Mitigating Risks with Introduced Business Relationships

GUIDANCE MITIGATING RISKS WITH INTRODUCED BUSINESS RELATIONSHIPS

2 Table of Contents Introduction and Context................................................................................................................................................................. 3 Defining Introduced Business.......................................................................................................................................................... 4 Background.......................................................................................................................................................................................... 7 Introduced Business in the Virgin Islands .................................................................................................................................. 7 Understanding the Risks in Introduced Business........................................................................................................................ 8 Risk due to inadequate AML/CFT/CPF procedures established by Introducers .............................................................. 8 Risk due to poorly reviewed and monitored introduced business relationships ............................................................... 9 Responsibility for understanding ownership and control.....................................................................................................10 Steps to aid in mitigating risks with introducers.....................................................................................................................10 Conducting due diligence to ensure suitability of Introducers .........................................................................................11 Ratifying third party relationship agreements......................................................................................................................12 Testing and Monitoring of introduced business relationships..........................................................................................12 Termination of introduced business relationships .................................................................................................................13 Termination of business relationship between Introducer and customer......................................................................13 Termination of business relationship between Introducer and licensee ........................................................................14 Intragroup Introductions ................................................................................................................................................................14 Best Practices....................................................................................................................................................................................15 Register of Introducers ................................................................................................................................................................15 Risk Based Approach....................................................................................................................................................................15 Monitoring cybersecurity and data protection issues...........................................................................................................15 Industry-wide collaboration to meet international standards................................................................................................16 Overarching requirement for compliance...................................................................................................................................16

3 Introduction and Context These Guidelines are issued by the Financial Services Commission (the “FSC”) as the supervisor of financial institutions (FIs) and the Financial Investigation Agency (“the FIA”) as Anti-Money Laundering, Counter- Financing of Terrorism and Counter￾Proliferation Financing (AML/CFT/CPF) supervisor of Designated Non-Financial Businesses and Professions (DNFBPs) in the Virgin Islands (VI). The FSC is responsible for the regulation and supervision of the financial services sector: (i) banking, (ii) insurance, (iii) trust and company services providers (“TSCPs”), (iv) investment business, (v) financing business (FB), money service businesses (“MSBs”), (vi) insolvency services, and (vii) virtual asset service providers (“VASPs”). The FIA is responsible for the supervision and monitoring of the following designated non-financial businesses and professions in the VI: (i) legal practitioners, notaries public and accountants, (ii) real estate agents, (iii)dealers in precious metals and stones (“DMPS”), (iv) high value goods dealers (“HVGD”), (v) vehicle dealers, and (vi) persons engaged in the business of buying and selling boats. As supervisors, the FSC and FIA, are cognisant of the need to ensure all supervised entities are aware of the various risks associated with the services they provide, including those posed by the use of third￾party introducers and that they are provided with clear guidance on how to mitigate those risks. As members of the Council of Competent Authorities’ Joint Supervisory Committee the FSC and FIA are committed to ongoing cooperation and collaboration on, matters that impact both FIs and DNFBPs to ensure proper risk mitigation and enhance transparency, while maintaining the VI’s reputation as a place to conduct legitimate and quality business. These Guidelines have been developed for the benefit of FIs and DNFBPs and persons who may seek to become licensed or approved as an FI and/or DNFBP and to further highlight risks licensees may face specific to introduced business relationships. Additionally, these Guidelines are geared towards assisting FIs and DNFBPs in the implementation of a risk-based approach in applying measures to mitigate against ML, TF, and PF risks related to introduced business relationships. Importantly, these Guidelines also buttress the provisions for compliance with the Anti-Money Laundering Terrorist Financing Code of Practice (the “AMLTFCOP”), the Anti-Money Laundering Regulations (“AML Regulations”), the Regulatory Code (the “RC”), The Financial Investigation Agency Act (the “FIA Act”) and the Financial Services Commission Act (the “FSC Act”) including any Explanatory Notes to these documents.

