Why Jersey SMF Rules are the cornerstone of your BRA & Accountability

06/05/2026

Why Jersey’s Senior Management Function (SMF) Rules Are the Cornerstone of Building a Robust Business-Wide Risk Assessment (BWRA/EWRA) and an Effective Matrix of Accountability and Responsibility

In Jersey’s highly regulated financial services sector, compliance isn’t just about ticking boxes; it’s about embedding a culture of accountability that protects your business, your clients, and the island’s reputation.

  • At the heart of this lies the Jersey Financial Services Commission (JFSC) framework, particularly
    • The Senior Management Function (SMF) rules,
    • The AML/CFT/CPF Handbook, and
    • The sector-specific Codes of Practice.
  • These requirements make the SMF regime the first and most important step when developing and creating a clear
    • Business-Wide Risk Assessment (BWRA), often referred to as the Enterprise-Wide Risk Assessment (EWRA) or, in JFSC terminology, by a similar name such as a Business Risk Assessment (BRA), and
    • Matrix of accountability (risk ownership) and responsibility (risk support).

Here’s why starting here is non-negotiable for any registered or supervised person.

  1. SMF Rules Establish Personal Accountability at the Highest Levels of Management
  • The JFSC’s Notice designating “senior management functions” (SMF notices), issued 12 January 2023 and effective 13 March 2023 under Article 1(1) of the Financial Services Commission (Jersey) Law 1998, is a game-changer.
  • The SMF notice rules designate four key categories focusing primarily on individuals who manage aspects of a firm’s affairs that carry a risk of serious consequences, especially in AML/CFT/CPF compliance and risk functions.
  • These include:
    • Category 1: Managing any aspect of the local AML/CFT/CPF compliance/risk function (typically below board but above key person level, e.g., line-managing the MLCO/MLRO).
    • Category 2: Managing broader affairs where the individual reports directly to the board or a principal person, applies AML/CFT/CPF arrangements, and exercises significant influence over ML/TF/CPF risk exposure.
    • Category 3: Carrying out duties that the Money Laundering (Jersey) Order 2008 (MLO) or an AML/CFT/CPF Code of Practice explicitly requires senior management to perform.
    • Category 4: Specific senior officer roles in certain banking contexts.
  • Crucially, Article 21A of the Commission Law allows the JFSC to impose civil financial penalties not only on the firm but personally on individuals performing SMFs if a significant and material contravention of the MLO or any JFSC Code of Practice occurs with their consent, connivance, or neglect (or if they aided/abetted it).
  • This personal liability applies across all sector Codes (Investment Business, Trust Company Business, Fund Services, Insurance, Deposit-taking, Alternative Investment Funds, etc.).
  • It gives real “skin in the game” that drives ownership far beyond AML alone. Without it, risk assessments and governance documents often remain theoretical, gathering dust on a shelf.
  2. The AML Handbook and, Critically, the Codes of Practice Place Explicit BWRA/BRA Ownership with Senior Management
  • The JFSC AML/CFT/CPF Handbook (Section 2 – Corporate Governance) is crystal clear: the Board (or senior management where there is no board) must:
    • Conduct and record a Business Risk Assessment (BRA/BWRA) that evaluates the firm’s overall exposure to money laundering, terrorist financing, and proliferation financing risks “in the round”.
    • Consider risk appetite, organisational structure, customers, geographies, products/services, and delivery channels.
    • Keep the assessment up-to-date (at least annually or on material change).
    • Use the BRA to establish a formal strategy to counter those risks, allocate resources, and implement adequate, effective systems and controls.
    • “Document its systems and controls (including policies and procedures) and clearly apportion responsibilities for countering money laundering, the financing of terrorism, or the financing of proliferation, and, in particular, responsibilities of the MLCO and MLRO.”
  • And in support of the above:
    • “The key responsibilities of the board… are to:
      • Identify the supervised person’s money laundering, the financing of terrorism, and the financing of proliferation risks;
      • Ensure that its systems and controls are appropriately designed and implemented to manage those risks; and
      • Ensure that sufficient resources are devoted to fulfilling these responsibilities.”

