The JFSC CMP GOOD PRACTICES & POOR PRACTICES are highlighted in the updated guide on 4 June 2026

08/06/2026

The JFSC Compliance Monitoring Plan (CMP) guidance helps registered and supervised persons develop and maintain a risk-based CMP.

  • It reflects regulatory expectations, demonstrates good governance, and provides the board/senior management with informed data on compliance risks (covering operational, conduct, prudential, and financial crime obligations).

The note outlines a 7-step cyclical process for effective compliance monitoring:

  1. Identify legal and regulatory obligations
  2. Identify the control environment
  3. Undertake a risk assessment of non-compliance
  4. Design and approve the CMP
  5. Undertake testing
  6. Report findings
  7. Remediate (with feedback loop back to earlier steps)

It stresses a proportionate, risk-based, documented approach with adequate board/senior management oversight.

  • Entities have flexibility in design but must meet expectations for documentation, risk focus, and effective oversight. The 2026 revision adds practical scenarios (Appendix A), drawn from thematic compliance monitoring examinations, and clarifies expectations for contextualising CMPs.

The guidance explicitly contrasts good practices (robust, evidence-based, risk-focused implementation) with poor practices (superficial, static, poorly documented, or lacking oversight).

These good and poor practices appear throughout the main text and especially in Appendix A: Scenarios of compliance monitoring practices (four illustrative entities).

Good Practices

  • These align with robust execution of the 7-step cycle, strong documentation, evidence-based testing, board engagement, and continuous improvement.

Risk Assessment & Identification of Obligations/Controls

  • Map all applicable legal and regulatory requirements (with an approved document detailing each).
  • Use subscription services or regularly updated technology solutions for timely notification of regulatory changes.
  • Draw on a broad range of information sources for risk assessment: revenue data, complaints, breaches, operational incidents, JFSC publications (public statements, examination feedback, guidance notes), previous CM results, audit reports, and senior management concerns.
  • Update the risk assessment on trigger events (e.g., regulatory changes) and periodically (e.g., annually).
  • Use structured rating systems (e.g., RAG/red-amber-green or numerical scoring) for prioritisation and transparency.
  • Consider impact, likelihood, inherent vs residual risk; identify key controls; cover operational, regulatory, and financial crime risks.
  • Where gaps in controls are identified, take timely remedial action so controls effectively mitigate the risk.

CMP Design, Approval & Review

  • Ensure the CMP is directly informed by the risk assessment output (focus testing/resources on high residual risk areas; include areas of previous weaknesses to test remedial effectiveness).
  • Have the CMP reviewed and approved by the board and/or senior management annually; the compliance function reviews it quarterly, with significant changes escalated/reported.
  • Include provisions in policies/procedures for periodically assessing the effectiveness of testing methodologies.
  • When weaknesses are identified, consider whether issues are systemic or prevalent elsewhere in the business.
  • Tailor any group-level CMP or arrangements to Jersey-specific risks and regulatory requirements (document how Jersey obligations are addressed).

Testing

  • Document testing plans clearly (objectives, scope, work to be done, timescales) and share with relevant business individuals.
  • Use a variety of testing approaches: interviews, holistic or partial customer file reviews, data analysis, technology stress testing, corporate document reviews, listening to recorded conversations, etc.
  • Use appropriate sampling and extrapolate findings (e.g., agreed percentage of high/medium/low risk files).
  • Maintain comprehensive records/working papers to evidence testing and support findings.

Reporting & Governance/Oversight

  • Document summaries of testing, findings, and remedial actions in CM reports; include extracts in the compliance function's report to the board.
  • Include progress against the approved CMP in board reports.
  • Assign ratings to individual findings and the overall report to aid prioritisation and oversight.
  • Seek regular board/senior management input/feedback on report structure, content, level of detail, presentation, and prioritisation of actions.
  • Provide the board with sufficient evidence of oversight (e.g., via minutes and records).

Remediation & Follow-up

  • Consider wider implications of issues to identify systemic weaknesses or trends.
  • Agree remedial actions between the compliance function and relevant business individuals.
  • Record breaches of regulatory requirements or controls centrally and monitor for recurrence.
  • Periodically revisit remedial actions to assess whether they are fully embedded and sustainable.
  • Re-test areas of previous weaknesses as part of the CMP.

Use of Regulatory Technology (RegTech)

  • Automate monitoring activities to enhance efficiency, accuracy, and responsiveness while reducing administrative burden.
  • Ensure technology solutions are regularly updated to reflect regulatory changes.
  • Maintain strong governance: accountability, board oversight, risk assessments, controls for data privacy/cybersecurity/third-party risks, audit trails, record-keeping, and resilience.
  • Complement technology with human judgement and oversight; tailor group-level technology frameworks to Jersey-specific risks and expectations.

