Feedback on Consultation regarding AMLCFT Obligations for VASPs and Licensed Trustees

Feedback on the Commission’s consultation on amendments to Schedule 3 of the Proceeds of Crime Law regarding independent audit, business risk assessments, virtual asset service provider obligations and additional requirements on trustees and partners. 10 July 2023 Overview On 28 March 2023 and 9 June 2023, consultations were issued on proposals to amend certain provisions in Schedule 3 to the Criminal Justice (Proceeds of Crime) (Bailiwick of Guernsey) Law, 1999 as amended (“Schedule 3 to the Law”) and associated rules and guidance in the Commission’s Handbook on Countering Financial Crime and Terrorist Financing (the “Handbook”) in relation to i) an independent audit function, ii) business risk assessments, iii) rules and guidance for virtual asset service providers and vi) rules and guidance on additional information disclosures for licensed trustees and partners. We had 16 responses in total. Feedback and comments were received from a wide range of industry sectors from firms directly, or via their representative bodies. The Commission is grateful to everyone who replied. Most responses were positive and supportive of the proposals. Respondents did raise queries and propose suggestions, so a summary of the most common issues raised, and the Commission’s response, is set out below. Independent Audit Function We consulted on proposals for firms to establish an independent audit function (where appropriate, having regard to the money laundering and terrorist financing risks, and the size and nature of the firm) to evaluate the effectiveness of the firm’s AMLCFT controls. It will be mandatory for every firm to consider, on the basis of risk and materiality of its business, whether it should have an independent audit function. Most feedback was on the independent audit function with requests for further clarity on who would be considered suitable to undertake an AMLCFT audit and on ensuring independence was preserved if a firm used its external auditor to also audit its AMLCFT controls. Some respondents expressed concern about resourcing such a function. We have sought to ensure that rules and guidance on an independent audit function do not unduly limit who can perform an audit of a firm’s AMLCFT controls. The final text of section 2.4 of the Handbook gives firms as much flexibility as possible to appoint a person internally to fulfil the audit function, providing they are independent from the design and application of the firm’s AMLCFT policies, procedures and controls, or make an external appointment. Where an external appointment is made, we have clarified that we would expect the firm to follow the principles for outsourcing arrangements in the Commission’s sector guidance notes on outsourcing in determining their suitability. We also acknowledge the concern expressed by some respondents that an external auditor’s independence could be compromised if they also undertook an AMLCFT audit. The proposal in the consultation had been amended in discussion with affected parties, whose assistance has been appreciated. One respondent questioned whether the Commission was making it mandatory for an independent audit to be undertaken every three years. The guidance reflects that audits could occur annually or less frequently without setting the frequency with which an audit should occur as this will be for the firm to determine.

