JFSC Industry Guidance on remediation action plans [extracted text added]

11/04/2023

The JFSC issued guidance on 06 April 2023 to support businesses in preparing remediation action plans in response to areas of identified non-compliance.

A remediation action plan is a result of:

  • Findings from a JFSC Examination,
  • A self-identified breach notification or
  • Another form of review.

The purpose of the guidance is to provide practical information to be considered by businesses when planning for remediation.

In particular, the JFSC has detailed:

  • Examples of good practice for businesses to consider when preparing a remediation action plan, and
  • Considerations for resourcing remediation and post-remediation monitoring.

Extracted text from: https://www.jerseyfsc.org/industry/guidance-and-policy/remediation-action-plans/

1 Introduction

1.1   The Jersey Financial Services Commission (JFSC) undertakes Examinations as part of its ongoing supervision of regulated and supervised businesses and professions. Examinations may be undertaken by way of a questionnaire or in-depth Examinations. The latter includes desk-based and on-site activity or a combination of both. Examinations are a key tool in executing our regulatory function.

1.2   The findings of an Examination may lead to registered persons[1] being required to prepare a remediation action plan (a plan), to address deficiencies identified. A plan may also be required to address other regulatory matters. For example, in response to findings of an internal audit which identifies breaches of a Code of Practice.

1.3   In instances where a plan is required, it will be submitted to us for our consideration. We will consider whether the timeframes in which remediation will be delivered appear reasonable, taking into account, amongst other factors, the seriousness of the findings, extent of work to be performed and resourcing required.

1.4   Where a plan is designed to address serious deficiencies, we expect the registered person to commence remediation and implement necessary measures to address control weaknesses as soon as is practicable.  As a guide, we will have a low tolerance for plans extending beyond 12 months. However, we recognise there may be instances where completion of all actions within a plan in 12 months may not be achievable.

1.5   The registered person’s senior management, in particular its board of directors (together, senior management), is responsible for ensuring the plan is designed to deliver effective and sustainable remediation of findings. It is beneficial for the registered person to appoint a board member, or equivalent member of senior management, as the overall lead for ensuring the plan is prepared, implemented and completed in a timely manner.

1.6   The purpose of this guidance note is to provide information and outline good practice to be considered by the registered person when preparing a plan.

2 Resourcing for Remediation

2.1   The Compliance Function is often viewed as having staff with requisite knowledge and skills to support remediation, where actions relate to demonstrating compliance with regulatory requirements and/or legal obligations. Care must be taken when diverting staff from their existing responsibilities, as it may result in competing priorities, which could have a detrimental impact on day-to-day operations and/or negatively impact the delivery of effective, timely, and sustainable remediation.

2.2   A registered person will benefit from preparing a remediation resourcing schedule. This will assist the registered person to identify, consider and where appropriate address the following:

2.2.1   Whether there are key dependencies on particular staff members;

2.2.2   Whether the personnel required to complete the plan conflicts with other responsibilities;

2.2.3   Whether additional temporary or permanent staff may be required; and

2.2.4   The time frame by which the plan will reasonably be able to be completed.

2.3   Where a registered person decides to engage external third-party resource to perform remediation activities and/or provide project oversight of the plan, the persons engaged must not be conflicted, and should have relevant knowledge and experience of the regulatory requirements and legal obligations.

2.4   Remediation activity may result in associated costs. Developing a remediation budget will aid the registered person’s board of directors and senior management, in determining, and monitoring, the registered person’s financial capacity to support the level of remediation required.

3 Plan Preparation, Format and Content

3.1   The below table details examples of good practice a registered person should consider when preparing a plan.

3.2   The registered person should consider what information it requires in a plan, including the elements which enable the plan to be used as a tool to monitor and evidence progress of remediation. The following are regarded as relevant pieces of information to include in a plan, prepared in response to an Examination:

3.2.1   Finding reference – This is the reference number associated with the finding. This information will be detailed in the Examination report.

3.2.2   Finding – Clear details or a summary of the findings to be remediated.

3.2.3   Action Reference Number – The reference number the registered person has assigned to each action to address the findings. It is noted there may be multiple actions required to address each finding.

3.2.4   Action Details or Description – Details of each action which will be taken by the registered person, aligned to the finding.

3.2.5   Action Lead – The name or initials of the person who is responsible for overseeing the completion of each action.

3.2.6   Start Date – The date upon which the registered person will start each action.

3.2.7   Due Date – The date by which the registered person intends to complete each action.

3.2.8   Action Status – To be populated with a description of the status of each action. For example, ‘In progress’, ‘Overdue’, or alternatively this may be through the use of a RAG rating.

3.2.9   Evidence – Details of the evidence which will be produced to demonstrate each action is complete.

3.2.10   Date approved – The date upon which senior management have approved completion of each action.

3.3   During the course of remediation, where relevant to do so, the registered person should set out clearly how any identified control weaknesses will be mitigated in the immediate, pending full remediation.

4 Post Remediation Monitoring

4.1   Throughout the course of performing remediation, senior management should take steps to assure itself the changes implemented are operating in the manner expected. Remediation actions should be effective from the point upon which they are implemented. On completion, senior management should arrange for its appointed remediation lead to provide an attestation to the JFSC confirming remediation has been implemented and is, in senior management’s view, operating sustainably.

4.2   A period of business as usual will need to pass before the registered person will be able to fully assess whether the measures implemented have been effective and sustainable. We consider six months of business as usual, post-remediation, to be the minimum time before assessing effectiveness and sustainability.

4.3   This period is intended to provide sufficient time for a registered person’s updated systems and controls to be fully embedded, and be used to demonstrate, outside of remediation, the enhancements made are effective in preventing issues or deficiencies re-emerging. There may be instances where we require a registered person to appoint a reporting professional to perform post remediation effectiveness testing.

4.4   The registered person will need to determine how it will assess, and monitor in the longer term, effectiveness and sustainability of its remediation. This may involve the following:

4.4.1   engaging a reporting professional or having internal audit perform an independent review, focusing on the registered person’s ability to demonstrate compliance with regulatory requirements and legal obligations, relevant to the findings which led to remediation; and/or

4.4.2   incorporating relevant testing into the registered person’s compliance monitoring programme.

4.5   Where post remediation effectiveness testing reveals remediation to have been ineffective, or not sustainable, the JFSC will consider an appropriate response. This may include, but not be limited to, escalation to our Enforcement division and/or imposing safeguarding directions on the registered person to manage and mitigate any on-going risks arising from ineffective remediation.

5 Conclusion

5.1   It is the responsibility of senior management to ensure the registered person operates in compliance with regulatory requirements and legal obligations.

5.2   Where deficiencies are identified within a registered person’s business which may lead to, amongst others, financial crime risk, client detriment or damage to the reputation of Jersey, we regard it as senior management’s, and in particular the board of directors’, duty to restore the registered person to a compliant state as soon as possible.

[1] For the purposes of this Guidance Note, the term ‘registered person’ refers to a person registered or holding a permit (as applicable) under: the Collective Investment Funds (Jersey) Law 1988; the Banking Business (Jersey) Law 1991; the Insurance Business (Jersey) Law 1996; the Financial Services (Jersey) Law 1998, and to a person supervised by the JFSC - using powers in the Proceeds of Crime (Supervisory Bodies) (Jersey) Law 2008 - for compliance with the JFSC’s AML/CFT/CPF Codes of Practice and related legislation.
