Reporting Suspicion: Thematic Review 2020

Reporting Suspicion Thematic Review – 2020 Published: 15 July 2021

i Executive Summary During the second half of 2020, the Commission undertook a thematic review to assess the effectiveness of the policies, procedures and controls firms apply to reporting suspicion of money laundering (“ML”) or the financing of terrorism (“FT”). Reporting these suspicions is key in tackling the present and evolving threat of financial crime to the Bailiwick and wider global economies. It provides law enforcement with intelligence to assist in the investigation and prosecution of criminal activity and/or the prevention of a terrorist attack. It continues to be important that all individuals operating within the Bailiwick’s financial services industry are alert to the various types of financial crimes as detailed in the Bailiwick’s National Risk Assessment and, where suspicious, they report their suspicion. A single high-profile case of ML or FT could cause serious damage to a firm and to the Bailiwick’s reputation as a well-respected international finance centre. All firms which took part in this industry-wide review had appointed a money laundering reporting officer (“MLRO”) and had policies and procedures for the reporting of suspicion, which provide guidance to their staff on forming a suspicion and what to do. Moreover, the vast majority of MLROs interviewed were suitably senior, qualified and independent. It was also pleasing to see that banks, as the principal gatekeepers of monies flowing through the Bailiwick, generally had good policies and procedures on the reporting of suspicion. Nonetheless, in the majority of firms reviewed, the policies and/or procedures did not cast a full framework over the reporting process or provide comprehensive guidance for the MLRO and nominated officer on the firm’s expectations on the fulfilment of their roles. Evidence suggests that most boards place reliance on their MLRO to determine policy and process in this area, perhaps because it is a highly specialised subject area, and under the daily remit of a few key expert personnel. Nevertheless, whilst boards must ensure that there is no encroachment upon the MLRO’s or nominated officer’s autonomy and independent decision-making on whether there is a suspicion to externalise, they must receive periodic management information and ensure that there are appropriate and effective policies and procedures covering how suspicions will be handled, reported, recorded and managed. This is of particular importance where a relationship is subject to “no consent” from the Financial Intelligence Services. Good quality management information such as the types of predicate offence underlying a suspicion could support boards in evaluating whether risks have been correctly identified within the firm’s ML and FT business risk assessments or whether the firm may be operating outside of its risk appetite.

ii Thank you to all the firms and individuals that took part in this review, your contributions have provided a valuable insight into this key area of the Bailiwick’s defence against criminal activity. I hope that all firms find this report useful on industry-wide practices, the various “Case Studies” and “Areas for Improvement” detailed throughout the report1 . Firms should compare their own practices and where gaps are identified, introduce updated policies, procedures and controls. It is anticipated that the Areas for Improvement will lead to boards of firms applying greater oversight to the implementation and operation of the policies, procedures and controls for the timely reporting of suspicion, and ultimately improve the effectiveness of the Bailiwick at combatting ML and FT. The Commission will consider how firms have incorporated the findings from this report as part of its ongoing supervision. Fiona Crocker 15 July 2021 1 In this document reference is made to guidance issued by bodies other than the Commission. This guidance does not restrict the ability of the Commission to undertake its functions as set out in the regulatory laws.

iii Glossary of Terms AML/CFT - Anti-Money Laundering and Countering the Financing of Terrorism Board - The Board of Directors or equivalent or the senior management, where it is not a body corporate Customer - A person or legal arrangement who is seeking to establish or has established, a business relationship with a financial services business, or to carry out or has carried out, an occasional transaction with a financial services business Firm - A financial services or prescribed business which conducts business in, or from within, the Bailiwick of Guernsey and is subject to the requirements of the Schedule and the Handbook FIS - The Financial Intelligence Service FT - Financing of Terrorism Handbook - Handbook on Countering Financial Crime and Terrorist Financing MI - Management Information ML - Money Laundering MLCO - Money Laundering Compliance Officer MLRO - Money Laundering Reporting Officer NRA - Bailiwick of Guernsey 2019 National Risk Assessment report on Money Laundering and Terrorist Financing Internal and/or external SAR - Internal Suspicious Activity Report from staff to MLRO or nominated officer and external Suspicious Activity Report from the MLRO or nominated officer to the FIS The Commission - The Guernsey Financial Services Commission The Disclosure Laws - The Disclosure (Bailiwick of Guernsey) Law 2007 and the Terrorism and Crime (Bailiwick of Guernsey) Law 2002 Themis - The FIS’s secure online portal for two-way communication between the FIS and the MLRO community for reporting of suspicion and for the dissemination of important updates by the FIS The Schedule - Schedule 3 to the Criminal Justice (Proceeds of Crime) (Bailiwick of Guernsey) Law, 1999

