Trust Company Business On-site Examination Programme 2012 summary findings published – During 2012, the Jersey Financial Services Commission (the “Commission”) continued its
programme of on-site examinations as part of its supervision of trust company businesses.

The purpose of an on-site examination is to assess a business in terms of its performance against the legislative and regulatory framework, i.e. Laws, Orders and Codes of Practice for Trust Company Business (the “TCB Codes”) and the Handbook for the Prevention and Detection of Money Laundering and the Financing of Terrorism for Financial Services Business Regulated under the Regulatory Laws (the “Handbook”).

The objective in publishing summary findings from a programme of on-site examinations is to share common findings in order that individual trust company businesses may assess where they sit in terms of meeting the requirements of the legislative and regulatory framework.

Read the a summary of the key findings

5 Findings arising from on-site examinations

5.1 The summary findings detailed below have been drawn from all findings across all types of examinations conducted in 2012.

Corporate Governance

Committees and Terms of Reference

5.2 The majority of findings in this area related to gaps and inconsistencies in the terms of reference for delegated committees.
• Such gaps occurred in the documentation of the delegated authorities and reporting lines for a notable number of businesses, and
• in some instances, where there were overlaps in the delegated authorities of more than one committee within the business.

Conflicts of Interest

5.3 Following publication of the Dear CEO letter dated 22 October 2010, the Commission continued to focus on the management of conflicts as part of its on-site examination process.

5.4 As a result, the Commission noted a number of instances where conflicts were not identified and recorded as such. These included
• customers lending to other customers;
• retrocession fee arrangements;
• customers acting as co-trustee within the business, management of structures on behalf of shareholders/principal persons, and
• directors co-investing with customers.

5.5 In addition, the Commission noted that procedures had not been updated to incorporate
• the concerns raised in the Dear CEO letter and,
• although not expressly stated in the letter, a number of businesses had not identified and recorded circumstances within the business where it employed a spouse or relative of an existing employee.

5.6 The Commission will continue to include corporate governance and conflicts of interest in the scope of its on-site examinations on an on-going basis to ensure effective oversight and management in these two key areas.

Anti-money Laundering

Business Risk Assessment and Strategy

5.7 The Commission noted a limited number of findings in this area compared to that of previous years. Of the notable findings in this area, a number related to the business not identifying when a new venture, product or market would be reason to revisit the risk assessment.

5.8 Better business risk assessments demonstrated
• a link between the risks identified and their underlying customer base,
• made a further connection from the risks identified, to the strategy to combat the risks and then to its adopted policies and procedures.

5.9 The Commission noted that better business risk assessments also resulted where active participation on the part of senior management took place.

Risk Management Systems and Controls

5.10 The Commission encountered a broad range of issues in relation to risk management systems, ranging from
• inaccurate assessment of geographical risk,
• lack of details regarding customer background,
• failure to identify politically exposed persons (“PEPs”),
• as well as gaps within the risk rating methodology itself.

5.11 In a notable number of businesses,
• the risk rating methodology was found to be too open to subjectivity of the user and
• there were several instances in which the business had not applied a significantly high enough score to individual risk factors to raise the overall rating of the customer entity, where there is a clear need to do so, such as, for PEPs or associates of PEPs.

5.12 The Commission found that the risk rating methodology for a number of businesses did not fully capture the factors to consider, as set out under section 3.3 of the Handbook.
• Specifically, the methodology under review failed to identify:
o whether the activities of the customer and/or the entity under administration included sensitive activities (as listed in the Commission’s sensitive activities policy) or
o higher risk trading activities;
o high volume and high value transactions; or
o complex transactions.

5.13 Other considerations not always included comprised whether
• bearer shares are held,
• tax considerations and delegated authorities,
• such as powers of attorneys,
• mixed boards and
• external signatories as well as the use of external or co-trustees.

Customer Due Diligence and Customer Profiling

5.14 The Commission noted that some businesses were unable to fully meet the requirements of sections 3 and 4 of the Handbook for collecting and maintaining
• customer due diligence and
• customer profiling.

5.15 This was predominantly borne out in the conduct of business findings, with almost half of all conduct of business reviews resulting in at least one form of deficiency. Typically, businesses were not able to demonstrate
• the ability to succinctly record the rationale for the entity or structure being established.
• Information was found to be held in disparate places, resulting in difficulty for business to demonstrate effective, timely transaction monitoring.

5.16 Inaccuracies in the documentation of rationale was found in a large number of businesses, which corresponded to a lack of understanding of the requirement to record the reason for using an offshore jurisdiction rather than a summary of the underlying activities of the structure.

5.17 Frequently, findings in relation to rationale noted that the description was often generalised, as for example, “investment/asset holding”.
• In order to achieve significant improvement in this area, businesses should be actively considering
o relevant training for staff in all areas of the business tasked with risk management and
o review in order that overall levels of understanding of the requirements are increased.

5.18 Often, tax considerations were not documented or tax advice was not included as part of the customer profile.
• Consideration as to the Identification and verification of third parties, or those connected with the wider relationship, was also found to be inconsistent.
• In some cases, where adverse open source information was held, there was no documented consideration of its impact in terms of the customer relationship.

5.19 The Commission will continue to examine in this area until such time as businesses are better able demonstrate a greater level of compliance with the requirements of the Handbook.

Suspicious Activity Reporting (“SAR”) issues, policies and procedures

5.20 During the course of 2012, the Commission examined a number of businesses where deficiencies were identified that related to the requirements as set out in the Money Laundering (Jersey) Order 2008 and section 6 of the Handbook.

