Following the release of the New Guernsey AML/CFT Framework, effective 31 March 2019, we have collected some of our early thoughts with regard to key changes. What does this mean for the Financial Services Industry and what should business leaders and AML practitioners be considering as they seek to revise or establish their new AML/CFT Framework?
What do they need to do and understand to be able to walk confidently into tomorrow?
Working through the Legislation, as it has been provided for approval by the States of Guernsey, there is a marked change from the current legislation and Directors and/or Partners of Specified Businesses will need to be aware of these changes and ensure that their policies, procedures and controls are designed not only to meet the new Guernsey AML/CFT Framework but to also satisfy the need to protect against financial crime risks and safe guard their customers.
Specified Businesses – One Handbook for all
There will now only be one Handbook with both Financial Service Businesses and Prescribed Businesses now collectively known as “Specified Businesses”. All Specified Businesses must have an AML/CFT Governance Framework that allows for policies, procedures and controls to effectively and continually identify, assess, mitigate, manage, review and monitor the financial crime risks that are posed to the Specified Business. The National Risk Assessment, along with the perceived or actual identified financial crime risks, in respect of its products, services and customers must be taken into account. Furthermore, Specified Businesses must abide by the rules, instructions and guidance published by the Commission from time to time
Business Risk Assessment
The starting point for the governance process remains with the Business Risk Assessment. Whilst the requirements generally remain the same, there is a broader financial crime remit rather than pure AML. The regulatory AML/CFT Framework requires a Specified Business to consider the following:
- All relevant financial crime risk factors, deciding if they apply or not to the Specified Business
- Assessing and concluding the overall level of risk faced
- The type and the extent of risks that are acceptable in pursuit of achieving the Specified Business’s strategic aims
- What is an appropriate level or type of mitigation that will be applied via its policies procedures and controls
We also see the requirement for the Business Risk Assessment to take in to account the nature, size and complexity of the business regarding the following:
- Its customers
- Countries and geographical regions it engages with and transacts in, or provides it products and/or services to
- its delivery channels
The new AML/CFT Framework now includes the requirement for the review and assessment of new products and technologies to be considered before they are applied in the AML/CFT Framework of a Specified Business. The Specified business must have a detailed and specific Business Risk Assessment that provides a high-level overview of the business.
Customer Risk Assessment
The Business Risk Assessment flows in to the Customer Risk Assessment which must now include the consideration of a customer to the risk appetite of the business. There must be an understanding that the combination of financial crime risks identified may itself increase the financial crime risk posed by the Customer, as well as consideration of the National Risk Assessment as it pertains to the Specified Business. The Customer Risk assessment must be specific to the activities of the Specified Business, and referenced against the following risks:
- Delivery channel
This assessment will assist the business to meet the Guernsey Data Protection Regulations and obtain the relevant and required customer due diligence on natural persons commensurate to the financial crime risk they pose.
Customer Due Diligence
The level of Customer Due Diligence will be dictated by the level of financial crime risks identified and the requirements of the Commission’s Handbook to the risk identified. The focus for the verification subjects will be in respect of beneficial ownership and those controlling the entity or structure (except for an entity listed on a recognised stock exchange or a majority owned subsidiary of such a company). What is key here is the Specified Business must have obtained sufficient and suitable identification and verification evidence/ documentation to demonstrate it has obtained a good understanding of the purpose and intended nature of the business relationship or occasional transaction.
This also brings in the requirement to undertake enhanced measures where a customer meets the following requirements:
- The customer is not resident in the Bailiwick,
- The Specified Business provides private banking services,
- The Customer is a legal person or arrangement for personal asset holding purposes and where a legal person has nominee shareholders or owned by such an entity.
The Specified Business must undertake measures to be able to mitigate the specific risks associated with the customer and ensure that this is demonstrable. For example, obtaining the source of wealth and funds for a customer who is part of an asset holding arrangement.
High Risk Relationships
Whether a Specified Business identifies its customer as high risk through the accumulation of risk, predetermined high risk rationale of the Specified Business or as required by the regulation and commission, it will need to undertake enhanced customer due diligence. High risk relationships include:
- PEP relationship or connection,
- Relevant connection to a high-risk geographical jurisdiction
- Correspondent Banking Relationships
The new AML/CFT Framework precludes Specified Businesses from entering into, or continuing a correspondent banking relationship, and there must be appropriate measures to ensure that it does not enter into or continue such relationships or permit its accounts to be utilised by a shell bank. Furthermore, Specified Businesses must not set up anonymous accounts or accounts in fictitious names.
There also needs to be consideration over Politically Exposed Persons, specifically to whether they are a foreign PEP, a domestic PEP or an international organisation PEP. These are new categories that need to be included and documented.
The requirements for Enhanced Customer Due Diligence changes slightly with specific senior management approval required for Foreign PEPs. Where the beneficial owner is a PEP, an understanding of the Source of Funds and wealth of the customer must be obtained through reasonable measures and documented.
Monitoring of high-risk relationships in respect of Enhanced Customer Due Diligence needs to continue to be undertaken more frequently whilst looking more extensively at patterns of activity or transactions. Additionally, the business will need to obtain additional information and evidence as follows:
- On the type, volume and values of the customers assets
- Additional information on any other beneficial owners,
- Additional aspects of the customers’ identity,
- Obtaining additional information to understand purpose and nature of the business relationship or occasional transactions and obtaining information on the other beneficial owners’ source of wealth and funds where they are not the Customer or Political Exposed Person.