4 Comprehensive AML/CFT/CPF compliance by FIs and DNFBPs is essential to remaining up-to-date with evolving risks and threats that could adversely impact operations and fulfilment of legal and regulatory obligations. This Guide also serves as a complement to the ongoing need to report and engage with the FSC, FIA and other Competent Authorities, including law enforcement agencies to achieve optimal results in preventing ML, TF and PF risks from being realised. These agencies include the Office of the Governor, Attorney General’s Chambers, Royal Virgin Islands Police Force (RVIPF) and the BVI International Tax Authority (ITA). Defining Introduced Business Introduced Business, defined as where a professional relies on a third-party for the introduction of clients, presents tremendous opportunities for firms to expand their customer base. However, such reliance on third parties to introduce clients and collect initial due diligence also presents potential increased Money Laundering (ML), Terrorist Financing (TF) and Proliferation Financing (PF) risks to firms. The characteristics of third-party engagements present an additional layer that could be used to obscure beneficial ownership, and adverse information regarding the beneficial owners and the purpose and intended nature of the business relationship or one off transaction. The Financial Action Task Force’s (FATF) 40 Recommendations include standards specific to reliance on third parties for carrying out customer due diligence processes. In particular, Recommendation 17 provides standards to aid firms in mitigating against the risks of ML, TF and PF associated with Introduced Business. This Recommendation focuses on aspects of business impacted by “Reliance, Controls and Financial Groups”. The Interpretive Notes that accompany Recommendation 17 provide criteria for all countries to consider and implement in their overall compliance strategy where there is a reliance on third parties. For ease of reference, FATF Recommendation 17 and the associated Interpretative Note are provided in Boxes 1 and 2 below. 1 Explanatory Notes provide guidance on implementing the requirements of the AMTFCOP, AML Regulations and RC. Where applicable, the FSC and the FIA will take implementation and compliance with the Explanatory Notes into account when assessing compliance by an FI or DNFBP as the case may be.

5 Box 1 – FATF Recommendation 17 RELIANCE, CONTROLS AND FINANCIAL GROUPS Reliance on third parties * Countries may permit financial institutions to rely on third parties to perform elements (a)-(c) of the CDD measures set out in Recommendation 10 or to introduce business, provided that the criteria set out below are met. Where such reliance is permitted, the ultimate responsibility for CDD measures remains with the financial institution relying on the third party. The criteria that should be met are as follows: (a) (b) (c) (d) A financial institution relying upon a third party should immediately obtain the necessary information concerning elements (a)-(c) of the CDD measures set out in Recommendation 10. Financial institutions should take adequate steps to satisfy themselves that copies of identification data and other relevant documentation relating to the CDD requirements will be made available from the third party upon request without delay. The financial institution should satisfy itself that the third party is regulated, supervised or monitored for, and has measures in place for compliance with, CDD and record- keeping requirements in line with Recommendations 10 and 11. When determining in which countries the third party that meets the conditions can be based, countries should have regard to information available on the level of country risk. When a financial institution relies on a third party that is part of the same financial group, and (i) (ii) that group applies CDD and record-keeping requirements, in line with Recommendations 10, 11 and 12, and programmes against money laundering and terrorist financing, in accordance with Recommendation 18; and where the effective implementation of those CDD and record-keeping requirements and AML/CFT programmes is supervised at a group level by a competent authority, then relevant competent authorities may consider that the financial institution applies measures under (b) and (c) above through its group programme, and may decide that (d) is not a necessary precondition to reliance when higher country risk is adequately mitigated by the group AML/CFT policies.

6 Box 2 – FATF Interpretive Note to Recommendation 17 INTERPRETIVE NOTE TO RECOMMENDATION 17 (RELIANCE ON THIRD PARTIES)

1. This Recommendation does not apply to outsourcing or agency relationships. In a third-party reliance scenario, the third party should be subject to CDD and record-keeping requirements in line with Recommendations 10 and 11, and be regulated, supervised or monitored. The third party will usually have an existing business relationship with the customer, which is independent from the relationship to be formed by the customer with the relying institution, and would apply its own procedures to perform the CDD measures. This can be contrasted with an outsourcing/agency scenario, in which the outsourced entity applies the CDD measures on behalf of the delegating financial institution, in accordance with its procedures, and is subject to the delegating financial institution’s control of the effective implementation of those procedures by the outsourced entity.
2. For the purposes of Recommendation 17, the term relevant competent authorities means (i) the home authority, that should be involved for the understanding of group policies and controls at group-wide level, and (ii) the host authorities, that should be involved for the branches/subsidiaries.
3. The term third parties means financial institutions or DNFBPs that are supervised or monitored and that meet the requirements under Recommendation 17.