Overall / Governance Culture

  • Demonstrate board/senior management understanding of and commitment to the importance of compliance monitoring.
  • Maintain comprehensive documentation of how the CMP was developed, approved, and delivered.
  • Foster a culture where issues are escalated transparently, and remediation is actively overseen and followed up.

Poor Practices (to Avoid)

  • These undermine the effectiveness of the CMP, risk management, and regulatory compliance.
  • They often stem from superficial approaches, over-reliance on group arrangements, lack of evidence, or weak oversight.

Risk Assessment & Identification

  • Rely excessively on "negative assurance" (assuming compliance simply because no breaches are recorded).
  • Assume that having controls in place is sufficient, without reviewing or testing their effectiveness.
  • Fail to update the risk assessment for changes in the business, operations, or regulations (static approach).

CMP Design, Approval & Review

  • Over-rely on group-level CMP procedures or business risk assessments (BRA) without sufficient detail on Jersey-specific regulatory requirements or adaptation to the local business model (e.g., different customers/products).
  • Operate the CMP as a fixed, routine schedule of tests without considering operational changes or evolving risks.
  • Fail to periodically review or obtain board/senior management approval of the CMP.
  • Have poor or absent documentation of how the CMP was developed, approved, and delivered.

Testing

  • Place over-reliance on unverified verbal statements from staff about compliance with systems/controls/policies/procedures.
  • Produce inadequate or no working papers/evidence to support testing or findings.
  • Fail to perform testing at all, to an adequate standard, or in line with the approved CMP.
  • Apply inconsistent treatment of findings due to lack of documented guidelines or methodology.
  • Misalign actual testing with the CMP without a clear, documented rationale.

Reporting & Governance/Oversight

  • Provide insufficient evidence of board oversight of CMP content and results (e.g., in board minutes or records).
  • Fail to provide any report to the board on compliance monitoring activities.
  • Have the board fail to support or follow up on completion of remedial actions.
  • Produce vague or incomplete reports that omit key risks or findings, leading to poor decision-making.

Remediation & Follow-up

  • Provide ambiguous business responses to findings with no agreed or implemented remedial action.
  • Fail to adequately prioritise or address remedial actions due to lack of clear follow-up and oversight.
  • Fail to record breaches identified during testing in the central breaches register.
  • Have board/senior management fail to make effective decisions on remedial actions, provide regular oversight, or require updates on improved compliance and remediation progress.

Use of Technology / Group Arrangements

  • Adopt group-level technology or CMP frameworks without tailoring them to Jersey-specific risks and regulatory expectations (even if group standards appear robust).
  • Over-rely on technology without proper governance, oversight, or human judgement.

Illustrative Scenarios from Appendix A

These practical examples (informed by JFSC thematic work) show real-world application:

  • Entity A (Strengthening through good practices): Updated its business risk assessment (BRA) with clear mapping of obligations, identified gaps (e.g., onboarding procedures, outsourced activities oversight), assigned and tracked corrective actions, added a risk matrix, developed a prioritised risk-based CMP, obtained board approval, used structured testing (planning/investigation/reporting/follow-up) with clear ratings (Effective/Partially Effective/Not Effective), and presented findings/recommendations to the board. Result: stronger controls and informed oversight.
  • Entity B (Inadequate practices): Over-relied on group BRA/CMP without Jersey tailoring or alignment to its actual business model; board did not actively review/question the BRA; CMP was static and missed key risks; testing was inadequate or missed; issues remained unresolved, leading to exposures and potential breaches.
  • Entity C (Recovery from poor risk assessment): Identified oversight gaps in risk assessment, paused to update it properly, revised the CMP accordingly, adjusted testing focus, improved reporting and remediation processes, and avoided regulatory breaches through timely action.
  • Entity D (Impact of poor reporting): Vague reporting that omitted risks led to poor governance decisions; a subsequent regulatory inspection revealed issues; prompted a cultural shift toward greater transparency in reporting and stronger board engagement.

Additional Context & Benefits

  • Effective compliance monitoring delivers: enhanced risk management and board oversight; early identification of weaknesses (preventing escalation); business process improvements; reliable data for regulatory declarations/returns; and a stronger compliance culture. Poor practices increase regulatory risk, including the risk of enforcement action.
  • The guidance encourages timely notification of issues to the JFSC where required and warns against non-disclosure risks.
  • For the full authoritative text, download the PDF directly from the JFSC website: https://www.jerseyfsc.org/industry/guidance-and-policy/compliance-monitoring/ (or the direct media link). Firms should review their current CMP against these good- and poor-practice benchmarks and the 7-step cycle, with particular attention to board oversight, Jersey-specific tailoring, evidence, and remediation sustainability.
  • This outline captures all the good and poor practices explicitly highlighted in the revised guidance.

