NEW JFSC Compliance Monitoring Guidance - Changes between the 6 Dec 2013 original and the 4 June 2026 revision.

The JFSC revised its Guidance Note: Compliance Monitoring on 4 June 2026 (part of its broader "simplifying our regulatory framework" project to clarify and modernise guidance notes).

• No new regulatory requirements or Code obligations were introduced.
• The core principles, 7-step cyclical process for Compliance Monitoring Plans (CMPs), risk-based approach, good/poor practice examples, board/senior management responsibilities, and benefits remain fundamentally the same as in the 2013 original.

8 to 15 pages

• The 2013 version was concise (8 pages) and foundational, setting high-level expectations with inline good/poor practice boxes based on on-site examination findings from the prior 18 months.
  • Attached 
  • https://www.comsuregroup.com/media/vnub1etc/jfsc-gn-compliance-monitoring-2013.pdf
  • https://www.comsuregroup.com/media/xd0jn4sx/gn-compliance-monitoring-6-december-2013.pdf
  • https://www.comsuregroup.com/media/d5wbellc/dear-ceo-2013.pdf
• The 2026 version is longer [15 pages], more comprehensive, and explicitly designed to help firms "better contextualise their compliance monitoring plans" with real-world supervisory insights.
  • Compliance monitoring — Jersey Financial Services Commission https://www.jerseyfsc.org/industry/guidance-and-policy/compliance-monitoring/

Key enhancements in 2026:

• Much more detailed, structured, and practical guidance on the 7-step CMP process, with integrated good/poor practice examples for every step.
• New dedicated section on regulatory technology (regtech) and its governance.
• Expanded guidance and a new table on different types of risk assessments (EWRA, thematic, customer, technology/cyber, etc.).
• New Appendix A containing four practical, end-to-end scenarios (good practice, poor practice, recovery, and poor reporting) drawn directly from recent JFSC compliance monitoring thematic examinations.
• Updated legislative references and improved consistency with current JFSC guidance/handbooks.
• Stronger emphasis on proportionality, data-driven/dynamic monitoring, Jersey-specific tailoring for group entities, robust documentation, and board oversight.

Major New Addition in 2026: Appendix A – Scenarios of Compliance Monitoring Practices

This is the standout practical enhancement (explicitly "informed by compliance monitoring thematic examinations on compliance monitoring").

The JFSC has added 4 scenarios directly to illustrate the 7-step process in action and common pitfalls that have persisted since the 2013 guidance (many of which were flagged in the JFSC's 2020 thematic feedback on CMPs).

• Entity A (Good practice): Updated risk assessment mapped obligations; identified gaps (e.g. onboarding, outsourcing); risk-based CMP; structured testing; rated findings; quarterly reporting → risks reduced.
• Entity B (Poor practice): Relied on mismatched group BRA; missed key risks; no board review; poorly scoped CMP; unresolved issues → exposed to breaches.
• Entity C (Recovery): Paused to refresh risk assessment; revised CMP/scope/reporting → avoided breaches.
• Entity D (Poor reporting): Vague report omitted risks → undetected breaches discovered in inspection; prompted reassessment of culture and reporting clarity.

Side-by-Side Comparison of Key Elements

1. Purpose & Scope (largely unchanged)

• 2013:
• Outline an approach to Compliance Monitoring + examples of good/poor practice from JFSC on-site exams (past 18 months).
• Senior management/board expected to consider against their own arrangements and take action where necessary.
• Focus on Compliance Function activities (while noting monitoring can occur throughout the business).
• 2026:
• Same core purpose but expanded to explicitly support development/maintenance of a proportionate, risk-based, documented CMP that provides informed data to the board/senior management.
• Stronger language on dynamic, data-driven, and proportionate monitoring.
• Compliance Function (including MLRO/MLCO) defined similarly.

2. Definition of Compliance Monitoring (unchanged in substance)

• Both versions define it as the assessment of adherence to legislative/regulatory requirements and corresponding controls.
• Both state it should be an integral part of the risk management framework (specifically Compliance Risk, citing the Basel definition).
• Both link it to demonstrating compliance with Principle 3 of the Codes of Practice, Article 11(11) of the Money Laundering (Jersey) Order 2008 (as amended), and relevant Handbook sections.