7 Background Introduced Business in the Virgin Islands All relevant FIs and DNFBPs (hereinafter collectively referred to as “licensees”) in the VI may, where certain criteria are met, utilise introduced business to secure customers. In this guidance, Introduced Business includes only situations where the licensee relies on the Introducer for the collection of customer due diligence information. This guidance does not apply to business introductions where the licensee itself carries out its own due diligence process on the potential customer. Data collected by the FSC through annual returns identifies the TCSP sector and the IB sector as the two sectors where introduced business is more widely used. There is also evidence from the FIA’s Supervision and Enforcement Unit that the legal practitioner and real estate sectors utilise introduced business relationships. Further, ML, TF and PF risk assessments produced and published by the VI have identified the elevated risks within the TCSP sector due to the vulnerabilities that arise when licensees rely on Introducers. While these vulnerabilities exist primarily in the TCSP sector, they also can be found in the investment business, legal and real estate sectors. Additionally, the VI’s 2024 Mutual Evaluation Report emphasised the inherent risks within the TCSP sector with an elevated risk posed by reliance on introduced business. The TCSP sector in aggregate is the largest regulated sector in the VI. A material percentage of TCSPs utilise Reliance on Third Parties, which is commonly referred to as ‘Introduced Business’. Data indicates that almost 30% of TCSPs use introduced business in some form and there are some TCSPs where 100% of their business comes through third-party introductions. The VI’s regime for AML/CFT/CPF is comprehensive in its coverage of Reliance on Third Parties. Substantive provisions can be found in the AMLTFCOP. The AMLR also set out provisions relevant for licensees in their engagements with third parties. Specific legislative references from the AMLTFCOP and AMLR are highlighted within this guidance. As part of good governance, Boards of Directors of licensees should ensure that they provide proper oversight in their reviews and approvals of introducer relationships, as these are necessary to establish, update and maintain a robust AML/CFT/CPF Compliance Framework.

8 Understanding the Risks in Introduced Business Sections 31, 31A and 31B of the AMLTFCOP set out the legislative requirements for the introduced business regime. In addition, the requirements of regulations 7, 7A and 7B of the AMLR are also relevant for the introduced business regime. These provisions are aligned with FATF Recommendation 17 and allow VI licensees to utilise introduced business relationships as an acceptable approach to transact legitimate business globally. The provisions are also geared towards ensuring compliance with Recommendation 10 where, as part of the introduced business relationship, the licensee is required to immediately obtain the following information from the Introducer: (a) (b) (c) information Identifying the customer and verifying the customer’s identity using reliable, independent source documents, data or information. information Identifying the beneficial owner to allow the licensee to take reasonable measures to verify the identity of the beneficial owner, such that the licensee is satisfied that it knows who the beneficial owner is. For legal persons and arrangements this should include licensees understanding the ownership and control structure of the customer. information leading to the understanding of the purpose and intended nature of the business relationship. However, these relationships also present significant risks which can be presented in several ways

1. Risk due to inadequate AML/CFT/CPF procedures established by Introducers

Prior to relying on an Introducer, licensees must ensure that they have ascertained that the Introducer has carried out all the necessary due diligence measures required under VI laws, including measures to obtain and verify the identity of the beneficial owner, applicant for business and the purpose and intended nature of the business relationship. Furthermore, the licensee must ensure and satisfy itself that the Introducer has taken measures to understand the ownership and control structure of the client. The licensee, upon introduction, must also obtain information to build its assurance that the Introducer has taken measures to obtain appropriate due diligence and verification information. This assurance can be achieved through the provision of key information by the Introducer to the licensee such as structure charts, date of birth, address and other verification information. The licensee should also consider the risks relating to the Introducer itself when determining the level of assurance required to satisfy itself of the measures taken by the Introducer.