iv Contents Executive Summary .........................................................................................................................i Glossary of Terms..........................................................................................................................iii Rationale for the thematic ...............................................................................................................1 Purpose of the thematic...................................................................................................................1 Suspicious activity report statistics.................................................................................................2 Scope of the thematic ......................................................................................................................3 Regulatory requirements.................................................................................................................3 Analysis...........................................................................................................................................4 Section One - Board oversight and MLRO capabilities and capacity.............................................4 Knowledge, skill and experience of MLRO and MLCO ................................................................4 Capacity, resources and independence of MLRO and MLCO........................................................6 Policies, procedures and controls....................................................................................................7 Review of compliance with the AML/CFT regulatory framework...............................................12 Training.........................................................................................................................................13 Section Two - Effectiveness of SAR policies, procedures and controls.......................................15 FIS guidance to improve suspicious activity reporting .................................................................15 Internal suspicious activity thresholds ..........................................................................................16 Timeliness of suspicious activity reports......................................................................................16 Internal record keeping and controls.............................................................................................17 Information to be provided to the FIS...........................................................................................19 FIS requests for additional information ........................................................................................19 Tipping off ....................................................................................................................................20 Conclusion.....................................................................................................................................20

1 Rationale for the thematic The timely reporting of SARs, both internally to the MLRO and, where the MLRO determines that there is a suspicion, to the FIS, is a key component of the Bailiwick’s approach to combatting financial crime, including terrorist financing, both locally and in partnership with other jurisdictions. It serves to alert relevant competent authorities to the existence of financial intelligence, which could ultimately lead to the investigation, prosecution and conviction of criminals and the seizure of their ill-gotten gains or monies which might otherwise be used to support terrorism. We chose this topic as we had identified through general supervision that some firms did not have effective policies, procedures and controls for the timely reporting of suspicion. In recent cases where AML/CFT deficiencies were wide-ranging and significant, including concerns over the effectiveness of reporting mechanisms, we have referred firms to the Enforcement Division for further investigation. Recent sanctions applied to two firms for serious AML/CFT failings have included failings in their reporting processes, one of which also illustrates the importance of appointing a suitably experienced and qualified individual to the MLRO position. Purpose of the thematic The purpose of this thematic review was:

1. To assess the extent to which boards have oversight of their MLRO function and the reporting framework and whether MLROs are suitably senior, qualified, independent and appropriately resourced and supported by their boards;
2. To assess the effectiveness of policies, procedures and controls and to what extent firms meet their reporting obligations to the FIS and the processes in place to avoid the offence of “tipping off”; and
3. Ultimately, to share areas of good and poor practice with all of industry to assist in the implementation and operation of appropriate and effective policies, procedures and controls for the timely reporting of good quality suspicious activity reports.

2 Suspicious activity report statistics The Commission collects internal and external SAR statistics annually from all firms subject to AML/CFT supervision2 . From 2015 to 2020, internal SARs have increased by 51% which suggests a return on the investment in training by firms which have increased staff awareness across industry of ML and FT risks and their personal responsibility to make internal reports to the MLRO or nominated officer. External SARs to the FIS increased from 2015 to 2018 and then reduced in 2019 and 2020. There could be domestic and/or international drivers which either singly or in combination caused this pattern on external reporting. For example, the commencement or closure of tax amnesty programmes, from which customer participation may give rise to potential suspicions of tax evasion, to domestic initiatives such as the publication of refreshed guidance on reporting by the Commission in the Handbook in November 2018 and by the FIS in October 2019. 2 The annual Financial Crime Risk Return collects data for a twelve-month period starting from 1 July to 30 June of the following year. Year 2015 2016 2017 2018 2019 2020 Total Internal 1219 1397 1657 1843 1812 1843 9771 External 905 1000 1194 1205 1153 961 6418 % Externalised 74% 72% 72% 65% 64% 52% 66%

3 Scope of the thematic We used this data on internal and external SARs to select twenty-nine firms across industry to participate in the thematic. Banks and fiduciaries formed the largest two groups, followed by investment firms, insurance, prescribed businesses and non-regulated financial services businesses, in line with risk weightings attributed by the Bailiwick’s National Risk Assessment. Both large and small firms by number of customers were included in the scope. The thematic review consisted of two stages:

1. Each firm was required to submit to the Commission extracts of board minutes, policies and procedures and registers concerning internal and external SARs; and
2. Onsite visits were conducted to the firms to gain a more detailed and practical understanding of their SAR policies, procedures and controls. The onsite visits consisted of an examination of internal and external SAR documentation including completed internal forms, MLROs’ use of Themis and correspondence between firms and the FIS. Interviews with members of the board of directors, MLCO and MLRO were held to discuss internal policies, procedures and controls. Regulatory requirements Paragraph 12 to Schedule 3 to the Criminal Justice (Proceeds of Crime) (Bailiwick of Guernsey) Law 1999 sets out regulatory requirements regarding the process for the reporting of suspicion and the appointments of an MLRO and nominated officer to receive internal suspicious activity reports. Paragraph 12(1)(h) requires firms to ensure that they ‘establish and maintain such other appropriate and effective procedures and controls as are necessary to ensure compliance with requirements to make disclosures’ under the Reporting Laws. This is important as the Courts will consider a firm’s adherence to Paragraph 12 to Schedule 3 when considering whether there has been any offence of failing to disclose a suspicion under the Reporting Laws. With ultimate responsibility for compliance with the AML/CFT regulatory framework resting upon the board, it would be sensible to ensure that the firm’s procedures and controls are effective for making timely and good quality disclosures under the Reporting Laws3 . Additional obligations include formal requests from the FIS for information which are set out in the Disclosure (Bailiwick of Guernsey) Regulations, 2007 as amended and the Terrorism and Crime (Bailiwick of Guernsey) Regulations, 2007 as amended (the “Disclosure Regulations”). 3 Paragraph 12(1)(h) to Schedule 3

