
MAT SAYS:- WHEN RISK ASSESSMENTS FAIL: Lessons from Jersey’s August 6, 2025, Enforcement Action

08/08/2025
  1. Have you noticed the COMMONALITY and DISCONNECT in recent (IF NOT ALL) Financial Services Regulators' enforcement actions and public statements?
  2. The COMMONALITY and DISCONNECT are that these enforcement actions and public statements:-
    1. Show TEXTBOOK CASES of what happens when RISK ASSESSMENTS (BRA/CRA/BWRA), compliance and controls
    2. ARE DISCONNECTED from REAL-WORLD RISK(S) such as financial crime, cyber, human resources, and so on.
  3. This can be seen in the recent FCA fine, Barclays Bank UK PLC & Barclays Bank PLC – £42 million for poor handling of financial crime risks related to WealthTek and Stunt & Co.
    1. https://www.comsuregroup.com/news/barclays-fined-42-million-for-banking-dirty-money-associated-with-fowler-oldfield-wealthtek/
  4. What is seen in the above case and what COMSURE sees in its day-to-day work is that firms (and regulators) in many instances:-
    1. Treat RISK as a COMPLIANCE CHECKBOX rather than a STRATEGIC TOOL
  5. However, we all know RISK:-
    1. Must be owned by an ACCOUNTABLE board, with the firm's directors and senior management as risk owners, and
    2. Delegated through an organisation to RESPONSIBLE risk operators
  6. And to help manage risk ownership, COMSURE suggests using the RACI framework
    1. https://www.comsuregroup.com/news/using-the-raci-matrix-to-demonstrate-compliance-with-jfsc-senior-management-function-rules/

MAT'S BLOG

  1. For this blog, I’m going to illustrate my thoughts on the above further by focusing on a Jersey JFSC public statement and fine that was published on August 6th, 2025

JERSEY

  1. On August 6th, the Jersey Financial Services Commission (JFSC) sanctioned GARFIELD BENNETT TRUST COMPANY LIMITED (GBTCL) and imposed a financial penalty of £86,803.19
    1. Read here:- https://www.comsuregroup.com/news/jfsc-issued-a-financial-penalty-of-86-80319-to-garfield-bennett-trust-company-limited-public-gbtcl/
  2. The JFSC case:-
    1. Highlights fundamental CONTROL FAILURES AND WEAKNESSES
    2. But only mentions RISK ASSESSMENTS briefly.
  3. The JFSC says in its public statement:-
    1. At onboarding and throughout the relevant period, GBTCL FAILED:-
      1. To conduct and record adequate BUSINESS RISK ASSESSMENTS (BRA) and CUSTOMER RISK ASSESSMENTS (CRA) for the Funds, leaving it under-informed of all relevant financial crime risks.
    2. GBTCL’s BUSINESS RISK ASSESSMENTS (BRA) and CUSTOMER RISK ASSESSMENT (CRA) FAILED:-
      1. To consider a change in investment direction for Fund A to invest in cryptocurrency until after investments had been made for an extended period.
    3. GBTCL failed:-
      1. To react and re-assess RISK following trigger events such as the conversion of Funds A-D to JPFs.
  4. In addition, the JFSC outlined some mitigations that included:-
    1. GBTCL is strengthening its governance framework by appointing a new member to the GBTCL Board.
  5. However, there is nothing else that highlights a failure of governance and the management of risk, which is surprising, as the JFSC's Codes of Practice say:-
    1. Corporate governance is the system by which an organisation is directed and controlled.
    2. A corporate governance framework:-
      1. Specifies the distribution of rights and responsibilities among different participants in the organisation and
      2. Sets out the rules and procedures for making decisions.
    3. Risk management
      1. Is an integral part of the corporate governance framework.
    4. In the context of Principle 3, “risk” refers to:-
      1. All the risks that a registered person faces, or may face, as a BUSINESS ENTERPRISE.
  6. Given how many of these RISK measures appear to have failed at GBTCL:-
    1. The JFSC public statement was worthy of further RISK commentary and analysis, and
    2. The absence of any meaningful commentary should concern us all.