9 Example of Risk in Introduced Business Relationships A licensee is used unknowingly to create legal structures, legal arrangements or conduct other services to be used by bad actors seeking to advance their criminal activities. This risk is heightened in the instance of third- party entities with inadequate AML/CFT procedures as this weakens the ability to identify bad actors and manage the ensuing ML/TF risks. In this scenario, the risks extend to a lack of transparency in identifying the beneficial ownership and controllers of legal structures and legal arrangements resulting from inadequate AML/CFT/CPF compliance measures. Risk can extend to illicit financing activities, possible breaches of sanctions including UN, UK and all other sanctions applicable to the VI, or other nefarious conduct going undetected thereby exposing a licensee to compliance, legal and operational risks. When deciding whether to rely on an Introducer, it is critical for licensees to fully assess whether their policies, procedures and control framework, and their implementation, allow for the effective mitigation of ML, TF and PF risks arising from risks specific to Introduced Business. Furthermore, in tailoring an AML/CFT/CPF compliance framework, it is important to understand the risks posed by third party relationships, which may increase the licensee’s susceptibility to abuse -. Domestic and international typologies have evidenced several issues and realised risks that can occur where a relationship between a licensee and an Introducer was not properly or effectively administered. These risks are compounded in the absence of ongoing testing and monitoring of Introducers’ procedures, including recording of such, to ensure the adequacy of such procedures. Testing and monitoring of Introducers by licensees helps ensure that there is clarity on the ongoing risk status as well as ensure a measure of accountability in maintaining required records 2. Risks due to poorly reviewed and monitored introduced business relationships Risks that could be realised in poorly reviewed and monitored introduced business relationships include: Maintenance of inconsistent due diligence information. An Introducer may provide comprehensive information at the outset of the relationship; however, the level of detail captured, validity and accuracy of information degrades during the course of the relationship. Due diligence that should be collected and maintained by the introducer has not been collected and/or maintained. Due diligence information of a poor quality (for example, illegible paper documents not reviewed for data integrity before scanning) or is not readily accessible or retrievable as required by law. Changes in the risk profile of the customer (or portfolio) that have not been recognized, due to gaps in due diligence information and ongoing monitoring. Termination and/or abandonment of the relationship by the Introducer without any attempt to update and review the customer due diligence information and accuracy and validity of beneficial ownership information.

10 Inability of the Licensee to access due diligence information and documentation for the customer when requested with particular reference to the licensee’s obligation to cooperate with competent authorities and law enforcement agencies. An introducer refusing to provide information based on assertions of their domestic privacy laws prohibiting the provision of requested information. Responsibility for Understanding Ownership and Control Licensees are required to obtain beneficial ownership information from the Introducer prior to establishing any business relationship or one-off transaction with a customer. Specifically, the licensee is required to obtain “information identifying the beneficial owner to allow the licensee to take reasonable measures to verify the identity of the beneficial owner, such that the licensee is satisfied that it knows who the beneficial owner is. For legal persons and arrangements this should include licensees understanding the ownership and control structure of the customer” . The responsibility rests with the licensee to ensure that it fully understands the ownership and control structure of all customers subject to third party introduction. Licensees must also ensure that sufficient monitoring mechanisms are in place to identify when the beneficial ownership of a customer changes, including changes that result in a change in the risk profile of the customer. Steps to Aid in Mitigating Risks with Introducers Consistent application of a comprehensive compliance framework that is calibrated to mitigate ML, TF, PF and other risks where reliance is placed on Introducers is critical. To protect licensees from these risks, the provisions set out in the AMLTFCOP and AMLR address the requirements for licensees in relation to the following: conducting due diligence and assessing the suitability of the third party ratifying third-party business relationship agreements testing and monitoring of introduced business relationships These requirements, consistently applied, can aid licensees in being able to mitigate their risks in introduced business relationships.

11 Conducting Due diligence to Ensure Suitability of Introducers In consideration of the risks that may occur in an introduced business relationship, it is imperative to consider and mitigate the risks presented by the Introducer itself. The licensee should satisfy itself that the Introducer is suitable and has a robust system of ML/TF/PF controls, which will act as a first line of defense in reducing the risks posed by bad actors. Appropriate due diligence measures for Introducers can be integrated into a holistic AML/CFT/CPF compliance framework. Outlined below is a list of five key steps designed to guide you through conducting appropriate due diligence. These steps are provided to complement not replace the requirements as set out at section 31 of AMLTFCOP and regulation 7 of the AMLR, respectively. STEP 1 – Conduct due diligence on Introducer. Extend the conduct of due diligence to key principals, directors and beneficial owners. Information being obtained should confirm that the Introducer is regulated and supervised for AML/CFT/CPF compliance. STEP 2 – Ensure that the Introducer is the only third party on whom reliance is being placed. The persons to whom you are relying must not rely on another third party. The existence of multi-level or tiered introductions exposes the licensee to additional risk and practices that are not in line with the AMLTFCOP and AMLR. STEP 3 – Obtain AML/CFT/CPF procedures of the Introducer. These AML/CFT/CPF procedures are essential to aid in making an informed assessment of the Introducer’s compliance framework, particularly as it relates to their due diligence processes, identification of beneficial ownership and control, sanction screening, risk assessment and suspicious transaction reporting. The licensee must test the Introducer’s procedures to assess the level of effectiveness. This can be evidenced and demonstrated by sample testing conducted by the licensee. Robust procedures do not affirm effective implementation; therefore, testing of the Introducer’s AML/CFT/CPF measures is required. STEP 4 – Conduct a risk assessment of the Introducer. The risk assessment should consider geographical risk exposure (i.e. the level of risk in the country or territory from which the introducer operates), particularly where the Introducer operates in a country with weak AML/CFT laws or where the laws within a particular jurisdiction may impede timely sharing of due diligence and other customer information. No introduced relationship should be approved where there are restrictions on sharing information that prevents the VI from satisfying its international cooperation obligations. The assessment should also consider any identified risks resulting from the due diligence conducted on the Introducer, its principals or the customer portfolio. The risk assessment, and the resulting ratings, should guide licensees in their treatment and monitoring of each Introducer. Where additional risks have been identified within an Introducer, the licensee should apply a risk-based approach in its ongoing monitoring and testing and increase the frequency of testing of any higher risk introducers. STEP 5 – Obtain senior management sign-off for the establishment or continuation of a relationship with Introducers. Senior management should also be continuously apprised of the compliance level, and any changes in the risk of the Introducer.