Politically Exposed Persons
Further to differentiating between the different types of PEP, the new Framework also allows the following:
- Domestic PEPs to be treated as not being a PEP after a period of 5 years after ceasing to be entrusted with a prominent public function
- Foreign and international organisation PEPs to be treated as not being a PEP after a period of seven years after ceasing to be entrusted with a prominent public function.
The two requirements for this are that a Specified Business;
- Understands the Source of Funds within the business relationship or occasional transaction and
- The person is not a Head of State or Government or the Head of an international organisation inclusive of persons who are the immediate family, maintain a close business relationship, or in a position to conduct substantial transactions on behalf of such a person.
With respect of high-risk jurisdictional and geographical connections, the new Handbook clarifies this as requiring a relevant connection. The relevant connection is defined as follows:
- Being either resident in the country or territory,
- Having a business address in the country or territory,
- Deriving funds from assets held directly or on behalf of the customer in the country or territory,
- Receiving income arising in the country and territory
- Any connection that the Specified Business feels is a relevant connection to a country or territory.
There will be customers who neither require Enhanced Customer Due Diligence nor enhanced measures and for those customers who are risk rated as low risk and in accordance with the NRA, the Specified Business can utilise the provisions for Simplified Due Diligence as detailed in the Commission’s Handbook.
Simplified Due Diligence
There is a requirement to undertake all the risk assessments, due diligence gathering, understanding of the business relationship and financial crime risks, prior to the on-boarding of the customer. There will be occasions where it will not be possible to obtain due diligence prior to the start of the relationship and the new Handbook still allows for this to happen in certain circumstances as follows:
- That it is not high risk
- It is to be completed as soon as practicable after the commencement of the Business relationship,
- It is essential not to interrupt the normal conduct of business and
- That there are effective and appropriate policies and controls in place to manage the risks identified, such as limitation on transaction and or the type of transactions etc.
Introduced Business Relationships
The Guernsey AML/CFT Framework retains the ability for business relationships and occasional transactions to be introduced by Appendix C Businesses or subsidiaries of such. The Specified Business must ensure the following:
- Requirements relating to AML/CFT will be met
- That it will receive copies of identification data upon request
It is important to remember that Customer Due Diligence must meet the requirements of the Guernsey AML/CFT Framework as the responsibility for meeting the requirements of the Guernsey AML/CFT Framework remain with the Specified Business.
Non-compliance with Due Diligence Measures
There will be occasions where customers may be non-compliant with the due diligence measures as set out by the Commission in their new Handbook. Where this is the case, a proposed business relationship or occasional transaction should not be entered and an existing relationship must be terminated. The business must consider and document their assessment of whether a disclosure is required to be made under the Disclosure Law or the Terrorism Law.
The new Guernsey AML/CFT Framework retains the requirements for the Money Laundering Reporting Officer and the Nominated Officer. The MLRO and Nominated Officer will be relevant employees to receive additional and on-going training that is appropriate for their roles. The Directors and/or Partners Money Laundering Compliance Officer and Senior Management will also be required to have additional training that is appropriate for the role they undertake in the Specified Business’s AML/CFT Framework. Employees, dependent on their role within the Specified Business, must have comprehensive training on the relevant Guernsey enactments, the new Schedule and Handbook in order to understand and appreciate their personal obligations and responsibilities and the consequences of non-compliance to the Guernsey AML/CFT Framework.
A Specified Business in evidencing its compliance with the Guernsey AML/CFT Framework will need to retain records. The new schedule makes specific reference to the following;
- Transactional documents, risk assessments, for a period of five years from the cessation of the business relationship or carrying out an occasional transaction.
- Business Risk Assessments and its policies, procedures and controls require to be retained for a period of 5 years from when they ceased to be operative.
- Records relating to disclosures made to the MLRO must be retained for a period of five years from the cessation of the business relationship or the carrying out of an additional transaction.
- Any AML/CFT training carried out for a period of five years when the training was undertaken. Minutes or other documents relating to the Specified Business AML/CFT Framework and compliance status.
Records can be kept in any form if they are readily retrievable and can be provided promptly to auditors, police, Financial Intelligence Services and the Commission.
A Specified Business’s AML/CFT Framework needs to meet the requirements of the regulation, the specifics of the Handbook and the rules, instructions and guidance published from time to time by the Commission. The Directors and/or Partners must have in place a suitable and sufficient governance structure from which they can evidence and demonstrate that they have taken due corporate responsibility while enhancing, and where required, remediating their business. They must ensure that as a minimum, they can evidence their consideration of their compliance AML/CFT Framework annually and the status is discussed and assessed and where required enhanced to meet the size nature and complexity of their business and the financial crime risks that are posed or advised via the National Risk assessment. The Handbook contains the requirement for a new role of Money Laundering Compliance Officer to undertake this review of the compliance status of the Specified Business and reports to the Board for their discussion and assessment in this area, meeting the corporate governance requirements.
It is for Specified Businesses and their controllers and management to ensure that their AML/CFT Frameworks meet the requirements set out by the Commission regarding the identification, assessment, mitigation, management, review and monitoring of the financial crime risks that are posed and pertinent to its business on an on-going basis. The devil will be in the detail of the Handbook and any other instructions and guidance published by the Commission from time to time.
All in all, this is a positive enhancement of the Guernsey AML/CFT Framework to ensure that Guernsey continues to meet international standards and remains a desirable International Financial Centre, enabling businesses to move forward confidently into tomorrow, as we are already there!