NEW JFSC Compliance Monitoring Guidance - Changes between the 6 Dec 2013 original and the 4 June 2026 revision.

The JFSC revised its Guidance Note: Compliance Monitoring on 4 June 2026 (part of its broader "simplifying our regulatory framework" project to clarify and modernise guidance notes).

  • No new regulatory requirements or Code obligations were introduced.
  • The core principles, 7-step cyclical process for Compliance Monitoring Plans (CMPs), risk-based approach, good/poor practice examples, board/senior management responsibilities, and benefits remain fundamentally the same as in the 2013 original.

8 to 15 pages

Key enhancements in 2026:

  • Much more detailed, structured, and practical guidance on the 7-step CMP process, with integrated good/poor practice examples for every step.
  • New dedicated section on regulatory technology (regtech) and its governance.
  • Expanded guidance and a new table on different types of risk assessments (EWRA, thematic, customer, technology/cyber, etc.).
  • New Appendix A containing four practical, end-to-end scenarios (good practice, poor practice, recovery, and poor reporting) drawn directly from recent JFSC compliance monitoring thematic examinations.
  • Updated legislative references and improved consistency with current JFSC guidance/handbooks.
  • Stronger emphasis on proportionality, data-driven/dynamic monitoring, Jersey-specific tailoring for group entities, robust documentation, and board oversight.

Major New Addition in 2026: Appendix A – Scenarios of Compliance Monitoring Practices

This is the standout practical enhancement (explicitly "informed by compliance monitoring thematic examinations on compliance monitoring").

The JFSC has added 4 scenarios directly to illustrate the 7-step process in action and common pitfalls that have persisted since the 2013 guidance (many of which were flagged in the JFSC's 2020 thematic feedback on CMPs).

  • Entity A (Good practice): Updated risk assessment mapped obligations; identified gaps (e.g. onboarding, outsourcing); risk-based CMP; structured testing; rated findings; quarterly reporting → risks reduced.
  • Entity B (Poor practice): Relied on mismatched group BRA; missed key risks; no board review; poorly scoped CMP; unresolved issues → exposed to breaches.
  • Entity C (Recovery): Paused to refresh risk assessment; revised CMP/scope/reporting → avoided breaches.
  • Entity D (Poor reporting): Vague report omitted risks → undetected breaches discovered in inspection; prompted reassessment of culture and reporting clarity.

Side-by-Side Comparison of Key Elements

1. Purpose & Scope (largely unchanged)

  • 2013:
    • Outline an approach to Compliance Monitoring + examples of good/poor practice from JFSC on-site exams (past 18 months).
    • Senior management/board expected to consider against their own arrangements and take action where necessary.
    • Focus on Compliance Function activities (while noting monitoring can occur throughout the business).
  • 2026:
    • Same core purpose but expanded to explicitly support development/maintenance of a proportionate, risk-based, documented CMP that provides informed data to the board/senior management.
    • Stronger language on dynamic, data-driven, and proportionate monitoring.
    • Compliance Function (including MLRO/MLCO) defined similarly.

2. Definition of Compliance Monitoring (unchanged in substance)

  • Both versions define it as the assessment of adherence to legislative/regulatory requirements and corresponding controls.
  • Both state it should be an integral part of the risk management framework (specifically Compliance Risk, citing the Basel definition).
  • Both link it to demonstrating compliance with Principle 3 of the Codes of Practice, Article 11(11) of the Money Laundering (Jersey) Order 2008 (as amended), and relevant Handbook sections.

2026 update:

  • Explicitly covers business operations, conduct, prudential, and financial crime obligations.
  • Notes it enables demonstration of compliance with the current AML/CFT/CPF Code of Practice and other frameworks.

