The latest Consultation Paper (No. 10, 2018) from the Jersey Financial Services Commission (“the JFSC”) has floated the proposal that regulated entities which control client monies (other than banks) should implement an annual review of their relevant controls. I don’t think this is particularly controversial, but it struck me that this is yet another requirement for a review, following on from the existing requirements for reviews of corporate governance arrangements and compliance risk management, in line with what seems to be the general direction of travel in Jersey’s regulatory regime.
Whilst I don’t know the inner workings of the mind of the JFSC, it seems likely that each of the reviews which are now required has been triggered by issues at regulated entities, albeit that the Consultation Paper also makes reference to the standard issued by the Group of International Finance Centre Supervisors (“GIFCS”).
Corporate governance arrangements
All regulated entities, other than those subject to only AML regulation by way of being regulated under Schedule 2 of the Proceeds of Crime Law, are required to undertake regular reviews of their corporate governance arrangements. The Codes for each of the regulated sectors specify that such reviews must be “appropriately regular” (which in our view would typically mean “annual”), should assess the appropriateness of the corporate governance arrangements in light of the business’s activities and risk profile and should include an assessment of the board’s effectiveness.
Clearly, corporate governance is the foundation of any business and is particularly important for a business which has responsibility for its clients’ assets. We’ve published an earlier article which considered the challenges for a board to effectively assess its own performance (https://www.cyan.je/board-effectiveness-reviews/), so I won’t go into that again. Importantly, it should be noted that the requirement is for all corporate governance arrangements to be assessed, it’s not just limited to an assessment of the board, albeit that that will be an important element of the assessment.
Robust corporate governance arrangements should hopefully provide a robust defence for a regulated business against other regulatory issues or, at least, help the business to spot problems and address them quickly. I would, therefore, hope that directors of a regulated entity would acknowledge the value of an effective corporate governance review, so that they can be comfortable that they are fulfilling their own responsibilities and running the business well.
Compliance risk management
The next review applies to everyone apart from certified funds, money service businesses and Schedule 2 firms. It is to undertake an assessment, specified to be on at least an annual basis, of the extent to which compliance risk is managed effectively. Now, the JFSC has defined compliance risk as “the risk of legal or regulatory sanction, material financial loss, or loss of reputation that a registered person may suffer because of failing to comply with the regulatory framework, including relevant legislation.” Obviously the compliance function plays a very significant role in managing this risk but it is important to remember that other parties play a part, particularly the board who retain ultimate responsibility for compliance. Similarly to the corporate governance review not being limited to board effectiveness, this compliance risk management review should not be limited to the effectiveness of the compliance function.
There have been instances in past years where businesses have not been effective in managing compliance risk, for many different reasons including:
- The board lacking any interest in or understanding of legal and regulatory requirements;
- The board / compliance function not being aware of industry practice so, for example, not knowing what the compliance function’s tasks and responsibilities should be;
- An under-resourced compliance function;
- An ineffective Compliance Officer/MLCO/MLRO; and
- Incomplete compliance reporting to the board/committee.
A thorough and useful review should consider the management of compliance risk throughout the business and so, in our view, should include the role of the board, any committees, any internal audit function, risk, the effectiveness of reporting etc. This should, in turn, identify any problems, including those listed above, and hopefully any early warning signs of any such problems.
Again, given the importance of compliance, particularly given its role in protecting a regulated business, its senior management and staff, there can be significant value in reviewing how the different areas and levels of the business manage compliance risk.
Client money controls
This is the review proposed in the latest consultation paper. Although specific provisions may be tweaked, it seems unlikely that the requirement for a review will not progress.
The proposed requirement is that where a registered person controls client/customer/fund money, it should implement an independent review of the controls over such money on, at least, an annual basis. The review shall verify the effectiveness of the relevant controls with particular regard to those controls that prevent the loss, misuse and misappropriation of such money. Again, the review is to be performed by an appropriately qualified independent person who may be an internal or external party.
It’s interesting to see how the wording of the review requirements has evolved over time – the client money review, the most recent, is the first to specify that the review must be “performed by an appropriately qualified independent person”. I’ll set out some thoughts on the challenges this presents later in this article.
Many of the industry sectors are subject to client money or client assets orders in addition to relevant Code of Practice requirements so businesses will, typically, already be testing their client money controls as part of their compliance monitoring programmes. However, the JFSC’s themed examination last year did nonetheless identify some findings in this area such that it appears to uphold the GIFCS requirement. (The JFSC has published a feedback paper on its findings from the client assets examinations (https://www.jerseyfsc.org/media/2287/2018-11-27-themed-q2-3-2018-client-assets-key-findings.pdf) and all affected businesses should consider the contents of the feedback when formulating the scope of their client money review later this year. I would also direct you to Chris Cooke’s earlier article (https://www.cyan.je/how-safe-is-your-client-money/).
Few businesses, and few compliance functions, will be pleased to have yet another review requirement imposed. However, these reviews will assess some of the most fundamentally important controls within regulated businesses.
The reference to the client money review being undertaken by “an appropriately qualified independent person” is interesting. Arguably, in order to be effective, all reviews should be undertaken by such a person but the client money review is the only review where this is specified.
It should hopefully be reasonable to assume that a Compliance Officer would be “appropriately qualified”, whether by qualification and/or experience. The independence point, however, is more complicated. The Consultation Paper explains that where an internal party performs the review they “must be operationally independent from the individuals or functions within the registered person responsible for the operation of the controls under review.” It’s unclear what is meant by “operationally independent” but I’m not sure how a Compliance Officer (who is, after all, responsible for monitoring systems, controls, policies and procedures and or recommending amendments to these, according to the Codes of Practice) can be said to be wholly independent of any controls in a regulated business.
Of course, the point goes further back to the perennial question of whether a Compliance Officer can ever be truly independent of their employer, represented by the board of directors of the regulated business. I know many Compliance Officers who have bags of integrity and will always do their utmost to fulfil their responsibilities. However, I can easily imagine that it might be very difficult for a Compliance Officer to undertake a wholly objective review and then produce a frank report, for example on the effectiveness of his or her bosses (being the board of directors), or the effectiveness of the compliance function itself.
For those businesses with an internal audit function, or with compliance functions in other jurisdictions, the use of these people to undertake the reviews may alleviate some of the conflicts of interest. But where reviews are undertaken internally, the inherent conflicts of interest should at the very least be noted in the resulting reports. In respect of the client money review in particular, it may also be worth considering if any relevant work is already being undertaken by way of the compliance monitoring programme, transaction monitoring or periodic reviews, for example. Given the current workloads faced by regulated business, any duplication of effort should be avoided if at all possible without compromising the quality of the review work.
Done effectively, a robust review should be comprehensive, tailored to the business and practical. It should provide the board and key persons with comfort that the business is being managed appropriately and that they themselves are fulfilling their responsibilities in this regard, as well as suggesting possible areas for improvement.
The reviews will also assist the JFSC in their oversight of regulated businesses, due to the requirement for most regulated businesses to provide the JFSC with copies of any reports prepared by an auditor, accountant or consultant that addresses a breakdown or weakness in the business’ internal controls and the recommendations for their improvement.
We should find out in the next few months whether, as seems likely, the client money review requirement is implemented. Needless to say, if you would like to discuss any of the reviews or seek Cyan’s assistance, please do get in touch.