Briefing on the Moneyval Report
03 August 2024 | Sharon Avis
1. Overview
1.1 Summary
The MONEYVAL Mutual Evaluation Report (Report) analyses the level of compliance with the Financial Action Task Force (FATF) 11 Immediate Outcomes and 40 Recommendations and the level of effectiveness of Jersey’s anti-money laundering/countering financing of terrorism (AML/CFT) system and provides recommended actions on how the system could be strengthened.
The full report and a summary report have been published on MONEYVAL’s website. This report was presented to industry via a briefing delivered on 24 July 2024 and an introductory video is available from their website. The report confirms that Jersey’s effectiveness in preventing financial crime is among the highest level found in jurisdictions evaluated around the world.
Out of the 11 Immediate Outcomes (IO), 4 have been rated as a Moderate level of effectiveness (under the FATF ratings this means that major improvements are required):
- IO 3 - Supervision
- IO 4 - Preventative Measures
- IO 6 - Financial Intelligence
- IO 7 - ML Investigations & Prosecution
It was noted during the panel discussions that the FATF expectations for compliance with IO.3 and IO.4 are proving challenging for jurisdictions to meet and that most countries receive a Low or Moderate rating for these outcomes. Jersey does not, therefore, appear to be significantly out of alignment.
In respect of the Technical Compliance Ratings against the 40 Recommendations, Jersey has been assessed as either Compliant or Largely Compliant, with 1 Partially Compliant for Recommendation 18 - Internal controls and foreign branches and subsidiaries, (due to one part of this Recommendation whereby all financial institutions should have an independent audit function to test their AML/CFT controls).
The following Recommendations were rated as Largely Compliant:
R3 - Money Laundering Offence
R6 - Targeted Financial Sanctions - Terrorism & Terrorist Financing
R7 - Targeted Financial Sanctions - Proliferation
R10 - Customer Due Diligence
R12 - Politically Exposed Persons
R14 - Money or Value Transfer Services
R15 - New Technologies
R16 - Wire Transfers
R17 - Reliance on Third Parties
R22 - DNFBPs - Customer Due Diligence
R23 - DNFBPs - Other Measures
R24 - Transparency & Legal Ownership of Legal Persons
R25 - Transparency & Legal Ownership of Legal Arrangements
R26 - Regulation and Supervision of Financial Institutions
R28 - Regulation and Supervision of DNFBPs
R29 - Financial Intelligence Units
The full report sets out a number of key findings and recommended actions relating to the individual Immediate Outcomes and Recommendations. During the MONEYVAL briefing held, industry were advised that the findings identified were expected and in line with the areas self-identified. It was noted that whilst a Recommendation criterion may have been rated as mostly met, it does not automatically follow that Jersey will act on all findings and it may be that the current approach to how an FATF Recommendation is met is not changed. This links in with the remarks made by Deputy Ian Gorst who stated the island would address Recommendations in a proportionate and reasonable manner.
We have summarised the Recommendations and Immediate Outcomes with more of a direct impact on financial institutions below in sections 2 and 3[1]. The relevant FATF Recommendation criterion[2] is stated in brackets.
1.2 Jersey Financial Services Commission (JFSC) Immediate Actions
The JFSC have announced some of the immediate actions they will take, along with industry engagement which will include:
- Consulting on enhancements to JFSC background checks for principal and key persons, such as the Money Laundering Reporting Officer (MLRO)
- Undertaking a review of how the JFSC assesses supervisory findings which will help boards and compliance functions further their understanding of the seriousness of the finding
- Ensuring the right enforcement action is taken at the right time and JFSC actions continue to be carefully considered based on the severity of the breaches identified and associated risk
Whilst noting the findings in the report and the above action points, the JFSC noted in the presentation that there were no plans to become “an enforcement first regulator”. It was stated the focus would continue to be taking the appropriate action for the situation at the right time.