2026 update:

• Explicitly covers business operations, conduct, prudential, and financial crime obligations.
• Notes it enables demonstration of compliance with the current AML/CFT/CPF Code of Practice and other frameworks.

3. Approach to Compliance Monitoring – The 7-Step Cyclical CMP Process (core preserved, significantly expanded)

Both describe a cyclical feedback process with the same 7 steps:

1. Identify relevant legislative and regulatory requirements
2. Identify relevant controls
3. Conduct a risk assessment (impact/probability, inherent vs residual)
4. Produce and approve a CMP
5. Undertake testing
6. Reporting
7. Oversee remedial action

2013 details:

• High-level descriptions per step.
• Good/poor practice examples presented in shaded boxes (mainly for Risk Assessment, CMP, Testing, Reporting, and Remedial Action).
• Examples of minimum requirements for Trust Company Business and Fund Services Business.
• Emphasis on ongoing review of requirements and reflecting changes in the CMP.
• CMP must be risk-based, focus on highest residual risk areas, include mandatory monitoring, and be reviewed regularly + periodically approved by the Board (at least annually recommended in good practice).
• Testing: Documented plans, working papers with evidence, variety of methods, sample testing with extrapolation.
• Reporting: Standing board agenda item; summary of findings, remedial action, and progress.
• Remedial Action: Allocate responsibility, monitor progress, consider systemic issues.

2026 enhancements:

• Far more granular detail and expectations for each of the 7 steps.
• Good/poor practice examples now integrated throughout every step (not just some).
• New table listing types of risk assessments (Enterprise-wide/EWRA, functional/departmental, product/service, customer, thematic/issue-based, technology/cyber, project/change) with purpose and regulatory context.
• Stronger practical guidance on mapping obligations, gap identification, control effectiveness testing (not just presence), quantitative/qualitative data sources, and escalation.
• Explicit good practice on re-testing areas of previous weaknesses and considering systemic issues.
• Poor practices expanded (e.g., over-reliance on group CMPs without Jersey tailoring; "negative assurance"; assuming controls are effective without testing; vague board reporting; unresolved remediation).
• CMP must be documented with clear scope, timetable, and restrictions.

4. Benefits of Compliance Monitoring (very similar, slightly updated)

Both list benefits including:

• Enhanced risk management framework
• Demonstrating board oversight of control effectiveness
• Proactive identification of weaknesses, incidents, and breaches
• Targeting improvements to reduce sanctions/financial/reputational risk
• Data for annual declarations (e.g., referencing the relevant 2007 Order in 2013; updated context in 2026)
• Self-reported material breaches viewed more favourably by the JFSC (demonstrates effective governance)

2026

• Adds clearer links to current expectations and emphasises data-driven insights for senior management.

5. New in 2026 – Regulatory Technology (Regtech) Section

• Dedicated new section (absent in 2013).
• Guidance on using regtech to improve efficiency, accuracy, and responsiveness while complementing human judgement.
• Governance expectations: accountability, board oversight, risk assessments, controls for data privacy/cybersecurity/third-party risks, audit trails, resilience.
• Must be tailored to Jersey-specific risks (especially for groups).
• References JFSC's regulatory technology implementation guide and financial crime/regtech guides.

6. Conclusion (substantively the same)

• Both stress that the approach must be risk-based and proportionate to the nature, size, and complexity of the business.
• Senior management and the board must understand, demonstrate the importance of, and ensure the approach is documented with appropriate records maintained.
• Consequences and Implications for Firms
• The 2026 revision is supportive and clarifying, not burdensome. It gives firms clearer, more actionable tools aligned with real supervisory findings from thematic examinations conducted since the original 2013 guidance.
• Positive outcomes:
• Easier to design, document, and defend robust, proportionate CMPs.
• Better board/senior management reporting and oversight.
• Practical examples (especially the new Appendix A scenarios) help firms self-assess and avoid recurring issues.
• Guidance on regtech supports efficiency while maintaining strong governance.
• Consistency with other current JFSC guidance notes.