12 Ratifying Third Party Relationship Agreements In addition to thorough due diligence measures, licensees must ensure ratified agreements are in place for each Introducer. The terms of these agreements must be sufficiently detailed to address requirements specifically outlined in section 31A of the AMLTFCOP and regulation 7A of the AMLR, respectively. Ratified agreements may have effect for a period of up to five years or for the duration of the business relationship for each applicant for business or customer that has been introduced by the third party (or whichever is longer) and for a period of at least five years from the date of termination of the business relationship between the relevant parties to ensure access to records. However, licensees must update agreements more frequently based on changing regulations, changing in licensee’s assessment of the risk profile of the introducer, emerging risks or other factors driven by the evolution of good corporate governance practices and business conduct. The minimum conditions for agreements with Introducers are outlined in section 31A of the AMLTFCOP. Testing and Monitoring of Introduced Business Relationships The AMLTFCOP and AMLR also require licensees to test the agreements maintained to ensure compliance and to conduct ongoing monitoring of their relationships with Introducers. This requirement is set out in section 31B of the AMLTFCOP and regulation 7B of the AMLR, respectively. Whilst licensees are required to test their relationships with Introducers at least once every three years, a licensee must also ensure that testing is done on a risk sensitive basis. For example, it is expected that high risk introducers are tested more frequently, such as annually, to ensure the risks within the Introducer and its customer portfolio continue to be managed. The details that are to be captured in the testing of an Introducer are set out in detail at section 31B(4) of the AMLTFCOP, an extract of which is provided at Box 3 below. Box 3 – Extract of s.31B(4) AMLTFCOP (4) An entity or a professional that has carried out a testing of its or his or her business relationship with a third party shall— (a) prepare a report of its testing, including (i) the name of the third party relationship that was tested; (ii) the date of the testing; (iii) the percentage of customers introduced by the third party for which due diligence and documentation was requested during the testing; (iv) details of customer information requested from the third party during testing; (v) the results of testing of the third party relationship; and (vi) any follow-up actions to be taken as a result of the testing (b) make a copy of the report of its testing available whenever requested by the Commission.

13 Licensees must be cognisant that the conduct of regular testing alone does not fully address or mitigate the risks that may be occurring. Licensees must consider the outcomes of the test, inclusive of whether the conditions stipulated within the agreement are being adhered to and whether the ML/TF/PF risk are being managed. Such outcomes, positive or adverse, should be reported to Senior Management and the Board of Directors. Where an Introducer has been unable to adhere to its agreement and provide complete due diligence information upon request without delay (ordinarily within 24 hours), such introducer should be re-assessed, given the increased risk exposure due to lack of adherence and compliance to the agreement and its AML/CFT/CPF policies, and the licensee should reconsider whether to pursue its business relationship with that Introducer. Board/Senior Management should be engaged to determine and/or approve what remedial action is required in these circumstances. Further, the lack of adherence to the agreements makes the licensee susceptible to breaches of the AMLTFCOP. Consequently, to ensure full compliance, the licensee must consider remedial action, inclusive of termination of the Introducer relationship. Termination of Introduced Business Relationships Termination of Business Relationship between Introducer and Customer There are cases where the Introducer with whom the licensee has a relationship and who has introduced a customer to the licensee terminates their business relationship with the licensee’s customer. In this instance the customer becomes a direct customer of the licensee and the responsibility to undertake the full CDD process rests with the licensee. The licensee must, amongst other things: undertake full CDD on the existing customer; undertake an updated risk assessment of the customer; request copies all CDD documentation from the Introducer, including a rationale for ceasing the business relationship; consider whether the relationship between the licensee and the customer should be terminated; and consider whether a suspicious activity report should be filed with FIA.