2 | P a g e We were also asked if the factors firms would have to consider in determining whether to have an independent audit function would result in it being mandatory for certain sectors. The Commission does not believe this to be the case. The guidance recognises that within each sector there will be higher and lower risk firms and decisions over an independent audit function do not rest solely on the risk rating attributed to the sector in the National Risk Assessment (“NRA”) or the size of the firm. We have also set out that when assessing firm size, consideration should be given to the number of customers and the value of the assets under management. Business Risk Assessments We consulted on an additional requirement for firms to consider within their business risk assessments the risks and implications of the main criminal offences identified in the Bailiwick’s NRA as being the most likely predicate offences for the Bailiwick being used for money laundering and terrorist financing, together with additional guidance on relevant risks factors. We also consulted on a change to the rule regarding a firm’s compliance review policy. A few respondents questioned whether it was sufficiently clear in the draft legislation and rules what was required of firms in their assessment of the risks from the most likely predicate offences. The wording of the legislation has been amended to align it more closely with the terminology in the NRA. The guidance within the Handbook has been similarly changed. We were asked if the Commission could include a definition of “sensitive industries”. The term is used in guidance on corruption risk factors and a non-exhaustive list of example industries are given in the Handbook. We have not defined the term, but we have expanded the risk factor guidance to draw out that an industry is sensitive where there is dependence on government award of licences, permits etc. We were asked why the guidance on risk factors included information sources on country risks which were not used in Appendix I of the Handbook which lists jurisdictions identified by relevant external sources as presenting a higher risk. Extra information sources on country risk are cited in Chapter 3 to identify to firms where additional information about a country’s risk profile could be found. Some of these sources may concentrate on a specific jurisdiction or region which makes their use in the compilation of Appendix I difficult but nevertheless could be a useful source of information for firms considering the level of corruption risk a country presents. The guidance within Chapter 3 is provided to assist firms when making such risk-based decisions. Virtual Asset Service Providers (“VASPs”) We consulted on a new chapter to the Handbook for VASPs containing rules and guidance on the information which must accompany virtual assets transfers and guidance for VASPs on meeting their obligations generally under Schedule 3 and the Handbook. There were a few suggestions for minor clarifications of the draft legislation. These have been adopted. The small amount of feedback received on the proposed VASPs’ rules and guidance was positive and supportive of the new chapter on VASPs. Additional requirements on licensed trustees and partners We consulted on additional rules and guidance for trustees of relevant trusts and partners of relevant partnerships to hold information on the identity of other regulated agents and service providers to the trust or partnership, and the disclosure of their status as trustee or partner. The reasons for these additional obligations are to meet FATF Recommendations to ensure that beneficial ownership of these types of legal entity is available to the competent authorities.

3 | P a g e A few comments were received in relation to the definitions of regulated agent, the information which should be held and a request to disapply the requirements for the trustee or partner to hold accurate and up to date information on the identity of the regulated agent, if the regulated agent is located in a jurisdiction on the equivalent jurisdictions list in Appendix C of the Handbook. The legislation on these information requirements which the rules and guidance support, contains no means by which the legal obligations can be disapplied. This is because there is no leeway for a jurisdiction to take a risk-based approach in the relevant FATF Recommendation which forms the basis of the legislation, which the States of Guernsey Policy & Resources Committee consulted on earlier this year. We have however provided further guidance explaining that a trustee or partner is likely to hold sufficient information on the regulated agent or service provider’s identity through their correspondence with them and the agent or service provider’s reports. We have also revised the information which should be held on a regulated agent or service provider where they are an individual. When do the amendments take effect? We were asked if there would be a transitional period for firms to implement the amendments. There are no transitional provisions which set a deadline for firms to comply with the amendments to Schedule 3 and rules in the Handbook. The amendments take effect immediately. Licensees are expected to have considered the new obligation on risk at their next mandatory annual review of their business risk assessments, and to have met the requirements around the independent audit function when the Board next considers AML/CFT matters, which would reasonably be expected to occur before the end of 2023. The introduction of rules and guidance for VASPs coincides with the commencement of the supervision of this sector from this month with the rules taking effect immediately. The additional information disclosure requirements on trustees and partners take effect immediately but are likely to be already met in practice as the information will be held by trustees and partners via agreements and reports from regulated agents and service providers. Next steps The Commission has updated Chapters 2, 3, and 7 of the Handbook and is issuing a new chapter 18 following its consideration of all consultation responses. This feedback is being issued simultaneously with today’s publication of the updated Handbook.

