JFSC Compliance Monitoring Plans (CMP) - Thematic review – KEY FINDINGS
Q4 2019 – Q1 2020
The JFSC is reminding regulated businesses (today, 17 Dec 2020) to make sure they have adequate and effective compliance monitoring in place, after the JFSC identified several repeat findings during examinations.
JFSC KEY FINDINGS
Compliance monitoring policies and procedures
Nine of the 11 entities examined had findings in this area which included:
- Local requirements not being adequately identified when following group policies resulting in potential gaps;
- Approved policies and procedures not fully covering Jersey legislative requirements;
- Not providing enough evidence that policies and procedures would mitigate the risks identified;
- Lack of documented detail in the escalation process;
- The timescales for remediation action to be taken not being articulated; and
- By design, policies and procedures should be detailed enough to ensure that the same objective methodology is applied to all testing so as to provide meaningful analysis. JFSC officers found that this was not always the case.
Six of the 11 entities examined had findings in this area which included:
- Board/management meeting minutes lacking detail of any discussions on the CMP, be that the approval process, issues highlighted as high or medium risk or current progress; and
- Records retained by Registered Persons were often not comprehensive. For example, in registers such as the Breaches Register or Complaints Register, the initial date of the entry/observation had not been captured, agreed actions were not adequately recorded and evidence of follow-up to ensure closure was not documented.
- To support the compliance monitoring work undertaken, there is an expectation that all supporting documentation, including clear details of how the review was undertaken, should be retained by Registered Persons, along with records that demonstrate that prompt action was taken to remedy deficiencies.
Five of the 11 entities examined had findings in this area which included:
- The Board/senior management minutes not providing any evidence of scrutiny, challenge and/or approval of the CMP for the year ahead;
- Examples of the Board not showing evidence of appropriate oversight of the reporting expected with incomplete reports being submitted and approved;
- The BRA not being reviewed and updated in a timely manner or on a frequent basis, with the result that senior management were unable to demonstrate that the Registered Person's Compliance Risk Assessment and approach to compliance monitoring was aligned to an up to date business and risk profile as articulated within the BRA.
Five of the 11 entities examined had findings in this area.
- Linked to the findings identified under the headings of Corporate Governance and Record Keeping, the common theme was the failure to undertake and document a Compliance Risk Assessment to ensure that the appropriate testing was being performed in line with the regulatory requirements relevant to the entity.
- Principle 3 of the Codes is very clear on the requirement, for the Registered Persons within the scope of this report, to undertake an annual assessment of the extent to which compliance risk is managed effectively.
- As noted above, it was identified in some instances that the BRA was not kept up to date, with a subsequent impact on the effectiveness of the Compliance Risk Assessment when compared to the Registered Person's outdated business and risk profile described in its BRA.
Five of the entities examined had findings in this area.
- The main finding in this area regarded the role of the Compliance Officer (CO) and how it could be evidenced that they had taken responsibility for ensuring appropriate monitoring of operational performance and managing regulatory and compliance risk within the Registered Person.
- JFSC officers noted instances where activities such as transaction monitoring and suspicious activity reporting had not been included in the CMP, and where certain testing had not been undertaken for a period of time despite showing as a regular test on the CMP.
- There were also examples where the role of the CO and the MLCO appeared to have become blurred with the CO signing off on AML monitoring and reporting AML issues to the Board rather than the MLCO where these roles were held by separate individuals.
CANDOUR AND INDEPENDENCE
- For one entity, it was found that items which were considered regulatory breaches had not been recorded as such and no notifications had been made to the JFSC.
- At another entity, it was noted that the independence of the Compliance function could be questioned due to individuals holding Key Person roles, as well as undertaking client facing activities and having partial ownership and control of the entity.
- It was also identified in this entity that an individual had been reviewing their own work, as well as that of another person who was a close relation and who also helped control the entity.
COMPLIANCE WITH THE JFSC GUIDANCE NOTE
- There were instances where best practices described in the Guidance Note were not being followed, which could potentially result in those entities not identifying and managing the risks in their business. Examples included:
  - The Compliance Report to the Board not including compliance monitoring as a standard agenda item;
  - The CMP not being reviewed on a regular basis;
  - The CMP not being periodically approved by senior management (approval is required at least annually) to ensure that changes to the Registered Person's Compliance Risk Assessment are appropriately reflected;
  - The lack of a documented approach for testing to be performed; and
  - No or incomplete retention of the working paperwork/evidence collected during that testing.
Feedback on compliance monitoring thematic examination