1.3 Future Actions
- During the MONEYVAL briefing there were a number of actions referenced which are listed below and some we would expect to see covered in more detail in due course:
- The National Strategy will be refreshed in the Autumn
- A review of the "clunky" Money Laundering (Jersey) Order 2008 (MLO). No immediate changes to Articles 16, 17 or 18 but we expect guidance around the use of these will be updated and the JFSC will conduct further fact-finding around the use of the exemptions
- A review of the regulatory environment to be undertaken by the government, expected to start in the second half of 2024 and conclude in the middle of 2025
- The JFSC and Registry Supervision Functions should revisit their supervision activities in relation to legal persons and arrangements with a view to detecting more serious breaches such as cases of beneficial ownership concealment
- Review of current guidance on:
- Complex structures
- Concept of control over legal entities through means other than ownership
- Politically Exposed Persons (PEPs) - application of enhanced due diligence (EDD) measures
- Supervisory data collection - requirement for more data to be provided
1.4 MONEYVAL follow-up
Jersey will be required to report on the actions they have completed in 2 years’ time and expect the next evaluation to be in 2029/2030.
[1] Please note that the findings and recommended actions can be duplicated across different Immediate Outcomes and Recommendations.
[2] Further detail on the evaluation methodology is provided in the FATF Assessment Methodology
2. Immediate Outcome 4 – Preventative Measures and Recommendations 10, 12 and 17
2.1 Understanding of Money Laundering (ML) risks and AML/CFT obligations
- The assessors noted that Jersey has a strong understanding of its ML and terrorist financing (TF) risks informed by a variety of sources. There are some specific areas of risk assessment which would merit further improvements:
o Virtual Asset Service Providers (VASPs) related risks, and
o Risks emanating from transnational organised crime.
- Understanding is generally good across all sectors although it was noted this was not the case for the entire period under review. The report notes that non-bank financial institutions (FIs) understanding of threats and vulnerabilities related to specific characteristics of their business and customer portfolios is less nuanced compared to that of banks. Some weaknesses identified in business risk assessments (BRAs) included:
o A disconnect between the understanding of ML/TF risks and putting place necessary controls
o BRAs not sufficiently well documented in recent years
o Risk assessment processes in the legal sector were subjective and did not capture sufficient detail
- The assessors noted that the risk mitigation strategies of FIs have improved in recent years, however shortcomings were identified in relation to the application of risk-based measures and the effectiveness of internal systems and controls (e.g. delays in periodic reviews, compliance resourcing) were identified in more than 80% of the examinations conducted by the JFSC in 2020 – 2022 for all sectors.
- Periodic reviews did not always include an in-depth examination of economic substance of existing structures or obtaining audit financial statements or tax declaration to ensure tax compliance.
- The understanding of TF risks was overall less well developed. The report highlights that there seem to be no specific measures applied in connection to transactions or customer connected to countries neighbouring higher-risk jurisdictions for TF or conflict zones.
- Whilst noting there was a good understanding of the extent to which legal persons and arrangements can be misused for ML purposes, the risk assessment could have further considered the methods and schemes through which risks could materialise through different types of legal partnership arrangements (LPAs) and their inherent vulnerabilities for TF purposes.
2.2 Complex Structures
The report noted an uneven implementation of risk mitigating measures in relation to complex structures as the criteria employed for identifying those structures varies significantly, which may lead to an uneven implementation of EDD measures.
2.3 Customer Due Diligence Measures
The report found that not all regulated entities (REs) understand fully the concept of control through other means.
It also noted that Jersey requires FIs to understand the nature of an arrangement when the customer is acting for a third party that is a legal arrangement, however, they are not specifically required to understand the nature of the legal arrangement’s business activities (c10.8).
No guidance has been provided that FIs should have copies of trust instruments duly certified and it is not clear whether the copies of relevant extracts from the trust instrument should cover the powers that regulate and bind a trust and the names of all persons involved in senior management of a trust (c10.9).
It is noted that the identification information to be obtained for a legal person or legal arrangement is set out in “guidance” and that there are no explicit legal requirements that address all elements of sub-criteria (b) and (c). (c10.9)
The existing requirements in respect of identifying beneficiaries is not considered to fully meet the standard to obtain sufficient information on beneficiaries of trusts designated by characteristics/class to satisfy themselves that they will be able to identify them at the time of the pay-out or when intending to exercise vested rights (c10.11).