3. Approach to Compliance Monitoring – The 7-Step Cyclical CMP Process (core preserved, significantly expanded)

Both describe a cyclical feedback process with the same 7 steps:

  1. Identify relevant legislative and regulatory requirements
  2. Identify relevant controls
  3. Conduct a risk assessment (impact/probability, inherent vs residual)
  4. Produce and approve a CMP
  5. Undertake testing
  6. Reporting
  7. Oversee remedial action

2013 details:

  • High-level descriptions per step.
  • Good/poor practice examples presented in shaded boxes (mainly for Risk Assessment, CMP, Testing, Reporting, and Remedial Action).
  • Examples of minimum requirements for Trust Company Business and Fund Services Business.
  • Emphasis on ongoing review of requirements and reflecting changes in the CMP.
  • CMP must be risk-based, focus on highest residual risk areas, include mandatory monitoring, and be reviewed regularly + periodically approved by the Board (at least annually recommended in good practice).
  • Testing: Documented plans, working papers with evidence, variety of methods, sample testing with extrapolation.
  • Reporting: Standing board agenda item; summary of findings, remedial action, and progress.
  • Remedial Action: Allocate responsibility, monitor progress, consider systemic issues.

2026 enhancements:

  • Far more granular detail and expectations for each of the 7 steps.
  • Good/poor practice examples now integrated throughout every step (not just some).
  • New table listing types of risk assessments (Enterprise-wide/EWRA, functional/departmental, product/service, customer, thematic/issue-based, technology/cyber, project/change) with purpose and regulatory context.
  • Stronger practical guidance on mapping obligations, gap identification, control effectiveness testing (not just presence), quantitative/qualitative data sources, and escalation.
  • Explicit good practice on re-testing areas of previous weaknesses and considering systemic issues.
  • Poor practices expanded (e.g., over-reliance on group CMPs without Jersey tailoring; "negative assurance"; assuming controls are effective without testing; vague board reporting; unresolved remediation).
  • CMP must be documented with clear scope, timetable, and restrictions.

4. Benefits of Compliance Monitoring (very similar, slightly updated)

Both list benefits including:

  • Enhanced risk management framework
  • Demonstrating board oversight of control effectiveness
  • Proactive identification of weaknesses, incidents, and breaches
  • Targeting improvements to reduce sanctions/financial/reputational risk
  • Data for annual declarations (e.g., referencing the relevant 2007 Order in 2013; updated context in 2026)
  • Self-reported material breaches viewed more favourably by the JFSC (demonstrates effective governance)

2026 update:

  • Adds clearer links to current expectations and emphasises data-driven insights for senior management.

5. New in 2026 – Regulatory Technology (Regtech) Section

  • Dedicated new section (absent in 2013).
  • Guidance on using regtech to improve efficiency, accuracy, and responsiveness while complementing human judgement.
  • Governance expectations: accountability, board oversight, risk assessments, controls for data privacy/cybersecurity/third-party risks, audit trails, resilience.
  • Must be tailored to Jersey-specific risks (especially for groups).
  • References JFSC's regulatory technology implementation guide and financial crime/regtech guides.

6. Conclusion (substantively the same)

  • Both stress that the approach must be risk-based and proportionate to the nature, size, and complexity of the business.
  • Senior management and the board must understand, demonstrate the importance of, and ensure the approach is documented with appropriate records maintained.
Consequences and Implications for Firms

The 2026 revision is supportive and clarifying, not burdensome. It gives firms clearer, more actionable tools aligned with real supervisory findings from thematic examinations conducted since the original 2013 guidance.

Positive outcomes:

  • Easier to design, document, and defend robust, proportionate CMPs.
  • Better board/senior management reporting and oversight.
  • Practical examples (especially the new Appendix A scenarios) help firms self-assess and avoid recurring issues.
  • Guidance on regtech supports efficiency while maintaining strong governance.
  • Consistency with other current JFSC guidance notes.

Recommended actions:

  • Map your current CMP, policies, procedures, and processes against the full 2026 7-step framework and the detailed good/poor practice examples.
  • Pay particular attention to the four scenarios in Appendix A — many firms will recognise elements of Entities B or D in their own arrangements.
  • Ensure CMPs are genuinely risk-based, regularly reviewed (quarterly by Compliance Function, annually by Board), include re-testing of prior weaknesses, and are tailored for Jersey risks (especially groups).
  • Strengthen documentation of testing plans, working papers/evidence, ratings, remediation tracking, and board reporting.
  • Review opportunities for appropriate regtech within a governed framework.
  • Brief senior management/board on the updated guidance and any gaps identified.
  • Document your review and any enhancements.

Supervisory context:

  • JFSC examiners and thematic teams will reference the 2026 version. Firms that can demonstrate alignment (particularly avoiding the poor practices illustrated) will be better positioned. Issues highlighted since 2013 (inadequate risk assessment, weak evidence, poor board oversight, unresolved remediation, over-reliance on group frameworks) remain key focus areas.
  • There is no specific implementation deadline, but given the recent revision and ongoing supervisory attention to compliance monitoring, prompt review and alignment is strongly advisable.

Sources

JERSEY JFSC
