Sanctions Risk – is your Business Risk Assessment (“BRA”) current?

Over the past few months, most businesses have learned a great deal about sanctions, in particular how practical and effective the business’ controls are when put to the test! 

It seems an opportune time for businesses to reflect and consider what lessons have been and should be learned from the recent experiences.  

The JFSC has published a number of pieces of guidance addressing different areas of sanctions, including the note “Key Considerations for Relevant Financial Institutions”. The note addresses several practical matters, providing some detail on JFSC expectations, including with reference to a business’ Business Risk Assessment (“BRA”). 

By way of a brief recap, the JFSC’s AML/CFT Handbook sets out the requirement to: 

• Identify the supervised person’s money laundering and financing of terrorism risk 
• Ensure that its systems and controls are appropriately designed and implemented to manage those risks, and 
• Ensure that sufficient resources are devoted to fulfilling these responsibilities 

The “Key Considerations for Relevant Financial Institutions” guidance includes a reminder that the BRA should provide adequate coverage of financial sanctions as well as financial crime risks and controls. The guidance note states the following risks should be considered from a sanction perspective in addition to their consideration from an AML/CFT perspective. 

• Geographic factors 
• Customer screening arrangements
• Management information
• Policies and procedures
• Staff training
• Reliance on third parties 

This supplements the section from the JFSC’s “Financial Sanctions Practical Guidance” which sets out that a risk assessment should consider how an institution may become involved in breaching sanctions. The guidance notes the following relevant factors which a business may consider in formulating its risk assessment are: 

• Customer, product and activity profiles 
• Distribution channels 
• Complexity and volume of transactions (recognising that one prohibited transaction alone would be a breach) 
• Processes and systems 
• Operating environment
• Screening processes of intermediaries
• Geographic risk of where it does business
• Whether trustees, settlors, beneficiaries, directors and beneficial owners of legal persons and third party payees are screened to ascertain whether there is a risk of indirect benefit to a sanctioned person

It is important to stress that you may have additional factors to those listed above to be considered as part of the BRA.  

Of course, all of the above must be considered with reference to sanctions risk – i.e. the risk of failing to identify any exposure to sanctioned entities / individuals and/or take appropriate actions in response. This is not always straightforward, after all businesses have no influence on whether sanctions are issued or the scope of any sanctions.  

All businesses can do is remain watchful of the political landscape and horizon to see if any sanctions are looming and, crucially, have robust systems in place so that the business is able to respond swiftly and effectively to any new of amended sanctions. A lessons-learned exercise for recent months should prove a solid basis from which to assess how well a business’ controls have performed in this regard. This assessment will, in turn, inform the sanctions elements of the BRA.  

Lastly in determining if your BRA is current, the findings of the JFSC’s recent thematic examination paper, issued on 30 June, should be considered. The JFSC identified the following findings in relation to BRAs: 

• Lack of relevant supporting data – consider supporting management information such as clients with connections to sanctioned countries/activities, number of sanction hits 
• Absence of proportionate criteria to consistently determine the likelihood, impact and levels of inherent and residual risks – this would typically be set out in a methodology paper accompanying the BRA 

• All customer segments or business locations were not included – this is a perennial finding which all regulated businesses should have addressed 
• Targeted financial sanctions had not been considered as a risk factor – this has particularly come to the fore in recent months and will likely connect to the above point re customer locations 
• An ineffective assessment of the adequacy of the supervised person’s control environment to determine if levels of residual risk were within the supervised person’s risk appetite – this should connect through the compliance monitoring findings and the results of any other internal or external review 
• The supervised person’s risk appetite was not aligned with the data set out in the BRA – a documented risk appetite statement is increasingly useful to evidence the board’s decision as to which services, products, customers and jurisdictions will not be considered. 
• Directors were unable to demonstrate their involvement in the risk assessment process – this reiterates the importance of board papers and, in particular, the minutes of board meetings to demonstrate the board’s deliberations and decisions. 

• Boards or senior management were not provided with adequate management information to enable them to demonstrate that they were informed of and acting upon any indicators of changing financial crime risks in its business and risk profile – a comprehensive paper detailing the assessment methodology, drawing out key points and connecting them to relevant information (including the Supervisory Risk Data Returns, National Risk Assessment for the sector and management information) can be invaluable in addressing this point. 
• Failure to consider the risks presented by terrorist financing and proliferation financing – whilst the JFSC has postponed its proliferation financing risk assessment, FATF has published useful typology resources which are available from its website and Jersey’s National Risk Assessment of Terrorist Financing is published on gov.je.   

If you have any queries on the BRA or would like to discuss the appropriate steps to take to ensure compliance in this area, please do get in touch.