There is no requirement currently in the Handbook[1] in respect of a limited partnership to identify persons holding equivalent positions to settlor, trustee or protector[2]. (c10.11) The Handbook references obtaining names of the general partners and those limited partners who participate in the management but is not specific in requiring identification of any other individuals who may have some control in respect of the partnership.
The report notes that the MLO considers the possibility that FIs may identify linked transactions after their execution and requires Fis to conduct CDD measures (including ID&V of the customer’s identity) as soon as reasonably practicable (MLO, Art. 13(5)), which is not among the situations for which this is allowed. (c10.14)
The allowance to not pursue CDD whenever a FI suspects ML/TF and reasonably believes that the application of CDD measures will likely tip-off the customer is not aligned with the FATF standards which permit the discontinuation of CDD only after a SAR is submitted (c10.20).
2.4 Source of Funds / Source of Wealth (SOF/SOW)
Certain weakness were identified in relation to holding up-to-date SOF/SOW information on existing customers.
Periodic reviews of customer profiles do not always involve the corroboration of SOF/SOW even where such information/documents are missing for higher risk customers unless there is a trigger event (e.g. adverse media).
2.5 Enhanced Due Diligence Measures
The report noted that neither the MLO nor the Handbook require any specific EDD measures as required or recommended by the FATF standards in relation to higher-risk customers and situations beyond PEPs, correspondent banking relationships and enhanced risk states (c10.17).
2.6 Periodic Reviews
The report noted that periodic reviews rarely seek to obtain updated documentary evidence to ascertain changes in the ownership or corporate structure. A priority action is noted to updating beneficial ownership information (except where trust and company service provider (TCSPs) are providing management services).
The frequency and depth of reviews was found to be challenging due to lack of appropriate compliance resources
2.7 Ongoing monitoring
TCSPs were found to lack sufficiently effective IT systems – this may hamper the ability to view customer relationships as a whole and not only in the context of individual transactions
The report appears to note that the allowance for a customer to provide an assurance that it will provide the relevant CDD information on a timely basis in the event of a subsequent change does not meet the FATF criteria (c10.7).
2.8 Exemptions
- It was noted that the use of exemptions to identify underlying customers appears to be declining, but some REs do not always consider sufficient information for assessing risks to ensure that exemptions are only applied in low-risk situations. The report noted that risks involved in using the Article 17C exemption:
o Were not always duly assessed and mitigated
o Were not always based on full information or the risk profile of underlying investors/customers base (including those exhibiting higher-risk characteristics such as PEPs)
o Did not always include consideration by the FI of the AML/CFT P&Ps of TCSPs and unregulated or non-public funds in the context of risk mitigation
- The FIs met onsite struggled to articulate how risks related to underlying customers were assessed.
- Some REs that made use of Article 17C exemptions were found to rely exclusively on the Targeted Financial Sanctions (TFS) screening undertaken by their customers, and it appeared there were no processes in place to ensure that information about true matches identified and reported were shared by these counterparties.
- Similarly, the possibility of identifying a nexus to a jurisdiction identified as subject to a call for countermeasures or other higher-risk countries was limited in relation to the underlying customer/investor.
- The report noted that exemptions are permitted to not carrying out the required measures for the purpose of identifying a person and verifying the identity and the authority to act on behalf of a customer when the customer was a public authority legal entity listed on a regulated market (or its subsidiary) (MLO Art. 18(4)) or is a regulated FI (Art. 18(5)) (c10.4).
- The report noted there is an exemption to the obligation to identify the beneficial owner of a customer when the customer is a legal person whose securities are listed on a regulated market without a corresponding requirement to still obtain the relevant identification data from a public register, the customer or other reliable sources which is not consistent with FATF standards (c10.5).
2.9 Politically Exposed Persons
The assessors found that REs only apply all relevant EDD measures (e.g. senior management approval and enhanced monitoring) where is an accumulation of ML/TF risks as opposed to this being a sufficient trigger
Close associate – there was an uneven understanding of the concept of a close associate
The definition of close associates in the MLO, appears limited and does not specifically refer to individuals closely connected to a PEP either socially or professionally (c12.3).