14 Termination of Business Relationship between Introducer and Licensee There are also cases where the relationship between the Introducer and the licensee is terminated. These may include where the introducer is unable to satisfy the requirements of the AML legislation or where the licensee has decided not to continue the arrangements. In such instances the customers that were introduced to the licensee by the Introducer become direct customers of the licensee and the responsibility to undertake the full CDD process rests with the licensee. The licensee must, amongst other things: notify the FSC or the FIA as the case may be of such, where upon termination the Introducer is unable to or refuses to provide the requisite CDD information; undertake an updated risk assessment of the customers introduced by the Introducer; request copies of all CDD documentation of each customer from the Introducer; and consider whether the relationship between the licensee and each customer introduced by the Introducer should be terminated. Intragroup Introductions A licensee that is a member of a group of entities may rely on introductions from another member within that group with respect to the establishment of a business relationship or the conduct of one-off transactions. However, it is not sufficient for the licensee to rely on such introductions solely on the basis that they come from a member of the group. The licensee must ensure that all the relevant requirements are equally met by the group entity, including ensuring that the entity is regulated and supervised and has appropriate policies and procedures in place (save for where such are group level policies and procedures). Ultimately the responsibility remains with the licensee to ensure compliance with its AML/ CFT/CPF obligations. A licensee must not rely on group introductions where the member of the group fails to meet these requirements. Where an existing member no longer meets the requirements, a licensee must take the equal step to terminate the business relationship with the introducing group entity. In proceeding with termination of the relationship, the licensee must initiate retrieval of all CDD information and similar records from the group member, or commence terminating the business relationship with the customers introduced by the group entity.

15 Best Practices Register Of Introducers As an additional measure, licensees relying on third parties should consider establishing a Register of Introducer to aid in the ongoing reviews and monitoring of third-party relationships. A Register can include the following details, in addition to other details relevant to the licensee’s scope of business: Name of Introducer Regulated Status and relevant Regulatory Authority Primary jurisdiction of domicile, business activities and registered address Name of two primary contacts Risk Assessment rating for Introducer CDD/ECDD conducted for an Introducer (including date checked and the results) Number of BVIBCs or other financial services products per Introducer Date of signed agreement Evidence of Introducer’s Professional Indemnity Insurance Date of last testing Report on outcomes of testing and any corrective actions required Progress on any corrective actions from testing Risk Based Approach Licensees should employ a risk-based approach in their treatment of third party relationships. Licensees should ensure that third parties who present additional risk undergo greater scrutiny and are subject to more robust and frequent monitoring. Additionally, for those applicants for business or customers introduced by a third party, the licensees should consider the risk of the delivery channel (and any risks emanating from the specific third party) within its customer risk assessment. This allows any risks within the customer, arising from the Introducer, to be appropriately identified and mitigated. Monitoring Cybersecurity and Data Protection Issues Licensees are expected to be compliant and up to date with the relevant requirements related to cyber security and data protection. Reliance on third parties can lead to increased risk of data breaches wherein the Introducer’s systems are compromised and the licensees’ and customer data are made available to those who should not have it. Licensees must implement strong controls and risk programs that can adapt appropriately to these and other emerging challenges.

16 Industry-wide Collaboration to Meet International Obligations The VI has built its reputation in financial services following years of innovation in providing modern corporate and other legal structures. The risks to the VI’s reputation are many, including those surrounding degrading levels of compliance in key aspects of the industry. Such degradation in AML/CFT/CPF compliance efforts can come to light during international cooperation efforts, and result in instances of non-compliance. As such, it is important for licensees to continue to cooperate with Competent Authorities and law enforcement agencies when required by providing requested information that would be needed to fulfil the VI’s AML/CFT/CPF obligations and international cooperation obligations. Overarching Requirement for Compliance Licensees must remain vigilant in relation to evolving ML, TF and PF threats, as well as other threats that can negatively impact their operations. To mitigate against these threats and resulting risks, licensees must be diligent in the application of AML/CFT/CPF measures. These measures must be holistic and integrate prudent governance and modern risk management strategies with a robust compliance framework. Licensees must therefore remain agile and embed systems to allow for continual improvement in the efficiency and effectiveness of AML/CFT/CPF compliance.