent recurrence of the issues identified; and
• 2.3 Making changes to the IQEQ Jersey Board composition, including appointing a non-executive director.

• 3 The commencement and operation of the remediation exercise was fully supported by the wider IQEQ group, which included de-risking the business acquired due to the acquisitions.
• 4 IQEQ Jersey cooperated with the JFSC during the professional reporting process.

Comsure has edited certain parts of the JFSC statements [for sizing etc.] for this post - To read the factual and complete statements, see the links at the end of this posting

The full public statement is here

• https://www.jerseyfsc.org/media/5626/2022-07-01-enf-1410-iq-eq-public-statement-final.pdf

Press release

• https://www.jerseyfsc.org/news-and-events/we-have-imposed-a-civil-financial-penalty-on-iq-eq-jersey-formerly-first-names-for-regulatory-breaches/