2.10 Suspicious Activity Reports (SARs)
- The number of ML-related SARs was lower than the assessment team’s expectations considering the risks Jersey faces.
- The systems and processes used for identifying suspicious transactions were found to be insufficiently effective.
- Reporting is largely driven by information requests, discussions held with customers or customer files reviewed by relationship managers, adverse media, and group wide sharing of information, rather than the analysis of higher risk criteria and indicators.
- Some policies do not always ensure prompt reporting and it was revealed during the onsite visit that at least some entities are not aware of the need to submit SARs promptly.
- Linking with corroboration of SOF/SOW, the assessment team noted that the lack of verified information about source of assets for legacy customers may make it difficult to identify suspicions on the basis of reviewing existing customer profiles.
- There should more in-depth analysis of the appropriateness of SAR reporting by FIs, designated non-financial business and professions (DNFBPs) and VASPs on TF suspicions and the authorities should issue relevant guidance or provide training to increase awareness.
2.11 Reliance on Third Parties
The report noted there is no requirement to ensure that any higher country risk is adequately mitigated by a financial group's AML/CFT policies (c17.3).
·
[1] Handbook for the prevention and detection of money laundering, the countering of terrorist financing, and the countering of proliferation financing
[2] 136. A supervised person may demonstrate that it has found out the identity of the settlor of a trust which is a third party under Article 3(2)(b)(iii)(B) of the Money Laundering Order where it finds out the identity of: › the settlor (including any persons subsequently settling funds into the trust); › any person who directly or indirectly provides trust property or makes a testamentary disposition on trust or to the trust; and › any other person exercising ultimate effective control over the trust, for example, a protector
3. Immediate Outcome 3 – Supervision and recommendations 26 and 28
3.1 Criminal Background Checks
The report recommended enhancing background checks for beneficial owners, controllers and key function holders, noting that the practice of relying on a self-declaration by the applicant to report criminal convictions and screening against specific lists is a less effective control in comparison to the requirement for a “criminal record certificate” as routine practice.
Criminality checks for the existing DNFBPs that have not been subject to criminality checks at the time of registration need to be applied retrospectively.
Jersey legislation does not follow an “all-crimes” approach when considering criminality. (c26.3, c28.1(b), c28.4(b))
3.2 Terrorism Financing
The report identifies that when Jersey conducted a TF National Risk Assessment, no sectoral TF risk assessment had been conducted.
Obliged entities are generally aware of TFS screen obligation and the requirements to freeze funds/assets, however implementation techniques vary with difficulties reported by obliged entities to identifying close associations and indirect links with sanction entities and individuals. Noted obliged entities would benefit from further guidance, as well as guidance on PF as distinct from TF.
The JFSC should strengthen TF-related TFS supervisory practices with a focus to increase scrutiny of on-site checks.
3.3 DNFBPs and VASP Sector-Specific Guidance
The authorities should issue sector-specific guidance prioritising DNFBPs and VASPs. Guidance documents should cover specificities of the products and services offered by different sectors in greater detail, identification of suspicious activities in different sectors and how specific services or products can be abused for ML/TF purposes. Training activities should be aligned to sectoral needs, i.e., taking into account sectoral and individual risks and vulnerabilities.
3.4 Examinations
The report recommended that the JFSC consider making further use of full-scope and focused/targeted examinations, and alternatively, off-site supervisory tools, to ensure that there is always adequate coverage of all AML/CFT obligations across all sectors, especially in relation to those entities and sectors that have not had all aspects of the AML/CFT obligations yet assessed.
o The scope of some of the thematic inspections could be further expanded - utilising the CDD exemptions thematic as an example, which the report noted only covered 10 entities and only 1 bank and no legal sector participants when they are significant for the purposes of this theme
o The number of DNFBPS inspections is considered to be low
o The report noted that in terms of shortcomings, TCSPs account for an average of 45% of the overall shortcomings detected for all sectors with the most relevant areas being business and customer risk assessments, record-keeping, risk understanding, training and internal controls and procedures.
o Law firms account for approximately 17% of the overall shortcomings
o The report noted that compliance of the VASP section with the full range of AML/CFT obligations is yet to be supervised
Noted that for the majority of financial sectors, thematic examinations are the most common undertaken. This was found to present the risk that some areas which are deemed not risky or not sufficiently wide to be part of a thematic by the JFSC may be unassessed for a number of years and hence be neglected from a supervisory perspective.