2A. Sector-specific Codes of Practice

  • But the sector-specific Codes of Practice go even further.
    • They are issued and maintained under powers provided by the Financial Services (Jersey) Law 1998 and
    • Set out the principles and detailed requirements that must be complied with when conducting financial services business.
  • Part 3 (Principle 3) on Risk / Corporate Governance and Risk Management, in particular, is the key driver. Across virtually all these Codes, Principle 3 states:
  • “A registered person [or permit holder] must organise and control its affairs effectively for the proper performance of its business activities and be able to demonstrate the existence of adequate risk management systems.”
  • Risk management is described as “an integral part of the corporate governance framework”, covering ALL RISKS the business faces (not just financial crime).
  • Crucially, Part 3 explicitly requires (non-exhaustive examples that apply across the Codes):
    • Responsibilities must be apportioned among a registered person’s directors/partners, key persons, senior managers and employees in such a way that their individual responsibilities are clear.
    • The business and affairs of a registered person must be adequately monitored and controlled at the senior management and board level.
    • Documented procedures sufficient to facilitate the effective management of risk by the board of directors and senior management.
    • Assessment of all risks present in the business, which must be documented, together with how those risks are monitored and controlled.
    • Clear policies, practices, and controls to measure, monitor, and mitigate risks appropriate to the nature, scale, and complexity of the business.
  • These provisions make it impossible to build or maintain a meaningful BWRA without first identifying who, at the senior level, is accountable.
  • The Codes do not allow vague or collective responsibility; they demand clarity of individual responsibilities and active senior management/board oversight.
  3. SMF Rules Enable a Practical Matrix of Accountability (Ownership) and Responsibility (Support)
  1. Once SMFs are mapped, the next logical step is building a RACI-style matrix (Responsible, Accountable, Consulted, Informed), or your firm’s equivalent “matrix of accountability and responsibility”.
    1. Accountability (risk ownership) = the SMF holder who is ultimately answerable (the “A” in RACI). This directly satisfies the Codes’ requirement to apportion responsibilities clearly and ties into personal liability under the SMF regime.
    2. Responsibility (risk support) = those who perform the day-to-day work (the “R” in RACI), such as compliance teams, risk analysts, or operational staff who support the SMF holder.
  2. The matrix:
    1. Becomes living evidence of compliance with Part 3 of the Codes and the SMF Notice.
    2. Eliminates gaps, clarifies escalation routes, and provides clear audit trails for JFSC examinations.
  3. Without first completing the SMF designation process, your matrix would lack regulatory teeth; it would be an organisational chart rather than a document tied to enforceable personal accountability and potential penalties.
  4. The Benefits of Getting This Foundation Right

Starting with SMF rules and the explicit requirements of the Codes (especially Part 3 on Risk) delivers far more than regulatory compliance:

  • Stronger “tone from the top”. Senior individuals understand their personal exposure, so they actively engage with the BWRA rather than delegating it entirely.
  • More effective risk mitigation. A properly owned BWRA leads to targeted controls, better resource allocation, and a proactive strategy.
  • Easier JFSC engagement. During supervisory visits or examinations, you can demonstrate that risks are owned at the right level with clear lines of accountability.
  • Reduced regulatory and reputational risk. Personal accountability drives better decision-making and fewer material breaches.
  • Scalable governance. The same framework supports broader enterprise risk management (beyond just financial crime).

Final Thought: Governance Before Process

  1. In Jersey, you cannot effectively build a Business-Wide Risk Assessment (BWRA/EWRA) or a meaningful accountability matrix without first addressing who the accountable senior managers are under the SMF rules and the explicit requirements of the Codes of Practice, particularly:
    1. Part 3 of the sector-specific Codes of Practice on risk, responsibility apportionment, and senior management/board oversight.
    2. Section 2 of the AML/CFT/CPF Handbook on responsibility for senior management/board oversight.
  2. The JFSC’s framework (the SMF Notice, the AML/CFT/CPF Handbook, and all sector-specific Codes of Practice) makes this explicit and enforceable.
  3. Firms that treat SMF mapping and Code compliance as a mere box-ticking exercise miss the point—those who embrace it as the foundational governance step build stronger, more resilient businesses.

Action point for compliance leaders:

  1. Review your current SMF mappings against the 2023 Notice, cross-reference them with Part 3 of your applicable Code(s) of Practice, update your BWRA/BRA ownership, and refresh or create your accountability matrix. Make this your priority project.
  2. Comsure helps Jersey-regulated businesses turn these regulatory requirements into practical, value-adding governance frameworks.
  3. Get in touch if you’d like support mapping SMFs, refining your BWRA, or building an effective RACI matrix that satisfies the Codes.

Compliance is not a cost; it’s a competitive advantage when done right.

SOURCES

  1. Senior Management Function (SMF) Rules / Notice
  2. AML/CFT/CPF Handbook
  3. Codes of Practice – Main Landing Page

The current Codes of Practice are:

  • Alternative Investment Funds Code of Practice – Effective from 16 April 2026
  • Certified Funds Code of Practice – Effective from 1 January 2021
  • Deposit-taking Business Code of Practice – Effective from 01 January 2025
  • Fund Services Business Code of Practice – Effective from 15 July 2021
  • General Insurance Mediation Business Code of Practice – Effective from 1 January 2021
  • Insurance Business Code of Practice – Effective from 1 January 2021
  • Investment Business Code of Practice – Effective from 17 January 2022
  • Money Service Business Code of Practice – Effective from 1 January 2021
  • Trust Company Business Code of Practice – Effective from 1 January 2021