The JFSC has published its feedback to the Consultation on AML/CFT Scope Exemptions.
A host of entities which were formerly subject to exemptions will fall under the AML/CFT regime when the necessary legislation is approved in early 2023. They will be required, inter alia, to:
- Appoint an MLRO and MLCO;
- Formulate and implement a Business Risk Assessment (BRA) and strategy, and AML/CFT systems and controls (including policies and procedures);
- Receive and consider regular compliance reports;
- Maintain required records; and
- Where the entity receives services from its AML Service Provider (AMLSP), it must assess the effectiveness of the services provided by the AMLSP.
These changes will likely have a significant impact on both the AMLSPs and the newly regulated entities (referred to in the JFSC’s documents as the AMLSP Direct Customers).
With apologies for the confusing terminology (which follows that now introduced by the JFSC), we’ve tried to summarise below, at a high level, the main requirements set out in the new Codes and guidance notes as they relate to AMLSPs and their Direct Customers.
We will issue other articles on determining whether or not an entity is caught by the new regime and how such an entity can comply with the new requirements if it is not receiving any services from an AMLSP.
An AMLSP must include consideration of its AMLSP services within its BRA, its AML/CFT strategy and its systems and controls (including policies and procedures).
This should include documenting the AMLSP services that it provides for its AMLSP Direct Customers (being the Supervised Persons under Schedule 2) and determining whether there are any differences arising from the provision of AMLSP services for its AMLSP Direct Customers by comparison to the AML/CFT activities that the AMLSP performs for its other customers. If the activities of the AMLSP Direct Customers are similar to those of the other customers, the extension of the AML framework documents should be straightforward as the underlying risks will be similar.
The AMLSP should also consider the AMLSP Indirect Customers (i.e. the customers of the AMLSP Direct Customers) as if they were its own customers when providing AMLSP services and should document any relevant impact in its AML framework documents.
As is already the case, the conclusions of the BRA and AML/CFT strategy must flow through into the organisation and control of the AMLSP’s affairs in order to effectively mitigate the risks that it has identified, including areas that are complex; and so that it can demonstrate the existence of adequate and effective systems and controls (including policies and procedures) to counter ML/TF.
AML Direct Customer MLRO and MLCO
The requirements with reference to the MLCO and MLRO are consistent with those already set out in the AML/CFT Handbook.
The AMLSP must appoint an employee or employees to carry out the roles of MLRO and MLCO to each AMLSP Direct Customer.
The employee should be an employee of the AMLSP (or its financial group), be based in Jersey and have sufficient experience and skills.
The AMLSP must ensure that the MLCO and MLRO:
- has appropriate independence, in particular from customer-facing, business development and systems and controls development roles;
- reports regularly and directly to the MLCO/MLRO of the AMLSP (where they are not the same person) and has a sufficient level of authority within the AMLSP so that the MLCO/MLRO of the AMLSP reacts to and acts upon reports made by them;
- is able to raise issues directly with the governing body of the AMLSP Direct Customer;
- has sufficient resources, including sufficient time and (if appropriate) a deputy and compliance support staff;
- is fully aware of their, the AMLSP’s, and the AMLSP Direct Customer’s AML/CFT obligations;
- formally acknowledges each appointment; and
- has sufficient access to information, oversight and knowledge of the AMLSP Direct Customer’s and the AMLSP Indirect Customer’s activities on a continuing basis to fulfil the MLCO/MLRO role.
In addition, the AMLSP Direct Customer MLCO/MLRO and the governing body of the AMLSP Direct Customer must ensure any proposed AMLSP Direct Customer MLCO/MLRO has sufficient skills and experience to fulfil their role with reference to the specific AMLSP Direct Customer to which they will be appointed.
Where a Deputy MLRO has been appointed, the MLRO must keep a record of them, provide support, monitor their performance and assess whether suspicious activity reports are being handled in an appropriate and consistent manner.
Where appropriate with reference to the size and complexity of the AMLSP Direct Customer, the same employee could hold both the MLCO and MLRO roles.
The employee must have received a “no objection” from the JFSC and be on the list of persons provided by the AMLSP to the JFSC, however a “no objection” for each separate appointment is not required.
The AMLSP must keep the list of persons up-to-date, notify the JFSC when anyone is removed from the list and provide the list to the JFSC on request.
