Business Risk Assessments are the foundation of any Anti-Money Laundering (AML) and Combating the Financing of Terrorism (CFT) strategy.
This summary is written, with thanks, by Amanda Reilly, Director of Supervisory Engagement at the JFSC, who is responsible for the teams which supervise the banks, funds services businesses (FSBs), international businesses, trust and company service providers businesses (TCBs) and some designated non-financial businesses and professions (DNFPBs) such as the larger law firms. Here she outlines the results of the recent JFSC thematic examination in relation to BRAs made by industry.
Earlier this year the JFSC conducted a thematic examination in regards to AML and CFT Business Risk Assessments (BRA) and strategy. At the event, Amanda gave an overview of these results. An industry feedback paper containing all the detail is scheduled to be issued by the JFSC’s Supervision Examination Unit by the end of the year.
It’s no coincidence that the first codes of practice within the AML and CFT handbook describe an organisation’s requirement to assess its exposure to money laundering, terrorist financing and proliferation financing risk, with a documented strategy of how to counter those risks.
This assessment is the bedrock upon which an organisation’s systems and control framework is developed, and if done correctly may save that organisation significant time and expense in the future. In line with international standards, the JFSC expects that a robust and ongoing assessment of financial crime risk exposure is conducted. If this is not done, it can result in it not being effective in mitigating and managing those risks. The consequences of this must not be underestimated.
The JFSC uses a risk model to drive its supervisory activity, and it shows that AML and CFT governance is our most frequently assessed risk protocol. For this exercise we identified 11 organisations across the Banking, FSB, IB and TCBs sectors. To gain a wider perspective of how Industry complies with the regulatory framework we decided to issue a questionnaire to 20 DNFBPs. We were mindful of the examination activity conducted by our Pooled Supervision Unit across the legal sector in 2021, so limited the questionnaire to:
- 10 accountancy firms
- 5 law firms
- 5 estate agents
Information requests were issued asking:
- AML and CFT BRA and strategy and resulting risk appetite
- development, awareness and use of the AML and CFT BRA and strategy
- extract of minutes evidencing discussion and approval of the BRA and strategy
- methodology used to assess the risks
- index of P&Ps focusing on the P&Ps re AML and CFT BRA and strategy
- CMP overview, as this should align with the risks identified in the BRA
- effectiveness of the control environment, cultural barriers and any identified deficiencies
- customer list with risk data
- declined and terminated business register
Nine of the 11 examinations were completed onsite, the first since before the COVID-19 pandemic. They lasted three days and involved board or senior management and members of the compliance function. We identified that:
- 50% of the entities did not adequately identify key risk factors such as customer, products or services, geographical factors and sensitive activities
- 30% of the entities could not demonstrate that the board had approved the BRA, as this was delegated to a committee which did not consist of all board members
- 20% of the entities based their BRA on group documents and whilst these were localised to varying degrees, the BRA was still not adequate for Jersey requirements
- the majority of entities had at least one finding in regards to its internal systems and controls
- all entities had findings in relation to record keeping, ranging from a failure to minute approval of the BRA, to a lack of scrutiny, discussion or challenge. This is a recurring theme and the need for adequate records to be maintained on decision making needs to be underlined
- 1 entity had failed to apply its own methodology in the BRA to its customers identified as high risk in the supervisory data submission, and another had an incomplete risk matrix which formed part of the BRA
As a result of the responses to the questionnaire, six organisations were selected for a deeper dive into the answers provided, and two accountants, two law firms and two estate agents were subject to a further review. These findings were very similar in nature to those recorded for the entities subject to the examination. As a result the JFSC will soon issue a consultation paper to enhance the handbook in respect of conducting and maintaining a BRA, as we recognise that further guidance would support industry.
The importance of getting an AML and CFT BRA and strategy right cannot be overstated. Establishing and assessing the financial crimes risks which an organisation faces is the foundation to effectively mitigating and managing those risks. If the BRA is not adequate, the control framework upon which it is based will be deficient and will not protect the organisation and its stakeholders.
The cost of getting it wrong tomorrow will be much greater than investing the time and energy required to assess the risk exposure your firms face today. From what we have seen during this exercise, you should not underestimate the value of complying with this key regulatory requirement. Remember that prevention will always be much cheaper, and far less painful and resource intensive, than cure.