4 Analysis Section One - Board oversight and MLRO capabilities and capacity In this section, we examine the extent to which boards oversaw their MLROs and the suspicious activity reporting framework and whether MLROs were suitably senior, qualified, independent and appropriately resourced and supported by their boards. Knowledge, skill and experience of MLRO and MLCO The MLRO plays a pivotal role asthe designated individual, along with the nominated officer, to receive internal SARs from across the business and determine whether there is a suspicion which should be disclosed to the FIS. This is a management level appointment. It is therefore essential that the individual has the appropriate knowledge, skill and experience4 , sufficient resources to perform his or her duties5 , reports directly to and has regular contact with the board6 , and receives the support of all staff. Similar requirements rest upon the appointment of the MLCO7 who is responsible for monitoring compliance with the firm’s AML/CFT policies, procedures and controls, including those in respect of the reporting of suspicion. All MLROs and MLCOs taking part in this review were employed at least at manager level and therefore were of a sufficiently senior position within firms to fulfil their roles effectively. In most cases (69%), the same person fulfilled both roles. Many noted to us that the role of MLRO had reduced following the introduction of the MLCO role in 2019 which separated the compliance monitoring and reporting functions between the two positions. The vast majority of MLROs and MLCOs had either relevant experience from previous compliance roles or had a formal relevant qualification in a compliance subject. There were a small number of examples where individuals were appointed to the MLRO and MLCO roles despite possessing no relevant knowledge, or the skill and experience required to fulfil those roles. This is reflected in case study 1. 4 Rule 2.68(c) of the Handbook 5 Rule 2.69(c) of the Handbook 6 Rule 2.69(f) of the Handbook 7 Paragraph 15(1)(a) to Schedule 3

5 In this example of poor practice, following the resignation of a former MLRO, a medium sized firm appointed an individual without the knowledge, skills, relevant experience or relevant professional qualifications to fulfil the MLRO and MLCO roles. In addition, the individual retained responsibility for the firm’s operations including various projects. This was intended to be a temporary appointment, but the individual remained in situ over 12 months following the appointment despite attempts to recruit a replacement. The lack of relevant AML/CFT qualification and/or experience and the resource implications around the numerous roles exposes both the MLRO/MLCO and the board to an increased risk of ML or FT. Deficiencies in this area can have serious regulatory, civil and/or criminal consequences for the MLRO and nominated officer, the firm and the board. Where an individual is appointed into either the MLRO or MLCO roles and does not have the relevant AML/CFT knowledge, skills or experience, and/or a relevant qualification, it is important that they are provided with the specialist training and support needed to attain the required levels as soon as possible. Where temporary appointments prevail or the permanent post-holder is “in-training” to develop those specialisms, boards should ensure they keep in mind these resourcing issues when scrutinising and responding to AML/CFT management information should the post-holder have other roles and/or require specialist support. This is an example of good practice where a firm, which was part of an international group, took a planned approach to ensure that it promoted an individual with the right knowledge, skills and experience to the important role of MLCO. The firm had identified an individual in the compliance team as a suitable successor to the director who held the MLCO role. This candidate was already the nominated officer, but recognising the step up in fully taking on the MLCO role, the firm sought to ensure that the successor would have the necessary knowledge, skills and experience for a smooth transition. The director implemented a structured plan, over a period of six months prior to appointment, which included overseeing key MLCO duties delegated to the individual, targeted training and establishing key performance indicators, with a cross-over period where the appointee would shadow the out-going MLCO. CASE STUDY 1: CASE STUDY 2:

6 Capacity, resources and independence of MLRO and MLCO All but one, (see Case Study 3 below) of the MLROs and MLCOs reported that they had sufficient capacity and resources to fulfil their responsibilities. This is encouraging as the industry is made up of a significant number of smaller firms where a director or manager may hold more than one key role. Approximately three quarters of MLROs and MLCOs we met had additional non-AML/CFT related roles and responsibilities, although a significant proportion advised that they spent at least half of their time working on AML/CFT related matters. Predominantly, the non-AML/CFT work undertaken by MLROs and MLCOs was explained to be compliance related. There were four instances where individuals in smaller firms held at least board, MLRO and MLCO positions, and this was where the greatest time pressure to complete all responsibilities was reported. In two of the four cases, it was planned for at least one of the roles to be transferred to reduce the resource pressure. Clearly, it is important for boards of smaller firms to be mindful of emerging resourcing issues where key individuals occupy more than one key role, as in the case of these two firms. It was positive to hear from every MLRO we interviewed that the investigation of internal suspicious activity reports took precedent over all other work commitments. All MLROs reported that they enjoyed complete independence and were under no undue influence from board, senior management or any other area of their businesses in relation to their decision-making around whether or not to make an external disclosure. The Commission did not encounter any evidence to the contrary as part of the thematic review. This is an example of poor practice by a smaller firm in respect of resource expectations. The MLRO was also the MLCO, Data Protection Officer and finance director for both the firm and all group entities. Owing to this high workload, the individual concerned was unable to prepare fully for the thematic onsite visit and was unable to make available the requested information. The individual advised that they had not had time to read all their emails which included the instructions from the Commission to prepare SAR documents for the thematic onsite. An MLRO who cannot keep up with their correspondence may indicate that the individual is undertaking too many roles to discharge all of their responsibilities effectively. CASE STUDY 3:

7 Policies, procedures and controls All firms had policies, procedures and controls for the reporting of suspicion, which provided guidance to their staff on forming a suspicion and what to do. However, in the majority of cases the policies and/or procedures did not set out a complete framework or provide comprehensive guidance for the MLRO and nominated officer on the fulfilment of their roles. Procedures were often silent on what to do upon receipt of an internal SAR, maintaining records on internal and external SARs, handling formal information requests by the FIS, making consent requests, management of blocked accounts, and where a firm is part of a group, sharing information on SARs. All MLROs interviewed said that they regularly logged onto the FIS’s secure online portal, Themis, to follow up on email notifications received or to check on progress of external reports to the FIS. Communications sent by the FIS via Themis includes responses to requests for consent and formal requests for information, either in respect of existing SARs made by the firm, or where a separate firm has filed a report that identifies the MLRO’s firm as a third party providing services to the same customer. However, many procedures were silent on the use of Themis. Evidence suggests that most boards place reliance on their MLRO to determine policy and process in relation to the external reporting of SARs and management of “reported” relationships, perhaps because it is highly specialised subject area, and under the daily remit of a few key personnel. Nevertheless, whilst boards must ensure that there is no encroachment upon the MLRO’s or nominated officer’s autonomy over deciding whether to externalise a suspicion, they retain responsibility to ensure that there are appropriate and effective policies and procedures covering how suspicions will be handled, reported, recorded and managed, including where a relationship is subject to “no consent”. The Handbook does permit boards to delegate some or all of its duties and therefore boards may delegate the oversight of SARs policies, procedures and controls to a sub-committee of the board such as a risk and compliance committee. This is a good practice example where a medium to large sized firm, reacting to failures in its internal processes, reviewed its policies and procedures for reporting of suspicion and identified that additional information and guidance would provide greater clarity on the MLRO and nominated officer roles and procedures to be followed. The revisions included clarifying the functions and tasks of the MLRO and nominated officer and ensuring clarity around the CASE STUDY 4:

8 procedures for handling an internal SAR, use of alerts or blocks on accounts of “reported” relationships; filing of external SARs covering both use of Themis, and seeking consent from the FIS to undertake an activity, managing reported relationships, including relationships where consent was withheld, negating suspicion, exiting a reported customer relationship, handling FIS requests for further information, record-keeping and reporting of SAR management information to the board. In order to provide the MLRO and nominated officer with a framework within which to operate, boards should ensure that the firm’s AML/CFT policies and procedures around the reporting of suspicion cover the following areas: SAR Procedures Board management information Maintenance of SAR records Themis functions Sharing of SARs within the group Maintenance of customers following SAR Interaction wth FIS regarding consent AREA FOR IMPROVEMENT 1:

9 Management Information (“MI”) of Suspicious Activity Reporting Periodic management reporting on the nature and quantity of internal and external SARs provides valuable risk management information for the board, which is responsible for identifying and assessing the ML and FT risks to the business. The types of predicate offence underlying a suspicion could support whether the appropriate risks have been identified within the firm’s ML and FT business risk assessments, identify emerging areas of concern or where the firm may be operating outside of its risk appetite. This type of MI also encourages a board to consider what could be driving any changes in the nature and/or the number of internal and external reports. For example, alterations in the ML and FT risk profile of target customer markets, one-off internal or external factors or whether increases/decreases in the number of internal and external disclosures cannot be readily explained and should be explored to ensure mechanisms for identifying and reporting suspicion remain robust. The collection, recording and consideration of SAR MI will help firms to identify and monitor AML/CFT trends, keep their business risk assessments relevant and up to date, and to implement appropriate policies and procedures to mitigate the risks identified. Rules in the Handbook require the MI which boards receive to cover at least the following data on the reporting of suspicion: (i) the number of internal disclosures received by the MLRO or a nominated officer; (ii) the number of external disclosures reported onward to the FIS; (iii) an indication of the length of time taken by the MLRO or nominated officer in deciding whether or not to externalise an internal SAR; and, (iv) the nature of the disclosures8 . We hope this MI provides boards with the opportunity to oversee reporting patterns to ensure the identification of emerging trends, the weighing up of whether the nature and number of reports is reflective of the business model and to question what is driving any changes. For example, if there is an increase in reports, has this emanated from a review project, and if so, is the board satisfied that there has been timely identification of the activity which led to the suspicions raised? Alternatively, is a decrease in the number of reports (or even no reports) consistent with the size and risk profile of the firm’s customer base, the nature of its services and the risks attributed to the firm’s sector in the NRA? Or could a decrease or nil reporting be symptomatic of failings in other parts of the firm’s controls, such as backlogs in periodic reviews or “rules” turned off in automated screening systems which identify unusual transactions? Needless to say, it is important that boards document their consideration in this respect. 8 Rule 13.78 of the Handbook