It was not always clear if the examination “route planner” (covering all aspect of the Handbook) is routinely followed in its entirety, and it was also not apparent how samples were selected.
It was unclear as to how the characteristics of groups are considered when determining the frequency and intensity of onsite and offsite supervision (c26.5)
3.5 Remedial Actions
The JFSC’s approach in relation to breaches detected through supervision was noted as relying on remedial actions, with a significant degree of flexibility given to the RE to propose remedial actions and timeframes.
The report noted that the rate at which remedial actions were being completed has steadily improved, however at the time of the on-site there was still remediation taking place from the 2019/2020 period in respect of an entity, despite all actions taken by the JFSC.
The report noted the creation of the JFSC’s Heightened Risk Response Team to monitor the effectiveness of remediation in cases deemed as high-risk, but also noted that these tasks are most commonly undertaken by independent reporting professionals, with less proactive oversight by the JFSC.
Between July 2021 and December 11 cases (3 banks, 6 TCSPs, 1IB and 1 DNFBP) had been referred to the Heightened Risk Response Team.
3.6 Administrative Sanctions
The assessors noted that when it comes to breaches, the JFSC’s approach greatly relies on remedial actions. The use of administrative sanctions to penalise non-compliance is low, especially in the case of pecuniary sanctions, and is considered not in line with the risk profiles of the entities and the number and types of breaches detected.
The JFSC was not considered to be consistent in determining which types of breaches are severe. The report recommended that the JFSC should apply greater scrutiny to the breaches emanating from supervision, clearly distinguishing those more severe in nature, for the purposes of the imposition of sanctions upon non-compliant entities.
The application of the sanctioning regime should be revised (in particular the guidance criteria to determine the severity of the sanction) so as to ensure that, in cases of serious breaches, the imposition of a wider range of severe and proportionate penalties, including pecuniary sanctions, is prioritised.
The report noted that for the 7 cases which result in the imposition of a financial penalty, only 2 of the cases were subject to any follow-up actions by the JFSC in the form of reinforced supervision, follow-up or remediation effectiveness testing. The report notes a more proactive involvement would have been expected due to the seriousness of the cases.
3.7 Institutional Risk Assessments
The risk tool utilised by the JFSC could benefit from enhancements to allow further strengthening of risk understanding and risk differentiation across different sectors and individual entities, due to the following reasons:
o The frequency of data collected (annual) may not be enough in respect of high-risk entities to update the risk profile in a timely manner
o Enhancements to the risk weightings assigned to the data points used for the inherent risk assessment should be considered
o The AML/CFT internal controls assessment is not carried out for every entity and is informed by other sources of information rather than routine data collection exercises, such as supervisory examinations (c28.5)
We would expect that enhancements to the risk tool will require the JFSC to collect additional data as part of the Supervisory Risk Data Collection[1].
The report noted that the JFSC’s risk model did not cover some obliged entities, namely insurers, funds (which are supervised through their FSB), Managed Entities, TCSP participating members, VASPs and class G TCSPs. It was noted that at the time of the assessment, the risk model did not cover some categories of TCSPs, as they were deemed low risk by the JFSC, however no actual risk assessment had taken place to justify the rating (C28.5)
Major developments in the management (apart from change in compliance resources) and operations are not captured by the list of events that trigger the review of the AML/CFT risk profile of the supervised institutions (c26.6)
3.8 Impact of Supervisory Actions on Compliance
The assessors considered there was room for improvement concerning the compliance of obliged entities with certain obligations, such as transaction monitoring and the identification of suspicions or the application of CDD/EDD measures to legacy customers.
The impact of supervisory actions on compliance is modest when observing that the number of breaches detected by supervisory actions has remained quite steady during the period reviewed.