5.21 Non-compliance ranged from
• gaps in the businesses’ policies and procedures in meeting the requirements of this section of the Handbook, to
• pockets of more significant breaches, where potential consequences could give rise to more serious sanctions and reputational damage.

5.22 Specifically, in a number of cases the Money Laundering Reporting Officer
• had not acknowledged the receipt of internal reports and failed to clearly document the decision whether to externalise reports.
• In more than one instance, the Commission found it necessary to make recommendations in respect of training and there were frequent findings in relation to an absence of follow-up action after a report has been made to the Joint Financial Crimes Unit (the “JFCU”), such as the consideration of whether to terminate the customer relationship .

5.23 Given the significant proportion of businesses where findings in relation to anti-money laundering controls in relation to suspicious activity reporting were noted,
• the Commission has made this area a target theme for 2013 and all businesses subject to examination in 2013 will receive attention in this area.

Compliance Monitoring Programme

5.24 In its feedback papers published in 2010 and 2011, the Commission communicated the expectation that, in accordance with the TCB Codes, businesses will have implemented a robust and effective compliance monitoring programme.
• With regard to those businesses examined in this area, the following analysis is made.

Content

5.25 A number of businesses omitted to either:

• implement a comprehensive compliance monitoring programme covering
o all their internal controls and
o relevant Sections of the Law, Orders and TCB Codes; or
o demonstrate that the compliance monitoring programme, being restricted in scope, had been determined with an appropriate risk-based approach.

5.26 With regards to the latter, the Commission found that a number of regulated entities had:

• inappropriately restricted the scope of their compliance monitoring programme, for example to focus solely on AML matters or to the exclusion of internal controls generally; and
• failed to periodically review the compliance monitoring programme to ensure that factors, such as changes to its business strategy or regulatory requirements, are appropriately reflected.

5.27 One regulated entity, a managed trust company, failed to have any compliance monitoring programme in place.

Approval

5.28 One in four businesses had not submitted the compliance monitoring programme to the board, or delegated sub-committee, on a periodic basis for consideration or approval.

Testing

5.29 A number of businesses included tasks to be undertaken by the Compliance Function within the compliance monitoring programme which, although valuable and important, failed to report on compliance with the business’ internal controls and relevant Sections of the Law, Order and TCB Codes.
• Such tasks included the maintenance of
o registers,
o renewal of professional indemnity insurance,
o review of the business risk assessment diary reminders to undertake other compliance activities and
o the oversight of the businesses timely completion of tasks.

5.30 One business included
• a test that involved reviewing the breaches register to provide negative assurance as to the business’ level of compliance with the TCB Codes;
• however the Commission does not consider that such a test in isolation is sufficiently robust to provide such a view and would expect positive assurance to be provided.

5.31 One business included
• a list of the controls in place and assumed adherence to the controls without testing compliance within the business.

Independence

5.32 Where compliance monitoring is undertaken by the Compliance Function, the Commission expects an appropriate level of the testing to be independent.

• Although the Commission recognises the challenges faced by Compliance Officers of smaller trust companies with regards to maintaining independence, it is important for the non-independent tests (those where the Compliance Function is checking an element of its own performance) to be identified as such and the balance to be testing of internal controls where the Compliance Function are not involved.
• An exception to this would be where there is appropriate segregation of individuals within the Compliance Function who undertake the compliance monitoring activities.

5.33 For example
• the Compliance Function of one regulated entity completed the periodic customer reviews and included sections of the periodic reviews as part of the compliance monitoring programme, therefore checking the completion of its own work.

Evidence

5.34 Businesses did not always document the testing to be completed under the compliance monitoring programme or sufficiently maintain working papers to evidence completion.

Reporting

5.35 A number of businesses did not provide comprehensive reporting to the board, or delegated sub-committee, on compliance monitoring, including:

• reporting on exceptions identified;
• remedial action and progress;
• trends; and
• progress on the completion of the compliance monitoring programme.

Policies and Procedures

5.36 The Commission found gaps in procedures in almost one sixth of examinations undertaken in 2012.
• Where businesses were examined under a conduct of business review,
o the uncovering of corresponding deficiencies in policies and procedures highlighted that there can be a degree of deficiency in both the design and in the application of procedures in practice.

5.37 Specifically, gaps in procedures and common findings related to processes surrounding
• the take-on of new business,
• the risk rating process,
• identification and verification of customers,
• the content of periodic review forms and,
• in one example, procedures made reference to out of date requirements.

5.38 The Commission’s expectation is that policies and procedures should be
• revisited periodically (for example, as part of the compliance monitoring plan) and
• on an ad-hoc, arising basis in order that the business ensures that its policies and procedures are kept up to date with regulatory requirements and are relevant to current business needs and practices.

Periodic Reviews

Scope and Focus

5.39 In six of the businesses examined, the Commission found that the scope of the periodic review was not sufficient in detail to cover the following areas:

• AML matters, such as
• updating of customer due diligence,
• checking suitability of the recorded rationale and
• customer profile;
• whether a complaint or threat of litigation had
  been made during the period;
• whether up to date tax advice was held; and
• additional, further review of different types of
  underlying asset classes.

Quality

5.40 In a small number of businesses, the poor quality of completed reviews was apparent, indicating that either training or resourcing, or a combination of both, was an issue.

5.41 There were also instances of a “tick box” exercise, rather than a qualitative assessment review, where no supporting comments on the part of the reviewer, or as part of the sign off, were noted.

Read the full report and findings

http://www.jerseyfsc.org/pdf/TCB_2012_Examination_Feedback_June_2013.pdf