Consultation on AML/CFT obligations upon VASPS and additional obligations upon licensed trustees and partners 9 June 2023 Introduction This consultation paper seeks comments on: i) Proposed rules and guidance for virtual asset service providers (“VASPs”) on information requirements for virtual asset transfers and general guidance for VASPs and specified businesses with a connection to, or involvement with, virtual assets, on how to meet the requirements of Schedule 3 to the Criminal Justice (Proceeds of Crime) (Bailiwick of Guernsey) Law 1999 (“the POC Law”) and rules in the Handbook on Countering Financial Crime and Terrorist Financing (“the Handbook”). These rules and guidance are in a new chapter of the Handbook. ii) Proposed additional rules and guidance for trustees of trusts and partners (excluding limited partners) of partnerships and limited partnerships without legal personality to hold information on the identity of other regulated agents and service providers to a trust or partnership, and disclose their status as trustee or partner. These rules will apply to licensed trustees and licensed partners. Both sets of proposed rules and guidance are to support additional provisions being made by the States of Guernsey Policy and Resources Committee to Schedule 3 of the POC Law upon which industry has already been consulted. Both sets of rules and guidance take into account feedback from those consultations. The consultation period is short. Responses are being sought by the close of business on Monday 3 July 2023. The reasons for this are to ensure that that there are rules and guidance in place to assist specified business in meeting their obligations under these new provisions in Schedule 3 which are due to come into effect in early July after consideration by the States of Guernsey. These provisions upon VASPS and upon trustees and partners are necessary to ensure that the Bailiwick continues to meet the recommendations issued by the Financial Action Task Force on combating money laundering and terrorist financing against which the Bailiwick will be assessed by MONEVAL in its forthcoming evaluation. Virtual Assets The draft rules and guidance for VASPS on the information which must accompany virtual asset transfers include requirements that the VASP holds and submits certain information on the originator and beneficiary of a virtual asset transfer. These requirements are colloquially known as “the travel rule” and are similar to the existing requirements for wire transfers. The Commission, mindful of the importance of the alignment of global requirements for the virtual asset sector, has developed the rules and guidance in this chapter which take into account the proposed information disclosure requirements being considered in the UK and EU. Limited feedback was received from the aforementioned consultation on the proposed changes to Schedule 3 on virtual asset transfers for the Commission to consider.

2 These draft rules and guidance include specific information requirements on originators and beneficiaries of virtual asset transfers and the information requirements on virtual asset transfers of £1,000 (or equivalent value) or less, as indicated in the draft legislation. Licensed VASPS are required to meet all the provisions within Schedule 3 and the associated rules in the Handbook. The chapter therefore includes guidance on how VASPS can apply a risk-based approach and comply with customer due diligence and enhanced customer due diligence measures. This chapter also incorporates additional risk factors specific to virtual assets to help VASPs and other licensees which are not licensed as a VASP, but who have business connected to virtual assets, to identify, understand and mitigate specific risks attached to virtual assets when dealing with customers where there is a virtual asset connection. The link to the draft legislation can be found here. The link to the proposed chapter on Virtual Assets can be found here. Trustees and partners (excluding limited partners) This new section at the end of chapter 7 of the Handbook on the due diligence measures for legal persons and legal arrangements will apply to licensed trustees of trusts and licensed partners of partnerships and limited partnerships without legal personality. It proposes additional rules and guidance for trustees of trusts and partners to hold information on the identity of other regulated agents and service providers to a trust or partnership, and the disclosure of their status as trustee or partner. The reasons for these additional obligations are to meet FATF Recommendations to ensure the availability of beneficial ownership of these types of legal entity to the competent authorities. The link to the draft legislation can be found here. The link to the extract on additional requirements on trustees and partners can be found here. Timing It is envisaged that the updated Handbook will be issued in early July to take into account the commencement on 1 July 2023 of the licensing regime for VASPS and when the draft legislative changes to Schedule 3 regarding independent audit, business risk assessments, virtual asset information requirements and trustee/partner obligations are due to take effect after being laid before the States at its meeting on 5 July.

3 The revised Handbook will include the final version of the rules and guidance regarding the independent audit function, and business risk assessments, as well as the VASP AML/CFT obligations and trustee/partners obligations which are the subject of this consultation. There will be no transitional provisions. Licensees will be expected to consider the risk element when they next review their business risk assessments and the audit element when the Board next considers AML/CFT matters following the publication of the updated Handbook. Licensed trustees and partners would be expected to consider the applications of these additional measures as part of their periodic reviews of a trust or partnership (or upon a trigger event) or when reviewing, renewing or changing the regulated agent or service provider to the trust or partnership. The Commission will be issuing feedback on both consultations. Responses to this Consultation Any responses to this consultation paper should be provided via the Consultation Hub by the close of business on Monday 3 July 2023.