Recommended actions:

• Map your current CMP, policies, procedures, and processes against the full 2026 7-step framework and the detailed good/poor practice examples.
• Pay particular attention to the four scenarios in Appendix A — many firms will recognise elements of Entities B or D in their own arrangements.
• Ensure CMPs are genuinely risk-based, regularly reviewed (quarterly by Compliance Function, annually by Board), include re-testing of prior weaknesses, and are tailored for Jersey risks (especially groups).
• Strengthen documentation of testing plans, working papers/evidence, ratings, remediation tracking, and board reporting.
• Review opportunities for appropriate regtech within a governed framework.
• Brief senior management/board on the updated guidance and any gaps identified.
• Document your review and any enhancements.

Supervisory context:

• JFSC examiners and thematic teams will reference the 2026 version. Firms that can demonstrate alignment (particularly avoiding the poor practices illustrated) will be better positioned. Issues highlighted since 2013 (inadequate risk assessment, weak evidence, poor board oversight, unresolved remediation, over-reliance on group frameworks) remain key focus areas.
• There is no specific implementation deadline, but given the recent revision and ongoing supervisory attention to compliance monitoring, prompt review and alignment is strongly advisable.

Sources

Consolidated Single List of Unique Primary Official Sources (no duplication)

• 2026 revised Guidance Note – Landing page: https://www.jerseyfsc.org/industry/guidance-and-policy/compliance-monitoring/ (notes "Last revised: 04 June 2026”) Direct PDF: https://www.jerseyfsc.org/media/ekynybkh/gn-compliance-monitoring.pdf
• Guidance Note Changes announcement (details the 2026 update rationale and new practical scenarios): https://www.jerseyfsc.org/industry/simplifying-our-regulatory-framework/guidance-note-changes/
• Guidance and policy main page (lists the revised note): https://www.jerseyfsc.org/industry/guidance-and-policy/
• 2013 original Guidance Note (now superseded) – Previously available at: https://www.jerseyfsc.org/media/5885/gn-compliance-monitoring.pdf (the JFSC has removed the document!!!!} see attached docs
• 2013 Dear CEO letter (accompanied the original guidance): https://www.jerseyfsc.org/news-and-events/dear-ceo-compliance-monitoring/
• 2020 Compliance Monitoring Plans Thematic review feedback (references and builds on the 2013 guidance; details persistent issues): https://www.jerseyfsc.org/media/4168/e-thematic-feedback-complaince-monitoring-december-2020.pdf
• Related 2020 examination feedback page: https://www.jerseyfsc.org/industry/examinations/compliance-monitoring-examination-feedback/
• 2024/2025 compliance monitoring examination feedback (ongoing supervisory context): https://www.jerseyfsc.org/industry/examinations/examination-findings-and-questionnaires/2024-compliance-monitoring-examination-feedback/

2013 - Dear CEO: compliance monitoring

Compliance monitoring

The JFSC considers compliance monitoring to be an important part of a registered person’s risk management framework in relation to compliance risk. When done effectively and in conjunction with other activities, it enables the JFSC to have some comfort that compliance risk is being proactively and appropriately managed within registered persons, and that issues requiring notification are being made to the JFSC in a timely manner.

That being said, during the past 18 months, the JFSC has observed that the quality of compliance monitoring varies significantly between registered persons and frequently appears as a finding within examination reports.

For these reasons, and to assist registered persons, the JFSC has published a guidance note on compliance monitoring which outlines an approach to Compliance Monitoring and provides examples of observed good and poor practice.

Given that senior management, including the board, are responsible for the effective management of risk within a registered person, the JFSC expects senior management to be actively engaged in the compliance monitoring process. This should include the approval of a compliance monitoring plan and ensuring the timely completion of any resulting remedial action.

It is therefore imperative that senior management read and understand the guidance note and are able to demonstrate that they have considered the content against their own arrangements and taken action where necessary.

Effective compliance monitoring should be invaluable to senior management and provide a view of the business’ compliance with legislative and regulatory requirements and the effectiveness of its internal controls. It should also give confidence that where there is non adherence, issues are proactively identified and appropriately escalated and managed.

Should you have any queries regarding this letter, please feel free to contact your supervision manager at the JFSC.

Notes

Compliance Risk (as defined by the Basel committee on banking supervision): the risk of legal or regulatory sanctions, material financial loss, or loss to reputation a [registered person] may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory organisation standards and codes of conduct application to its regulated activities.

https://www.jerseyfsc.org/news-and-events/dear-ceo-compliance-monitoring/