10 This example shows poor practice by a medium sized firm where insufficient management information on SARs was provided to the board. An extract from a 2020 board report relating to SARs states, “In the period under review there have been several internal STRs [SARs] received and some submissions to the FIS.” It is difficult to see how this amount of information was sufficient for the board to gain an understanding of how many internal reports were received; what proportion were externalised; what predicate offences are linked to them; or any idea of the general background to help inform the board about the firm’s exposure to financial crime risks. It is particularly relevant in this example as the firm had experienced a sharp increase in internal and external SARs over the relevant period which warranted further information and consideration by the board to understand the origins and whether any actions were required to further mitigate the increased risks faced by the firm at that time. Information on the length of time between an internal SAR being made to the MLRO and a determination made whether there is a suspicion to report to the FIS can show how effective and efficient the firm’s policies and procedures are for the timely reporting of suspicion. This information can also act as a barometer to alert boards to situations where the MLRO and nominated officer are under resourced and may need more support. Only a few boards received a good level of anonymised information explaining the nature of suspicions being raised by their staff and on those being reported to the FIS. The most common explanation for giving a board limited or no information about disclosures was the fear of committing the criminal offence of tipping off as specified within the Reporting Law9 . The Commission would remind firms that the Bailiwick’s HM Procureur has issued guidance that no criminal prosecutions will be brought against individuals “who disclose the fact that a SAR has been or will be made, if the disclosure is made by one member of an organisation to another for the purposes of discharging AML/CFT responsibilities and functions.” A similar situation of not sharing information on suspicious activity because of the fear of “tipping-off” also arose in relation to firms that were part of a group. Sharing this type of information in a managed way, on a group basis avoids potential scenarios where one part of the group refuses to take on a customer owing to a suspicion, only for the same customer to approach another part of the group which takes them on. Or, where one part of the group raises a suspicion about a customer, but other parts of 9 Section 4 the Disclosure (Bailiwick of Guernsey) Law 2007 CASE STUDY 5:

11 the group which also provide products or services to the customer do not know that a suspicion has been raised. Sharing suspicions with other parts of the group is important for group management of ML and FT risks. The HM Procureur’s guidance also clarifies that there will be no criminal prosecutions in respect of “a disclosure made to linked organisations such as head offices or other branches of the same institution , again providing that it is made to discharge AML/CFT responsibilities and functions.” This is a good example of how informative SAR MI can be. The medium sized firm held board meetings every two months, at which the MLRO reported on any new internal SARs received during the period, the time between receipt and their decision to externalise the report to the FIS and a high-level summary detailing the nature of the suspicion and the predicate offences involved whilst withholding the identity of the customer. The MLRO provided the board with interim six monthly and annual reports showing statistics for the previous 12 months along with a consideration of the overall level of internal and external reports compared to previous years. In the case of this firm, the MLRO considered that for a firm of its nature and size, it received a high level of internal reports, although reasons for this were rationalised and documented within the reports. To illustrate, the firm had identified as relevant risk factors that it had a large number of non-resident customers compared to its peers, and considerable reliance for due diligence on regulated third parties such as an independent financial adviser. Its internal policy applied a threshold for reporting for staff based upon whether an activity was unusual, which is broader as opposed to a narrower more distilled approach of considering if an activity is suspicious. As a consequence of the detailed SAR MI it received, the board was able to demonstrate to us that it clearly understood the extent and nature of the inherent financial crime risks in its business model, the reasons for the relatively high number of internal reports and the effectiveness of its reporting processes. Based on the board information analysed during this review, at least one third of boards are not receiving sufficient information to meet the minimum requirements specified by the Handbook. CASE STUDY 6:

12 Firms are encouraged to review the level of SAR MI boards receive to ensure that at a minimum it meets Handbook requirements as outlined in Rule 13.78 of the Handbook. In addition, boards should be provided with anonymised general descriptions of the circumstances leading to suspicion and the predicate offences involved. This information can assist boards in discharging their responsibilities in two ways. Firstly in determining the effectiveness of their SAR reporting processes when considering compliance with the rules in the Handbook; and secondly when considering the continued relevance of the risks identified in their ML and FT business risk assessments. It can also be useful for identifying key areas for future AML/CFT training to staff or enhanced training to senior managers, the board, MLRO and MLCO. Review of compliance with the AML/CFT regulatory framework A board must establish and maintain an effective policy for the review of its compliance with the requirements of AML/CFT regulatory framework10 . All the firms visited had a compliance monitoring programme however, only one third of firms exercised tests that examined the SAR procedures and controls, leaving boards exposed to potential breaches of their duty to ensure that their firm operates effective policies, procedures and controls. This example highlights the various measures for testing the effectiveness of reporting processes. The firm’s compliance monitoring programme included an annual test to determine whether the firm’s SAR policy was up to date with AML/CFT legislation, regulations and guidance, whether regulatory reporting requirements had been met and that all staff were aware of the firm’s internal AML/CFT reporting procedures. The test also involved a consideration of the entries on the SAR register to ensure internal reports were assessed, recorded and, where suspicion was confirmed, externalised to the FIS in compliance with internal policy. The firm’s compliance team conducted the test to avoid a potential conflict of interest by the MLRO or nominated officer reviewing their own work. 10 Paragraph 15(1)(c) of Schedule 3 CASE STUDY 7: AREA FOR IMPROVEMENT 2:

13 The Commission would encourage boards to ensure that their compliance monitoring programmes, at least annually, assess the effectiveness of the internal reporting processes and the quality and timeliness of reporting suspicion. In terms of timing, areas to consider could include the trigger for the initial suspicion and how timely was it identified. In respect of quality, the internal and external SARs could be benchmarked against the guidance the FIS issued in October 2019. Where a firm has one person responsible for compliance and reporting, the board could mitigate the inherent conflict of interest by utilising the services of an independent colleague or external party to test the appropriateness and effectiveness of their policies, procedures and controls on SARs. Training One of the most important ways a firm can protect itself from the risk of ML or FT is to ensure its staff receive the right training to identify suspicious activity and report it. Firms must ensure that relevant employees receive comprehensive ongoing training that must include the reporting of suspicion, the criminal and regulatory sanctions that can be applied to both the firm and individuals for failing to report suspicion, and the identity and responsibilities of the MLRO, MLCO and nominated officer11 . This example shows good practice where an MLRO received a number of internal SARs from different individuals across the business, all relating to the same customer and same activity. The MLRO identified one employee in the customer’s relationship team who had been involved in the handling of the proposed activity but who had not made an internal disclosure. The MLRO felt that on the basis of the facts about the case the individual should have reasonably formed a suspicion and made a report. Considering the individual’s responsibility to report suspicion and the potential consequences to the individual of failing to do so, the MLRO approached the person concerned and provided targeted training to improve their knowledge and understanding of what would be considered suspicious activity and the obligation to report suspicion. 11 Rule 15.30 of the Handbook AREA FOR IMPROVEMENT 3: CASE STUDY 8:

14 This example shows good practice where an MLRO was horizon scanning and identified the need for staff to receive targeted training on financial crime red flags. The training need was identified by the MLRO in response to a thematic review published by a regulator in another jurisdiction where the firm operated a branch. Firms shall also identify relevant employees in the firm who, in view of their particular responsibilities, should receive additional and ongoing training, appropriate to their roles12. The board and senior management should receive additional training13 , as well as the MLRO14, nominated officer and the MLCO15 . All participating firms provided routine training to staff, which included awareness of the relevant legislation and personal obligations. The training also included examples of specific types of red flags and suspicious activity that were relevant to their business and which their staff may encounter as part of their day-to-day work. A common format for AML/CFT training was via online platforms offering subjects tailored to the Bailiwick’s regulatory framework and which set a test requiring a certain mark be achieved. In the majority of cases (82%) firms provided enhanced training to board members, the MLRO and MLCO, however there were instances where the board, MLRO and MLCO received the same training as that given to all staff across their business. These individuals hold distinct and important roles in ensuring that the firm operates effective AML/CFT policies, procedures and controls and therefore the Handbook requires these individuals to have additional bespoke AML/CFT training. Firms are recommended to undertake a review of their AML/CFT training with particular reference to understanding their compliance with Paragraph 13 of Schedule 3 and Handbook sections 15.2 (Employee Screening and Training - Board Oversight) and 15.7 to 15.11 (Employee Screening and Training – 15.7 Frequency of training, 15.8 Content of training, 15.9 the Board and Senior Management, 15.10 MLRO and nominated officer and 15.11 MLCO). 12 Paragraph 13(3) to Schedule 3 13 Rules 15.34 and 15.35 in the Handbook 14 Rules 15.36 and 15.37 in the Handbook 15 Rules 15.38 and 15.39 in the Handbook AREA FOR IMPROVEMENT 4: CASE STUDY 9:

15 Section Two - Effectiveness of SAR policies, procedures and controls In this section we examine the effectiveness of policies, procedures and controls and the extent to which firms meet their reporting obligations to the FIS and the processes in place to avoid the offence of tipping off. FIS guidance to improve suspicious activity reporting In October 2019, the FIS published through Themis a document entitled ‘Guidance to Improve Suspicious Activity Reporting’ for all reporting institutions. The purpose was to outline the type of information required with a SAR which would enable the FIS to understand the relationship and the nature of the suspicion pertaining to it and to assist the FIS to make an informed decision as to how to develop the information provided. All boards and MLROs visited acknowledged having reviewed the document with just under half of the firms reviewed (41%) making alterations to their policies and procedures. The firms that did not make any revisions advised that they had performed a gap analysis and determined that their existing procedures were sufficient. It was very positive to hear that all firms had acted on its receipt to consider if their processes needed changing. All firms had standard internal suspicious activity forms for staff to use to ensure that all relevant information about the suspicion is being brought expeditiously to the MLRO’s or nominated officer’s attention. However, the Commission noted separate instances across firms where despite the existence of the internal reporting forms, staff bypassed this procedure by emailing their suspicions to the MLRO. Although limited, the Commission noted instances where the guidance issued by the FIS was not followed by the MLRO, for instance, the suspicious activity referred to was not linked to a predicate offence within the external SAR sent to the FIS. There was one example where the basis of the cause for suspicion were not immediately obvious. This is an example of poor practice, where despite the firm’s internal procedure requiring internal SARs to be submitted on a standard reporting form, with text fields requiring specific information, a member of staff who had suspicion submitted a file note to the MLRO instead. It included information on the identity, background, employment and the source of funds and source of wealth of the investor but omitted the nature of the suspicion or the predicate offence suspected. CASE STUDY 10:

16 To assist the MLRO and nominated officer by providing the information to help them make an informed decision on whether there is a suspicion to report, and if so, to provide information which will assist the FIS, firms should ensure that their internal SAR form captures the information set out in the guidance issued by the FIS. MLROs and nominated officers could also consider feedback or additional training if information is omitted in internal reports or if they are not completed properly. Internal suspicious activity thresholds In some firms, MLROs advised that they expected staff to report anything that they felt was unusual or that they were uncomfortable with through the internal SAR procedure. This approach reduces the burden on staff to enquire, or angst over whether they should be suspicious, about an activity and places more onus on the MLRO on reviewing internal reports, customer files and obtaining further information upon which to make a decision over whether there is a suspicion to disclose. In other firms, MLROs reported that they required staff to be suspicious that a predicate crime has or will occur. A firm may determine either approach to internal reporting appropriate based upon the size, nature and complexity of its business providing that disclosure to the FIS is based upon the suspicion being a “possibility” rather than pure speculation that the relevant facts exist.16 In either scenario, the MLRO and nominated officer is the ultimate arbiter of the decision to make an external SAR. Timeliness of suspicious activity reports From the Commission’s review of SAR documentation for each firm sampled, internal and external SARs were being made and filed appropriately but there were isolated examples where external SARs should have been submitted by the MLRO or nominated officer more expeditiously. Firms should ensure that their staff receive training on typical financial crime red flags to enable prompt identification of suspicion and make the resulting internal or external SAR. The Bailiwick’s National Risk Assessment of ML and FT provides most likely modalities and case studies which firms may find beneficial in this respect. 16 Section 13.2 of the Handbook AREA FOR IMPROVEMENT 5:

17 This is a good practice example of where an MLRO reviewed the effectiveness of a firm’s reporting of suspicion. Following the transition from an outgoing MLRO to a new MLRO, the new MLRO reviewed all internal SARs going back over a couple of years to assess how effectively the firm’s SAR policies, procedures and controls operated during that period. Internal record keeping and controls Firms are required to keep records of any internal SARs made to the MLRO or nominated officer and of any external SARs to the FIS made under the Reporting Laws17. In respect of each internal and external SAR, records must be kept and include details of the actions taken by the MLRO and nominated officers, details of enquiries made and reasons for decisions not to externalise an internal SAR as well as reasons for making an external SAR18 . The majority of firms operated effective record keeping procedures in line with the regulatory requirements. There were isolated instances where firms were not operating effective procedures in this respect, see case study 13 below. Each firm taking part provided a copy of the SAR register which must be maintained19 . In general, the quality and quantity of information available within SAR registers was appropriate. There were a minority of examples where the SAR register recorded limited information, and therefore did not afford an understanding of the length of time that an internal SAR investigation took, types of associated predicate offences or provide useful details of correspondence relating to consent with the FIS. The reason for requiring firms to maintain a register include assisting in the identification of trends or emerging issues in the type and/or nature of the suspicions or in the reporting process. In addition, registers provide a secure reference point of sensitive customer information should enquiries about a reported relationship be made by relevant authorities and assist in the management of communications with the FIS about a particular disclosure. 17 Paragraph 14(5)(a) of Schedule 3 18 Rule 16.16 of the Handbook 19 Rule 13.79 of the Handbook CASE STUDY 11:

18 This is an example of good practice where a firm’s SAR register included useful information in accessible form for the MLRO and nominated officer that summarised the general nature of each suspicion, predicate offences, customer and connected parties and provided a record of the firm’s communications with the FIS. Headings included: This is an example of poor practice where a medium sized firm did not keep a central record of internal SAR information and documentation. Its MLRO had received all internal SAR notifications and documentation to their work email address i.e. name@firm. When the individual left the firm, the successor MLRO was not able to access any of the information or documentation that the former MLRO had received. This left the firm in breach of its duty to retain SAR information20. The firm has since introduced a central MLRO email address that can be accessed by any other authorised individuals in the event of a change in the MLRO post holder. 20 Paragraph 14(5)(a) of Schedule 3 and rules 16.16 and 16.17 of the Handbook CASE STUDY 12: CASE STUDY 13:

19 All firms confirmed that they had policies requiring alerts to be put on customers who are subject to an internal or external SAR to prevent activities or transactions proceeding without referral to the MLRO or nominated officer. Failure to ensure appropriate controls to flag or block such payments can result in serious implications including the possibility of criminal prosecution for money laundering. Information to be provided to the FIS A firm should provide the FIS with a full account of the circumstances and grounds for suspicion and provide as much relevant information and documentation (e.g. CDD, minutes and statements etc.) as possible to enable the FIS to fully understand the purpose and intended nature of the business relationship/occasional transaction and the reasons for the suspicion. It is for the MLRO and/or nominated officer to consider whether any external SAR made to the FIS concerns an ‘act’ that would constitute a money laundering offence21 . If the firm suspects such an ‘act’ may be committed and the firm intends to carry out such an ‘act’ on behalf of their customer, a request should be submitted, as part of the firm’s external SAR to the FIS, outlining the suspected ‘act’ and seeking consent to undertake it. Upon receipt of a request, the FIS will consider whether to grant consent under the provisions of the relevant legislation. Clearly the more relevant and fulsome the information about the customer, the activity and the nature of the suspicion which can be provided to the FIS, the better placed it will be to determine if there is a consent issue. Chapter 13 of the Handbook provides specific guidance on this particular subject which explains that such a response from the FIS does not imply that the intended transaction or activity could not constitute an offence, only that the FIS has not received sufficient information in order to make that determination and therefore if consent would apply. FIS requests for additional information Following receipt of an external SAR, the FIS can make a written request to a firm for additional information under Regulation 2 of the Disclosure Regulations. The additional information could be used to help ascertain the nature of the suspicion and to assist the FIS in determining what steps to take. In addition, under Regulation 2A of the Disclosure Regulations, the FIS can formally request information relating to an external disclosure from a third party if it is satisfied that there are reasonable grounds to believe that the third party possesses relevant information and that the information is necessary for the FIS to discharge its functions. The written request will contain a deadline by which time the firm should provide the information requested, failure to comply with the deadline can constitute an offence. The Disclosure Regulations also provides for the FIS to obtain additional information from any parties following a report/request for information made to the FIS by a party listed 21 Sections 38, 39 and 40 of the Proceeds of Crime Law and Part IV of the Drug Trafficking Law

20 at Section 11A of the Law, without the requirement for an initial disclosure or SAR to be made under the Law. In March 2020, the FIS published guidance on requests for additional information. The firms reviewed during the Commission’s thematic understood their responsibilities to provide information to the FIS upon receipt of formal notification from the FIS. Tipping off The Reporting Laws provide that it is a criminal offence for a person, who knows or suspects that an internal SAR to an MLRO or an external SAR to the FIS has or will be made, or any information or other matter concerning a disclosure has or will be communicated to an MLRO or the FIS, to disclose to any other person information or any other matter about, or relating to, that knowledge or suspicion unless it is for a purpose set out in the Reporting Laws22 . All MLROs interviewed said they cautioned all staff members who raised an internal SAR about their responsibility to withhold this information from the customer and connected parties in order to avoid the offence of tipping off. Firms made their staff aware of their responsibilities not to disclose information by including tipping off as a topic in routine AML/CFT training, by reference within the policies and procedures and by warnings contained within the acknowledgement from the MLRO or nominated officer in response to receipt of an internal SAR. As described in the “Board – Management Information on Suspicious Activity Reports” section above, some firms exercised too much caution for fear of tipping off by not providing sufficient detail within the SAR MI submitted to the board or within their group structure. Conclusion The firms that participated in the thematic process had policies, procedures and controls for the reporting of suspicion and we met many diligent, knowledgeable and appropriately senior MLROs. Nonetheless, in the majority of firms reviewed, the policies and/or procedures did not cast a full framework over the reporting process or provide comprehensive guidance for the MLRO and nominated officer on the firm’s expectations on the fulfilment of their roles. Boards are ultimately responsible for ensuring that their firms comply with the AML/CFT regulatory framework including that their policies, procedures and controls for the reporting of suspicion are fit for purpose and that staff are sufficiently skilled to discharge this important responsibility. We were surprised to find that this area was not generally on boards’ radar when they were considering the effectiveness of their AML/CFT controls. 22 Section 4 Disclosure (Bailiwick of Guernsey) Law 2007