The AMLSP must have sufficient oversight and access to relevant information to appropriately manage the risks of providing the AMLSP services and to enable the MLRO and MLCO to fulfil their responsibilities
The AMLSP must provide the AMLSP Direct Customer with sufficient information to satisfy them that the AMLSP is fulfilling its obligations on an ongoing basis.
The AMLSP must demonstrate to its AMLSP Direct Customer how knowledge, suspicion, or reasonable grounds for knowledge or suspicion of money laundering or financing of terrorism activity will be reported to the AMLSP Direct Customer MLRO (or deputy).
An AMLSP must notify the JFSC and its AMLSP Direct Customer immediately in writing of any material failures to comply with the requirements of the Money Laundering Order or the AML/CFT Handbook in respect of the AMLSP services it provides.
AMLSP Systems and Controls
The AMLSP Direct Customer must be satisfied that the AMLSP:
- Organises and controls its affairs in a way that effectively mitigates identified risks, including any complex areas;
- Is able to demonstrate the existence of adequate and effective systems and controls (including policies and procedures) to counter ML/TF; and
- Is able to perform the activities required to ensure the AMLSP Direct Customer fulfils its AML/CFT obligations.
On an ongoing basis, the AMLSP Direct Customer must ensure its AML/CFT obligations continue to be fulfilled by its AMLSP and must be able to demonstrate its oversight of the AMLSP.
The guidance suggests that a written agreement for services be put in place between the AMLSP and its AMLSP Direct Customer regarding the provision of AMLSP services.
This should include:
- Which AML/CFT obligations the AMLSP is responsible for fulfilling;
- How the services are fulfilled (i.e. the service levels);
- The frequency and content of regular reporting by the MLRO and MLCO to the AMLSP Direct Customer board (or equivalent). Such reporting should be at a frequency in line with the risks assessed within the AMLSP’s BRA;
- The actions to be taken in response to trigger events such as suspicions arising, or a change in the risk profile of an AMLSP Indirect Customer;
- The arrangements around suspicious activity reporting;
- The requirement for the AMLSP Direct Customer to consent to the sub-outsourcing of any of the AMLSP services undertaken by its AMLSP, if sub-outsourcing is to be permitted at all; and
- A clear acknowledgement of the AMLSP Direct Customer’s ultimate responsibility for its own AML/CFT obligations.
This will likely involve the AMLSP revising the existing agreements to reflect the new legal and regulatory regime.
For the AMLSP itself, the guidance suggests that the following documentation should be in place:
- BRA, AML/CFT strategy and systems and controls (including policies and procedures) to include documented consideration of AMLSP services, AMLSP Direct Customers and AMLSP Indirect Customers;
- Board minutes (or equivalent) to include consideration of AMLSP services.
The AMLSP Direct Customer should have board minutes (or equivalent) evidencing that it has carefully considered the appointments of its AMLSP, MLRO and MLCO prior to such appointments taking effect.
The board (or equivalent) should also be able to demonstrate its ongoing oversight of the AMLSP’s services through, for example:
- The review of scheduled compliance reporting
- Participation in all relevant training provided by the AMLSP
- Board minutes (or equivalent) evidencing the ongoing monitoring of services provided by the AMLSP.
AMLSP Direct Customer Reserved Activities
The following activities should only be undertaken by the AMLSP Direct Customer:
- The approval of the appointment of the AMLSP including the AML/CFT services to be provided;
- The approval of any new business relationship (and continuation thereof) or one-off transaction where there is a connection to an enhanced risk state;
- An AMLSP Direct Customer that undergoes mergers, continuance, takeovers or internal reorganisations, must ensure that records remain readily accessible and retrievable for the required periods (including the rationalising of computer systems and storage arrangements); and
- Record-keeping arrangements must be agreed with the JFSC where an AMLSP Direct Customer terminates its activities or transfers customers to another person
There will be a six-month transition period following the implementation of the legislation and we would recommend that AMLSPs and relevant entities start to actively consider how they can most effectively and efficiently respond to the new requirements, particularly considering the impact on key areas including client agreements, compliance resources, business risk assessments and compliance monitoring. The six months will pass very quickly!
Cyan is available to assist both AMLSPs and those entities now coming into scope with any queries.