THE JFSC BRA, CRA, AND BWRA

  1. THE JFSC requires firms to have both BRAs and CRAs
    1. Business Risk Assessment (BRA) Requirements
      1. The BRA must identify and assess the ML/TF/PF risks to which the business is exposed, tailored to its nature, size, and complexity. It is a board-level responsibility and must be documented.
    2. Statutory Obligations:
      1. Under Article 37 of the Proceeds of Crime Law, supervised persons must take prescribed measures to prevent and detect ML/TF/PF; failure constitutes a criminal offence.
      2. Article 11(1) of the Money Laundering Order requires establishing and maintaining policies/procedures to prevent and detect ML/TF/PF in financial services business.
      3. Article 11(11) mandates procedures for monitoring compliance and testing the effectiveness of policies, awareness, and training.
      4. AML/CFT/CPF Codes require the board to conduct and record the BRA, considering risk appetite, exposure in organisational structure, customers, countries, products, services, delivery methods, and cumulative risks.
    3. Customer Risk Assessment (CRA) Requirements
      1. The CRA evaluates the risk of specific business relationships or one-off transactions involving ML/TF/PF, determining the level of customer due diligence (CDD) measures.
    4. Statutory Obligations:
      1. Article 11 of the Money Laundering Order: Maintain policies/procedures for CDD, considering the degree of ML/TF risk.
      2. Article 3(5): Collect information to assess ML/TF risk for existing customers.
      3. Assess risk of business relationships or one-off transactions involving ML/TF/PF.

THE BUSINESS-WIDE RISK ASSESSMENT (BWRA)

  1. In the Comsure world, BRAs and CRAs together make up
    1. The BUSINESS-WIDE RISK ASSESSMENT (BWRA),
    2. Sometimes referred to as an ENTERPRISE-WIDE RISK ASSESSMENT (EWRA)

WHY BWRAs FAIL TO INFLUENCE RISK

  1. If the GBTCL BWRA (I'll use BWRA for the rest of this blog) had been functioning as intended,
    1. It would have served as the very lens through which these risks were identified, prioritised, and mitigated.
  2. Too often, however, BWRAs are not properly designed and implemented:-
    1. They are written retrospectively and built around abstract regulatory risk factors ("jurisdiction", "customer type", "delivery channel") rather than plausible events.
    2. The output becomes a narrative summary that catalogues existing controls but never challenges their effectiveness or alignment.
  3. As a result, BWRAs frequently fail to:
    1. Model specific, plausible risk events of the kind evidenced every day in business failures,
    2. Capture how controls interact dynamically to mitigate those events (e.g., onboarding due diligence + adverse media alerting + production order handling),
    3. Reflect actual control performance and effectiveness (e.g., missed periodic reviews, unverified risk rating assumptions)

The GBTCL case reflects the consequences of all the above, DESPITE RED FLAGS BEING VISIBLE

OWNERSHIP

  1. And who owns the risk?
    1. In the JFSC's PUBLIC STATEMENT, someone failed, but who?
    2. It was not just a collective board failure.

WHAT YOU SHOULD BE DOING

  1. Your BWRA methodology should not be static; it should operate as a DYNAMIC RISK operating system, where:
    1. Ownership of risk is spread to identifiable people rather than left with just the board or compliance
    2. Threat and vulnerability (risk) events are modelled on how financial crime actually occurs
    3. Controls are mapped by function and to ownership, not by policy label
    4. Residual risk is calculated from control performance (effectiveness), not paper
    5. Internal and external threat and vulnerability signals are integrated continuously
    6. Outputs feed into resourcing decisions, thresholds, and governance
  2. This is not just a better BWRA.
    1. It’s a different way of thinking about risk altogether.

A BETTER WAY FORWARD

  1. The GBTCL case:-
    1. Doesn’t just expose failings in control execution.
    2. It reveals the structural limitations of how RISK is CONCEPTUALISED, ASSESSED, AND MANAGED at the system level.
  2. In our financial institutions,
    1. WE DON'T need better policies.
    2. WE NEED a better mindset, one that recognises that RISKS such as "financial crime risk" are emergent, dynamic, and interconnected.
  3. The BWRA, properly designed and implemented, is the one framework capable of holding that complexity, but only if we stop treating it as a
    1. COMPLIANCE CHECKBOX AND START BUILDING IT AS A STRATEGIC TOOL.

END

If you want to know more about the Comsure methodology of risk management, delivered through its proprietary products, please call Mathew

HERE ARE MAT’S DETAILS

Mathew Beale - Chartered FCSI

Principal & Director - Comsure Compliance Limited, Comsure Technology Limited, Comsure Mauritius

(the "Comsure Group of Companies")

mathewbeale@comsuregroup.com

www.comsuregroup.com

T (Jersey) +44 1534 733-588 /+44 7797 747-490

T (Mauritius) +230 214-6487 / +230 5717-6907
