Managing Your Risks

The Jersey Financial Services Commission’s (“JFSC”) Codes of Practice[1] and the AML/CFT/CPF Handbook set out the requirements for the Board (or equivalent governing body) to assess the risk present in the registered/supervised persons business[2].

In considering how to implement and conduct a risk assessment framework for your business it is easy to get lost in the amount of information available on different risk assessment processes. If your organisation is not part of a larger firm with its own risk assessment processes in place it can be quite daunting and leave you wondering how best to proceed.

We would advise to start by looking at the aforementioned Codes of Practice and AML/CFT/CPF Handbook which reference 3 types of risk assessment as shown in the accompanying diagram.

Compliance Risk is defined as the risk of legal or regulatory sanctions, material financial loss, or loss to reputation a registered person may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory organisation standards, and codes of conduct applicable to its regulated activities (together, “compliance laws, rules and standards”)[3].

Business Risk Assessment –  is an assessment of the supervised person’s risk appetite and the extent of the supervised person’s exposure to money laundering, the financing of terrorism, and the financing of proliferation risks “in the round” or as a whole by reference to the supervised person’s organisational structure, customers, the countries and territories with which those customers are connected, the procedures and services the supervised person provides and how those products and services are delivered. The assessment must consider the cumulative effect of risk identified, which may exceed the sum of each individual risk element.

All factors (including those identified by a National Risk Assessment or similar), as well as the wider picture (and cumulative risk) should be considered.

Operational Risk is an assessment of the risks present in the registered person’s business. Risk is referred to as all the risks that a registered person faces, or may face, as a business enterprise. There is specific reference in the Codes to the risk of a cyber security incident.

In addition to the above 3 risk assessments depending on the structure of the registered person for example where they are part of a group of regulated entities, the group will usually have in place a group risk assessment, which is often referred to as an Enterprise Risk or Enterprise-Wide Risk Assessment.

It is important to note that where you are part of a group that the relevant risk assessments have been conducted for the regulated activities undertaken in Jersey and reflect the risks relevant to a Jersey entity. Though an Enterprise-Wide Risk assessment may identify risks which impact activities undertaken in Jersey this must feed into the specific Jersey risk assessments.

Can this be managed as one risk assessment?

The straight answer to this is yes, provided the relevant risks are clearly distinguished within the single risk assessment. As shown in the accompanying diagram, there will be some overlap with certain risks present in a registered/supervised person's business.

A well-designed overall risk assessment that reflects the relevant types of risks and which is able to distinguish an overall risk for the different elements may be appropriate for certain registered/supervised persons.

Single or Separate?

Whilst a single risk assessment may suit certain registered/supervised persons for larger firms or more diverse businesses, it may be more appropriate to have separate compliance, operational and AML/CFT/CPF risk assessments.

Whether you decide to have a single or separate risks assessments identifying the relevant risks to your business, the activities undertaken and customers is critical. It is important to note that what may work for one registered/supervised person is not necessarily transferrable to another. The Board will need to consider and determine the approach to be taken for their business. We will now look at each of the risk assessments' requirements.

Compliance Risk Assessment

The Guidance Note issued on Compliance Monitoring provides some guidance on conducting the compliance risk assessment as this links with determining a risk-based CMP. The first three steps are:

1. Identifying relevant legislative and regulatory requirements
2. Identifying relevant controls
3. Conducting a risk assessment

Considering the controls in place to meet the relevant legislative and regulatory requirement the assessment would assess the impact and probability and consider the risk of non-compliance before (inherent) and after the controls have been applied (residual).

As stated above this may overlap with risks being identified for the AML/CFT/CPF and Operational risk assessments.

The guidance note also states that where available quantitative as well as qualitative information should be included, along with the experience and knowledge of the Compliance Function and other relevant individuals, including senior management.

Examples of good practice are:

• the risk assessment considers information sources such as relevant revenue, complaints, breaches, operational incidences
• the JFSC’s publications (including public statements, on-site examination feedback and Guidance Notes)
• previous Compliance Monitoring, audit reports and concerns of senior management
• the risk assessment uses a form of rating, such as red, amber and green or a numerical scale.

Where subject to a Code of Practice, there is a requirement for a registered person to assess the extent to which compliance risk is managed effectively on at least an annual basis.

AML/CFT/CPF Business Risk Assessment

Section 2 of the AML/CFT/CPF Handbook requires that the Board must conduct and record a risk assessment which considers on an on-going basis, the supervised person’s risk appetite and the extent of the supervised person’s exposure to money laundering, the financing of terrorism, and the financing of proliferation risks “in the round” or as a whole by reference to the supervised person’s:

• organisational structure
• customers
• the countries and territories with which those customers are connected
• the products and services the supervised person provides, and
• how those products and services are delivered.

The assessment must consider the cumulative effect of risks identified, which may exceed the sum of each individual risk element. The Board’s assessment must be kept up to date and involve all members of the Board in determining the risks posed.

The AML/CFT/CPF Handbook providers some guidance on some factors to examine, but it must be noted the following is not an exhaustive list and the risk factors to be assessed must be relevant to the supervised person’s business:

• considering organisational factors that may increase the level of exposure to the risk of ML/TF/PF
• considering the nature, scale and complexity of its business, the diversity of its operations (including geographical diversity), the volume and size of its transactions, and the degree of risk associated with each area of its operation
• considering who its customers are and what they do
• considering whether any additional risks are posed by the countries and territories with which its customers are connected. Factors such as high levels of organised crime, increased vulnerabilities to corruption and inadequate frameworks to prevent and detect ML/TF/PF will impact the risk posed by relationships connected with such countries and territories
• considering the characteristics of the products and services that it offers and assessing the associated vulnerabilities posed by each product and service
• considering the risk that is involved in placing reliance on obliged persons to apply reliance identification measures
• considering how it establishes and delivers products and services to its customers
• considering the accumulation of risk for more complex customers
• consider relevant risks from the National Risk Assessments
• sanctions risks

It can be beneficial for money laundering, financing of terrorism and financing of proliferation risks to each be considered separately. If choosing not to do this, it is important that your risk assessment process does not exclude any of these risk factors.

Operational Risk Assessment

As stated above, this assessment will consider the risks of operating the business and in particular the relevant risks associated with the providing the product and service offering provided to its customers. There will be some overlaps of risk factors with those identified under the compliance and AML/CFT/CPF risks identified.

Some of the risks expected to be considered as operational risks are:

• Organisation/structure
• Macro environment
• Finance
• Internal controls – also consider where errors and losses, non-regulatory breaches have been identified as will identify if those controls require enhancing and/or further training is required
• Information Technology to include cyber security
• Business Continuity
• Human Resources
• Marketing
• Data Protection

To recap - whether electing to manage as a single or separate risk assessment, it is key that you identify and consider the risks which are relevant to your business and the services provided.

If you have any questions or would like to discuss whether Cyan can be of assistance to you, please contact us.

[1] Includes Codes for Deposit-taking, Fund Services Business, Trust Company Business, Insurance and Investment Codes of Practice — Jersey Financial Services Commission (jerseyfsc.org)

[2] A “registered person” will be regulated for prudential conduct, a “supervised person” will be regulated in respect of their relevant AML, CFT and CPF obligations.

[3] Basel Committee on Banking Supervision